==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production
ready Kubernetes and generates Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no


`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define the image to use for hyperkube, the CNI plugins and the calicoctl image:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni

Enable the helm-tiller addon:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable the calico-policy addon:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            calico_policy:
              enabled: true

Enable the virtlet addon:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v1.0.3

Enable the netchecker addon:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable the Kubernetes Federation control plane:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable the external DNS addon with the CoreDNS provider:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable the external DNS addon with the Designate provider:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable the external DNS addon with the AWS provider:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable the external DNS addon with the Google CloudDNS provider:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google console and processed with `cat key.json | tr -d '\n'`.

Enable the OpenStack cloud provider:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set the cluster name and domain:

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable the autoscaler for the DNS addon (the poll period can be omitted):

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to the daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/null
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool definitions in pool.service.local:

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition:

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          calico:
            enabled: true
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          calico:
            enabled: true
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Enable basic, token and HTTP-header authentication, disable SSL (client
certificate) auth and create some static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

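To make clear what the ``auth`` pillar above turns into on the master, here is an added example (not the formula's own template code) that renders that pillar into the static credential files and the kube-apiserver flags those options correspond to. The CSV layouts are the real ``--basic-auth-file`` / ``--token-auth-file`` formats (``secret,user,uid,"group1,group2"``); the file paths under ``/etc/kubernetes``, the uid-equals-username rule and the CA path for the SSL case are assumptions of this example, not values from the formula.

```python
"""Render a kubernetes:master:auth pillar into apiserver files and flags.

Added example, not the formula's own code.  Assumptions: output paths under
/etc/kubernetes, uid == username, and the client CA path used when ssl auth
is enabled.
"""
import csv
import io

# Constructed pillar mirroring the README snippet above.
AUTH_PILLAR = {
    "basic": {"enabled": True,
              "user": {"jdoe": {"password": "dummy", "groups": ["system:admin"]}}},
    "http": {"enabled": True,
             "header": {"user": "X-Remote-User", "group": "X-Remote-Group"}},
    "ssl": {"enabled": False},
    "token": {"enabled": True,
              "user": {"jdoe": {"token": "dummytoken", "groups": ["system:admin"]}}},
}

BASIC_FILE = "/etc/kubernetes/basic_auth.csv"   # assumed path
TOKEN_FILE = "/etc/kubernetes/known_tokens.csv"  # assumed path
CLIENT_CA = "/etc/kubernetes/ssl/ca-kubernetes.crt"  # assumed path


def _csv_lines(users, secret_key):
    """One row per user in kube-apiserver CSV form: secret,user,uid,"g1,g2".

    csv.writer quotes the group column only when it contains a comma, which
    is exactly what the apiserver parser expects.
    """
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for name in sorted(users):
        entry = users[name]
        row = [entry[secret_key], name, name]  # uid == username (assumption)
        groups = ",".join(entry.get("groups", []))
        if groups:
            row.append(groups)
        writer.writerow(row)
    return out.getvalue().splitlines()


def render_auth(pillar):
    """Return {'files': {path: [lines]}, 'flags': [...], 'warnings': [...]}."""
    files, flags, warnings = {}, [], []
    if pillar.get("basic", {}).get("enabled"):
        files[BASIC_FILE] = _csv_lines(pillar["basic"]["user"], "password")
        flags.append("--basic-auth-file=%s" % BASIC_FILE)
        warnings.append("basic auth: static plaintext passwords stored on the master")
    if pillar.get("token", {}).get("enabled"):
        files[TOKEN_FILE] = _csv_lines(pillar["token"]["user"], "token")
        flags.append("--token-auth-file=%s" % TOKEN_FILE)
        warnings.append("token auth: static bearer tokens never expire; rotate the file")
    if pillar.get("http", {}).get("enabled"):
        hdr = pillar["http"]["header"]
        flags.append("--requestheader-username-headers=%s" % hdr["user"])
        flags.append("--requestheader-group-headers=%s" % hdr["group"])
        warnings.append("header auth: the apiserver only honours these headers from a "
                        "proxy whose cert chains to --requestheader-client-ca-file")
    if pillar.get("ssl", {}).get("enabled", True):
        flags.append("--client-ca-file=%s" % CLIENT_CA)
    else:
        warnings.append("ssl auth disabled: client certificates will not authenticate")
    return {"files": files, "flags": flags, "warnings": warnings}


if __name__ == "__main__":
    result = render_auth(AUTH_PILLAR)
    for path, lines in result["files"].items():
        print(path, lines)
    print("\n".join(result["flags"]))
    print("\n".join("WARNING: " + w for w in result["warnings"]))
```

The warnings list is the review output a practitioner wants from this pillar: the static files are exactly as sensitive as the admin password itself, and the header-based authenticator is safe only behind an authenticating proxy, so the renderer says so next to the flags it emits.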
Kubernetes with OpenContrail network plugin
-------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          opencontrail:
            enabled: true
            default_domain: default-domain
            default_project: default-domain:default-project
            public_network: default-domain:default-project:Public
            public_ip_range: 185.22.97.128/26
            private_ip_range: 10.150.0.0/16
            service_cluster_ip_range: 10.254.0.0/16
            network_label: name
            service_label: uses
            cluster_service: kube-system/default
            config:
              api:
                host: 10.0.170.70

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          opencontrail:
            enabled: true


The dashboard public IP must be configured when the Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dashboard:
            public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment they should run in systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services then run under the kube user without root privileges, the apiserver's secure port needs to be changed (an unprivileged process cannot bind a port below 1024):

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with MetalLB
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          metallb:
            enabled: true
            addresses:
              - 172.16.10.150-172.16.10.180
              - 172.16.10.192/26

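The ``addresses`` list above accepts two spellings, a dotted range and a CIDR. As an added example (not part of the formula), the script below expands both forms with the standard ``ipaddress`` module, counts the usable pool, and checks that no entry overlaps the cluster's other ranges, which is the check to run before handing a pool to a LoadBalancer controller. The ``CLUSTER_RANGES`` values are taken from other snippets on this page and are a constructed comparison set.

```python
"""Validate a MetalLB address pool from the metallb addon pillar.

Added example, not formula code.  Handles both entry forms shown above:
'first-last' ranges and CIDR networks.
"""
import ipaddress

# Constructed from the snippet above.
METALLB_ADDRESSES = ["172.16.10.150-172.16.10.180", "172.16.10.192/26"]

# Constructed set of cluster ranges to compare against (values from this page).
CLUSTER_RANGES = {
    "service_addresses": "10.254.0.0/16",
    "sriov_subnet": "10.55.208.0/24",
}


def expand_pool_entry(entry):
    """Return the list of IP networks covered by one pool entry.

    A 'first-last' range is summarized into the minimal set of CIDR blocks;
    a CIDR entry must be a proper network address (strict), so a typo such
    as 172.16.10.200/26 is rejected instead of silently widened.
    """
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if last < first:
            raise ValueError("range end precedes start: %s" % entry)
        return list(ipaddress.summarize_address_range(first, last))
    return [ipaddress.ip_network(entry, strict=True)]


def pool_size(addresses):
    """Total number of addresses the controller may hand out."""
    return sum(net.num_addresses for e in addresses for net in expand_pool_entry(e))


def overlapping_ranges(addresses, cluster_ranges):
    """Return sorted (entry, range_label) pairs where a pool entry overlaps
    one of the cluster's own CIDRs; an empty list means the pool is clean."""
    hits = set()
    for entry in addresses:
        for net in expand_pool_entry(entry):
            for label, cidr in cluster_ranges.items():
                if net.overlaps(ipaddress.ip_network(cidr)):
                    hits.add((entry, label))
    return sorted(hits)


if __name__ == "__main__":
    print("pool size:", pool_size(METALLB_ADDRESSES))
    print("overlaps:", overlapping_ranges(METALLB_ADDRESSES, CLUSTER_RANGES))
```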
Kubernetes with SRIOV
---------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          flannel:
            enabled: true

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          flannel:
            enabled: true

Kubernetes with Calico
----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          calico:
            enabled: true
            mtu: 1500
            # If you don't register master as node:
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            mtu: 1500
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true
      master:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true

Running with the calico-policy controller:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
        addons:
          calico_policy:
            enabled: true

      master:
        network:
          calico:
            enabled: true
        addons:
          calico_policy:
            enabled: true



Enable Prometheus metrics in Felix:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            prometheus:
              enabled: true
      master:
        network:
          calico:
            prometheus:
              enabled: true

Post deployment configuration:

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
-------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storage class integration. It also requires creating an IAM policy and instance profiles, and tagging all resources with KubernetesCluster in EC2.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Kubernetes namespaces
---------------------

Create namespaces:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label a node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
            ...

Kubernetes Service Definitions in pillars
=========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
-------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

PetSet manifest
---------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: for example, the nova formula has a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run Docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is yaml k8s or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matters for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, you need to ensure a pillar
structure like this to determine support:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
              - name: test-mysql
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test
              - name: test-memcached
                image: busybox
                command:
                  - sleep
                  - 3600
                volumes:
                  - name: config
                    mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                      - key: key
                        operator: In
                        values:
                          - value1
                          - value2

Volumes
-------

hostPath
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume/config.conf
                sub_path: config.conf

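The Deployment manifest section and the Volumes section above both describe the same pillar-to-manifest mapping from two angles. As an added example (not the formula's own Jinja templates), the renderer below takes a ``service`` pillar in the shape shown in those sections and produces the equivalent Kubernetes Deployment as a Python dict, covering containers, ports, environment variables, the ``hostPath``, ``emptyDir`` and ``config_map`` volume types, ``readOnly`` mounts and ``sub_path``. The label keys, the ``securityContext`` placement for ``privileged`` and the review helper at the end are this example's own choices; the sample pillar is constructed from the snippets on this page.

```python
"""Render a control:service pillar entry into a Kubernetes Deployment.

Added example, not formula code.  The pillar shape follows the Deployment
and Volumes sections of this README; label keys and the privileged ->
securityContext mapping are assumptions of this example.
"""
import json

# Constructed pillar combining the Deployment and Volumes snippets above.
SERVICE_PILLAR = {
    "memcached": {
        "kind": "Deployment", "apiVersion": "extensions/v1beta1", "replicas": 3,
        "service": "memcached", "role": "server", "privileged": True,
        "container": {
            "memcached": {
                "image": "memcached", "tag": 2,
                "ports": [{"port": 8774, "name": "nova-api"}],
                "variables": [{"name": "HTTP_TLS_KEY", "value": "/certs/domain.key"}],
                "volumes": [
                    {"name": "certs", "mountPath": "/certs", "readOnly": True},
                    {"name": "scratch", "mountPath": "/scratch"},
                    {"name": "conf", "mountPath": "/etc/app/config.conf",
                     "sub_path": "config.conf"},
                ],
            }
        },
        "volume": {
            "certs": {"type": "hostPath", "path": "/etc/certs"},
            "scratch": {"type": "emptyDir"},
            "conf": {"type": "config_map",
                     "item": {"configMap1": {"key": "config.conf", "path": "config.conf"}}},
        },
    }
}


def _volume_source(name, vol):
    """Map the pillar volume types to Kubernetes pod-level volume sources."""
    vtype = vol["type"]
    if vtype == "hostPath":
        return {"name": name, "hostPath": {"path": vol["path"]}}
    if vtype == "emptyDir":
        return {"name": name, "emptyDir": {}}
    if vtype == "config_map":
        items = [{"key": i["key"], "path": i["path"]} for _, i in sorted(vol["item"].items())]
        return {"name": name, "configMap": {"name": name, "items": items}}
    raise ValueError("unsupported volume type: %s" % vtype)


def _container(name, cont, privileged):
    """Build one container spec: image:tag, ports, env and volumeMounts."""
    mounts = []
    for m in cont.get("volumes", []):
        mount = {"name": m["name"], "mountPath": m["mountPath"]}
        if m.get("readOnly"):
            mount["readOnly"] = True
        if "sub_path" in m:           # single file instead of whole directory
            mount["subPath"] = m["sub_path"]
        mounts.append(mount)
    spec = {
        "name": name,
        "image": "%s:%s" % (cont["image"], cont["tag"]),
        "ports": [{"containerPort": p["port"], "name": p["name"]} for p in cont.get("ports", [])],
        "env": [{"name": v["name"], "value": v["value"]} for v in cont.get("variables", [])],
        "volumeMounts": mounts,
    }
    if privileged:
        spec["securityContext"] = {"privileged": True}
    return spec


def render_deployment(name, svc):
    """Return the Deployment manifest for one service entry as a dict."""
    labels = {"app": svc["service"], "role": svc["role"]}
    containers = [_container(n, c, svc.get("privileged", False))
                  for n, c in sorted(svc["container"].items())]
    volumes = [_volume_source(n, v) for n, v in sorted(svc.get("volume", {}).items())]
    return {
        "apiVersion": svc["apiVersion"], "kind": svc["kind"],
        "metadata": {"name": name, "labels": labels},
        "spec": {"replicas": svc["replicas"],
                 "template": {"metadata": {"labels": labels},
                              "spec": {"containers": containers, "volumes": volumes}}},
    }


def privileged_containers(manifest):
    """Review helper: names of containers that request privileged mode."""
    return [c["name"] for c in manifest["spec"]["template"]["spec"]["containers"]
            if c.get("securityContext", {}).get("privileged")]


if __name__ == "__main__":
    manifest = render_deployment("memcached", SERVICE_PILLAR["memcached"])
    print(json.dumps(manifest, indent=2))
    print("privileged:", privileged_containers(manifest))
```

Rendering to a dict first and serializing at the end keeps the mapping testable; the ``privileged_containers`` helper is the kind of pre-apply check worth running over generated manifests, since ``privileged: True`` at the service level silently applies to every container in the pod.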
Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                  - sleep
                  - "3600"

Volumes and variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
              node_selector:
                key: node
                value: one
              image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and binding
for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
            - apiGroups:
                - etcd.coreos.com
              resources:
                - clusters
              verbs:
                - "*"
            - apiGroups:
                - extensions
              resources:
                - thirdpartyresources
              verbs:
                - create
            - apiGroups:
                - storage.k8s.io
              resources:
                - storageclasses
              verbs:
                - create
            - apiGroups:
                - ""
              resources:
                - replicasets
              verbs:
                - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

The simplest possible use case, giving user test edit permissions on its test
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

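To show what the two ``control:role`` pillars above resolve to, here is an added example (not the formula's ``kubernetes.control.role`` state itself) that renders them into RBAC objects and applies the rules the page states: a role with no ``rules`` produces only its bindings, a binding with a ``namespace`` and no explicit ``kind`` becomes a namespaced RoleBinding, and one without a namespace becomes a ClusterRoleBinding. The subject ``apiGroup``/``namespace`` handling and the wildcard-rule review helper are this example's own additions; the sample pillar is constructed from the page's snippets.

```python
"""Render control:role pillar entries into Kubernetes RBAC manifests.

Added example, not the formula's own state code.  Assumption: an explicit
binding ``kind`` wins; otherwise the presence of ``namespace`` selects
RoleBinding over ClusterRoleBinding, as the comment in the README says.
"""
import json

RBAC_API = "rbac.authorization.k8s.io/v1"

# Constructed pillar mirroring the two snippets above.
RBAC_PILLAR = {
    "etcd-operator": {
        "kind": "ClusterRole",
        "rules": [
            {"apiGroups": ["etcd.coreos.com"], "resources": ["clusters"], "verbs": ["*"]},
            {"apiGroups": ["storage.k8s.io"], "resources": ["storageclasses"], "verbs": ["create"]},
            {"apiGroups": [""], "resources": ["replicasets"], "verbs": ["*"]},
        ],
        "binding": {
            "etcd-operator": {"kind": "ClusterRoleBinding", "namespace": "test",
                              "subject": {"etcd-operator": {"kind": "ServiceAccount"}}},
        },
    },
    "edit": {
        "kind": "ClusterRole",
        # no rules: only the binding is created, the role must already exist
        "binding": {"test": {"namespace": "test", "subject": {"test": {"kind": "User"}}}},
    },
}


def _subjects(binding, namespace):
    """Service accounts are namespaced; users and groups carry the RBAC apiGroup."""
    out = []
    for name, subj in sorted(binding["subject"].items()):
        entry = {"kind": subj["kind"], "name": name}
        if subj["kind"] == "ServiceAccount":
            entry["namespace"] = subj.get("namespace", namespace or "default")
        else:
            entry["apiGroup"] = "rbac.authorization.k8s.io"
        out.append(entry)
    return out


def render_rbac(roles):
    """Return the list of RBAC manifests (dicts) for a control:role pillar."""
    manifests = []
    for role_name, role in sorted(roles.items()):
        role_kind = role.get("kind", "Role")
        if "rules" in role:
            manifests.append({"apiVersion": RBAC_API, "kind": role_kind,
                              "metadata": {"name": role_name}, "rules": role["rules"]})
        for b_name, binding in sorted(role.get("binding", {}).items()):
            namespace = binding.get("namespace")
            kind = binding.get("kind") or ("RoleBinding" if namespace else "ClusterRoleBinding")
            metadata = {"name": b_name}
            if kind == "RoleBinding":
                metadata["namespace"] = namespace
            manifests.append({
                "apiVersion": RBAC_API, "kind": kind, "metadata": metadata,
                "subjects": _subjects(binding, namespace),
                "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                            "kind": role_kind, "name": role_name},
            })
    return manifests


def wildcard_rules(manifests):
    """Review helper: (role name, resources) for every rule granting '*' verbs
    or '*' resources, the rules to justify before applying a ClusterRole."""
    hits = []
    for m in manifests:
        for rule in m.get("rules", []):
            if "*" in rule.get("verbs", []) or "*" in rule.get("resources", []):
                hits.append((m["metadata"]["name"], rule["resources"]))
    return hits


if __name__ == "__main__":
    rendered = render_rbac(RBAC_PILLAR)
    print(json.dumps(rendered, indent=2))
    print("wildcard rules:", wildcard_rules(rendered))
```

Note that the page's own ``etcd-operator`` binding sets ``kind: ClusterRoleBinding`` together with a ``namespace``; in the rendering above the explicit kind wins and the namespace only scopes the ServiceAccount subject, which is the reading that keeps a cluster-wide binding cluster-wide.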
More Information
================

* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the GitHub issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit a pull request against the specific formula.

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net