==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production-ready
Kubernetes and generates Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no

`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.
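
The kubeconfig fetched by the commands above ends up holding cluster-admin credentials, so it is worth checking before it is trusted and written to disk. The following is an added example, not part of the formula and not the output of ``kubeconfig.sh`` (which the page does not show): it assumes the script emits a standard kubectl config with ``clusters``/``users``/``contexts`` entries, applies a few line-based transport-security checks (https server, no ``insecure-skip-tls-verify``, a CA pinned for the cluster) without a third-party YAML library, and installs the file with the same backup step as the shell snippet plus a ``0600`` mode. The sample kubeconfig is constructed with dummy values.

```python
"""Sanity-check and install a kubeconfig fetched from the Salt master.

Added example (not formula code). Assumes a standard kubectl config layout;
the checks are deliberately line-based so no YAML library is required.
"""
import os
import re
import stat
import tempfile
from pathlib import Path
from typing import List

SERVER_RE = re.compile(r"^\s*server:\s*(\S+)")
SKIP_TLS_RE = re.compile(r"^\s*insecure-skip-tls-verify:\s*true\b", re.IGNORECASE)
CA_RE = re.compile(r"^\s*certificate-authority(-data)?:\s*\S")


def check_kubeconfig(text: str) -> List[str]:
    """Return a list of findings; an empty list means the config looks sane."""
    lines = text.splitlines()
    findings: List[str] = []
    servers = [m.group(1) for m in map(SERVER_RE.match, lines) if m]
    if not servers:
        findings.append("no cluster server entry found")
    for srv in servers:
        if not srv.startswith("https://"):
            findings.append(f"cluster server {srv} is not https")
    if any(SKIP_TLS_RE.match(line) for line in lines):
        findings.append("insecure-skip-tls-verify is enabled: the API server identity is never verified")
    if not any(CA_RE.match(line) for line in lines):
        findings.append("no certificate-authority(-data) entry: kubectl cannot pin the API server CA")
    return findings


def install_kubeconfig(text: str, dest: Path) -> Path:
    """Back up an existing config and write the new one with mode 0600.

    Mirrors the mkdir/cp/redirect steps of the shell snippet above and refuses
    any config that fails check_kubeconfig().
    """
    problems = check_kubeconfig(text)
    if problems:
        raise ValueError("; ".join(problems))
    dest.parent.mkdir(parents=True, exist_ok=True)
    if dest.exists():
        dest.replace(dest.with_name(dest.name + "-backup"))
    # Create with a restrictive mode from the start, not chmod after the fact.
    fd = os.open(dest, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)  # enforce 0600 even under a loose umask
    return dest


# Constructed sample (not real kubeconfig.sh output); all credentials are dummies.
GOOD_KUBECONFIG = """\
apiVersion: v1
kind: Config
clusters:
- name: mycluster
  cluster:
    server: https://10.0.175.100:443
    certificate-authority-data: ZHVtbXk=
users:
- name: admin
  user:
    token: dummytoken
contexts:
- name: admin@mycluster
  context: {cluster: mycluster, user: admin}
current-context: admin@mycluster
"""

# Same config with the CA dropped, TLS verification disabled and a plain-http server.
BAD_KUBECONFIG = GOOD_KUBECONFIG.replace(
    "    certificate-authority-data: ZHVtbXk=\n",
    "    insecure-skip-tls-verify: true\n",
).replace("https://", "http://")

if __name__ == "__main__":
    print("good:", check_kubeconfig(GOOD_KUBECONFIG))
    print("bad: ", check_kubeconfig(BAD_KUBECONFIG))
    target = Path(tempfile.mkdtemp()) / ".kube" / "config"
    written = install_kubeconfig(GOOD_KUBECONFIG, target)
    print(written, oct(written.stat().st_mode & 0o777))
```

The checks are intentionally conservative: a kubeconfig that points at an ``http://`` endpoint or skips TLS verification hands the admin token to anyone who can sit between your workstation and ``kubernetes_control_address``.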

Sample Pillars
==============

**REQUIRED:** Define the images to use for hyperkube, the CNI plugins and calicoctl

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni

Enable the helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable the calico-policy addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            calico_policy:
              enabled: true

Enable the virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v1.0.3
              hosts:
                - cmp01
                - cmp02

Enable the netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable the Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable the external DNS addon with the CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable the external DNS addon with the Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable the external DNS addon with the AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable the external DNS addon with the Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google Cloud console and processed with `cat key.json | tr -d '\n'`.

Enable the OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set the cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable the autoscaler for the DNS addon. The poll period can be omitted.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool definitions in pool.service.local

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          calico:
            enabled: true
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          calico:
            enabled: true
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4

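
The master and pool definitions above carry the component tokens and the admin password as literal pillar values, and the external DNS and cloud provider samples earlier do the same with ``OS_PASSWORD``, ``AWS_SECRET_ACCESS_KEY`` and the OpenStack ``password``. Pillar files are routinely committed to git and shared in bug reports, so a defender wants a quick way to find such leaves and to redact a pillar tree before it leaves the machine. The following is an added example, not part of the formula: the key patterns, the placeholder heuristic and the sample pillar (a reduced, constructed copy of the samples on this page) are all assumptions of the example.

```python
"""Find and redact literal secrets in a pillar tree.

Added example (not formula code). The pillar below is a constructed excerpt
of the samples on this page; the key and placeholder patterns are heuristics.
"""
import re
from typing import Any, Iterator, List, Tuple

# Path components that indicate a credential-bearing leaf (heuristic, extend as needed).
SECRET_KEY_RE = re.compile(r"(password|secret|token|access_key|_key$)", re.IGNORECASE)
# Values that are obviously placeholders or pillar references rather than real secrets.
PLACEHOLDER_RE = re.compile(r"^(x+|password|dummy\w*|changeme|\$\{[^}]*\})?$", re.IGNORECASE)

# Constructed excerpt of the page's samples; every value here is a sample value.
SAMPLE_PILLAR = {
    "kubernetes": {
        "common": {
            "addons": {
                "externaldns": {
                    "enabled": True,
                    "provider": "designate",
                    "designate_os_options": {"OS_USERNAME": "admin", "OS_PASSWORD": "s3cr3t-os-pass"},
                }
            },
            "cloudprovider": {
                "enabled": True,
                "provider": "openstack",
                "params": {"username": "nova", "password": "nova", "tenant_id": "4bce4162d8744c599e350099cfa22a0a"},
            },
        },
        "master": {
            "admin": {"username": "admin", "password": "password"},
            "etcd": {"host": "127.0.0.1", "token": "ca939ec9c2a17b0786f6d411fe019e9b"},
            "token": {
                "admin": "DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv",
                "kubelet": "7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r",
            },
            "version": "v1.2.4",
        },
        "pool": {"token": {"kube_proxy": "${_param:kube_proxy_token}"}},
    }
}


def walk(node: Any, path: Tuple[str, ...] = ()) -> Iterator[Tuple[Tuple[str, ...], Any]]:
    """Yield (path, value) for every scalar leaf of a nested dict/list structure."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk(value, path + (str(key),))
    elif isinstance(node, list):
        for idx, value in enumerate(node):
            yield from walk(value, path + (str(idx),))
    else:
        yield path, node


def _is_secret(path: Tuple[str, ...], value: Any) -> bool:
    """A string leaf under a credential-looking key that is not a placeholder."""
    if not isinstance(value, str):
        return False
    if not any(SECRET_KEY_RE.search(component) for component in path):
        return False
    return PLACEHOLDER_RE.match(value) is None


def find_plaintext_secrets(pillar: dict) -> List[str]:
    """Return colon-joined pillar paths of leaves that hold a literal secret."""
    return sorted(":".join(path) for path, value in walk(pillar) if _is_secret(path, value))


def redact(node: Any, path: Tuple[str, ...] = ()) -> Any:
    """Return a deep copy of the tree with every literal secret replaced."""
    if isinstance(node, dict):
        return {k: redact(v, path + (str(k),)) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, path + (str(i),)) for i, v in enumerate(node)]
    return "<REDACTED>" if _is_secret(path, node) else node


if __name__ == "__main__":
    for finding in find_plaintext_secrets(SAMPLE_PILLAR):
        print("literal secret at", finding)
    print(redact(SAMPLE_PILLAR))
```

Leaves that already reference a parameter (``${_param:...}``) are skipped on purpose: the usual remedy for a finding is exactly that, moving the value into a separately protected parameter source and leaving only the reference in the shared pillar.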

Enable basic, token and HTTP authentication, disable SSL auth and create some
static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

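
To see what the ``auth`` pillar above turns into on the apiserver, here is an added example that is not the formula's own template code. It assumes the formula feeds the static users to kube-apiserver through ``--basic-auth-file`` and ``--token-auth-file`` (the file names under ``/srv/kubernetes`` are hypothetical) and that the ``http`` section maps to the request-header authenticator; the uid column, which the pillar does not carry, is filled with the username. Both static files share the CSV layout ``secret,user,uid,"group1,group2"``. The audit function flags short static credentials and membership in ``system:masters``, which bypasses RBAC entirely.

```python
"""Render kubernetes:master:auth into apiserver static credential files.

Added example (not formula code). File names, the uid column and the
http -> requestheader mapping are assumptions of this example.
"""
import csv
import io
from typing import Dict, List

# Constructed copy of the pillar sample above; credentials are dummies.
AUTH_PILLAR = {
    "basic": {"enabled": True, "user": {"jdoe": {"password": "dummy", "groups": ["system:admin"]}}},
    "http": {"enabled": True, "header": {"user": "X-Remote-User", "group": "X-Remote-Group"}},
    "ssl": {"enabled": False},
    "token": {"enabled": True, "user": {"jdoe": {"token": "dummytoken", "groups": ["system:admin"]}}},
}


def _render_csv(users: Dict[str, dict], secret_key: str) -> str:
    """Emit secret,user,uid,"groups" rows; the csv module quotes multi-group lists."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for name, spec in sorted(users.items()):
        writer.writerow([spec[secret_key], name, name, ",".join(spec.get("groups", []))])
    return out.getvalue()


def render_auth_files(auth: dict) -> Dict[str, str]:
    """Map file name -> file content for every enabled static authenticator."""
    files: Dict[str, str] = {}
    if auth.get("basic", {}).get("enabled"):
        files["basic_auth.csv"] = _render_csv(auth["basic"].get("user", {}), "password")
    if auth.get("token", {}).get("enabled"):
        files["known_tokens.csv"] = _render_csv(auth["token"].get("user", {}), "token")
    return files


def apiserver_flags(auth: dict, base: str = "/srv/kubernetes") -> List[str]:
    """kube-apiserver flags that consume the rendered files (base path is hypothetical)."""
    flags: List[str] = []
    if auth.get("basic", {}).get("enabled"):
        flags.append(f"--basic-auth-file={base}/basic_auth.csv")
    if auth.get("token", {}).get("enabled"):
        flags.append(f"--token-auth-file={base}/known_tokens.csv")
    if auth.get("http", {}).get("enabled"):
        hdr = auth["http"]["header"]
        # The request-header authenticator must also be given
        # --requestheader-client-ca-file, otherwise any client could set these headers.
        flags.append(f"--requestheader-username-headers={hdr['user']}")
        flags.append(f"--requestheader-group-headers={hdr['group']}")
    return flags


def audit_static_users(auth: dict, min_len: int = 16) -> List[str]:
    """Flag weak static credentials and superuser group membership."""
    findings: List[str] = []
    for kind, key in (("basic", "password"), ("token", "token")):
        if not auth.get(kind, {}).get("enabled"):
            continue
        for name, spec in auth[kind].get("user", {}).items():
            if len(spec.get(key, "")) < min_len:
                findings.append(f"{kind} user {name}: {key} shorter than {min_len} characters")
            if "system:masters" in spec.get("groups", []):
                findings.append(f"{kind} user {name}: member of system:masters, not subject to RBAC")
    return findings


if __name__ == "__main__":
    for fname, body in render_auth_files(AUTH_PILLAR).items():
        print(f"== {fname}\n{body}", end="")
    print(" ".join(apiserver_flags(AUTH_PILLAR)))
    print(audit_static_users(AUTH_PILLAR))
```

Static password and token files are convenient for bootstrapping but are read once at apiserver start and cannot be rotated without a restart; basic authentication in particular was removed from kube-apiserver in 1.19, so on newer versions only the token file and the request-header path remain.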
Kubernetes with OpenContrail network plugin
------------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          opencontrail:
            enabled: true
            default_domain: default-domain
            default_project: default-domain:default-project
            public_network: default-domain:default-project:Public
            public_ip_range: 185.22.97.128/26
            private_ip_range: 10.150.0.0/16
            service_cluster_ip_range: 10.254.0.0/16
            network_label: name
            service_label: uses
            cluster_service: kube-system/default
            config:
              api:
                host: 10.0.170.70

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          opencontrail:
            enabled: true


The dashboard public IP must be configured when the Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment they should run under systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services run under the ``kube`` user without root privileges, the apiserver's secure port has to be changed to an unprivileged port (above 1024), since port 443 cannot be bound without root.

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with MetalLB
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          metallb:
            enabled: true
            addresses:
              - 172.16.10.150-172.16.10.180
              - 172.16.10.192/26

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          flannel:
            enabled: true

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          flannel:
            enabled: true

Kubernetes with Calico
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          calico:
            enabled: true
            mtu: 1500
            # If you don't register master as node:
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            mtu: 1500
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true
      master:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true

Running with the calico-policy controller:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
          addons:
            calico_policy:
              enabled: true

      master:
        network:
          calico:
            enabled: true
          addons:
            calico_policy:
              enabled: true



Enable Prometheus metrics in Felix

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            prometheus:
              enabled: true
      master:
        network:
          calico:
            prometheus:
              enabled: true

Post deployment configuration

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
---------------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storage class integration. It also requires creating an IAM policy and instance profiles, and tagging all resources with KubernetesCluster in EC2.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

Kubernetes Service Definitions in pillars
==========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
---------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

PetSet manifest
---------------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: e.g. in the nova formula there is a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run Docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is yaml k8s or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matters for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, ensure a pillar
structure like this is present to declare support:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
              - name: test-mysql
                image: busybox
                command:
                  - sleep
                  - "3600"
                volumes:
                  - name: config
                    mount: /test
              - name: test-memcached
                image: busybox
                command:
                  - sleep
                  - "3600"
                volumes:
                  - name: config
                    mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                      - key: key
                        operator: In
                        values:
                          - value1
                          - value2

Volumes
-------

hostPath
==========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume/config.conf
                sub_path: config.conf

Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                  - sleep
                  - "3600"

Volumes and variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
role bindings. The following example shows how to create a brand new role and a binding
for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
            - apiGroups:
                - etcd.coreos.com
              resources:
                - clusters
              verbs:
                - "*"
            - apiGroups:
                - extensions
              resources:
                - thirdpartyresources
              verbs:
                - create
            - apiGroups:
                - storage.k8s.io
              resources:
                - storageclasses
              verbs:
                - create
            - apiGroups:
                - ""
              resources:
                - replicasets
              verbs:
                - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

Simplest possible use case: give user test edit permissions on its test
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001145
Ales Komarek9db8af42017-06-08 11:08:05 +02001146More Information
1147================
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001148
Ales Komarek9db8af42017-06-08 11:08:05 +02001149* https://github.com/Juniper/kubernetes/blob
1150/opencontrail-integration/docs /getting-started-guides/opencontrail.md
1151* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001152
Filip Pytlound06f6272017-02-02 13:02:03 +01001153
1154Documentation and Bugs
1155======================
1156
1157To learn how to install and update salt-formulas, consult the documentation
1158available online at:
1159
1160 http://salt-formulas.readthedocs.io/
1161
1162In the unfortunate event that bugs are discovered, they should be reported to
1163the appropriate issue tracker. Use Github issue tracker for specific salt
1164formula:
1165
1166 https://github.com/salt-formulas/salt-formula-kubernetes/issues
1167
1168For feature requests, bug reports or blueprints affecting entire ecosystem,
1169use Launchpad salt-formulas project:
1170
1171 https://launchpad.net/salt-formulas
1172
1173You can also join salt-formulas-users team and subscribe to mailing list:
1174
1175 https://launchpad.net/~salt-formulas-users
1176
1177Developers wishing to work on the salt-formulas projects should always base
1178their work on master branch and submit pull request against specific formula.
1179
1180 https://github.com/salt-formulas/salt-formula-kubernetes
1181
1182Any questions or feedback is always welcome so feel free to join our IRC
1183channel:
1184
1185 #salt-formulas @ irc.freenode.net