==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys a production
ready Kubernetes cluster and can also generate Kubernetes manifests from
pillar data.

You can download the ``kubectl`` configuration and connect to your cluster.
Keep in mind that ``kubernetes_control_address`` needs to be reachable from
your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no

``cfg01`` is the Salt master node and ``ctl01`` is one of the Kubernetes
masters. The downloaded file contains the credentials used to reach the API
server, so keep it readable only by your own user.

Sample Pillars
==============

**REQUIRED:** Define images to use for hyperkube and Calico

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni
              image: calico/node
              kube_controllers_image: calico/kube-controllers

Pin the Calico images to an explicit tag (or digest) as well: an untagged
reference resolves to ``latest``, so what gets deployed changes silently
whenever the registry is updated.

Enable helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable calico-policy

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          network:
            calico:
              policy:
                enabled: true

Enable virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v1.0.3

Enable netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable external DNS addon with CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable external DNS addon with Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable external DNS addon with AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable external DNS addon with Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key is the service account key exported from the Google Cloud console,
collapsed to a single line with ``cat key.json | tr -d '\n'``.

The Designate, AWS and Google options are credentials with write access to
your DNS zone. Use an account scoped to that zone only, and keep the values
out of plain-text pillar (for example in a GPG-encrypted pillar referenced
through ``${_param:...}``) rather than committing them as shown in the
samples.

Enable OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable the autoscaler for the DNS addon. The poll period can be omitted.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60

Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: etcd3
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"

Containers on pool definitions in pool.service.local

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          calico:
            enabled: true
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4

    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          calico:
            enabled: true
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4

The insecure API port accepts unauthenticated requests that bypass
authorization entirely, so leave ``insecure_address`` on loopback and never
expose it on the node address. The ``token`` values and the admin password are
secrets: replace the sample values with randomly generated ones before use.

Enable basic, token and HTTP header authentication, disable SSL auth and
create some static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

Static passwords and tokens are written in clear text to the apiserver's
credential files and are only re-read when the apiserver restarts, so
generate long random values instead of the placeholders above. Header
authentication trusts ``X-Remote-User`` and ``X-Remote-Group`` as received,
so the API must only be reachable through an authenticating proxy whose
client certificate the apiserver verifies.

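As an added example (not part of this formula), the following Python renders
the auth pillar above into the two static credential files kube-apiserver
reads and the matching flags. The CSV layouts are kube-apiserver's documented
formats for ``--token-auth-file`` and ``--basic-auth-file``; the file paths
under ``/etc/kubernetes``, the placeholder list and the in-line copy of the
pillar are assumptions made for the example. Placeholder values such as
``dummytoken`` are replaced with random 256-bit secrets rather than written
out, and the flags for header authentication always include the proxy CA
that makes that mode safe.

```python
"""Static credential files and flags for kube-apiserver from the auth pillar.

Added example, not the formula's state; paths and placeholder list assumed."""
import csv
import io
import secrets

# Sample values the README shows; a credential equal to one of these is
# replaced with a freshly generated random secret instead of being shipped.
PLACEHOLDERS = {"", "dummy", "dummytoken", "password"}

# Constructed copy of the auth pillar shown above.
AUTH_PILLAR = {
    "basic": {"enabled": True,
              "user": {"jdoe": {"password": "dummy", "groups": ["system:admin"]}}},
    "http": {"enabled": True,
             "header": {"user": "X-Remote-User", "group": "X-Remote-Group"}},
    "ssl": {"enabled": False},
    "token": {"enabled": True,
              "user": {"jdoe": {"token": "dummytoken", "groups": ["system:admin"]}}},
}


def credential(value):
    """The configured secret, or a random 256-bit one if it is a placeholder."""
    return secrets.token_hex(32) if value in PLACEHOLDERS else value


def _csv(rows):
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


def _user_rows(users, field):
    # kube-apiserver format: secret,user,uid,"group1,group2" (uid = user here)
    return [[credential(spec.get(field, "")), name, name, ",".join(spec.get("groups", []))]
            for name, spec in sorted(users.items())]


def render_token_file(auth):
    """Contents for --token-auth-file."""
    return _csv(_user_rows(auth.get("token", {}).get("user", {}), "token"))


def render_basic_auth_file(auth):
    """Contents for --basic-auth-file."""
    return _csv(_user_rows(auth.get("basic", {}).get("user", {}), "password"))


def apiserver_auth_flags(auth, confdir="/etc/kubernetes"):
    """Map the pillar switches onto kube-apiserver flags (file paths assumed)."""
    flags = []
    if auth.get("basic", {}).get("enabled"):
        flags.append(f"--basic-auth-file={confdir}/basic_auth.csv")
    if auth.get("token", {}).get("enabled"):
        flags.append(f"--token-auth-file={confdir}/known_tokens.csv")
    if auth.get("ssl", {}).get("enabled", True):
        flags.append(f"--client-ca-file={confdir}/ssl/ca-kubernetes.crt")
    http = auth.get("http", {})
    if http.get("enabled"):
        hdr = http.get("header", {})
        # Header auth trusts the headers as received, so the apiserver must
        # verify the proxy that sets them by client certificate; without the
        # CA flag any client could claim an identity via X-Remote-User.
        flags += [
            f"--requestheader-username-headers={hdr.get('user', 'X-Remote-User')}",
            f"--requestheader-group-headers={hdr.get('group', 'X-Remote-Group')}",
            f"--requestheader-client-ca-file={confdir}/ssl/front-proxy-ca.crt",
        ]
    return flags


if __name__ == "__main__":
    print(render_token_file(AUTH_PILLAR), end="")
    print(render_basic_auth_file(AUTH_PILLAR), end="")
    print("\n".join(apiserver_auth_flags(AUTH_PILLAR)))
```

Run it once per apiserver restart cycle and keep the generated files at
mode 0600: anyone who can read them holds every static identity in the
cluster.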
Kubernetes with OpenContrail network plugin
-------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          opencontrail:
            enabled: true
            default_domain: default-domain
            default_project: default-domain:default-project
            public_network: default-domain:default-project:Public
            public_ip_range: 185.22.97.128/26
            private_ip_range: 10.150.0.0/16
            service_cluster_ip_range: 10.254.0.0/16
            network_label: name
            service_label: uses
            cluster_service: kube-system/default
            config:
              api:
                host: 10.0.170.70

The sample controller image is a ``latest`` tag from a personal registry
namespace; pin a release tag (or digest) from a registry you control before
using it in production.

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          opencontrail:
            enabled: true

The dashboard public IP must be configured when the Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dashboard:
            public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy
and etcd run in Docker containers through static manifests. For a stable
production environment they should be run under systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the Kubernetes services then run as the unprivileged ``kube`` user,
which cannot bind the privileged port 443, the apiserver secure port has to be
moved above 1024.

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with MetalLB
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          metallb:
            enabled: true
            addresses:
              - 172.16.10.150-172.16.10.180
              - 172.16.10.192/26

Kubernetes with SRIOV
---------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          flannel:
            enabled: true

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          flannel:
            enabled: true

Kubernetes with Calico
----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          calico:
            enabled: true
            mtu: 1500
            # If you don't register master as node:
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            mtu: 1500
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true
      master:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true

Calico keeps its policy and endpoint data in etcd, so anyone who can write to
that etcd without TLS can rewrite network policy for the whole cluster. Enable
the SSL option whenever etcd is reachable from more than the masters.

Running with calico-policy:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            policy:
              enabled: true
      master:
        network:
          calico:
            enabled: true
            policy:
              enabled: true

Enable Prometheus metrics in Felix

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            prometheus:
              enabled: true
      master:
        network:
          calico:
            prometheus:
              enabled: true

Post deployment configuration

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

These are the ``calicoctl`` v0.x commands; newer releases manage pools through
``calicoctl create`` with a resource manifest instead.

Kubernetes with GlusterFS for storage
-------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storage class integration. It also requires an IAM policy and instance
profiles for the nodes, and all EC2 resources must be tagged with
``KubernetesCluster``.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `base64 -w0 /root/.docker/config.json`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

The key is the whole Docker configuration file, which may hold credentials for
every registry the root user has ever logged in to. Log in with a pull-only
account on a clean configuration file before exporting it, and remember that
base64 is an encoding, not encryption: the secret still has to be kept out of
plain-text pillar.

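The external DNS, cloud provider and registry samples above all place
credentials directly in pillar. The following Python, an added example that is
not part of the formula, walks a pillar tree and reports every such value that
is still a literal rather than a ``${_param:...}`` reference (the
salt-formulas convention for values resolved from elsewhere, for instance an
encrypted pillar). The key paths come from the samples in this README; the
policy that they must be references, the sample pillar and the helper names
are this example's own.

```python
"""Report credentials written literally into pillar instead of referenced.

Added example, not part of the formula; paths and policy are assumptions."""
import re

PARAM_REF = re.compile(r"^\$\{_param:[A-Za-z0-9_]+\}$")

# Path suffixes (``*`` matches one key) under which a literal is a secret.
SECRET_PATHS = [
    ("designate_os_options", "OS_PASSWORD"),
    ("aws_options", "AWS_ACCESS_KEY_ID"),
    ("aws_options", "AWS_SECRET_ACCESS_KEY"),
    ("google_options", "key"),
    ("cloudprovider", "params", "password"),
    ("master", "admin", "password"),
    ("master", "token", "*"),
    ("pool", "token", "*"),
    ("registry", "secret", "*", "key"),
]


def _matches(path, pattern):
    if len(path) < len(pattern):
        return False
    tail = path[-len(pattern):]
    return all(p == "*" or p == t for p, t in zip(pattern, tail))


def _walk(node, path=()):
    """Yield (path, value) for every leaf of a nested dict/list structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (str(key),))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            yield from _walk(value, path + (str(i),))
    else:
        yield path, node


def literal_secrets(pillar):
    """Colon-joined paths whose value is a literal credential."""
    found = []
    for path, value in _walk(pillar):
        if not any(_matches(path, p) for p in SECRET_PATHS):
            continue
        if isinstance(value, str) and PARAM_REF.match(value):
            continue  # resolved at render time from a _param, not stored here
        found.append(":".join(path))
    return found


# Constructed pillar mixing the README's samples: the AWS keys and the
# registry pull secret are literals, the OpenStack passwords are references.
SAMPLE_PILLAR = {
    "kubernetes": {
        "common": {
            "addons": {
                "externaldns": {
                    "enabled": True, "provider": "aws",
                    "aws_options": {
                        "AWS_ACCESS_KEY_ID": "XXXXXXXXXXXXXXXXXXXX",
                        "AWS_SECRET_ACCESS_KEY": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX",
                    },
                    "designate_os_options": {
                        "OS_USERNAME": "admin",
                        "OS_PASSWORD": "${_param:designate_password}",
                    },
                },
            },
            "cloudprovider": {"enabled": True, "provider": "openstack",
                              "params": {"username": "nova",
                                         "password": "${_param:nova_password}"}},
        },
        "master": {
            "registry": {"secret": {"registry01": {
                "enabled": True, "key": "eyJhdXRocyI6e319", "namespace": "default"}}},
            "label": {"label01": {"key": "key01", "value": "value01"}},  # not a secret
        },
    }
}

if __name__ == "__main__":
    for item in literal_secrets(SAMPLE_PILLAR):
        print("literal credential in pillar:", item)
```

Feed it the rendered pillar of a node (for example the JSON output of
``salt-call pillar.items --out=json`` loaded with ``json.load``) as a pre-commit
or CI check, and extend ``SECRET_PATHS`` as you add providers.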
Kubernetes Service Definitions in pillars
=========================================

The following samples show how to generate Kubernetes manifests from pillar
data as well, so that a single tool covers the complete infrastructure.

Deployment manifest
-------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

PetSet manifest
---------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...

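The sample above combines ``privileged``, ``hostNetwork`` and a ``hostPath``
mount, each of which removes part of the isolation between the pod and the
node. As an added example (not the formula's own template), the following
Python builds a Deployment manifest from a service pillar in that shape and
audits the result, with a hardened copy for comparison. The field mapping is
the direct one (service or container ``privileged`` to
``securityContext.privileged``, ``hostNetwork``/``host_pid`` to
``hostNetwork``/``hostPID``, ``variables`` to ``env``, container ``volumes``
to ``volumeMounts`` and top-level ``volume`` to pod volumes, using the
``mountPath``/``readOnly`` shape of the Volumes section below); the sample
pillar, the ``hardened`` helper and the audit rules are constructed for the
example.

```python
"""Deployment manifest from a service pillar, plus an isolation audit.

Added example, not the formula's template; mapping and rules are assumptions."""
import copy


def _volume(name, spec):
    kind = spec.get("type", "emptyDir")
    if kind == "hostPath":
        return {"name": name, "hostPath": {"path": spec["path"]}}
    if kind in ("config_map", "configMap"):
        items = [{"key": i["key"], "path": i["path"]} for i in spec.get("item", {}).values()]
        return {"name": name, "configMap": {"name": name, "items": items}}
    return {"name": name, "emptyDir": {}}


def _container(name, spec, privileged_default):
    image = spec["image"]
    if spec.get("tag") is not None:
        image = f"{image}:{spec['tag']}"
    return {
        "name": name,
        "image": image,
        "ports": [{"name": p["name"], "containerPort": p["port"]} for p in spec.get("ports", [])],
        "env": [{"name": v["name"], "value": v["value"]} for v in spec.get("variables", [])],
        "volumeMounts": [{"name": v["name"], "mountPath": v["mountPath"],
                          "readOnly": bool(v.get("readOnly", False))}
                         for v in spec.get("volumes", [])],
        "securityContext": {"privileged": bool(spec.get("privileged", privileged_default))},
    }


def deployment_manifest(name, svc):
    labels = {"app": svc.get("service", name), "role": svc.get("role", "server")}
    pod = {
        "hostNetwork": bool(svc.get("hostNetwork", False)),
        "hostPID": bool(svc.get("host_pid", False)),
        "containers": [_container(n, c, svc.get("privileged", False))
                       for n, c in svc["container"].items()],
        "volumes": [_volume(n, v) for n, v in svc.get("volume", {}).items()],
    }
    return {"apiVersion": svc.get("apiVersion", "apps/v1"),
            "kind": svc.get("kind", "Deployment"),
            "metadata": {"name": name, "labels": labels},
            "spec": {"replicas": svc.get("replicas", 1),
                     "selector": {"matchLabels": labels},
                     "template": {"metadata": {"labels": labels}, "spec": pod}}}


def audit(manifest):
    """Isolation-weakening settings in the pod template, each with the reason."""
    pod = manifest["spec"]["template"]["spec"]
    findings = []
    if pod["hostNetwork"]:
        findings.append("hostNetwork: pod shares the node network namespace, "
                        "including loopback-only listeners such as the insecure API port")
    if pod["hostPID"]:
        findings.append("hostPID: pod can see and signal every process on the node")
    host_paths = {v["name"]: v["hostPath"]["path"] for v in pod["volumes"] if "hostPath" in v}
    for c in pod["containers"]:
        if c["securityContext"]["privileged"]:
            findings.append(f"{c['name']}: privileged, i.e. all capabilities and host devices")
        if ":" not in c["image"] or c["image"].endswith(":latest"):
            findings.append(f"{c['name']}: image {c['image']} is not pinned to a tag or digest")
        for m in c["volumeMounts"]:
            if m["name"] in host_paths and not m["readOnly"]:
                findings.append(f"{c['name']}: writable hostPath {host_paths[m['name']]} at {m['mountPath']}")
    return findings


def hardened(svc):
    """Copy of a service pillar with every setting audit() flags turned off."""
    out = copy.deepcopy(svc)
    out["privileged"] = out["hostNetwork"] = out["host_pid"] = False
    for c in out["container"].values():
        c["privileged"] = False
        for m in c.get("volumes", []):
            m["readOnly"] = True
    return out


# Constructed from the README's memcached sample, trimmed to the fields used.
MEMCACHED = {
    "privileged": True, "hostNetwork": True, "service": "memcached", "role": "server",
    "replicas": 3, "kind": "Deployment", "apiVersion": "extensions/v1beta1",
    "volume": {"certs": {"type": "hostPath", "path": "/etc/certs"}},
    "container": {"memcached": {
        "image": "memcached", "tag": 2,
        "ports": [{"port": 8774, "name": "nova-api"}],
        "variables": [{"name": "HTTP_TLS_CERTIFICATE", "value": "/certs/domain.crt"}],
        "volumes": [{"name": "certs", "mountPath": "/certs"}],
    }},
}

if __name__ == "__main__":
    for finding in audit(deployment_manifest("memcached", MEMCACHED)):
        print("-", finding)
```

The hardened copy still serves the TLS certificate from the node: a read-only
hostPath is enough for that, and neither privilege nor host networking is
needed for a memcached listener.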
Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: for example the nova formula has a file ``meta/config.yml``
which defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar
and grains structure. This way you are able to run Docker images built in any
way while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is yaml k8s or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matters for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, you need to ensure a pillar
structure like this to determine support:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

882--------------
883
884Example pillar:
885
886.. code-block:: bash
887
888 kubernetes:
889 control:
890 service:
891 memcached:
892 init_containers:
893 - name: test-mysql
894 image: busybox
895 command:
896 - sleep
897 - 3600
898 volumes:
899 - name: config
900 mount: /test
901 - name: test-memcached
902 image: busybox
903 command:
904 - sleep
905 - 3600
906 volumes:
907 - name: config
908 mount: /test
909
marcoee859d32016-11-07 11:04:57 +0100910Affinity
911--------
912
913podAffinity
914===========
915
916Example pillar:
917
918.. code-block:: bash
919
920 kubernetes:
921 control:
922 service:
923 memcached:
924 affinity:
925 pod_affinity:
926 name: podAffinity
927 expression:
928 label_selector:
929 name: labelSelector
930 selectors:
931 - key: app
932 value: memcached
933 topology_key: kubernetes.io/hostname
934
935podAntiAffinity
936===============
937
938Example pillar:
939
940.. code-block:: bash
941
942 kubernetes:
943 control:
944 service:
945 memcached:
946 affinity:
947 anti_affinity:
948 name: podAntiAffinity
949 expression:
950 label_selector:
951 name: labelSelector
952 selectors:
953 - key: app
954 value: opencontrail-control
955 topology_key: kubernetes.io/hostname
956
957nodeAffinity
958===============
959
960Example pillar:
961
962.. code-block:: bash
963
964 kubernetes:
965 control:
966 service:
967 memcached:
968 affinity:
969 node_affinity:
970 name: nodeAffinity
971 expression:
972 match_expressions:
973 name: matchExpressions
974 selectors:
975 - key: key
976 operator: In
977 values:
978 - value1
979 - value2
980
marcoacdae7e2015-12-02 15:35:37 +0100981Volumes
982-------
983
984hostPath
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200985==========
marcoacdae7e2015-12-02 15:35:37 +0100986
987.. code-block:: yaml
988
marcob469f882016-09-27 09:56:13 +0200989 service:
marcoacdae7e2015-12-02 15:35:37 +0100990 memcached:
marcob469f882016-09-27 09:56:13 +0200991 container:
992 memcached:
993 volumes:
994 - name: volume1
995 mountPath: /volume
996 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +0100997 ...
marcob469f882016-09-27 09:56:13 +0200998 volume:
999 volume1:
1000 name: /etc/certs
1001 type: hostPath
1002 path: /etc/certs
marcoacdae7e2015-12-02 15:35:37 +01001003
1004emptyDir
Ales Komarek688a04c2016-07-15 15:12:30 +02001005========
marcoacdae7e2015-12-02 15:35:37 +01001006
1007.. code-block:: yaml
1008
marcob469f882016-09-27 09:56:13 +02001009 service:
marcoacdae7e2015-12-02 15:35:37 +01001010 memcached:
marcob469f882016-09-27 09:56:13 +02001011 container:
1012 memcached:
1013 volumes:
1014 - name: volume1
1015 mountPath: /volume
1016 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +01001017 ...
marcob469f882016-09-27 09:56:13 +02001018 volume:
1019 volume1:
1020 name: /etc/certs
1021 type: emptyDir
1022
1023configMap
1024=========
1025
1026.. code-block:: yaml
1027
1028 service:
1029 memcached:
1030 container:
1031 memcached:
1032 volumes:
1033 - name: volume1
1034 mountPath: /volume
1035 readOnly: True
1036 ...
1037 volume:
1038 volume1:
1039 type: config_map
1040 item:
1041 configMap1:
1042 key: config.conf
1043 path: config.conf
1044 configMap2:
1045 key: policy.json
1046 path: policy.json
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001047
marco0eda4fb2016-10-10 19:08:27 +02001048To mount single configuration file instead of whole directory:
1049
1050.. code-block:: yaml
1051
1052 service:
1053 memcached:
1054 container:
1055 memcached:
1056 volumes:
1057 - name: volume1
1058 mountPath: /volume/config.conf
1059 sub_path: config.conf
1060
marcofcc20d02016-10-10 09:56:12 +02001061Generating Jobs
1062===============
1063
1064Example pillar:
1065
1066.. code-block:: yaml
1067
1068 kubernetes:
1069 control:
1070 job:
1071 sleep:
1072 job: sleep
1073 restart_policy: Never
1074 container:
1075 sleep:
1076 image: busybox
1077 tag: latest
1078 command:
1079 - sleep
1080 - "3600"
1081
1082Volumes and Variables can be used as the same way as during Deployment generation.
1083
1084Custom params:
1085
1086.. code-block:: yaml
1087
1088 kubernetes:
1089 control:
1090 job:
1091 host_network: True
1092 host_pid: True
1093 container:
1094 sleep:
1095 privileged: True
1096 node_selector:
1097 key: node
1098 value: one
1099 image_pull_secretes: password
1100
Filip Pytlounbdba6272017-10-18 19:44:27 +02001101Role-based access control
1102=========================
1103
1104To enable RBAC, you need to set following option on your apiserver:
1105
1106.. code-block:: yaml
1107
1108 kubernetes:
1109 master:
1110 auth:
Andrey Shestakovf32d7072017-12-27 22:18:51 +02001111 mode: Node,RBAC
Filip Pytlounbdba6272017-10-18 19:44:27 +02001112
1113Then you can use ``kubernetes.control.role`` state to orchestrate role and
1114rolebindings. Following example shows how to create brand new role and binding
1115for service account:
1116
1117.. code-block:: yaml
1118
1119 control:
1120 role:
1121 etcd-operator:
1122 kind: ClusterRole
1123 rules:
1124 - apiGroups:
1125 - etcd.coreos.com
1126 resources:
1127 - clusters
1128 verbs:
1129 - "*"
1130 - apiGroups:
1131 - extensions
1132 resources:
1133 - thirdpartyresources
1134 verbs:
1135 - create
1136 - apiGroups:
1137 - storage.k8s.io
1138 resources:
1139 - storageclasses
1140 verbs:
1141 - create
1142 - apiGroups:
1143 - ""
1144 resources:
1145 - replicasets
1146 verbs:
1147 - "*"
1148 binding:
1149 etcd-operator:
1150 kind: ClusterRoleBinding
1151 namespace: test # <-- if no namespace, then it's clusterrolebinding
1152 subject:
1153 etcd-operator:
1154 kind: ServiceAccount
1155
1156Simplest possible use-case, add user test edit permissions on it's test
1157namespace:
1158
1159.. code-block:: yaml
1160
1161 kubernetes:
1162 control:
1163 role:
1164 edit:
1165 kind: ClusterRole
1166 # No rules defined, so only binding will be created assuming role
1167 # already exists
1168 binding:
1169 test:
1170 namespace: test
1171 subject:
1172 test:
1173 kind: User
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001174
Ales Komarek9db8af42017-06-08 11:08:05 +02001175More Information
1176================
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001177
Ales Komarek9db8af42017-06-08 11:08:05 +02001178* https://github.com/Juniper/kubernetes/blob
1179/opencontrail-integration/docs /getting-started-guides/opencontrail.md
1180* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001181
Filip Pytlound06f6272017-02-02 13:02:03 +01001182
1183Documentation and Bugs
1184======================
1185
1186To learn how to install and update salt-formulas, consult the documentation
1187available online at:
1188
1189 http://salt-formulas.readthedocs.io/
1190
1191In the unfortunate event that bugs are discovered, they should be reported to
1192the appropriate issue tracker. Use Github issue tracker for specific salt
1193formula:
1194
1195 https://github.com/salt-formulas/salt-formula-kubernetes/issues
1196
1197For feature requests, bug reports or blueprints affecting entire ecosystem,
1198use Launchpad salt-formulas project:
1199
1200 https://launchpad.net/salt-formulas
1201
1202You can also join salt-formulas-users team and subscribe to mailing list:
1203
1204 https://launchpad.net/~salt-formulas-users
1205
1206Developers wishing to work on the salt-formulas projects should always base
1207their work on master branch and submit pull request against specific formula.
1208
1209 https://github.com/salt-formulas/salt-formula-kubernetes
1210
1211Any questions or feedback is always welcome so feel free to join our IRC
1212channel:
1213
1214 #salt-formulas @ irc.freenode.net