==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production
ready Kubernetes and generates Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no


`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define the images to use for hyperkube, CNI and calicoctl

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calicoctl:
              image: calico/ctl
            cni:
              image: calico/cni

Enable helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable calico-policy addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            calico_policy:
              enabled: true

Enable virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v0.8.0
              hosts:
                - cmp01
                - cmp02

Enable netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable external DNS addon with CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable external DNS addon with Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable external DNS addon with AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable external DNS addon with Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google console and processed with `cat key.json | tr -d '\n'`.

Enable OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable the autoscaler for the dns addon. The poll period can be omitted.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool definitions in pool.service.local

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          engine: calico
          mtu: 1500
          hash: fb5e30ebe6154911a66ec3fb5f1195b2
          private_ip_range: 10.150.0.0/16
          version: v0.19.0
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          engine: calico
          mtu: 1500
          hash: fb5e30ebe6154911a66ec3fb5f1195b2
          version: v0.19.0
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Enable basic, token and http authentication, disable ssl auth, create some
static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

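The master definition and the auth pillar above carry the settings that decide who can reach the apiserver and as whom. The following Python audit is an added example, not part of the formula: it walks the ``kubernetes:master`` keys shown in this README (``apiserver``, ``admin``, ``auth``) and reports sample credentials left in place, disabled client-certificate auth, a missing RBAC mode and an exposed insecure port. The placeholder list and the 16-character minimum are our own assumptions.

```python
"""Audit a salt-formula-kubernetes master pillar for weak settings.

Added example, not part of the formula. The pillar keys are the ones the
README shows under kubernetes:master; the placeholder list, the 16-character
minimum and the message wording are our own choices.
"""
from typing import Any, Dict, List, Tuple

Finding = Tuple[str, str]  # (pillar path, message)

# Stand-in secrets used by the README samples (constructed list). A pillar
# that still carries one of them was never customised.
PLACEHOLDERS = {"password", "dummy", "dummytoken", ""}


def _get(tree: Any, *path: str, default: Any = None) -> Any:
    """Walk nested dicts along *path*; return *default* on the first miss."""
    node = tree
    for key in path:
        if not isinstance(node, dict) or key not in node:
            return default
        node = node[key]
    return node


def audit_master(pillar: Dict[str, Any]) -> List[Finding]:
    """Return (pillar path, message) findings for the kubernetes:master tree."""
    findings: List[Finding] = []
    master = _get(pillar, "kubernetes", "master", default={})

    # The insecure apiserver port is unauthenticated; it must stay on loopback.
    insecure = str(_get(master, "apiserver", "insecure_address", default="127.0.0.1"))
    if insecure not in ("127.0.0.1", "::1", "localhost"):
        findings.append(("kubernetes:master:apiserver:insecure_address",
                         f"unauthenticated port bound to {insecure}, keep it on 127.0.0.1"))

    # Admin password left at the README's sample value.
    admin_pw = _get(master, "admin", "password")
    if admin_pw is not None and str(admin_pw).lower() in PLACEHOLDERS:
        findings.append(("kubernetes:master:admin:password", "placeholder password"))

    auth = _get(master, "auth", default={})

    # ssl.enabled: false switches off client-certificate authentication.
    if _get(auth, "ssl", "enabled", default=True) is False:
        findings.append(("kubernetes:master:auth:ssl:enabled",
                         "client certificate auth disabled"))

    # Without RBAC in the authorization mode every authenticated identity,
    # including the static users below, gets full API access.
    modes = [m.strip() for m in str(_get(auth, "mode", default="")).split(",")]
    if "RBAC" not in modes:
        findings.append(("kubernetes:master:auth:mode",
                         "RBAC not enabled, set mode: Node,RBAC"))

    # Static basic-auth passwords and bearer tokens that are sample values or short.
    for scheme, field in (("basic", "password"), ("token", "token")):
        if not _get(auth, scheme, "enabled", default=False):
            continue
        for user, spec in _get(auth, scheme, "user", default={}).items():
            secret = str(_get(spec, field, default=""))
            if secret.lower() in PLACEHOLDERS or len(secret) < 16:
                findings.append((f"kubernetes:master:auth:{scheme}:user:{user}",
                                 f"placeholder or short {field}"))
    return findings


# Constructed sample: the README's auth block combined with the admin and
# apiserver keys from the master definition, and no auth mode set.
SAMPLE_PILLAR: Dict[str, Any] = {"kubernetes": {"master": {
    "admin": {"username": "admin", "password": "password"},
    "apiserver": {"address": "10.0.175.100", "secure_port": 443,
                  "insecure_address": "127.0.0.1", "insecure_port": 8080},
    "auth": {
        "basic": {"enabled": True, "user": {
            "jdoe": {"password": "dummy", "groups": ["system:admin"]}}},
        "http": {"enabled": True, "header": {
            "user": "X-Remote-User", "group": "X-Remote-Group"}},
        "ssl": {"enabled": False},
        "token": {"enabled": True, "user": {
            "jdoe": {"token": "dummytoken", "groups": ["system:admin"]}}},
    },
}}}

if __name__ == "__main__":
    for path, message in audit_master(SAMPLE_PILLAR):
        print(f"{path}: {message}")
```

Running it against the sample reports five findings; a pillar with ``mode: Node,RBAC``, real secrets and the insecure port on loopback reports none.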
Kubernetes with OpenContrail network plugin
-------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          engine: opencontrail
          default_domain: default-domain
          default_project: default-domain:default-project
          public_network: default-domain:default-project:Public
          public_ip_range: 185.22.97.128/26
          private_ip_range: 10.150.0.0/16
          service_cluster_ip_range: 10.254.0.0/16
          network_label: name
          service_label: uses
          cluster_service: kube-system/default
          config:
            api:
              host: 10.0.170.70

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: opencontrail


Dashboard public IP must be configured when Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controllermanager, kube-proxy and etcd run in docker containers through manifests. For a stable production environment these should run in systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because k8s services run under the kube user without root privileges (and so cannot bind the privileged port 443), the secure port for the apiserver needs to be changed.

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: flannel
        # If you don't register master as node:
        etcd:
          members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001
      common:
        network:
          engine: flannel

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: flannel
        etcd:
          members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001
      common:
        network:
          engine: flannel

Kubernetes with Calico
----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: calico
          mtu: 1500
        # If you don't register master as node:
        etcd:
          members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          mtu: 1500
        etcd:
          members:
            - host: 10.0.175.101
              port: 4001
            - host: 10.0.175.102
              port: 4001
            - host: 10.0.175.103
              port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          mtu: 1500
          etcd:
            ssl:
              enabled: true
      master:
        network:
          engine: calico
          etcd:
            ssl:
              enabled: true

Running with calico-policy controller:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          mtu: 1500
          addons:
            calico_policy:
              enabled: true

      master:
        network:
          engine: calico
          mtu: 1500
          addons:
            calico_policy:
              enabled: true



Enable Prometheus metrics in Felix

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          prometheus:
            enabled: true
      master:
        network:
          prometheus:
            enabled: true

Post deployment configuration

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
-------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storageclass integration. It also requires creating an IAM policy and instance profiles for the instances, and tagging all resources with KubernetesCluster in EC2.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

Kubernetes Service Definitions in pillars
==========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
---------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

PetSet manifest
---------------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: e.g. in the nova formula there is a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is yaml k8s or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matters for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, you need to ensure a pillar
structure like this to determine support:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
              - name: test-mysql
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test
              - name: test-memcached
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                      - key: key
                        operator: In
                        values:
                          - value1
                          - value2

Volumes
-------

hostPath
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume/config.conf
                sub_path: config.conf

Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                  - sleep
                  - "3600"

Volumes and Variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and binding
for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
            - apiGroups:
                - etcd.coreos.com
              resources:
                - clusters
              verbs:
                - "*"
            - apiGroups:
                - extensions
              resources:
                - thirdpartyresources
              verbs:
                - create
            - apiGroups:
                - storage.k8s.io
              resources:
                - storageclasses
              verbs:
                - create
            - apiGroups:
                - ""
              resources:
                - replicasets
              verbs:
                - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

Simplest possible use-case: give user test edit permissions on its test
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

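To make the two rules stated above concrete (a binding without ``namespace`` is cluster-wide, and a role without ``rules`` only produces its binding), here is an added Python example, not the formula's own template, that renders the ``kubernetes:control:role`` pillar into RBAC manifests. The fallback that puts a ServiceAccount subject into the binding's namespace is our assumption.

```python
"""Render the README's ``kubernetes:control:role`` pillar into RBAC manifests.

Added example, not the formula's own template. It implements the two rules the
README states: a binding without ``namespace`` becomes a ClusterRoleBinding
(a RoleBinding otherwise, unless ``kind`` is given explicitly), and a role
without ``rules`` produces only its bindings. The ServiceAccount namespace
fallback is our assumption.
"""
import json
from typing import Any, Dict, List

RBAC_API = "rbac.authorization.k8s.io/v1"
RBAC_GROUP = "rbac.authorization.k8s.io"


def render_roles(pillar: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return Role/ClusterRole and binding manifests in pillar order."""
    manifests: List[Dict[str, Any]] = []
    roles = pillar.get("kubernetes", {}).get("control", {}).get("role", {})
    for role_name, role in roles.items():
        role_kind = role.get("kind", "Role")
        rules = role.get("rules")
        if rules:  # no rules: the role is assumed to exist already
            manifests.append({"apiVersion": RBAC_API, "kind": role_kind,
                              "metadata": {"name": role_name}, "rules": rules})
        for bind_name, binding in role.get("binding", {}).items():
            namespace = binding.get("namespace")
            bind_kind = binding.get("kind") or (
                "RoleBinding" if namespace else "ClusterRoleBinding")
            metadata: Dict[str, Any] = {"name": bind_name}
            if bind_kind == "RoleBinding":
                metadata["namespace"] = namespace
            subjects = []
            for subj_name, subj in binding.get("subject", {}).items():
                entry: Dict[str, Any] = {"kind": subj.get("kind", "User"),
                                         "name": subj_name}
                if entry["kind"] == "ServiceAccount":
                    # Assumption: the account lives in the binding's namespace
                    # unless the subject names its own.
                    entry["namespace"] = subj.get("namespace", namespace or "default")
                else:
                    entry["apiGroup"] = RBAC_GROUP  # required for User and Group
                subjects.append(entry)
            manifests.append({
                "apiVersion": RBAC_API, "kind": bind_kind, "metadata": metadata,
                "subjects": subjects,
                "roleRef": {"apiGroup": RBAC_GROUP, "kind": role_kind,
                            "name": role_name},
            })
    return manifests


# Constructed sample: the README's "edit" binding plus a trimmed etcd-operator role.
SAMPLE_PILLAR: Dict[str, Any] = {"kubernetes": {"control": {"role": {
    "edit": {
        "kind": "ClusterRole",  # no rules: binding only
        "binding": {"test": {"namespace": "test",
                             "subject": {"test": {"kind": "User"}}}},
    },
    "etcd-operator": {
        "kind": "ClusterRole",
        "rules": [{"apiGroups": ["etcd.coreos.com"],
                   "resources": ["clusters"], "verbs": ["*"]}],
        "binding": {"etcd-operator": {
            "kind": "ClusterRoleBinding", "namespace": "test",
            "subject": {"etcd-operator": {"kind": "ServiceAccount"}}}},
    },
}}}}

if __name__ == "__main__":
    for manifest in render_roles(SAMPLE_PILLAR):
        print(json.dumps(manifest, indent=2))
```

The "edit" entry yields a single namespaced RoleBinding that references the built-in ClusterRole, which is exactly what scopes the user's edit rights to the test namespace.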
More Information
================

* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net