==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production
ready Kubernetes and generates Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no


`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define the images to use for hyperkube, the CNIs and calicoctl

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni

Enable the helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable the calico-policy addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            calico_policy:
              enabled: true

Enable the virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v0.8.0
              hosts:
                - cmp01
                - cmp02

Enable the netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable the Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable the external DNS addon with the CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable the external DNS addon with the Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable the external DNS addon with the AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable the external DNS addon with the Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google console and processed with `cat key.json | tr -d '\n'`.

Enable the OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set the cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable the autoscaler for the dns addon. The poll period may be omitted.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool definitions in pool.service.local

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          engine: calico
          service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          engine: calico
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Enable basic, token and http authentication, disable ssl auth, create some
static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

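The ``auth`` block above, together with the ``apiserver``, ``admin``, ``externaldns`` and ``cloudprovider`` settings in the earlier samples, is where most of the security-relevant choices in this pillar live. The following Python check is an added example and is not part of the formula: it walks a pillar dict and reports what a reviewer would want to look at before the pillar is applied (an ``auth.mode`` without RBAC, ``ssl`` auth disabled, static basic/token users, an apiserver ``insecure_address`` that is not loopback, and plaintext credentials under the keys this README's samples use). Both pillars in the block are constructed for the example; every credential value is a placeholder.

```python
"""Added example: review a kubernetes pillar for security-relevant settings.

Not the formula's own code. It walks the pillar keys shown in this README
(kubernetes.master.auth / apiserver / admin, common.addons.externaldns,
common.cloudprovider) and lists what a reviewer should look at.
"""

# Constructed sample pillar; every credential value is a placeholder.
SAMPLE_PILLAR = {
    "kubernetes": {
        "master": {
            "admin": {"username": "admin", "password": "password"},
            "apiserver": {"insecure_address": "0.0.0.0", "insecure_port": 8080,
                          "secure_port": 443},
            "auth": {
                "mode": "AlwaysAllow",
                "basic": {"enabled": True,
                          "user": {"jdoe": {"password": "dummy",
                                            "groups": ["system:admin"]}}},
                "ssl": {"enabled": False},
                "token": {"enabled": True,
                          "user": {"jdoe": {"token": "dummytoken"}}},
            },
        },
        "common": {
            "addons": {"externaldns": {"enabled": True, "provider": "aws",
                                       "aws_options": {
                                           "AWS_ACCESS_KEY_ID": "AKIAEXAMPLE",
                                           "AWS_SECRET_ACCESS_KEY": "examplesecret"}}},
            "cloudprovider": {"enabled": True, "provider": "openstack",
                              "params": {"username": "nova", "password": "nova"}},
        },
    }
}

# The same cluster with RBAC on, ssl auth on, loopback insecure port and no
# static users or secrets in the pillar (constructed).
HARDENED_PILLAR = {
    "kubernetes": {
        "master": {
            "apiserver": {"insecure_address": "127.0.0.1", "insecure_port": 8080},
            "auth": {"mode": "Node,RBAC", "ssl": {"enabled": True}},
        }
    }
}

# Keys under which the README samples carry credentials in plaintext.
CREDENTIAL_KEYS = {"password", "token", "OS_PASSWORD", "AWS_SECRET_ACCESS_KEY"}


def get(d, *path):
    """Return the value at a nested key path, or None if any key is missing."""
    for k in path:
        if not isinstance(d, dict) or k not in d:
            return None
        d = d[k]
    return d


def find_credentials(node, path=()):
    """Yield dotted paths of non-empty string values stored under credential keys."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k in CREDENTIAL_KEYS and isinstance(v, str) and v:
                yield ".".join(path + (k,))
            else:
                yield from find_credentials(v, path + (k,))


def review_pillar(pillar):
    """Return a sorted list of findings for the given pillar dict."""
    findings = []
    master = get(pillar, "kubernetes", "master") or {}
    auth = master.get("auth", {})

    # auth.mode is a comma-separated list of authorization modes.
    if "RBAC" not in str(auth.get("mode", "")).split(","):
        findings.append("auth.mode does not include RBAC")
    if get(auth, "ssl", "enabled") is False:
        findings.append("auth.ssl disabled: client certificate auth is off")
    for method in ("basic", "token"):
        users = get(auth, method, "user") or {}
        if get(auth, method, "enabled") and users:
            findings.append("auth.%s has %d static user(s): %s"
                            % (method, len(users), ",".join(sorted(users))))
    insecure_addr = get(master, "apiserver", "insecure_address")
    if insecure_addr and insecure_addr not in ("127.0.0.1", "localhost"):
        findings.append("apiserver.insecure_address %s is not loopback" % insecure_addr)
    for p in find_credentials(pillar):
        findings.append("plaintext credential at %s" % p)
    return sorted(findings)


if __name__ == "__main__":
    for finding in review_pillar(SAMPLE_PILLAR):
        print("- " + finding)
    print("hardened pillar findings:", review_pillar(HARDENED_PILLAR))
```

The check deliberately reads only the keys this README documents, so it runs against the Salt pillar before any render step; the plaintext-credential findings are the ones to resolve with Salt's own secret handling rather than by leaving values in the pillar tree.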
Kubernetes with OpenContrail network plugin
------------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          engine: opencontrail
          default_domain: default-domain
          default_project: default-domain:default-project
          public_network: default-domain:default-project:Public
          public_ip_range: 185.22.97.128/26
          private_ip_range: 10.150.0.0/16
          service_cluster_ip_range: 10.254.0.0/16
          network_label: name
          service_label: uses
          cluster_service: kube-system/default
          config:
            api:
              host: 10.0.170.70

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: opencontrail


The dashboard public IP must be configured when the Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers started from manifests. For a stable production environment they should run under systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services then run under the ``kube`` user without root privileges, the apiserver secure port has to be changed to an unprivileged port:

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: flannel
          # If you don't register master as node:
          etcd:
            members:
              - host: 10.0.175.101
                port: 4001
              - host: 10.0.175.102
                port: 4001
              - host: 10.0.175.103
                port: 4001
      common:
        network:
          engine: flannel

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: flannel
          etcd:
            members:
              - host: 10.0.175.101
                port: 4001
              - host: 10.0.175.102
                port: 4001
              - host: 10.0.175.103
                port: 4001
      common:
        network:
          engine: flannel

Kubernetes with Calico
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          engine: calico
          calico:
            mtu: 1500
            # If you don't register master as node:
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          calico:
            mtu: 1500
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          calico:
            etcd:
              ssl:
                enabled: true
      master:
        network:
          engine: calico
          calico:
            etcd:
              ssl:
                enabled: true

Running with the calico-policy controller:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          engine: calico
          addons:
            calico_policy:
              enabled: true

      master:
        network:
          engine: calico
          addons:
            calico_policy:
              enabled: true



Enable Prometheus metrics in Felix

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            prometheus:
              enabled: true
      master:
        network:
          calico:
            prometheus:
              enabled: true

Post deployment configuration

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
---------------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storageclass integration. It also requires creating an IAM policy and instance profiles, and tagging all resources with ``KubernetesCluster`` in EC2.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

Kubernetes Service Definitions in pillars
==========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
---------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

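To make the mapping from the ``salt:control:service`` pillar above to a Kubernetes object concrete, here is an added Python example. It is not the formula's own template code; the key-to-field mapping is an assumption derived from the sample above (``container.*.tag`` joins the image, ``variables`` become ``env``, ``volumes`` with ``type: hostPath`` become ``volumeMounts`` plus a pod-level ``hostPath`` volume, and the service-level ``privileged`` and the control-level ``hostNetwork`` flags become pod security settings). It renders the memcached service into a Deployment dict and then lists the settings in the result that widen the pod's reach, which is what a reviewer should look at before such a manifest is applied. The sample pillar is constructed; the volume is named ``certs`` because Kubernetes volume names must be DNS labels.

```python
"""Added example: render a salt:control service entry into a Deployment.

Not the formula's Jinja templates; the key-to-field mapping is an
assumption derived from the sample pillar in this README.
"""

# Constructed sample: the memcached service from the README as a dict.
SERVICE_PILLAR = {
    "memcached": {
        "privileged": True,
        "service": "memcached",
        "role": "server",
        "replicas": 3,
        "kind": "Deployment",
        "apiVersion": "extensions/v1beta1",
        "container": {
            "memcached": {
                "image": "memcached",
                "tag": "2",
                "ports": [{"port": 8774, "name": "nova-api"},
                          {"port": 8775, "name": "nova-metadata"}],
                "variables": [{"name": "HTTP_TLS_CERTIFICATE", "value": "/certs/domain.crt"},
                              {"name": "HTTP_TLS_KEY", "value": "/certs/domain.key"}],
                "volumes": [{"name": "certs", "type": "hostPath",
                             "mount": "/certs", "path": "/etc/certs"}],
            }
        },
    }
}


def render_container(name, spec, privileged=False):
    """Map one container entry to a Kubernetes container dict."""
    container = {
        "name": name,
        "image": "%s:%s" % (spec["image"], spec.get("tag", "latest")),
        "ports": [{"containerPort": p["port"], "name": p["name"]}
                  for p in spec.get("ports", [])],
        "env": [{"name": v["name"], "value": v["value"]}
                for v in spec.get("variables", [])],
        "volumeMounts": [{"name": v["name"], "mountPath": v["mount"]}
                         for v in spec.get("volumes", [])],
    }
    # privileged may be set per service (README sample) or per container.
    if privileged or spec.get("privileged"):
        container["securityContext"] = {"privileged": True}
    return container


def render_deployment(name, svc, host_network=False):
    """Build a Deployment dict; host_network is the salt:control level flag."""
    containers = [render_container(c, s, svc.get("privileged", False))
                  for c, s in svc["container"].items()]
    volumes = [{"name": v["name"], "hostPath": {"path": v["path"]}}
               for c in svc["container"].values()
               for v in c.get("volumes", []) if v.get("type") == "hostPath"]
    pod_spec = {"containers": containers, "volumes": volumes}
    if host_network or svc.get("hostNetwork"):
        pod_spec["hostNetwork"] = True
    labels = {"app": svc["service"], "role": svc.get("role", "server")}
    return {
        "apiVersion": svc.get("apiVersion", "extensions/v1beta1"),
        "kind": svc.get("kind", "Deployment"),
        "metadata": {"name": name, "labels": labels},
        "spec": {"replicas": svc.get("replicas", 1),
                 "template": {"metadata": {"labels": labels}, "spec": pod_spec}},
    }


def privilege_findings(deployment):
    """List settings in a rendered Deployment that widen the pod's reach."""
    spec = deployment["spec"]["template"]["spec"]
    findings = []
    if spec.get("hostNetwork"):
        findings.append("hostNetwork: pod shares the node network namespace")
    for c in spec["containers"]:
        if c.get("securityContext", {}).get("privileged"):
            findings.append("container %s runs privileged" % c["name"])
    for v in spec["volumes"]:
        if "hostPath" in v:
            findings.append("hostPath volume %s exposes %s" % (v["name"], v["hostPath"]["path"]))
    return findings


if __name__ == "__main__":
    import json
    dep = render_deployment("memcached", SERVICE_PILLAR["memcached"], host_network=True)
    print(json.dumps(dep, indent=2))
    for finding in privilege_findings(dep):
        print("WARN:", finding)
```

Running the block prints the rendered Deployment followed by three warnings for the sample (host network, privileged container, hostPath mount of ``/etc/certs``); a service without those keys renders with no warnings.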
PetSet manifest
---------------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: e.g. the nova formula has a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run Docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is yaml k8s or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matters for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, make sure the pillar
contains a structure like this:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
              - name: test-mysql
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test
              - name: test-memcached
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                      - key: key
                        operator: In
                        values:
                          - value1
                          - value2

Volumes
-------

hostPath
==========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume/config.conf
                sub_path: config.conf

Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                  - sleep
                  - "3600"

Volumes and Variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
              node_selector:
                key: node
                value: one
              image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and a
binding for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
            - apiGroups:
                - etcd.coreos.com
              resources:
                - clusters
              verbs:
                - "*"
            - apiGroups:
                - extensions
              resources:
                - thirdpartyresources
              verbs:
                - create
            - apiGroups:
                - storage.k8s.io
              resources:
                - storageclasses
              verbs:
                - create
            - apiGroups:
                - ""
              resources:
                - replicasets
              verbs:
                - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

Simplest possible use case: give user test edit permissions on its test
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

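As an added example (not the formula's own ``kubernetes.control.role`` state), the Python below renders the pillar structure above into ClusterRole, ClusterRoleBinding and RoleBinding objects, applying the two rules the text states: a binding without ``namespace`` becomes a ClusterRoleBinding, and a role entry without ``rules`` produces only the binding. It then answers "can this subject do verb X on resource Y?" against the rendered rules, which is the check worth running before a cluster-wide role with ``"*"`` verbs is bound. The sample pillar is constructed from the two examples above; the ServiceAccount namespace and the ``rbac.authorization.k8s.io/v1`` API version are assumptions not present in the pillar.

```python
"""Added example: render kubernetes:control:role pillars to RBAC objects.

Not the formula's own state code; the rendering follows the two rules
stated in this README: no `namespace` on a binding -> ClusterRoleBinding,
no `rules` on a role -> only the binding is created.
"""

# Constructed sample pillar: the two README examples combined. The
# ServiceAccount namespace is an assumption (subjects of that kind need one).
ROLE_PILLAR = {
    "etcd-operator": {
        "kind": "ClusterRole",
        "rules": [
            {"apiGroups": ["etcd.coreos.com"], "resources": ["clusters"], "verbs": ["*"]},
            {"apiGroups": ["extensions"], "resources": ["thirdpartyresources"], "verbs": ["create"]},
            {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["create"]},
            {"apiGroups": [""], "resources": ["replicasets"], "verbs": ["*"]},
        ],
        "binding": {
            "etcd-operator": {
                "subject": {"etcd-operator": {"kind": "ServiceAccount", "namespace": "default"}},
            }
        },
    },
    "edit": {
        "kind": "ClusterRole",
        # No rules: the role is assumed to exist, only the binding is rendered.
        "binding": {"test": {"namespace": "test", "subject": {"test": {"kind": "User"}}}},
    },
}


def render_rbac(pillar):
    """Return the list of RBAC objects the pillar describes."""
    objects = []
    for role_name, role in pillar.items():
        if role.get("rules"):
            objects.append({
                "apiVersion": "rbac.authorization.k8s.io/v1",
                "kind": role.get("kind", "Role"),
                "metadata": {"name": role_name},
                "rules": role["rules"],
            })
        for bind_name, binding in role.get("binding", {}).items():
            namespaced = "namespace" in binding
            obj = {
                "apiVersion": "rbac.authorization.k8s.io/v1",
                "kind": "RoleBinding" if namespaced else "ClusterRoleBinding",
                "metadata": {"name": bind_name},
                "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                            "kind": role.get("kind", "Role"), "name": role_name},
                "subjects": [dict(name=n, **s) for n, s in binding["subject"].items()],
            }
            if namespaced:
                obj["metadata"]["namespace"] = binding["namespace"]
            objects.append(obj)
    return objects


def rule_allows(rule, api_group, resource, verb):
    """True if one PolicyRule grants verb on group/resource ("*" matches all)."""
    return (api_group in rule["apiGroups"] or "*" in rule["apiGroups"]) \
        and (resource in rule["resources"] or "*" in rule["resources"]) \
        and (verb in rule["verbs"] or "*" in rule["verbs"])


def subject_allowed(objects, subject_name, api_group, resource, verb):
    """Is subject_name bound to a rendered role whose rules allow this request?

    Roles that exist only in the cluster (no rules in the pillar) contribute
    nothing here, so the answer is "allowed by what this pillar defines".
    """
    roles = {o["metadata"]["name"]: o["rules"] for o in objects if o["kind"].endswith("Role")}
    for o in objects:
        if not o["kind"].endswith("Binding"):
            continue
        if not any(s["name"] == subject_name for s in o["subjects"]):
            continue
        for rule in roles.get(o["roleRef"]["name"], []):
            if rule_allows(rule, api_group, resource, verb):
                return True
    return False


if __name__ == "__main__":
    rendered = render_rbac(ROLE_PILLAR)
    for o in rendered:
        print(o["kind"], o["metadata"])
    print("etcd-operator may delete clusters:",
          subject_allowed(rendered, "etcd-operator", "etcd.coreos.com", "clusters", "delete"))
    print("etcd-operator may delete storageclasses:",
          subject_allowed(rendered, "etcd-operator", "storage.k8s.io", "storageclasses", "delete"))
```

The ``"*"`` verb on ``clusters`` and ``replicasets`` is what makes the first query succeed for ``delete`` even though ``delete`` is never written in the pillar; ``storageclasses`` only grant ``create``, so the second query is refused.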
More Information
================

* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net