Configure Calico policy
Calico policy can be deployed and set up using MCP now.
The 'calico-kube-controllers' deployment was updated so that
it should be compatible with Kubernetes v1.7 - v1.10.
PROD-19834
Change-Id: I2371913fda8153b3806a5c913ce7c08af1bd79e6
diff --git a/kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml b/kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml
index 19611f2..af68e14 100644
--- a/kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml
+++ b/kubernetes/files/kube-addons/calico-policy/calico-policy-controller.yml
@@ -1,36 +1,58 @@
{%- from "kubernetes/map.jinja" import common with context -%}
{%- from "kubernetes/map.jinja" import master with context -%}
+# This manifest deploys the Calico Kubernetes controllers.
+# See https://github.com/projectcalico/kube-controllers
apiVersion: extensions/v1beta1
-kind: ReplicaSet
+kind: Deployment
metadata:
- name: calico-policy-controller
+ name: calico-kube-controllers
namespace: {{ common.addons.calico_policy.namespace }}
labels:
- k8s-app: calico-policy
- kubernetes.io/cluster-service: "true"
+ k8s-app: calico-kube-controllers
addonmanager.kubernetes.io/mode: Reconcile
spec:
+ # The controllers can only have a single active instance.
replicas: 1
selector:
matchLabels:
- k8s-app: calico-policy
+ k8s-app: calico-kube-controllers
+ strategy:
+ type: Recreate
template:
metadata:
- name: calico-policy-controller
+ name: calico-kube-controllers
namespace: {{ common.addons.calico_policy.namespace }}
labels:
- k8s-app: calico-policy
+ k8s-app: calico-kube-controllers
annotations:
+ # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
+ # reserves resources for critical add-on pods so that they can be rescheduled after
+ # a failure. This annotation works in tandem with the toleration below.
+ # Note. Rescheduler is deprecated in k8s v1.10 and is to be removed in k8s v1.11.
+ scheduler.alpha.kubernetes.io/critical-pod: ''
{%- if common.addons.calico_policy.cni is defined %}
cni: {{ common.addons.calico_policy.cni }}
{%- endif %}
spec:
+ # The controllers must run in the host network namespace so that
+ # it isn't governed by policy that would prevent it from working.
hostNetwork: true
tolerations:
- - key: node-role.kubernetes.io/master
- effect: NoSchedule
+ # this taint is set by all kubelets running `--cloud-provider=external`
+ # so we should tolerate it to schedule the calico pods
+ - key: node.cloudprovider.kubernetes.io/uninitialized
+ value: "true"
+ effect: NoSchedule
+ - key: node-role.kubernetes.io/master
+ effect: NoSchedule
+ # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
+ # This, along with the annotation above marks this pod as a critical add-on.
+ # Note. Rescheduler is deprecated in k8s v1.10 and is to be removed in k8s v1.11.
+ - key: CriticalAddonsOnly
+ operator: Exists
+ serviceAccountName: calico-kube-controllers
containers:
- - name: calico-policy-controller
+ - name: calico-kube-controllers
image: {{ common.addons.calico_policy.image }}
imagePullPolicy: IfNotPresent
resources:
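Review bot: The added `scheduler.alpha.kubernetes.io/critical-pod: ''` annotation and the `CriticalAddonsOnly` toleration only take effect for pods in the kube-system namespace on the release range named in the commit message, if I read the kubelet's critical-pod check correctly, while the namespace here is templated from `common.addons.calico_policy.namespace`; an override of that value would silently drop the critical-add-on treatment, so either document that constraint next to the annotation or note that the namespace must stay kube-system. The new hostNetwork comment also has a number mismatch; suggest `# The controllers must run in the host network namespace so that they aren't governed by policy that would prevent them from working.` The container spec continues past the end of this hunk.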
@@ -41,25 +63,25 @@
cpu: 30m
memory: 64M
env:
+ # The list of etcd nodes in the cluster.
- name: ETCD_ENDPOINTS
value: "{% for member in master.network.calico.etcd.members %}http{% if master.network.calico.etcd.get('ssl', {}).get('enabled') %}s{% endif %}://{{ member.host }}:{{ member.port }}{% if not loop.last %},{% endif %}{% endfor %}"
+ # CA certificate, client certificate, client key files for accessing the etcd cluster.
- name: ETCD_CA_CERT_FILE
value: "/var/lib/etcd/ca.pem"
- name: ETCD_CERT_FILE
value: "/var/lib/etcd/etcd-client.pem"
- name: ETCD_KEY_FILE
value: "/var/lib/etcd/etcd-client.pem"
- # Location of the Kubernetes API - this shouldn't need to be
- # changed so long as it is used in conjunction with
- # CONFIGURE_ETC_HOSTS="true".
- - name: K8S_API
- value: "https://kubernetes.default"
- # Configure /etc/hosts within the container to resolve
- # the kubernetes.default Service to the correct clusterIP
- # using the environment provided by the kubelet.
- # This removes the need for KubeDNS to resolve the Service.
- - name: CONFIGURE_ETC_HOSTS
- value: "true"
+ # Which controllers to run.
+ - name: ENABLED_CONTROLLERS
+ value: "policy,profile,workloadendpoint,node"
+ # Minimum log level to be displayed.
+ - name: LOG_LEVEL
+ value: "info"
+ # Period to perform reconciliation with the Calico datastore. Default is 5m.
+ - name: RECONCILER_PERIOD
+ value: "1m"
volumeMounts:
- mountPath: /var/lib/etcd/
name: etcd-certs
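Review bot: The new comment `# CA certificate, client certificate, client key files for accessing the etcd cluster.` describes three files, but the context lines right below it point both ETCD_CERT_FILE and ETCD_KEY_FILE at `/var/lib/etcd/etcd-client.pem`; if that file is a combined certificate-plus-key bundle, the comment should say so, otherwise the key path looks wrong and the controller will not be able to authenticate to etcd. The 1m RECONCILER_PERIOD overrides the 5m default that the comment cites without giving a reason; a short comment on why the faster period is needed would help the next maintainer. The container spec starts before this hunk.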
@@ -69,3 +91,51 @@
path: /var/lib/etcd
name: etcd-certs
+---
+
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ name: calico-kube-controllers
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+ name: calico-kube-controllers
+ namespace: {{ common.addons.calico_policy.namespace }}
+
+---
+
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: calico-kube-controllers
+rules:
+ - apiGroups:
+ - ""
+ - extensions
+ resources:
+ - pods
+ - namespaces
+ - networkpolicies
+ - nodes
+ verbs:
+ - watch
+ - list
+ - apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - watch
+ - list
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: calico-kube-controllers
+ namespace: {{ common.addons.calico_policy.namespace }}
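Review bot: The new ClusterRoleBinding, ClusterRole and ServiceAccount documents carry no `addonmanager.kubernetes.io/mode` label, unlike the Deployment earlier in this file; if this manifest is applied by kube-addon-manager, which selects objects by that label, the three RBAC objects would be skipped and the Deployment's pods would fail to start for lack of the `calico-kube-controllers` service account. Add `labels:` with `addonmanager.kubernetes.io/mode: Reconcile` under each of the three `metadata:` blocks (a `k8s-app: calico-kube-controllers` label would also keep them consistent with the Deployment). The role itself grants only watch/list on the listed resources, which is an appropriately narrow scope for the controllers.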
diff --git a/metadata/service/common.yml b/metadata/service/common.yml
index 161e025..169a5b2 100644
--- a/metadata/service/common.yml
+++ b/metadata/service/common.yml
@@ -35,7 +35,7 @@
server_image: mirantis/k8s-netchecker-server:stable
calico_policy:
enabled: False
- image: calico/kube-policy-controller:v0.5.4
+ image: docker-prod-virtual.docker.mirantis.net/mirantis/projectcalico/calico/kube-controllers:v1.0.4
namespace: kube-system
contrail_network_controller:
enabled: False
diff --git a/metadata/service/master/single.yml b/metadata/service/master/single.yml
index 8eb6b63..8c34b63 100644
--- a/metadata/service/master/single.yml
+++ b/metadata/service/master/single.yml
@@ -53,7 +53,7 @@
tiller_image: gcr.io/kubernetes-helm/tiller:v2.4.2
calico_policy:
enabled: False
- image: calico/kube-policy-controller:v0.5.4
+ image: docker-prod-virtual.docker.mirantis.net/mirantis/projectcalico/calico/kube-controllers:v1.0.4
namespace: kube-system
contrail_network_controller:
enabled: False