==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production
ready Kubernetes and generates Kubernetes manifests as well.

You can download `kubectl` configuration and connect to your cluster. However,
keep in mind `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no


`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define image to use for hyperkube, CNIs and calicoctl image

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni

Enable helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable calico-policy addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            calico_policy:
              enabled: true

Enable virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v0.8.0
              hosts:
              - cmp01
              - cmp02

Enable netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
            - secondcluster.mydomain
            - thirdcluster.mydomain

Enable external DNS addon with CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable external DNS addon with Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable external DNS addon with AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable external DNS addon with Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google console and processed as
`cat key.json | tr -d '\n'` before it is placed in the pillar.

Enable OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable autoscaler for dns addon. Poll period can be skipped.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool definitions in pool.service.local

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
              - key: openstack
                value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
          - host: 10.0.175.100
            name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          calico:
            enabled: true
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
          - host: 10.0.175.101
            port: 24007
          - host: 10.0.175.102
            port: 24007
          - host: 10.0.175.103
            port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
            - host: 10.0.175.100
          etcd:
            members:
            - host: 10.0.175.100
          host: 10.0.175.100
        network:
          calico:
            enabled: true
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Enable basic, token and http authentication, disable ssl auth, create some
static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                - system:admin

Kubernetes with OpenContrail network plugin
------------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          opencontrail:
            enabled: true
            default_domain: default-domain
            default_project: default-domain:default-project
            public_network: default-domain:default-project:Public
            public_ip_range: 185.22.97.128/26
            private_ip_range: 10.150.0.0/16
            service_cluster_ip_range: 10.254.0.0/16
            network_label: name
            service_label: uses
            cluster_service: kube-system/default
            config:
              api:
                host: 10.0.170.70

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          opencontrail:
            enabled: true


Dashboard public IP must be configured when Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers started from manifests. For a stable production environment they should be run under systemd instead.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services then run under the kube user without root privileges, the apiserver secure port must be changed to an unprivileged one.

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

478
marcoacdae7e2015-12-02 15:35:37 +0100479Kubernetes with Flannel
480-----------------------
481
482On Master:
483
484.. code-block:: yaml
485
486 kubernetes:
487 master:
488 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200489 flannel:
490 enabled: true
marcoacdae7e2015-12-02 15:35:37 +0100491
492On pools:
493
494.. code-block:: yaml
495
496 kubernetes:
497 pool:
498 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200499 flannel:
500 enabled: true
marcoacdae7e2015-12-02 15:35:37 +0100501
502Kubernetes with Calico
503-----------------------
504
505On Master:
506
507.. code-block:: yaml
508
509 kubernetes:
510 master:
511 network:
ashestakova7b8d352018-02-27 13:54:27 +0000512 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200513 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000514 mtu: 1500
Jakub Pavlik7e985322016-07-17 13:16:15 +0200515 # If you don't register master as node:
ashestakova7b8d352018-02-27 13:54:27 +0000516 etcd:
517 members:
518 - host: 10.0.175.101
519 port: 4001
520 - host: 10.0.175.102
521 port: 4001
522 - host: 10.0.175.103
523 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100524
525On pools:
526
527.. code-block:: yaml
528
529 kubernetes:
530 pool:
531 network:
ashestakova7b8d352018-02-27 13:54:27 +0000532 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200533 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000534 mtu: 1500
535 etcd:
536 members:
537 - host: 10.0.175.101
538 port: 4001
539 - host: 10.0.175.102
540 port: 4001
541 - host: 10.0.175.103
542 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100543
Tomáš Kukrál34c59362017-03-01 14:00:37 +0100544Running with secured etcd:
545
546.. code-block:: yaml
547
548 kubernetes:
549 pool:
550 network:
ashestakova7b8d352018-02-27 13:54:27 +0000551 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200552 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000553 etcd:
554 ssl:
555 enabled: true
Tomáš Kukrál34c59362017-03-01 14:00:37 +0100556 master:
557 network:
ashestakova7b8d352018-02-27 13:54:27 +0000558 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200559 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000560 etcd:
561 ssl:
562 enabled: true
Tomáš Kukrál34c59362017-03-01 14:00:37 +0100563
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +0300564Running with calico-policy controller:
565
566.. code-block:: yaml
567
568 kubernetes:
569 pool:
570 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200571 calico:
572 enabled: true
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +0300573 addons:
574 calico_policy:
575 enabled: true
576
577 master:
578 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200579 calico:
580 enabled: true
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +0300581 addons:
582 calico_policy:
583 enabled: true
584
585
586
Tomáš Kukrál7e91a942017-03-23 16:02:52 +0100587Enable Prometheus metrics in Felix
588
589.. code-block:: yaml
590
591 kubernetes:
592 pool:
593 network:
ashestakova7b8d352018-02-27 13:54:27 +0000594 calico:
595 prometheus:
596 enabled: true
Tomáš Kukrál7e91a942017-03-23 16:02:52 +0100597 master:
598 network:
ashestakova7b8d352018-02-27 13:54:27 +0000599 calico:
600 prometheus:
601 enabled: true
Tomáš Kukrál7e91a942017-03-23 16:02:52 +0100602
Jakub Pavlik7e985322016-07-17 13:16:15 +0200603Post deployment configuration
604
605.. code-block:: bash
Jakub Pavlik232833c2016-07-17 13:21:00 +0200606
Jakub Pavlik7e985322016-07-17 13:16:15 +0200607 # set ETCD
608 export ETCD_AUTHORITY=10.0.111.201:4001
609
610 # Set NAT for pods subnet
611 calicoctl pool add 192.168.0.0/16 --nat-outgoing
612
613 # Status commands
614 calicoctl status
615 calicoctl node show
616
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200617Kubernetes with GlusterFS for storage
618---------------------------------------------
619
620.. code-block:: yaml
621
622 kubernetes:
Tomáš Kukrál4f0dae32017-03-21 19:04:19 +0100623 master:
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200624 ...
625 storage:
626 engine: glusterfs
627 port: 24007
628 members:
629 - host: 10.0.175.101
630 port: 24007
631 - host: 10.0.175.102
632 port: 24007
633 - host: 10.0.175.103
634 port: 24007
635 ...
636
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200637Kubernetes Storage Class
638------------------------
639
640AWS EBS storageclass integration. It also requires to create IAM policy and profiles for instances and tag all resources by KubernetesCluster in EC2.
641
642.. code-block:: yaml
643
644 kubernetes:
645 common:
646 addons:
647 storageclass:
648 aws_slow:
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200649 enabled: True
650 default: True
651 provisioner: aws-ebs
Petr Michalec52d4e1f2017-09-11 17:50:54 +0200652 name: slow
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200653 type: gp2
654 iopspergb: "10"
655 zones: xxx
Petr Michalec52d4e1f2017-09-11 17:50:54 +0200656 nfs_shared:
657 name: elasti01
658 enabled: True
659 provisioner: nfs
660 spec:
661 name: elastic_data
662 nfs:
663 server: 10.0.0.1
664 path: /exported_path
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200665
marco45fc1b72016-07-02 16:11:18 +0200666Kubernetes namespaces
667---------------------
668
669Create namespace:
670
671.. code-block:: yaml
672
673 kubernetes:
Tomáš Kukrál4f0dae32017-03-21 19:04:19 +0100674 master:
marco45fc1b72016-07-02 16:11:18 +0200675 ...
676 namespace:
677 kube-system:
678 enabled: True
679 namespace2:
680 enabled: True
681 namespace3:
682 enabled: False
683 ...
684
685Kubernetes labels
686-----------------
687
Marek Celoud901020b2017-01-27 14:51:41 +0100688Label node:
marco45fc1b72016-07-02 16:11:18 +0200689
690.. code-block:: yaml
691
Marek Celoud901020b2017-01-27 14:51:41 +0100692 kubernetes:
693 master:
694 label:
695 label01:
696 value: value01
697 node: node01
698 enabled: true
699 key: key01
marco45fc1b72016-07-02 16:11:18 +0200700 ...
marco45fc1b72016-07-02 16:11:18 +0200701
marcof7efecb2016-07-16 16:13:37 +0200702Pull images from private registries
703-----------------------------------
704
705.. code-block:: yaml
706
707 kubernetes:
Tomáš Kukrál4f0dae32017-03-21 19:04:19 +0100708 master:
marcof7efecb2016-07-16 16:13:37 +0200709 ...
710 registry:
711 secret:
712 registry01:
713 enabled: True
714 key: (get from `cat /root/.docker/config.json | base64`)
715 namespace: default
716 ...
717 control:
718 ...
719 service:
720 service01:
721 ...
722 image_pull_secretes: registry01
723 ...
724
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200725Kubernetes Service Definitions in pillars
726==========================================
727
728Following samples show how to generate kubernetes manifest as well and provide single tool for complete infrastructure management.
729
730Deployment manifest
731---------------------
marcoacdae7e2015-12-02 15:35:37 +0100732
733.. code-block:: yaml
734
735 salt:
736 control:
737 enabled: True
738 hostNetwork: True
739 service:
740 memcached:
741 privileged: True
742 service: memcached
743 role: server
744 type: LoadBalancer
745 replicas: 3
746 kind: Deployment
747 apiVersion: extensions/v1beta1
748 ports:
749 - port: 8774
750 name: nova-api
751 - port: 8775
752 name: nova-metadata
753 volume:
754 volume_name:
755 type: hostPath
756 mount: /certs
757 path: /etc/certs
758 container:
759 memcached:
760 image: memcached
761 tag:2
762 ports:
763 - port: 8774
764 name: nova-api
765 - port: 8775
766 name: nova-metadata
767 variables:
768 - name: HTTP_TLS_CERTIFICATE:
769 value: /certs/domain.crt
770 - name: HTTP_TLS_KEY
771 value: /certs/domain.key
772 volumes:
773 - name: /etc/certs
774 type: hostPath
775 mount: /certs
776 path: /etc/certs
777
marcobe30c8d2016-10-11 19:16:35 +0200778PetSet manifest
779---------------------
780
781.. code-block:: yaml
782
783 service:
784 memcached:
785 apiVersion: apps/v1alpha1
786 kind: PetSet
787 service_name: 'memcached'
788 container:
789 memcached:
790 ...
791
792
Filip Pytloun9a4a40f2016-09-22 16:28:19 +0200793Configmap
794---------
795
796You are able to create configmaps using support layer between formulas.
797It works simple, eg. in nova formula there's file ``meta/config.yml`` which
798defines config files used by that service and roles.
799
800Kubernetes formula is able to generate these files using custom pillar and
801grains structure. This way you are able to run docker images built by any way
802while still re-using your configuration management.
803
804Example pillar:
805
806.. code-block:: bash
807
808 kubernetes:
809 control:
Jakub Pavlika2779722016-11-25 15:35:26 +0100810 config_type: default|kubernetes # Output is yaml k8s or default single files
Filip Pytloun9a4a40f2016-09-22 16:28:19 +0200811 configmap:
812 nova-control:
813 grains:
814 # Alternate grains as OS running in container may differ from
815 # salt minion OS. Needed only if grains matters for config
816 # generation.
817 os_family: Debian
818 pillar:
819 # Generic pillar for nova controller
820 nova:
821 controller:
822 enabled: true
823 versionn: liberty
824 ...
825
826To tell which services supports config generation, you need to ensure pillar
827structure like this to determine support:
828
829.. code-block:: yaml
830
831 nova:
832 _support:
833 config:
834 enabled: true
835
marcod4d3dbd2016-09-27 11:36:40 +0200836initContainers
837--------------
838
839Example pillar:
840
841.. code-block:: bash
842
843 kubernetes:
844 control:
845 service:
846 memcached:
847 init_containers:
848 - name: test-mysql
849 image: busybox
850 command:
851 - sleep
852 - 3600
853 volumes:
854 - name: config
855 mount: /test
856 - name: test-memcached
857 image: busybox
858 command:
859 - sleep
860 - 3600
861 volumes:
862 - name: config
863 mount: /test
864
marcoee859d32016-11-07 11:04:57 +0100865Affinity
866--------
867
868podAffinity
869===========
870
871Example pillar:
872
873.. code-block:: bash
874
875 kubernetes:
876 control:
877 service:
878 memcached:
879 affinity:
880 pod_affinity:
881 name: podAffinity
882 expression:
883 label_selector:
884 name: labelSelector
885 selectors:
886 - key: app
887 value: memcached
888 topology_key: kubernetes.io/hostname
889
890podAntiAffinity
891===============
892
893Example pillar:
894
895.. code-block:: bash
896
897 kubernetes:
898 control:
899 service:
900 memcached:
901 affinity:
902 anti_affinity:
903 name: podAntiAffinity
904 expression:
905 label_selector:
906 name: labelSelector
907 selectors:
908 - key: app
909 value: opencontrail-control
910 topology_key: kubernetes.io/hostname
911
912nodeAffinity
913===============
914
915Example pillar:
916
917.. code-block:: bash
918
919 kubernetes:
920 control:
921 service:
922 memcached:
923 affinity:
924 node_affinity:
925 name: nodeAffinity
926 expression:
927 match_expressions:
928 name: matchExpressions
929 selectors:
930 - key: key
931 operator: In
932 values:
933 - value1
934 - value2
935
marcoacdae7e2015-12-02 15:35:37 +0100936Volumes
937-------
938
939hostPath
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200940==========
marcoacdae7e2015-12-02 15:35:37 +0100941
942.. code-block:: yaml
943
marcob469f882016-09-27 09:56:13 +0200944 service:
marcoacdae7e2015-12-02 15:35:37 +0100945 memcached:
marcob469f882016-09-27 09:56:13 +0200946 container:
947 memcached:
948 volumes:
949 - name: volume1
950 mountPath: /volume
951 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +0100952 ...
marcob469f882016-09-27 09:56:13 +0200953 volume:
954 volume1:
955 name: /etc/certs
956 type: hostPath
957 path: /etc/certs
marcoacdae7e2015-12-02 15:35:37 +0100958
959emptyDir
Ales Komarek688a04c2016-07-15 15:12:30 +0200960========
marcoacdae7e2015-12-02 15:35:37 +0100961
962.. code-block:: yaml
963
marcob469f882016-09-27 09:56:13 +0200964 service:
marcoacdae7e2015-12-02 15:35:37 +0100965 memcached:
marcob469f882016-09-27 09:56:13 +0200966 container:
967 memcached:
968 volumes:
969 - name: volume1
970 mountPath: /volume
971 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +0100972 ...
marcob469f882016-09-27 09:56:13 +0200973 volume:
974 volume1:
975 name: /etc/certs
976 type: emptyDir
977
978configMap
979=========
980
981.. code-block:: yaml
982
983 service:
984 memcached:
985 container:
986 memcached:
987 volumes:
988 - name: volume1
989 mountPath: /volume
990 readOnly: True
991 ...
992 volume:
993 volume1:
994 type: config_map
995 item:
996 configMap1:
997 key: config.conf
998 path: config.conf
999 configMap2:
1000 key: policy.json
1001 path: policy.json
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001002
marco0eda4fb2016-10-10 19:08:27 +02001003To mount single configuration file instead of whole directory:
1004
1005.. code-block:: yaml
1006
1007 service:
1008 memcached:
1009 container:
1010 memcached:
1011 volumes:
1012 - name: volume1
1013 mountPath: /volume/config.conf
1014 sub_path: config.conf
1015
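The added example below (my illustrative re-implementation, not the formula's own template) renders a `salt:control:service` entry like the Deployment manifest sample into the Kubernetes object it describes, covering the `volume`/`volumes` pairing, `sub_path` and the `privileged`/`hostNetwork` flags from the Volumes sections above. Key names such as `mountPath`, `mount`, `readOnly`, `sub_path` and `item` are taken from the samples; the rule that a `config_map` volume is named after its pillar key is an assumption.

```python
"""Render one `salt:control:service` entry into a Deployment manifest.

Illustrative re-implementation of the mapping the README samples imply; it is
not the formula's own template. Output field names are the Kubernetes API's.
Assumed pillar keys: `mountPath` (or `mount`), `readOnly`, `sub_path`, `item`.
"""


def _volume_source(vname, spec):
    """Map a pillar volume `type` to a pod-level volume source."""
    if spec["type"] == "hostPath":
        return {"hostPath": {"path": spec["path"]}}
    if spec["type"] == "emptyDir":
        return {"emptyDir": {}}
    if spec["type"] == "config_map":
        items = [{"key": i["key"], "path": i["path"]} for i in spec.get("item", {}).values()]
        # Assumption: the ConfigMap is named after the volume unless `name` is set.
        return {"configMap": {"name": spec.get("name", vname), "items": items}}
    raise ValueError(f"unsupported volume type {spec['type']!r}")


def _mount(v):
    """Container-side mount; `mount` and `mountPath` are both accepted."""
    mount = {"name": v["name"],
             "mountPath": v.get("mountPath", v.get("mount")),
             "readOnly": bool(v.get("readOnly", False))}
    if "sub_path" in v:  # mount a single file instead of the whole directory
        mount["subPath"] = v["sub_path"]
    return mount


def render_deployment(name, svc):
    """Build a Deployment dict from a service entry under salt:control:service."""
    containers = []
    for cname, c in svc.get("container", {}).items():
        container = {
            "name": cname,
            "image": f"{c['image']}:{c['tag']}",
            "ports": [{"containerPort": p["port"], "name": p["name"]} for p in c.get("ports", [])],
            "env": [{"name": v["name"], "value": v["value"]} for v in c.get("variables", [])],
            "volumeMounts": [_mount(v) for v in c.get("volumes", [])],
        }
        # `privileged` at service level applies to every container of the pod;
        # such containers can reach the host kernel, so review them explicitly.
        if svc.get("privileged") or c.get("privileged"):
            container["securityContext"] = {"privileged": True}
        containers.append(container)

    pod_spec = {
        "containers": containers,
        "volumes": [dict(name=vname, **_volume_source(vname, v))
                    for vname, v in svc.get("volume", {}).items()],
    }
    if svc.get("hostNetwork"):
        pod_spec["hostNetwork"] = True

    labels = {"app": svc["service"], "role": svc["role"]}
    return {
        "apiVersion": svc.get("apiVersion", "extensions/v1beta1"),
        "kind": svc.get("kind", "Deployment"),
        "metadata": {"name": name, "labels": labels},
        "spec": {"replicas": svc.get("replicas", 1),
                 "template": {"metadata": {"labels": labels}, "spec": pod_spec}},
    }


# Constructed sample: the README's memcached service with a hostPath volume and
# a config_map volume mounted as a single file through sub_path.
SAMPLE_SERVICE = {
    "privileged": True, "service": "memcached", "role": "server",
    "type": "LoadBalancer", "replicas": 3,
    "kind": "Deployment", "apiVersion": "extensions/v1beta1",
    "volume": {
        "certs": {"type": "hostPath", "path": "/etc/certs"},
        "conf": {"type": "config_map",
                 "item": {"configMap1": {"key": "config.conf", "path": "config.conf"}}},
    },
    "container": {
        "memcached": {
            "image": "memcached", "tag": 2,
            "ports": [{"port": 8774, "name": "nova-api"}, {"port": 8775, "name": "nova-metadata"}],
            "variables": [{"name": "HTTP_TLS_CERTIFICATE", "value": "/certs/domain.crt"},
                          {"name": "HTTP_TLS_KEY", "value": "/certs/domain.key"}],
            "volumes": [{"name": "certs", "mountPath": "/certs", "readOnly": True},
                        {"name": "conf", "mountPath": "/volume/config.conf", "sub_path": "config.conf"}],
        }
    },
}

if __name__ == "__main__":
    import json
    print(json.dumps(render_deployment("memcached", SAMPLE_SERVICE), indent=2))
```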
Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                - sleep
                - "3600"

Volumes and Variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and a binding
for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
          - apiGroups:
            - etcd.coreos.com
            resources:
            - clusters
            verbs:
            - "*"
          - apiGroups:
            - extensions
            resources:
            - thirdpartyresources
            verbs:
            - create
          - apiGroups:
            - storage.k8s.io
            resources:
            - storageclasses
            verbs:
            - create
          - apiGroups:
            - ""
            resources:
            - replicasets
            verbs:
            - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

Simplest possible use-case: give user test edit permissions on its test
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

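As an added example (my own reading of the rules stated in this section, not the `kubernetes.control.role` state itself), the following turns the two pillar samples above into the RBAC manifests they imply and flags roles that grant wildcard verbs or resources so they can be reviewed before being applied. The RoleBinding-versus-ClusterRoleBinding rule when `kind` is absent and the ServiceAccount namespace default are assumptions.

```python
"""Turn `kubernetes:control:role` pillar data into RBAC manifests.

Illustrative reading of the rules stated in this section, not the formula's
own state code. Assumptions: a role entry with `rules` becomes a
Role/ClusterRole and one without only yields its bindings; a binding with
`namespace` becomes a RoleBinding and one without a ClusterRoleBinding unless
`kind` is set; a ServiceAccount subject lives in the binding's namespace.
"""

RBAC_GROUP = "rbac.authorization.k8s.io"


def _role_manifest(name, role):
    """Role or ClusterRole carrying the pillar's `rules` list verbatim."""
    kind = role.get("kind", "Role")
    meta = {"name": name}
    if kind == "Role":  # namespaced kind; assume `default` when unset
        meta["namespace"] = role.get("namespace", "default")
    return {"apiVersion": f"{RBAC_GROUP}/v1", "kind": kind,
            "metadata": meta, "rules": role["rules"]}


def _binding_manifest(role_name, role_kind, binding_name, binding):
    """(Cluster)RoleBinding pointing the pillar's subjects at the role."""
    namespace = binding.get("namespace")
    kind = binding.get("kind") or ("RoleBinding" if namespace else "ClusterRoleBinding")
    meta = {"name": binding_name}
    if kind == "RoleBinding":
        meta["namespace"] = namespace
    subjects = []
    for sname, s in binding.get("subject", {}).items():
        subject = {"kind": s["kind"], "name": sname}
        if s["kind"] == "ServiceAccount":
            subject["namespace"] = s.get("namespace", namespace or "default")
        else:  # User and Group subjects carry the RBAC apiGroup
            subject["apiGroup"] = RBAC_GROUP
        subjects.append(subject)
    return {"apiVersion": f"{RBAC_GROUP}/v1", "kind": kind, "metadata": meta,
            "roleRef": {"apiGroup": RBAC_GROUP, "kind": role_kind, "name": role_name},
            "subjects": subjects}


def render_rbac(control):
    """Manifests for every entry under control['role'], roles before bindings."""
    manifests = []
    for role_name, role in control.get("role", {}).items():
        role_kind = role.get("kind", "Role")
        if role.get("rules"):  # no rules: bind to a role that already exists
            manifests.append(_role_manifest(role_name, role))
        for binding_name, binding in role.get("binding", {}).items():
            manifests.append(_binding_manifest(role_name, role_kind, binding_name, binding))
    return manifests


def overly_broad(manifests):
    """Names of (Cluster)Roles whose rules grant `*` verbs or resources."""
    return [m["metadata"]["name"] for m in manifests
            if m["kind"] in ("Role", "ClusterRole")
            and any("*" in r.get("verbs", []) or "*" in r.get("resources", [])
                    for r in m["rules"])]


# Constructed sample: the two README cases above in one `control` pillar.
SAMPLE_CONTROL = {
    "role": {
        "etcd-operator": {
            "kind": "ClusterRole",
            "rules": [
                {"apiGroups": ["etcd.coreos.com"], "resources": ["clusters"], "verbs": ["*"]},
                {"apiGroups": ["extensions"], "resources": ["thirdpartyresources"],
                 "verbs": ["create"]},
            ],
            "binding": {
                "etcd-operator": {"kind": "ClusterRoleBinding", "namespace": "test",
                                  "subject": {"etcd-operator": {"kind": "ServiceAccount"}}},
            },
        },
        "edit": {
            "kind": "ClusterRole",  # no rules: only the binding is created
            "binding": {"test": {"namespace": "test",
                                 "subject": {"test": {"kind": "User"}}}},
        },
    },
}

if __name__ == "__main__":
    for m in render_rbac(SAMPLE_CONTROL):
        print(m["kind"], m["metadata"])
    print("wildcard grants:", overly_broad(render_rbac(SAMPLE_CONTROL)))
```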
More Information
================

* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net