marcoacdae7e2015-12-02 15:35:37 +01001==================
2Kubernetes Formula
3==================
4
Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production-ready
Kubernetes and generates Kubernetes manifests as well.
marcoacdae7e2015-12-02 15:35:37 +01008
You can download the ``kubectl`` configuration and connect to your cluster. However,
keep in mind that ``kubernetes_control_address`` needs to be accessible from your computer:
11
.. code-block:: bash
13
14 mkdir -p ~/.kube
15 [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
Tomáš Kukrál8ee2bc52017-07-31 17:51:20 +020016 ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
Tomáš Kukrálf1fcc272017-06-15 10:14:16 +020017 kubectl get no
18
19
``cfg01`` is the Salt master node and ``ctl01`` is one of the Kubernetes masters. The
fetched ``~/.kube/config`` carries your cluster credentials, so keep it readable only by your user.
marcoacdae7e2015-12-02 15:35:37 +010021
Ales Komarek9db8af42017-06-08 11:08:05 +020022Sample Pillars
marcoacdae7e2015-12-02 15:35:37 +010023==============
24
Aleksei Kasatkin2af48922018-08-21 11:58:19 +020025**REQUIRED:** Define images to use for hyperkube and Calico
Tomáš Kukrál189da4b2017-01-18 14:30:09 +010026
27.. code-block:: yaml
28
29 parameters:
30 kubernetes:
31 common:
32 hyperkube:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +020033 image: gcr.io/google_containers/hyperkube:v1.6.5
Tomáš Kukrál189da4b2017-01-18 14:30:09 +010034 pool:
35 network:
ashestakova7b8d352018-02-27 13:54:27 +000036 calico:
37 calicoctl_image: calico/ctl
38 cni_image: calico/cni
Aleksei Kasatkin2af48922018-08-21 11:58:19 +020039 image: calico/node
40 kube_controllers_image: calico/kube-controllers
41
Tomáš Kukrál189da4b2017-01-18 14:30:09 +010042
Tomáš Kukrál25a64d72017-03-23 14:14:07 +010043Enable helm-tiller addon
Tomáš Kukrál1b50f772017-03-23 12:51:32 +010044
45.. code-block:: yaml
46
47 parameters:
48 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +020049 common:
Tomáš Kukrál1b50f772017-03-23 12:51:32 +010050 addons:
51 helm:
52 enabled: true
53
Aleksei Kasatkin2af48922018-08-21 11:58:19 +020054Enable calico-policy
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +030055
56.. code-block:: yaml
57
58 parameters:
59 kubernetes:
Aleksei Kasatkin2af48922018-08-21 11:58:19 +020060 pool:
61 network:
62 calico:
63 policy:
64 enabled: true
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +030065
Jakub Pavlikc1d11e52017-06-23 11:09:20 +020066Enable virtlet addon
67
68.. code-block:: yaml
69
70 parameters:
71 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +020072 common:
Jakub Pavlikc1d11e52017-06-23 11:09:20 +020073 addons:
74 virtlet:
75 enabled: true
76 namespace: kube-system
Victor Ryzhenkin810c5072018-05-26 00:03:33 +040077 image: mirantis/virtlet:v1.0.3
Jakub Pavlikc1d11e52017-06-23 11:09:20 +020078
Tomáš Kukrál25a64d72017-03-23 14:14:07 +010079Enable netchecker addon
80
81.. code-block:: yaml
82
83 parameters:
84 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +020085 common:
86 addons:
Tomáš Kukrál25a64d72017-03-23 14:14:07 +010087 netchecker:
88 enabled: true
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +020089 master:
90 namespace:
Tomáš Kukrál25a64d72017-03-23 14:14:07 +010091 netchecker:
92 enabled: true
Tomáš Kukrál1b50f772017-03-23 12:51:32 +010093
Enable Kubernetes Federation control plane
95
96.. code-block:: yaml
97
98 parameters:
99 kubernetes:
100 master:
101 federation:
102 enabled: True
103 name: federation
104 namespace: federation-system
105 source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
106 hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
107 service_type: NodePort
108 dns_provider: coredns
109 childclusters:
110 - secondcluster.mydomain
111 - thirdcluster.mydomain
112
Matthew Mosesohn3be5dd92017-08-25 16:54:51 +0300113Enable external DNS addon with CoreDNS provider
114
115.. code-block:: yaml
116
117 parameters:
118 kubernetes:
119 common:
120 addons:
Sergii Golovatiuk08e47f32017-09-28 15:24:23 +0200121 coredns:
122 enabled: True
Matthew Mosesohn3be5dd92017-08-25 16:54:51 +0300123 externaldns:
Sergii Golovatiuk08e47f32017-09-28 15:24:23 +0200124 enabled: True
125 domain: company.mydomain
126 provider: coredns
Matthew Mosesohn3be5dd92017-08-25 16:54:51 +0300127
Andrey Shestakov79f4af02017-09-15 21:02:55 +0300128Enable external DNS addon with Designate provider
129
130.. code-block:: yaml
131
132 parameters:
133 kubernetes:
134 common:
135 addons:
136 externaldns:
Sergii Golovatiuk08e47f32017-09-28 15:24:23 +0200137 enabled: True
138 domain: company.mydomain
139 provider: designate
140 designate_os_options:
141 OS_AUTH_URL: https://keystone_auth_endpoint:5000
142 OS_PROJECT_DOMAIN_NAME: default
143 OS_USER_DOMAIN_NAME: default
144 OS_PROJECT_NAME: admin
145 OS_USERNAME: admin
146 OS_PASSWORD: password
147 OS_REGION_NAME: RegionOne
Andrey Shestakov79f4af02017-09-15 21:02:55 +0300148
Sergii Golovatiuk650948c2017-09-25 12:00:18 +0200149Enable external DNS addon with AWS provider
150
151.. code-block:: yaml
152
153 parameters:
154 kubernetes:
155 common:
156 addons:
157 externaldns:
Sergii Golovatiuk08e47f32017-09-28 15:24:23 +0200158 enabled: True
159 domain: company.mydomain
160 provider: aws
161 aws_options:
162 AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
163 AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
164
165Enable external DNS addon with Google CloudDNS provider
166
167.. code-block:: yaml
168
169 parameters:
170 kubernetes:
171 common:
172 addons:
173 externaldns:
174 enabled: True
175 domain: company.mydomain
176 provider: google
177 google_options:
178 key: ''
179 project: default-123

The key should be exported from the Google console and processed as ``cat key.json | tr -d '\n'``.
Sergii Golovatiuk650948c2017-09-25 12:00:18 +0200181
Matthew Mosesohn19903512017-08-31 19:38:19 +0300182Enable OpenStack cloud provider
183
184.. code-block:: yaml
185
186 parameters:
187 kubernetes:
188 common:
189 cloudprovider:
190 enabled: True
Tomáš Kukrál10b15672017-09-05 10:08:46 +0200191 provider: openstack
Matthew Mosesohn19903512017-08-31 19:38:19 +0300192 params:
193 auth_url: https://openstack.mydomain:5000/v3
194 username: nova
195 password: nova
196 region: RegionOne
197 tenant_id: 4bce4162d8744c599e350099cfa22a0a
198 domain_name: default
199 subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
200 lb_version: v2
201
Tomáš Kukrálf78baa62017-04-20 16:18:16 +0200202Configure service verbosity
203
204.. code-block:: yaml
205
206 parameters:
207 kubernetes:
208 master:
209 verbosity: 2
210 pool:
211 verbosity: 2
212
Matthew Mosesohn32ec04a2017-07-17 19:53:47 +0300213Set cluster name and domain
Matthew Mosesohn0f7bee42017-07-17 13:52:16 +0300214
215.. code-block:: yaml
216
217 parameters:
218 kubernetes:
219 common:
220 kubernetes_cluster_domain: mycluster.domain
Matthew Mosesohn32ec04a2017-07-17 19:53:47 +0300221 cluster_name : mycluster
Matthew Mosesohn0f7bee42017-07-17 13:52:16 +0300222
Enable the autoscaler for the DNS addon. The poll period can be omitted.
224
225.. code-block:: yaml
226
227 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200228 common:
Tomáš Kukrálaff35262017-04-18 12:37:45 +0200229 addons:
230 dns:
231 domain: cluster.local
232 enabled: true
233 replicas: 1
234 server: 10.254.0.10
235 autoscaler:
236 enabled: true
237 poll-period-seconds: 60
238
239
Pass additional parameters to daemons:
241
242.. code-block:: yaml
243
244 parameters:
245 kubernetes:
246 master:
247 apiserver:
248 daemon_opts:
249 storage-backend: pigeon
250 controller_manager:
251 daemon_opts:
252 log-dir: /dev/nulL
253 pool:
254 kubelet:
255 daemon_opts:
256 max-pods: "6"
257
Tomáš Kukrál189da4b2017-01-18 14:30:09 +0100258
Container definitions on pool nodes in ``pool.service.local``
260
Jakub Pavlik7e985322016-07-17 13:16:15 +0200261.. code-block:: yaml
262
263 parameters:
264 kubernetes:
265 pool:
266 service:
267 local:
268 enabled: False
269 service: libvirt
270 cluster: openstack-compute
271 namespace: default
272 role: ${linux:system:name}
273 type: LoadBalancer
274 kind: Deployment
275 apiVersion: extensions/v1beta1
276 replicas: 1
277 host_pid: True
278 nodeSelector:
279 - key: openstack
280 value: ${linux:system:name}
281 hostNetwork: True
282 container:
283 libvirt-compute:
284 privileged: True
285 image: ${_param:docker_repository}/libvirt-compute
286 tag: ${_param:openstack_container_tag}
Ales Komarek688a04c2016-07-15 15:12:30 +0200287
288Master definition
289
marcoacdae7e2015-12-02 15:35:37 +0100290.. code-block:: yaml
291
292 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200293 common:
Matthew Mosesohn32ec04a2017-07-17 19:53:47 +0300294 cluster_name: cluster
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200295 addons:
296 dns:
297 domain: cluster.local
298 enabled: true
299 replicas: 1
300 server: 10.254.0.10
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200301 master:
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200302 admin:
303 password: password
304 username: admin
305 apiserver:
306 address: 10.0.175.100
Swann Croisetff97efc2017-02-23 13:32:33 +0100307 secure_port: 443
308 insecure_address: 127.0.0.1
309 insecure_port: 8080
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200310 ca: kubernetes
311 enabled: true
312 etcd:
313 host: 127.0.0.1
314 members:
315 - host: 10.0.175.100
316 name: node040
317 name: node040
318 token: ca939ec9c2a17b0786f6d411fe019e9b
319 kubelet:
320 allow_privileged: true
321 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200322 calico:
323 enabled: true
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200324 service_addresses: 10.254.0.0/16
325 storage:
326 engine: glusterfs
327 members:
328 - host: 10.0.175.101
329 port: 24007
330 - host: 10.0.175.102
331 port: 24007
332 - host: 10.0.175.103
333 port: 24007
334 port: 24007
335 token:
336 admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
337 controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
338 dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
339 kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
340 kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
341 logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
342 monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
343 scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
344 version: v1.2.4
345
marcoacdae7e2015-12-02 15:35:37 +0100346
347 kubernetes:
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200348 pool:
349 address: 0.0.0.0
350 allow_privileged: true
351 ca: kubernetes
352 cluster_dns: 10.254.0.10
353 cluster_domain: cluster.local
354 enabled: true
355 kubelet:
356 allow_privileged: true
357 config: /etc/kubernetes/manifests
358 frequency: 5s
359 master:
360 apiserver:
361 members:
362 - host: 10.0.175.100
363 etcd:
364 members:
365 - host: 10.0.175.100
366 host: 10.0.175.100
367 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200368 calico:
369 enabled: true
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200370 token:
371 kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
372 kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
373 version: v1.2.4
marcoacdae7e2015-12-02 15:35:37 +0100374
Tomáš Kukrálbc3623e2017-03-23 18:24:06 +0100375
Enable basic, token and HTTP header authentication, disable SSL auth, and create some
static users:
378
379.. code-block:: yaml
380
381 kubernetes:
382 master:
383 auth:
384 basic:
385 enabled: true
386 user:
387 jdoe:
388 password: dummy
389 groups:
390 - system:admin
391 http:
392 enabled: true
393 header:
394 user: X-Remote-User
395 group: X-Remote-Group
396 ssl:
397 enabled: false
398 token:
399 enabled: true
400 user:
401 jdoe:
402 token: dummytoken
403 groups:
404 - system:admin
405
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200406Kubernetes with OpenContrail network plugin
407------------------------------------------------
marcoacdae7e2015-12-02 15:35:37 +0100408
409On Master:
410
411.. code-block:: yaml
412
413 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200414 master:
marcoacdae7e2015-12-02 15:35:37 +0100415 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200416 opencontrail:
417 enabled: true
ashestakove19660a2018-03-05 12:43:30 +0000418 default_domain: default-domain
419 default_project: default-domain:default-project
420 public_network: default-domain:default-project:Public
421 public_ip_range: 185.22.97.128/26
422 private_ip_range: 10.150.0.0/16
423 service_cluster_ip_range: 10.254.0.0/16
424 network_label: name
425 service_label: uses
426 cluster_service: kube-system/default
427 config:
428 api:
429 host: 10.0.170.70

On pools:
431
432.. code-block:: yaml
433
434 kubernetes:
435 pool:
436 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200437 opencontrail:
438 enabled: true
marcoacdae7e2015-12-02 15:35:37 +0100439
Tomáš Kukrál13b1edb2017-06-08 16:47:34 +0200440
441Dashboard public IP must be configured when Contrail network is used:
442
443.. code-block:: yaml
444
445 kubernetes:
Sergii Golovatiuk707f7d82017-08-07 15:49:23 +0200446 common:
Tomáš Kukrál13b1edb2017-06-08 16:47:34 +0200447 addons:
Alexander Noskov0637cd62018-02-16 13:49:11 +0400448 dashboard:
449 public_ip: 1.1.1.1
Tomáš Kukrál13b1edb2017-06-08 16:47:34 +0200450
Jakub Pavlik1cfc1fe2016-07-25 11:01:52 +0200451Kubernetes control plane running in systemd
452-------------------------------------------
453
By default, kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment these should run under systemd.
Jakub Pavlik1cfc1fe2016-07-25 11:01:52 +0200455
456.. code-block:: yaml
457
458 kubernetes:
459 master:
460 container: false
461
462 kubernetes:
463 pool:
464 container: false
465
Because the k8s services run under the ``kube`` user without root privileges, the secure port of the apiserver must be changed to an unprivileged port (binding ports below 1024 requires root).
467
468.. code-block:: yaml
469
470 kubernetes:
471 master:
472 apiserver:
473 secure_port: 8081
474
Andrey Shestakove3cf0062018-06-19 15:04:33 +0300475Kubernetes with MetalLB
476-----------------------
477
478On Master:
479
480.. code-block:: yaml
481
482 kubernetes:
483 common:
484 addons:
485 metallb:
486 enabled: true
487 addresses:
488 - 172.16.10.150-172.16.10.180
489 - 172.16.10.192/26
490
Andrey Shestakovb3057972018-06-25 17:50:23 +0300491Kubernetes with SRIOV
492-----------------------
493
494On Master:
495
496.. code-block:: yaml
497
498 kubernetes:
499 master:
500 network:
501 sriov:
502 enabled: true
503 interface: eno2
504 subnet: 10.55.208.0/24
505 gateway: 10.55.208.1
506
507On pools:
508
509.. code-block:: yaml
510
511 kubernetes:
512 pool:
513 network:
514 sriov:
515 enabled: true
516 interface: eno2
517 subnet: 10.55.208.0/24
518 gateway: 10.55.208.1
519
marcoacdae7e2015-12-02 15:35:37 +0100520Kubernetes with Flannel
521-----------------------
522
523On Master:
524
525.. code-block:: yaml
526
527 kubernetes:
528 master:
529 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200530 flannel:
531 enabled: true
marcoacdae7e2015-12-02 15:35:37 +0100532
533On pools:
534
535.. code-block:: yaml
536
537 kubernetes:
538 pool:
539 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200540 flannel:
541 enabled: true
marcoacdae7e2015-12-02 15:35:37 +0100542
543Kubernetes with Calico
544-----------------------
545
546On Master:
547
548.. code-block:: yaml
549
550 kubernetes:
551 master:
552 network:
ashestakova7b8d352018-02-27 13:54:27 +0000553 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200554 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000555 mtu: 1500
Jakub Pavlik7e985322016-07-17 13:16:15 +0200556 # If you don't register master as node:
ashestakova7b8d352018-02-27 13:54:27 +0000557 etcd:
558 members:
559 - host: 10.0.175.101
560 port: 4001
561 - host: 10.0.175.102
562 port: 4001
563 - host: 10.0.175.103
564 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100565
566On pools:
567
568.. code-block:: yaml
569
570 kubernetes:
571 pool:
572 network:
ashestakova7b8d352018-02-27 13:54:27 +0000573 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200574 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000575 mtu: 1500
576 etcd:
577 members:
578 - host: 10.0.175.101
579 port: 4001
580 - host: 10.0.175.102
581 port: 4001
582 - host: 10.0.175.103
583 port: 4001
marcoacdae7e2015-12-02 15:35:37 +0100584
Tomáš Kukrál34c59362017-03-01 14:00:37 +0100585Running with secured etcd:
586
587.. code-block:: yaml
588
589 kubernetes:
590 pool:
591 network:
ashestakova7b8d352018-02-27 13:54:27 +0000592 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200593 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000594 etcd:
595 ssl:
596 enabled: true
Tomáš Kukrál34c59362017-03-01 14:00:37 +0100597 master:
598 network:
ashestakova7b8d352018-02-27 13:54:27 +0000599 calico:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200600 enabled: true
ashestakova7b8d352018-02-27 13:54:27 +0000601 etcd:
602 ssl:
603 enabled: true
Tomáš Kukrál34c59362017-03-01 14:00:37 +0100604
Aleksei Kasatkin2af48922018-08-21 11:58:19 +0200605Running with calico-policy:
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +0300606
607.. code-block:: yaml
608
609 kubernetes:
610 pool:
611 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200612 calico:
613 enabled: true
Aleksei Kasatkin2af48922018-08-21 11:58:19 +0200614 policy:
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +0300615 enabled: true
616
617 master:
618 network:
Andrey Shestakovd389a5a2018-03-12 18:00:52 +0200619 calico:
620 enabled: true
Aleksei Kasatkin2af48922018-08-21 11:58:19 +0200621 policy:
Matthew Mosesohnbf9d3fb2017-05-17 16:17:02 +0300622 enabled: true
623
624
625
Tomáš Kukrál7e91a942017-03-23 16:02:52 +0100626Enable Prometheus metrics in Felix
627
628.. code-block:: yaml
629
630 kubernetes:
631 pool:
632 network:
ashestakova7b8d352018-02-27 13:54:27 +0000633 calico:
634 prometheus:
635 enabled: true
Tomáš Kukrál7e91a942017-03-23 16:02:52 +0100636 master:
637 network:
ashestakova7b8d352018-02-27 13:54:27 +0000638 calico:
639 prometheus:
640 enabled: true
Tomáš Kukrál7e91a942017-03-23 16:02:52 +0100641
Jakub Pavlik7e985322016-07-17 13:16:15 +0200642Post deployment configuration
643
644.. code-block:: bash
Jakub Pavlik232833c2016-07-17 13:21:00 +0200645
Jakub Pavlik7e985322016-07-17 13:16:15 +0200646 # set ETCD
647 export ETCD_AUTHORITY=10.0.111.201:4001
648
649 # Set NAT for pods subnet
650 calicoctl pool add 192.168.0.0/16 --nat-outgoing
651
652 # Status commands
653 calicoctl status
654 calicoctl node show
655
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200656Kubernetes with GlusterFS for storage
657---------------------------------------------
658
659.. code-block:: yaml
660
661 kubernetes:
Tomáš Kukrál4f0dae32017-03-21 19:04:19 +0100662 master:
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200663 ...
664 storage:
665 engine: glusterfs
666 port: 24007
667 members:
668 - host: 10.0.175.101
669 port: 24007
670 - host: 10.0.175.102
671 port: 24007
672 - host: 10.0.175.103
673 port: 24007
674 ...
675
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200676Kubernetes Storage Class
677------------------------
678
AWS EBS storageclass integration. It also requires creating an IAM policy and instance profiles for the instances, and tagging all resources with ``KubernetesCluster`` in EC2.
680
681.. code-block:: yaml
682
683 kubernetes:
684 common:
685 addons:
686 storageclass:
687 aws_slow:
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200688 enabled: True
689 default: True
690 provisioner: aws-ebs
Petr Michalec52d4e1f2017-09-11 17:50:54 +0200691 name: slow
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200692 type: gp2
693 iopspergb: "10"
694 zones: xxx
Petr Michalec52d4e1f2017-09-11 17:50:54 +0200695 nfs_shared:
696 name: elasti01
697 enabled: True
698 provisioner: nfs
699 spec:
700 name: elastic_data
701 nfs:
702 server: 10.0.0.1
703 path: /exported_path
Jakub Pavlik5b043a22017-09-05 09:33:58 +0200704
Andrey Shestakov06278042018-09-07 12:43:25 +0300705Ceph RBD storageclass integration.
706
707.. code-block:: yaml
708
709 kubernetes:
710 common:
711 addons:
712 storageclass:
713 rbd:
714 enabled: True
715 default: True
716 provisioner: rbd
717 name: rbd
718 user_id: kubernetes
719 user_key: AQAOoo5bGqtPExAABGSPtThpt5s+iq97KAE+WQ==
720 monitors: cmn01:6789,cmn02:6789,cmn03:6789
721 pool: kubernetes
722 fstype: ext4
723
marco45fc1b72016-07-02 16:11:18 +0200724Kubernetes namespaces
725---------------------
726
727Create namespace:
728
729.. code-block:: yaml
730
731 kubernetes:
Tomáš Kukrál4f0dae32017-03-21 19:04:19 +0100732 master:
marco45fc1b72016-07-02 16:11:18 +0200733 ...
734 namespace:
735 kube-system:
736 enabled: True
737 namespace2:
738 enabled: True
739 namespace3:
740 enabled: False
741 ...
742
743Kubernetes labels
744-----------------
745
Marek Celoud901020b2017-01-27 14:51:41 +0100746Label node:
marco45fc1b72016-07-02 16:11:18 +0200747
748.. code-block:: yaml
749
Marek Celoud901020b2017-01-27 14:51:41 +0100750 kubernetes:
751 master:
752 label:
753 label01:
754 value: value01
755 node: node01
756 enabled: true
757 key: key01
marco45fc1b72016-07-02 16:11:18 +0200758 ...
marco45fc1b72016-07-02 16:11:18 +0200759
marcof7efecb2016-07-16 16:13:37 +0200760Pull images from private registries
761-----------------------------------
762
763.. code-block:: yaml
764
765 kubernetes:
Tomáš Kukrál4f0dae32017-03-21 19:04:19 +0100766 master:
marcof7efecb2016-07-16 16:13:37 +0200767 ...
768 registry:
769 secret:
770 registry01:
771 enabled: True
772 key: (get from `cat /root/.docker/config.json | base64`)
773 namespace: default
774 ...
775 control:
776 ...
777 service:
778 service01:
779 ...
780 image_pull_secretes: registry01
781 ...
782
Jakub Pavlik495d06f2016-06-17 11:33:05 +0200783Kubernetes Service Definitions in pillars
784==========================================
785
The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.
787
788Deployment manifest
789---------------------
marcoacdae7e2015-12-02 15:35:37 +0100790
791.. code-block:: yaml
792
793 salt:
794 control:
795 enabled: True
796 hostNetwork: True
797 service:
798 memcached:
799 privileged: True
800 service: memcached
801 role: server
802 type: LoadBalancer
803 replicas: 3
804 kind: Deployment
805 apiVersion: extensions/v1beta1
806 ports:
807 - port: 8774
808 name: nova-api
809 - port: 8775
810 name: nova-metadata
811 volume:
812 volume_name:
813 type: hostPath
814 mount: /certs
815 path: /etc/certs
816 container:
817 memcached:
818 image: memcached
819 tag:2
820 ports:
821 - port: 8774
822 name: nova-api
823 - port: 8775
824 name: nova-metadata
825 variables:
826 - name: HTTP_TLS_CERTIFICATE:
827 value: /certs/domain.crt
828 - name: HTTP_TLS_KEY
829 value: /certs/domain.key
830 volumes:
831 - name: /etc/certs
832 type: hostPath
833 mount: /certs
834 path: /etc/certs
835
marcobe30c8d2016-10-11 19:16:35 +0200836PetSet manifest
837---------------------
838
839.. code-block:: yaml
840
841 service:
842 memcached:
843 apiVersion: apps/v1alpha1
844 kind: PetSet
845 service_name: 'memcached'
846 container:
847 memcached:
848 ...
849
850
Filip Pytloun9a4a40f2016-09-22 16:28:19 +0200851Configmap
852---------
853
You can create configmaps using the support layer between formulas.
It works simply: e.g. the nova formula has a file ``meta/config.yml`` which
defines the config files used by that service and its roles.
857
The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you can run Docker images built in any way
while still re-using your configuration management.
861
862Example pillar:
863
.. code-block:: yaml
865
866 kubernetes:
867 control:
Jakub Pavlika2779722016-11-25 15:35:26 +0100868 config_type: default|kubernetes # Output is yaml k8s or default single files
Filip Pytloun9a4a40f2016-09-22 16:28:19 +0200869 configmap:
870 nova-control:
871 grains:
872 # Alternate grains as OS running in container may differ from
873 # salt minion OS. Needed only if grains matters for config
874 # generation.
875 os_family: Debian
876 pillar:
877 # Generic pillar for nova controller
878 nova:
879 controller:
880 enabled: true
881 versionn: liberty
882 ...
883
To declare which services support config generation, ensure a pillar
structure like this:
886
887.. code-block:: yaml
888
889 nova:
890 _support:
891 config:
892 enabled: true
893
marcod4d3dbd2016-09-27 11:36:40 +0200894initContainers
895--------------
896
897Example pillar:
898
.. code-block:: yaml
900
901 kubernetes:
902 control:
903 service:
904 memcached:
905 init_containers:
906 - name: test-mysql
907 image: busybox
908 command:
909 - sleep
910 - 3600
911 volumes:
912 - name: config
913 mount: /test
914 - name: test-memcached
915 image: busybox
916 command:
917 - sleep
918 - 3600
919 volumes:
920 - name: config
921 mount: /test
922
marcoee859d32016-11-07 11:04:57 +0100923Affinity
924--------
925
podAffinity
^^^^^^^^^^^
928
929Example pillar:
930
.. code-block:: yaml
932
933 kubernetes:
934 control:
935 service:
936 memcached:
937 affinity:
938 pod_affinity:
939 name: podAffinity
940 expression:
941 label_selector:
942 name: labelSelector
943 selectors:
944 - key: app
945 value: memcached
946 topology_key: kubernetes.io/hostname
947
podAntiAffinity
^^^^^^^^^^^^^^^
950
951Example pillar:
952
.. code-block:: yaml
954
955 kubernetes:
956 control:
957 service:
958 memcached:
959 affinity:
960 anti_affinity:
961 name: podAntiAffinity
962 expression:
963 label_selector:
964 name: labelSelector
965 selectors:
966 - key: app
967 value: opencontrail-control
968 topology_key: kubernetes.io/hostname
969
nodeAffinity
^^^^^^^^^^^^
972
973Example pillar:
974
.. code-block:: yaml
976
977 kubernetes:
978 control:
979 service:
980 memcached:
981 affinity:
982 node_affinity:
983 name: nodeAffinity
984 expression:
985 match_expressions:
986 name: matchExpressions
987 selectors:
988 - key: key
989 operator: In
990 values:
991 - value1
992 - value2
993
marcoacdae7e2015-12-02 15:35:37 +0100994Volumes
995-------
996
hostPath
^^^^^^^^
marcoacdae7e2015-12-02 15:35:37 +0100999
1000.. code-block:: yaml
1001
marcob469f882016-09-27 09:56:13 +02001002 service:
marcoacdae7e2015-12-02 15:35:37 +01001003 memcached:
marcob469f882016-09-27 09:56:13 +02001004 container:
1005 memcached:
1006 volumes:
1007 - name: volume1
1008 mountPath: /volume
1009 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +01001010 ...
marcob469f882016-09-27 09:56:13 +02001011 volume:
1012 volume1:
1013 name: /etc/certs
1014 type: hostPath
1015 path: /etc/certs
marcoacdae7e2015-12-02 15:35:37 +01001016
emptyDir
^^^^^^^^
marcoacdae7e2015-12-02 15:35:37 +01001019
1020.. code-block:: yaml
1021
marcob469f882016-09-27 09:56:13 +02001022 service:
marcoacdae7e2015-12-02 15:35:37 +01001023 memcached:
marcob469f882016-09-27 09:56:13 +02001024 container:
1025 memcached:
1026 volumes:
1027 - name: volume1
1028 mountPath: /volume
1029 readOnly: True
marcoacdae7e2015-12-02 15:35:37 +01001030 ...
marcob469f882016-09-27 09:56:13 +02001031 volume:
1032 volume1:
1033 name: /etc/certs
1034 type: emptyDir
1035
configMap
^^^^^^^^^
1038
1039.. code-block:: yaml
1040
1041 service:
1042 memcached:
1043 container:
1044 memcached:
1045 volumes:
1046 - name: volume1
1047 mountPath: /volume
1048 readOnly: True
1049 ...
1050 volume:
1051 volume1:
1052 type: config_map
1053 item:
1054 configMap1:
1055 key: config.conf
1056 path: config.conf
1057 configMap2:
1058 key: policy.json
1059 path: policy.json
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001060
To mount a single configuration file instead of the whole directory:
1062
1063.. code-block:: yaml
1064
1065 service:
1066 memcached:
1067 container:
1068 memcached:
1069 volumes:
1070 - name: volume1
1071 mountPath: /volume/config.conf
1072 sub_path: config.conf
1073
marcofcc20d02016-10-10 09:56:12 +02001074Generating Jobs
1075===============
1076
1077Example pillar:
1078
1079.. code-block:: yaml
1080
1081 kubernetes:
1082 control:
1083 job:
1084 sleep:
1085 job: sleep
1086 restart_policy: Never
1087 container:
1088 sleep:
1089 image: busybox
1090 tag: latest
1091 command:
1092 - sleep
1093 - "3600"
1094
Volumes and variables can be used in the same way as during Deployment generation.
1096
1097Custom params:
1098
1099.. code-block:: yaml
1100
1101 kubernetes:
1102 control:
1103 job:
1104 host_network: True
1105 host_pid: True
1106 container:
1107 sleep:
1108 privileged: True
1109 node_selector:
1110 key: node
1111 value: one
1112 image_pull_secretes: password
1113
Filip Pytlounbdba6272017-10-18 19:44:27 +02001114Role-based access control
1115=========================
1116
To enable RBAC, set the following option on your apiserver:
1118
1119.. code-block:: yaml
1120
1121 kubernetes:
1122 master:
1123 auth:
Andrey Shestakovf32d7072017-12-27 22:18:51 +02001124 mode: Node,RBAC
Filip Pytlounbdba6272017-10-18 19:44:27 +02001125
Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and binding
for a service account:
1129
1130.. code-block:: yaml
1131
1132 control:
1133 role:
1134 etcd-operator:
1135 kind: ClusterRole
1136 rules:
1137 - apiGroups:
1138 - etcd.coreos.com
1139 resources:
1140 - clusters
1141 verbs:
1142 - "*"
1143 - apiGroups:
1144 - extensions
1145 resources:
1146 - thirdpartyresources
1147 verbs:
1148 - create
1149 - apiGroups:
1150 - storage.k8s.io
1151 resources:
1152 - storageclasses
1153 verbs:
1154 - create
1155 - apiGroups:
1156 - ""
1157 resources:
1158 - replicasets
1159 verbs:
1160 - "*"
1161 binding:
1162 etcd-operator:
1163 kind: ClusterRoleBinding
1164 namespace: test # <-- if no namespace, then it's clusterrolebinding
1165 subject:
1166 etcd-operator:
1167 kind: ServiceAccount
1168
Simplest possible use case: give user ``test`` edit permissions on its ``test``
namespace:
1171
1172.. code-block:: yaml
1173
1174 kubernetes:
1175 control:
1176 role:
1177 edit:
1178 kind: ClusterRole
1179 # No rules defined, so only binding will be created assuming role
1180 # already exists
1181 binding:
1182 test:
1183 namespace: test
1184 subject:
1185 test:
1186 kind: User
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001187
Manage client (kubectl resources)
=================================

Assign labels to nodes:
1190
1191.. code-block:: yaml
1192
1193 kubernetes:
1194 client:
1195 enabled: true
1196 apiserver:
1197 insecure_address: 0.0.0.0
1198 insecure_port: 8080
1199 resources:
1200 enabled: true
1201 label:
1202 test:
1203 value: enabled
1204 status: 'present'
1205 node:
1206 - cmp1
1207 - cmp2
1208 enabled: true
1209 key: mylabel
1210
Oleksii Grudev4cf21532019-04-16 13:17:57 +00001211Install Helm charts:
1212
1213.. code-block:: yaml
1214
1215 kubernetes:
1216 client:
1217 helm:
1218 enabled: True
1219 repos:
1220 repo1:
1221 enabled: True
1222 repository:
1223 test: https://mirantisworkloads.storage.googleapis.com/
1224 charts:
1225 010_ingress_kube_system:
1226 enabled: True
1227 release: ingress-kube-system
1228 chart_name: local/ingress
1229 namespace: kube-system
1230 values:
1231 deployment:
1232 mode: cluster
1233 type: DaemonSet
1234 network:
1235 host_namespace: True

More Information
================
Jakub Pavlik27ad3a62016-08-05 11:39:45 +02001238
* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
1241* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase