==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production-ready
Kubernetes and generates Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no


`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define images to use for hyperkube and Calico

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni
              image: calico/node
              kube_controllers_image: calico/kube-controllers


Enable helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable calico-policy

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          network:
            calico:
              policy:
                enabled: true

Enable virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v1.0.3

Enable netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable external DNS addon with CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable external DNS addon with Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable external DNS addon with AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable external DNS addon with Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google console and processed as ``cat key.json | tr -d '\n'``.

Enable OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable autoscaler for the DNS addon. The poll period can be omitted.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool definitions in pool.service.local

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          calico:
            enabled: true
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          calico:
            enabled: true
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Enable basic, token and http authentication, disable ssl auth, create some
static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

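The pillar above turns on static basic and token users and turns off certificate authentication. As an added example (my code, not part of the formula), the following audit walks an already-parsed pillar dict and reports the settings documented in this README that weaken apiserver access control: a missing ``RBAC`` in ``auth:mode``, ``auth:ssl`` disabled, static credentials under ``auth:basic``/``auth:token``, and an ``apiserver:insecure_address`` that is not loopback. ``WEAK_PILLAR``, ``HARDENED_PILLAR``, ``lookup`` and ``audit_master_auth`` are names I chose; the ``0.0.0.0`` insecure address is a constructed value to exercise that check.

```python
"""Audit the authentication-related keys of a kubernetes:master pillar.

Added example, not code from the salt-formula-kubernetes project. It reads the
pillar keys documented in this README (kubernetes:master:auth:{mode,basic,token,ssl}
and kubernetes:master:apiserver:insecure_*) from an already-parsed pillar dict,
which is what Salt hands to the formula, so no YAML library is required.
"""
from typing import Any, Dict, List

# Constructed sample: the "static users" pillar from the README, plus an
# apiserver block whose insecure listener is bound to all interfaces so that
# the loopback check below has something to report.
WEAK_PILLAR: Dict[str, Any] = {
    "kubernetes": {
        "master": {
            "auth": {
                "basic": {
                    "enabled": True,
                    "user": {"jdoe": {"password": "dummy", "groups": ["system:admin"]}},
                },
                "http": {
                    "enabled": True,
                    "header": {"user": "X-Remote-User", "group": "X-Remote-Group"},
                },
                "ssl": {"enabled": False},
                "token": {
                    "enabled": True,
                    "user": {"jdoe": {"token": "dummytoken", "groups": ["system:admin"]}},
                },
            },
            "apiserver": {"insecure_address": "0.0.0.0", "insecure_port": 8080},
        }
    }
}

# Constructed counterpart: RBAC on (the README's auth:mode value), certificate
# auth kept, no static credentials in pillar, insecure listener on loopback.
HARDENED_PILLAR: Dict[str, Any] = {
    "kubernetes": {
        "master": {
            "auth": {"mode": "Node,RBAC", "ssl": {"enabled": True}},
            "apiserver": {"insecure_address": "127.0.0.1", "insecure_port": 8080},
        }
    }
}


def lookup(tree: Any, path: str, default: Any = None) -> Any:
    """Walk a colon-separated pillar path such as 'kubernetes:master:auth:mode'."""
    for key in path.split(":"):
        if not isinstance(tree, dict) or key not in tree:
            return default
        tree = tree[key]
    return tree


def audit_master_auth(pillar: Dict[str, Any]) -> List[str]:
    """Return one finding per setting a reviewer should question."""
    findings: List[str] = []

    # Authorization: without RBAC in auth:mode, authenticated identities are
    # not restricted by role (the README's RBAC section sets mode: Node,RBAC).
    mode = str(lookup(pillar, "kubernetes:master:auth:mode", ""))
    if "RBAC" not in [m.strip() for m in mode.split(",")]:
        findings.append("auth:mode lacks RBAC; authenticated identities are not authorized per role")

    # Certificate-based client authentication switched off explicitly.
    if lookup(pillar, "kubernetes:master:auth:ssl:enabled") is False:
        findings.append("auth:ssl:enabled is false; certificate-based client auth is disabled")

    # Static credentials: basic and token users are literal secrets in pillar.
    for scheme in ("basic", "token"):
        if lookup(pillar, f"kubernetes:master:auth:{scheme}:enabled"):
            users = lookup(pillar, f"kubernetes:master:auth:{scheme}:user", {}) or {}
            for name, spec in users.items():
                groups = ",".join(spec.get("groups", [])) or "-"
                findings.append(
                    f"auth:{scheme}: static credential for user '{name}' "
                    f"(groups: {groups}) stored in pillar"
                )

    # The insecure apiserver listener performs no authentication; anything
    # other than loopback exposes it to the network.
    insecure_addr = lookup(pillar, "kubernetes:master:apiserver:insecure_address")
    if insecure_addr is not None and str(insecure_addr) not in ("127.0.0.1", "localhost", "::1"):
        findings.append(
            f"apiserver:insecure_address {insecure_addr} is not loopback; "
            "the insecure port is unauthenticated"
        )

    return findings


if __name__ == "__main__":
    for label, pillar in (("weak", WEAK_PILLAR), ("hardened", HARDENED_PILLAR)):
        result = audit_master_auth(pillar)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```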
Kubernetes with OpenContrail network plugin
-------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          opencontrail:
            enabled: true
            default_domain: default-domain
            default_project: default-domain:default-project
            public_network: default-domain:default-project:Public
            public_ip_range: 185.22.97.128/26
            private_ip_range: 10.150.0.0/16
            service_cluster_ip_range: 10.254.0.0/16
            network_label: name
            service_label: uses
            cluster_service: kube-system/default
            config:
              api:
                host: 10.0.170.70

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          opencontrail:
            enabled: true


Dashboard public IP must be configured when Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dashboard:
            public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment these should run in systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services then run under the ``kube`` user without root privileges, the apiserver secure port needs to be moved to a non-privileged port (above 1023).

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with MetalLB
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          metallb:
            enabled: true
            addresses:
              - 172.16.10.150-172.16.10.180
              - 172.16.10.192/26

Kubernetes with SRIOV
---------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          flannel:
            enabled: true

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          flannel:
            enabled: true

Kubernetes with Calico
----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          calico:
            enabled: true
            mtu: 1500
            # If you don't register master as node:
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            mtu: 1500
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true
      master:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true

Running with calico-policy:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            policy:
              enabled: true

      master:
        network:
          calico:
            enabled: true
            policy:
              enabled: true



Enable Prometheus metrics in Felix

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            prometheus:
              enabled: true
      master:
        network:
          calico:
            prometheus:
              enabled: true

Post deployment configuration

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
-------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storageclass integration. It also requires creating an IAM policy and instance profiles for the instances, and tagging all resources with ``KubernetesCluster`` in EC2.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Ceph RBD storageclass integration.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            rbd:
              enabled: True
              default: True
              provisioner: rbd
              name: rbd
              user_id: kubernetes
              user_key: AQAOoo5bGqtPExAABGSPtThpt5s+iq97KAE+WQ==
              monitors: cmn01:6789,cmn02:6789,cmn03:6789
              pool: kubernetes
              fstype: ext4

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

Kubernetes Service Definitions in pillars
=========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
-------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

PetSet manifest
---------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: e.g. in the nova formula there is a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run Docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is yaml k8s or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matters for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, you need to ensure a pillar
structure like this to determine support:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
              - name: test-mysql
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test
              - name: test-memcached
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                      - key: key
                        operator: In
                        values:
                          - value1
                          - value2

Volumes
-------

hostPath
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume/config.conf
                sub_path: config.conf

Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                  - sleep
                  - "3600"

Volumes and Variables can be used the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and binding
for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
            - apiGroups:
                - etcd.coreos.com
              resources:
                - clusters
              verbs:
                - "*"
            - apiGroups:
                - extensions
              resources:
                - thirdpartyresources
              verbs:
                - create
            - apiGroups:
                - storage.k8s.io
              resources:
                - storageclasses
              verbs:
                - create
            - apiGroups:
                - ""
              resources:
                - replicasets
              verbs:
                - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

The simplest possible use case: give user ``test`` edit permissions on its ``test``
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

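To make the pillar model above concrete, here is an added example (my own code, not the formula's template) that turns a ``kubernetes:control:role`` pillar into Kubernetes RBAC objects following the rule in the pillar comment (a binding with a namespace becomes a RoleBinding, one without becomes a ClusterRoleBinding; a role without rules only yields bindings) and then lists every rule that grants wildcard verbs or resources, which is the first thing to review in a role such as ``etcd-operator``. The ``rbac.authorization.k8s.io/v1`` apiVersion, the ``default`` namespace filled in for ServiceAccount subjects, and the names ``render_rbac`` and ``wildcard_grants`` are my assumptions.

```python
"""Render the kubernetes:control:role pillar from this README into RBAC objects
and list the wildcard grants they contain.

Added example, not the formula's own template. Binding rule as stated in the
pillar comment: namespace given -> RoleBinding in that namespace, none ->
ClusterRoleBinding. A role without rules only yields bindings, as the 'edit'
example describes. API version and the ServiceAccount namespace default are
assumptions.
"""
import json
from typing import Any, Dict, List, Tuple

API_VERSION = "rbac.authorization.k8s.io/v1"  # assumption: v1 RBAC API

# Constructed pillar: the etcd-operator role from the README with its binding
# left cluster-wide (no namespace), plus the 'edit' binding for user test.
PILLAR: Dict[str, Any] = {
    "kubernetes": {"control": {"role": {
        "etcd-operator": {
            "kind": "ClusterRole",
            "rules": [
                {"apiGroups": ["etcd.coreos.com"], "resources": ["clusters"], "verbs": ["*"]},
                {"apiGroups": ["extensions"], "resources": ["thirdpartyresources"], "verbs": ["create"]},
                {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["create"]},
                {"apiGroups": [""], "resources": ["replicasets"], "verbs": ["*"]},
            ],
            "binding": {"etcd-operator": {"subject": {"etcd-operator": {"kind": "ServiceAccount"}}}},
        },
        "edit": {
            "kind": "ClusterRole",  # no rules: only bind to the pre-existing ClusterRole
            "binding": {"test": {"namespace": "test", "subject": {"test": {"kind": "User"}}}},
        },
    }}}
}


def render_rbac(pillar: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Turn kubernetes:control:role into (Cluster)Role and (Cluster)RoleBinding dicts."""
    objects: List[Dict[str, Any]] = []
    roles = pillar.get("kubernetes", {}).get("control", {}).get("role", {})
    for role_name, role in roles.items():
        role_kind = role.get("kind", "Role")
        if role.get("rules"):  # rules present: the role object itself is managed here
            objects.append({"apiVersion": API_VERSION, "kind": role_kind,
                            "metadata": {"name": role_name}, "rules": role["rules"]})
        for binding_name, binding in role.get("binding", {}).items():
            namespace = binding.get("namespace")
            metadata: Dict[str, Any] = {"name": binding_name}
            if namespace:
                binding_kind = "RoleBinding"
                metadata["namespace"] = namespace
            else:
                binding_kind = "ClusterRoleBinding"
            subjects = []
            for subject_name, subject in binding.get("subject", {}).items():
                entry = {"kind": subject["kind"], "name": subject_name}
                if subject["kind"] == "ServiceAccount":
                    # ServiceAccount subjects carry a namespace: use the binding's,
                    # else 'default' (assumption, the pillar example gives none).
                    entry["namespace"] = subject.get("namespace", namespace or "default")
                subjects.append(entry)
            objects.append({
                "apiVersion": API_VERSION, "kind": binding_kind, "metadata": metadata,
                "subjects": subjects,
                "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                            "kind": role_kind, "name": role_name},
            })
    return objects


def wildcard_grants(objects: List[Dict[str, Any]]) -> List[Tuple[str, str, str]]:
    """(role, apiGroup, resource) for each rule granting '*' verbs or '*' resources."""
    hits: List[Tuple[str, str, str]] = []
    for obj in objects:
        if obj["kind"] not in ("Role", "ClusterRole"):
            continue
        for rule in obj.get("rules", []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                for group in rule.get("apiGroups", [""]):
                    for resource in rule.get("resources", []):
                        hits.append((obj["metadata"]["name"], group or "core", resource))
    return hits


if __name__ == "__main__":
    rendered = render_rbac(PILLAR)
    print(json.dumps(rendered, indent=2))
    for role, group, resource in wildcard_grants(rendered):
        print(f"wildcard grant: role {role} on {group}/{resource}")
```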
More Information
================

* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net