==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production
ready Kubernetes and can generate Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

  mkdir -p ~/.kube
  [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
  ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
  kubectl get no

`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define image to use for hyperkube, CNIs and calicoctl image

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        hyperkube:
          image: gcr.io/google_containers/hyperkube:v1.6.5
      pool:
        network:
          calico:
            calicoctl_image: calico/ctl
            cni_image: calico/cni

Enable helm-tiller addon

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          helm:
            enabled: true

Enable calico-policy addon

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          calico_policy:
            enabled: true

Enable virtlet addon

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          virtlet:
            enabled: true
            namespace: kube-system
            image: mirantis/virtlet:v0.8.0
            hosts:
              - cmp01
              - cmp02

Enable netchecker addon

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          netchecker:
            enabled: true
      master:
        namespace:
          netchecker:
            enabled: true

Enable Kubernetes Federation control plane

.. code-block:: yaml

  parameters:
    kubernetes:
      master:
        federation:
          enabled: True
          name: federation
          namespace: federation-system
          source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
          hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
          service_type: NodePort
          dns_provider: coredns
          childclusters:
            - secondcluster.mydomain
            - thirdcluster.mydomain

Enable external DNS addon with CoreDNS provider

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          coredns:
            enabled: True
          externaldns:
            enabled: True
            domain: company.mydomain
            provider: coredns

Enable external DNS addon with Designate provider

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          externaldns:
            enabled: True
            domain: company.mydomain
            provider: designate
            designate_os_options:
              OS_AUTH_URL: https://keystone_auth_endpoint:5000
              OS_PROJECT_DOMAIN_NAME: default
              OS_USER_DOMAIN_NAME: default
              OS_PROJECT_NAME: admin
              OS_USERNAME: admin
              OS_PASSWORD: password
              OS_REGION_NAME: RegionOne

Enable external DNS addon with AWS provider

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          externaldns:
            enabled: True
            domain: company.mydomain
            provider: aws
            aws_options:
              AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
              AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable external DNS addon with Google CloudDNS provider

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        addons:
          externaldns:
            enabled: True
            domain: company.mydomain
            provider: google
            google_options:
              key: ''
              project: default-123

The `key` should be exported from the Google console and processed with
`cat key.json | tr -d '\n'`, so that the whole JSON key fits on a single line.

Enable OpenStack cloud provider

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        cloudprovider:
          enabled: True
          provider: openstack
          params:
            auth_url: https://openstack.mydomain:5000/v3
            username: nova
            password: nova
            region: RegionOne
            tenant_id: 4bce4162d8744c599e350099cfa22a0a
            domain_name: default
            subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
            lb_version: v2

Configure service verbosity

.. code-block:: yaml

  parameters:
    kubernetes:
      master:
        verbosity: 2
      pool:
        verbosity: 2

Set cluster name and domain

.. code-block:: yaml

  parameters:
    kubernetes:
      common:
        kubernetes_cluster_domain: mycluster.domain
        cluster_name: mycluster

Enable autoscaler for the dns addon. The poll period can be omitted.

.. code-block:: yaml

  kubernetes:
    common:
      addons:
        dns:
          domain: cluster.local
          enabled: true
          replicas: 1
          server: 10.254.0.10
          autoscaler:
            enabled: true
            poll-period-seconds: 60

Pass additional parameters to daemons:

.. code-block:: yaml

  parameters:
    kubernetes:
      master:
        apiserver:
          daemon_opts:
            storage-backend: pigeon
        controller_manager:
          daemon_opts:
            log-dir: /dev/nulL
      pool:
        kubelet:
          daemon_opts:
            max-pods: "6"

Containers on pool definitions in pool.service.local

.. code-block:: yaml

  parameters:
    kubernetes:
      pool:
        service:
          local:
            enabled: False
            service: libvirt
            cluster: openstack-compute
            namespace: default
            role: ${linux:system:name}
            type: LoadBalancer
            kind: Deployment
            apiVersion: extensions/v1beta1
            replicas: 1
            host_pid: True
            nodeSelector:
              - key: openstack
                value: ${linux:system:name}
            hostNetwork: True
            container:
              libvirt-compute:
                privileged: True
                image: ${_param:docker_repository}/libvirt-compute
                tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

  kubernetes:
    common:
      cluster_name: cluster
      addons:
        dns:
          domain: cluster.local
          enabled: true
          replicas: 1
          server: 10.254.0.10
    master:
      admin:
        password: password
        username: admin
      apiserver:
        address: 10.0.175.100
        secure_port: 443
        insecure_address: 127.0.0.1
        insecure_port: 8080
      ca: kubernetes
      enabled: true
      etcd:
        host: 127.0.0.1
        members:
          - host: 10.0.175.100
            name: node040
        name: node040
        token: ca939ec9c2a17b0786f6d411fe019e9b
      kubelet:
        allow_privileged: true
      network:
        cnis:
          - calico
        service_addresses: 10.254.0.0/16
      storage:
        engine: glusterfs
        members:
          - host: 10.0.175.101
            port: 24007
          - host: 10.0.175.102
            port: 24007
          - host: 10.0.175.103
            port: 24007
        port: 24007
      token:
        admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
        controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
        dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
        kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
        kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
        monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
        scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
      version: v1.2.4

  kubernetes:
    pool:
      address: 0.0.0.0
      allow_privileged: true
      ca: kubernetes
      cluster_dns: 10.254.0.10
      cluster_domain: cluster.local
      enabled: true
      kubelet:
        allow_privileged: true
        config: /etc/kubernetes/manifests
        frequency: 5s
      master:
        apiserver:
          members:
            - host: 10.0.175.100
        etcd:
          members:
            - host: 10.0.175.100
        host: 10.0.175.100
      network:
        cnis:
          - calico
      token:
        kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
        kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
      version: v1.2.4

Enable basic, token and http authentication, disable ssl auth, create some
static users:

.. code-block:: yaml

  kubernetes:
    master:
      auth:
        basic:
          enabled: true
          user:
            jdoe:
              password: dummy
              groups:
                - system:admin
        http:
          enabled: true
          header:
            user: X-Remote-User
            group: X-Remote-Group
        ssl:
          enabled: false
        token:
          enabled: true
          user:
            jdoe:
              token: dummytoken
              groups:
                - system:admin

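The pillar above defines static credentials that the apiserver loads from files when it starts. The following Python is an added example (not part of the formula) that renders such a pillar into the apiserver's static credential file format and lists what a reviewer would flag. It assumes the classic ``--basic-auth-file`` (password,user,uid,groups) and ``--token-auth-file`` (token,user,uid,groups) CSV layouts, uses the user name as uid because the pillar carries none, and the finding codes and the 16-character minimum are this example's own policy, not the formula's.

```python
"""Render the ``kubernetes:master:auth`` pillar into kube-apiserver static
credential files and list review findings.

Added example, not code from the formula. Assumptions (not from the page):
``--basic-auth-file`` and ``--token-auth-file`` CSV layouts, uid == user
name, and the finding codes / minimum secret length are this example's own.
"""
import csv
import io
import json

# Constructed sample: the auth pillar from the README section above.
SAMPLE_AUTH = {
    "basic": {
        "enabled": True,
        "user": {"jdoe": {"password": "dummy", "groups": ["system:admin"]}},
    },
    "http": {
        "enabled": True,
        "header": {"user": "X-Remote-User", "group": "X-Remote-Group"},
    },
    "ssl": {"enabled": False},
    "token": {
        "enabled": True,
        "user": {"jdoe": {"token": "dummytoken", "groups": ["system:admin"]}},
    },
}

# Which pillar key holds the secret for each file-backed method.
SECRET_KEY = {"basic": "password", "token": "token"}
MIN_SECRET_LEN = 16  # example policy, not a Kubernetes requirement


def render_static_file(auth, method):
    """Return the CSV text for ``basic`` or ``token`` auth; "" if disabled."""
    if method not in SECRET_KEY:
        raise ValueError(f"no static file for auth method {method!r}")
    section = auth.get(method, {})
    if not section.get("enabled"):
        return ""
    buf = io.StringIO()
    # QUOTE_MINIMAL quotes the groups field only when it holds several groups.
    writer = csv.writer(buf, lineterminator="\n")
    for name, spec in sorted(section.get("user", {}).items()):
        groups = ",".join(spec.get("groups", []))
        writer.writerow([spec[SECRET_KEY[method]], name, name, groups])
    return buf.getvalue()


def audit_auth(auth):
    """Return finding codes for this auth pillar, in a stable order."""
    findings = []
    http_on = auth.get("http", {}).get("enabled")
    ssl_on = auth.get("ssl", {}).get("enabled", True)
    if http_on and not ssl_on:
        # Header auth trusts X-Remote-User as set by a front proxy; with ssl
        # auth off nothing ties those headers to a verified proxy, so the
        # apiserver must not be reachable by clients that can set them.
        findings.append("http-auth-without-ssl")
    for method in ("basic", "token"):
        section = auth.get(method, {})
        if not section.get("enabled"):
            continue
        for name, spec in sorted(section.get("user", {}).items()):
            if len(spec.get(SECRET_KEY[method], "")) < MIN_SECRET_LEN:
                findings.append(f"short-{method}-secret:{name}")
            if any(g in ("system:admin", "system:masters")
                   for g in spec.get("groups", [])):
                # A static-file credential can only be revoked by editing the
                # file and restarting the apiserver.
                findings.append(f"static-admin-{method}:{name}")
    return findings


if __name__ == "__main__":
    print(render_static_file(SAMPLE_AUTH, "basic"), end="")
    print(render_static_file(SAMPLE_AUTH, "token"), end="")
    print(json.dumps(audit_auth(SAMPLE_AUTH), indent=2))
```

Both files are read only when kube-apiserver starts, so rotating a leaked static token means changing the pillar and restarting the apiserver; ``audit_auth`` is the place to encode whatever minimum secret length and group policy a deployment actually enforces.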
Kubernetes with OpenContrail network plugin
------------------------------------------------

On Master:

.. code-block:: yaml

  kubernetes:
    common:
      addons:
        contrail_network_controller:
          enabled: true
          namespace: kube-system
          image: yashulyak/contrail-controller:latest
    master:
      network:
        cnis:
          - opencontrail
        contrail:
          default_domain: default-domain
          default_project: default-domain:default-project
          public_network: default-domain:default-project:Public
          public_ip_range: 185.22.97.128/26
          private_ip_range: 10.150.0.0/16
          service_cluster_ip_range: 10.254.0.0/16
          network_label: name
          service_label: uses
          cluster_service: kube-system/default
          config:
            api:
              host: 10.0.170.70

On pools:

.. code-block:: yaml

  kubernetes:
    pool:
      network:
        cnis:
          - opencontrail

Dashboard public IP must be configured when Contrail network is used:

.. code-block:: yaml

  kubernetes:
    common:
      addons:
        public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controllermanager, kube-proxy and etcd run in docker containers through manifests. For a stable production environment they should be run in systemd.

.. code-block:: yaml

  kubernetes:
    master:
      container: false

  kubernetes:
    pool:
      container: false

Because the k8s services run under the kube user without root privileges, the secure port of the apiserver needs to be changed to a non-privileged one.

.. code-block:: yaml

  kubernetes:
    master:
      apiserver:
        secure_port: 8081

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

  kubernetes:
    master:
      network:
        cnis:
          - flannel

On pools:

.. code-block:: yaml

  kubernetes:
    pool:
      network:
        cnis:
          - flannel

Kubernetes with Calico
-----------------------

On Master:

.. code-block:: yaml

  kubernetes:
    master:
      network:
        cnis:
          - calico
        calico:
          mtu: 1500
          # If you don't register master as node:
          etcd:
            members:
              - host: 10.0.175.101
                port: 4001
              - host: 10.0.175.102
                port: 4001
              - host: 10.0.175.103
                port: 4001

On pools:

.. code-block:: yaml

  kubernetes:
    pool:
      network:
        cnis:
          - calico
        calico:
          mtu: 1500
          etcd:
            members:
              - host: 10.0.175.101
                port: 4001
              - host: 10.0.175.102
                port: 4001
              - host: 10.0.175.103
                port: 4001

Running with secured etcd:

.. code-block:: yaml

  kubernetes:
    pool:
      network:
        cnis:
          - calico
        calico:
          etcd:
            ssl:
              enabled: true
    master:
      network:
        cnis:
          - calico
        calico:
          etcd:
            ssl:
              enabled: true

Running with calico-policy controller:

.. code-block:: yaml

  kubernetes:
    pool:
      network:
        cnis:
          - calico
      addons:
        calico_policy:
          enabled: true
    master:
      network:
        cnis:
          - calico
      addons:
        calico_policy:
          enabled: true

Enable Prometheus metrics in Felix

.. code-block:: yaml

  kubernetes:
    pool:
      network:
        calico:
          prometheus:
            enabled: true
    master:
      network:
        calico:
          prometheus:
            enabled: true

Post deployment configuration

.. code-block:: bash

  # set ETCD
  export ETCD_AUTHORITY=10.0.111.201:4001

  # Set NAT for pods subnet
  calicoctl pool add 192.168.0.0/16 --nat-outgoing

  # Status commands
  calicoctl status
  calicoctl node show

Kubernetes with GlusterFS for storage
---------------------------------------------

.. code-block:: yaml

  kubernetes:
    master:
      ...
      storage:
        engine: glusterfs
        port: 24007
        members:
          - host: 10.0.175.101
            port: 24007
          - host: 10.0.175.102
            port: 24007
          - host: 10.0.175.103
            port: 24007
      ...

Kubernetes Storage Class
------------------------

AWS EBS storageclass integration. It also requires creating an IAM policy and instance profiles, and tagging all resources with KubernetesCluster in EC2.

.. code-block:: yaml

  kubernetes:
    common:
      addons:
        storageclass:
          aws_slow:
            enabled: True
            default: True
            provisioner: aws-ebs
            name: slow
            type: gp2
            iopspergb: "10"
            zones: xxx
          nfs_shared:
            name: elasti01
            enabled: True
            provisioner: nfs
            spec:
              name: elastic_data
              nfs:
                server: 10.0.0.1
                path: /exported_path

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

  kubernetes:
    master:
      ...
      namespace:
        kube-system:
          enabled: True
        namespace2:
          enabled: True
        namespace3:
          enabled: False
      ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

  kubernetes:
    master:
      label:
        label01:
          value: value01
          node: node01
          enabled: true
          key: key01
      ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

  kubernetes:
    master:
      ...
      registry:
        secret:
          registry01:
            enabled: True
            key: (get from `cat /root/.docker/config.json | base64`)
            namespace: default
      ...
    control:
      ...
      service:
        service01:
          ...
          image_pull_secretes: registry01
      ...

Kubernetes Service Definitions in pillars
==========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
---------------------

.. code-block:: yaml

  salt:
    control:
      enabled: True
      hostNetwork: True
      service:
        memcached:
          privileged: True
          service: memcached
          role: server
          type: LoadBalancer
          replicas: 3
          kind: Deployment
          apiVersion: extensions/v1beta1
          ports:
            - port: 8774
              name: nova-api
            - port: 8775
              name: nova-metadata
          volume:
            volume_name:
              type: hostPath
              mount: /certs
              path: /etc/certs
          container:
            memcached:
              image: memcached
              tag: 2
              ports:
                - port: 8774
                  name: nova-api
                - port: 8775
                  name: nova-metadata
              variables:
                - name: HTTP_TLS_CERTIFICATE
                  value: /certs/domain.crt
                - name: HTTP_TLS_KEY
                  value: /certs/domain.key
              volumes:
                - name: /etc/certs
                  type: hostPath
                  mount: /certs
                  path: /etc/certs

PetSet manifest
---------------------

.. code-block:: yaml

  service:
    memcached:
      apiVersion: apps/v1alpha1
      kind: PetSet
      service_name: 'memcached'
      container:
        memcached:
          ...

Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: e.g. in the nova formula there's a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

  kubernetes:
    control:
      config_type: default|kubernetes # Output is yaml k8s or default single files
      configmap:
        nova-control:
          grains:
            # Alternate grains as OS running in container may differ from
            # salt minion OS. Needed only if grains matters for config
            # generation.
            os_family: Debian
          pillar:
            # Generic pillar for nova controller
            nova:
              controller:
                enabled: true
                version: liberty
                ...

To tell which services support config generation, you need to ensure a pillar
structure like this to determine support:

.. code-block:: yaml

  nova:
    _support:
      config:
        enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

  kubernetes:
    control:
      service:
        memcached:
          init_containers:
            - name: test-mysql
              image: busybox
              command:
                - sleep
                - 3600
              volumes:
                - name: config
                  mount: /test
            - name: test-memcached
              image: busybox
              command:
                - sleep
                - 3600
              volumes:
                - name: config
                  mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

  kubernetes:
    control:
      service:
        memcached:
          affinity:
            pod_affinity:
              name: podAffinity
              expression:
                label_selector:
                  name: labelSelector
                  selectors:
                    - key: app
                      value: memcached
              topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

  kubernetes:
    control:
      service:
        memcached:
          affinity:
            anti_affinity:
              name: podAntiAffinity
              expression:
                label_selector:
                  name: labelSelector
                  selectors:
                    - key: app
                      value: opencontrail-control
              topology_key: kubernetes.io/hostname

nodeAffinity
===============

Example pillar:

.. code-block:: yaml

  kubernetes:
    control:
      service:
        memcached:
          affinity:
            node_affinity:
              name: nodeAffinity
              expression:
                match_expressions:
                  name: matchExpressions
                  selectors:
                    - key: key
                      operator: In
                      values:
                        - value1
                        - value2

Volumes
-------

hostPath
==========

.. code-block:: yaml

  service:
    memcached:
      container:
        memcached:
          volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
      ...
      volume:
        volume1:
          name: /etc/certs
          type: hostPath
          path: /etc/certs

emptyDir
========

.. code-block:: yaml

  service:
    memcached:
      container:
        memcached:
          volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
      ...
      volume:
        volume1:
          name: /etc/certs
          type: emptyDir

configMap
=========

.. code-block:: yaml

  service:
    memcached:
      container:
        memcached:
          volumes:
            - name: volume1
              mountPath: /volume
              readOnly: True
      ...
      volume:
        volume1:
          type: config_map
          item:
            configMap1:
              key: config.conf
              path: config.conf
            configMap2:
              key: policy.json
              path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

  service:
    memcached:
      container:
        memcached:
          volumes:
            - name: volume1
              mountPath: /volume/config.conf
              sub_path: config.conf

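The ``volume`` / ``volumes`` split above (pod-level definitions versus per-container mounts) maps onto the ``volumes`` and ``volumeMounts`` lists of a pod spec. The following Python is an added example, not the formula's own template, that performs that mapping for the hostPath, emptyDir and configMap cases shown in this section and flags hostPath volumes mounted read-write. It assumes a ``config_map`` volume references a ConfigMap named after the volume unless a ``name`` key is given, that the ``item`` entries become ``items``, and that ``sub_path`` maps to ``subPath``; the function names and the sample service are this example's own.

```python
"""Render the pillar ``volume``/``volumes`` structure from this section into
pod-spec ``volumes`` and ``volumeMounts``, and flag writable hostPath mounts.

Added example, not the formula's template code. Assumptions (not from the
page): ConfigMap name defaults to the volume name, ``item`` -> ``items``,
``sub_path`` -> ``subPath``.
"""
import json

# Constructed sample: a service combining the hostPath, emptyDir and
# configMap definitions above, plus the single-file (sub_path) mount.
SAMPLE_SERVICE = {
    "container": {
        "memcached": {
            "volumes": [
                {"name": "certs", "mountPath": "/certs", "readOnly": True},
                {"name": "conf", "mountPath": "/etc/app/config.conf",
                 "sub_path": "config.conf"},
                {"name": "scratch", "mountPath": "/scratch"},
            ]
        }
    },
    "volume": {
        "certs": {"type": "hostPath", "path": "/etc/certs"},
        "conf": {"type": "config_map",
                 "item": {"configMap1": {"key": "config.conf", "path": "config.conf"},
                          "configMap2": {"key": "policy.json", "path": "policy.json"}}},
        "scratch": {"type": "emptyDir"},
    },
}


def render_volume(name, spec):
    """Map one pillar ``volume`` entry to a pod-spec volume dict."""
    vtype = spec["type"]
    if vtype == "hostPath":
        return {"name": name, "hostPath": {"path": spec["path"]}}
    if vtype == "emptyDir":
        return {"name": name, "emptyDir": {}}
    if vtype == "config_map":
        items = [{"key": it["key"], "path": it["path"]}
                 for _, it in sorted(spec.get("item", {}).items())]
        config_map = {"name": spec.get("name", name)}  # assumption: name defaults to volume name
        if items:
            config_map["items"] = items
        return {"name": name, "configMap": config_map}
    raise ValueError(f"unsupported volume type {vtype!r} for volume {name}")


def render_mount(mount):
    """Map one container ``volumes`` entry to a volumeMounts dict."""
    out = {"name": mount["name"], "mountPath": mount["mountPath"],
           "readOnly": bool(mount.get("readOnly", False))}
    if "sub_path" in mount:
        out["subPath"] = mount["sub_path"]  # mount a single key instead of the directory
    return out


def render_pod_volumes(service, container):
    """Return (volumes, volumeMounts) for one container of a service."""
    volumes = [render_volume(n, s) for n, s in sorted(service.get("volume", {}).items())]
    mounts = [render_mount(m) for m in service["container"][container].get("volumes", [])]
    # A mount that names an undeclared volume is rejected by the apiserver;
    # catch it here, before the manifest is generated.
    declared = {v["name"] for v in volumes}
    missing = [m["name"] for m in mounts if m["name"] not in declared]
    if missing:
        raise ValueError(f"mounts reference undeclared volumes: {missing}")
    return volumes, mounts


def writable_hostpath_mounts(volumes, mounts):
    """Names of hostPath volumes mounted read-write: the container can then
    modify the node's filesystem, which deserves a second look in review."""
    hostpaths = {v["name"] for v in volumes if "hostPath" in v}
    return [m["name"] for m in mounts if m["name"] in hostpaths and not m["readOnly"]]


if __name__ == "__main__":
    vols, mnts = render_pod_volumes(SAMPLE_SERVICE, "memcached")
    print(json.dumps({"volumes": vols, "volumeMounts": mnts}, indent=2))
    print("writable hostPath mounts:", writable_hostpath_mounts(vols, mnts))
```

The ``readOnly`` flag in the pillar is the only thing standing between a container and the host directory behind a hostPath volume, which is why the example reports every hostPath mount that leaves it unset.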
Generating Jobs
===============

Example pillar:

.. code-block:: yaml

  kubernetes:
    control:
      job:
        sleep:
          job: sleep
          restart_policy: Never
          container:
            sleep:
              image: busybox
              tag: latest
              command:
                - sleep
                - "3600"

Volumes and variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

  kubernetes:
    control:
      job:
        host_network: True
        host_pid: True
        container:
          sleep:
            privileged: True
        node_selector:
          key: node
          value: one
        image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

  kubernetes:
    master:
      auth:
        mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and binding
for a service account:

.. code-block:: yaml

  control:
    role:
      etcd-operator:
        kind: ClusterRole
        rules:
          - apiGroups:
              - etcd.coreos.com
            resources:
              - clusters
            verbs:
              - "*"
          - apiGroups:
              - extensions
            resources:
              - thirdpartyresources
            verbs:
              - create
          - apiGroups:
              - storage.k8s.io
            resources:
              - storageclasses
            verbs:
              - create
          - apiGroups:
              - ""
            resources:
              - replicasets
            verbs:
              - "*"
        binding:
          etcd-operator:
            kind: ClusterRoleBinding
            namespace: test # <-- if no namespace, then it's clusterrolebinding
            subject:
              etcd-operator:
                kind: ServiceAccount

Simplest possible use-case, add user test edit permissions on its test
namespace:

.. code-block:: yaml

  kubernetes:
    control:
      role:
        edit:
          kind: ClusterRole
          # No rules defined, so only binding will be created assuming role
          # already exists
          binding:
            test:
              namespace: test
              subject:
                test:
                  kind: User
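
The two pillars above describe roles, bindings and subjects in the formula's own nested form. The following Python is an added example (not the formula's template code) that renders that form into Kubernetes RBAC manifests and flags rules that grant a wildcard verb or resource, which is the first thing a reviewer checks on a ClusterRole. It assumes the ``rbac.authorization.k8s.io/v1`` API, derives the binding kind from the presence of ``namespace`` as the inline comment above describes unless ``kind`` is given explicitly, emits only bindings for a role with no ``rules`` (as the second pillar expects), and defaults a ServiceAccount subject's namespace to the binding's namespace; the two sample pillars are constructed from the page.

```python
"""Render the ``kubernetes:control:role`` pillar into RBAC manifests and
flag wildcard rules.

Added example, not the formula's own code. Assumptions (not from the page):
rbac.authorization.k8s.io/v1, binding kind derived from ``namespace`` unless
``kind`` is explicit, roles without ``rules`` yield only bindings.
"""
import json

API_VERSION = "rbac.authorization.k8s.io/v1"
RBAC_GROUP = "rbac.authorization.k8s.io"

# Constructed sample: the "simplest possible use-case" pillar from above.
SAMPLE_EDIT = {
    "role": {
        "edit": {
            "kind": "ClusterRole",
            "binding": {"test": {"namespace": "test",
                                 "subject": {"test": {"kind": "User"}}}},
        }
    }
}

# Constructed sample: the etcd-operator ClusterRole from above, trimmed to
# two of its rules.
SAMPLE_ETCD_OPERATOR = {
    "role": {
        "etcd-operator": {
            "kind": "ClusterRole",
            "rules": [
                {"apiGroups": ["etcd.coreos.com"], "resources": ["clusters"], "verbs": ["*"]},
                {"apiGroups": ["extensions"], "resources": ["thirdpartyresources"],
                 "verbs": ["create"]},
            ],
            "binding": {"etcd-operator": {
                "kind": "ClusterRoleBinding",
                "namespace": "test",
                "subject": {"etcd-operator": {"kind": "ServiceAccount"}}}},
        }
    }
}


def render_rbac(control):
    """Return manifest dicts: each role (if it has rules) followed by its bindings."""
    manifests = []
    for role_name, role in control.get("role", {}).items():
        role_kind = role.get("kind", "Role")
        if role.get("rules"):
            manifests.append({"apiVersion": API_VERSION, "kind": role_kind,
                              "metadata": {"name": role_name}, "rules": role["rules"]})
        for bind_name, binding in role.get("binding", {}).items():
            namespace = binding.get("namespace")
            # Page rule: a namespace makes it a (namespaced) RoleBinding,
            # otherwise a ClusterRoleBinding; an explicit kind wins.
            kind = binding.get("kind") or ("RoleBinding" if namespace else "ClusterRoleBinding")
            metadata = {"name": bind_name}
            if kind == "RoleBinding":
                metadata["namespace"] = namespace or "default"
            subjects = []
            for subj_name, subj in binding.get("subject", {}).items():
                entry = {"kind": subj["kind"], "name": subj_name}
                if subj["kind"] == "ServiceAccount":
                    entry["namespace"] = subj.get("namespace", namespace or "default")
                else:
                    entry["apiGroup"] = RBAC_GROUP  # User and Group subjects
                subjects.append(entry)
            manifests.append({"apiVersion": API_VERSION, "kind": kind, "metadata": metadata,
                              "roleRef": {"apiGroup": RBAC_GROUP, "kind": role_kind,
                                          "name": role_name},
                              "subjects": subjects})
    return manifests


def audit_rules(manifests):
    """Return one finding per rule that uses a wildcard verb or resource."""
    findings = []
    for m in manifests:
        for rule in m.get("rules", []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                findings.append(f"{m['kind']}/{m['metadata']['name']}: wildcard on "
                                f"{rule.get('apiGroups')} {rule.get('resources')}")
    return findings


if __name__ == "__main__":
    for manifest in render_rbac(SAMPLE_EDIT) + render_rbac(SAMPLE_ETCD_OPERATOR):
        print(json.dumps(manifest, indent=2))
    print(audit_rules(render_rbac(SAMPLE_ETCD_OPERATOR)))
```

Running ``audit_rules`` over the rendered manifests before they are applied turns the ``"*"`` verbs in the etcd-operator example into an explicit review item rather than something discovered later with ``kubectl auth can-i``.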

More Information
================

* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net