==================
Kubernetes Formula
==================

Kubernetes is an open-source system for automating deployment, scaling, and
management of containerized applications. This formula deploys production
ready Kubernetes and generates Kubernetes manifests as well.

You can download the `kubectl` configuration and connect to your cluster. However,
keep in mind that `kubernetes_control_address` needs to be accessible from your computer:

.. code-block:: bash

    mkdir -p ~/.kube
    [ -f ~/.kube/config ] && cp -v ~/.kube/config ~/.kube/config-backup
    ssh cfg01 "sudo ssh ctl01 /etc/kubernetes/kubeconfig.sh" > ~/.kube/config
    kubectl get no


`cfg01` is the Salt master node and `ctl01` is one of the Kubernetes masters.

Sample Pillars
==============

**REQUIRED:** Define the images to use for hyperkube, the CNI plugins and calicoctl

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          hyperkube:
            image: gcr.io/google_containers/hyperkube:v1.6.5
        pool:
          network:
            calico:
              calicoctl_image: calico/ctl
              cni_image: calico/cni

Enable helm-tiller addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            helm:
              enabled: true

Enable calico-policy addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            calico_policy:
              enabled: true

Enable virtlet addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            virtlet:
              enabled: true
              namespace: kube-system
              image: mirantis/virtlet:v1.0.3

Enable netchecker addon

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            netchecker:
              enabled: true
        master:
          namespace:
            netchecker:
              enabled: true

Enable Kubernetes Federation control plane

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          federation:
            enabled: True
            name: federation
            namespace: federation-system
            source: https://dl.k8s.io/v1.6.6/kubernetes-client-linux-amd64.tar.gz
            hash: 94b2c9cd29981a8e150c187193bab0d8c0b6e906260f837367feff99860a6376
            service_type: NodePort
            dns_provider: coredns
            childclusters:
              - secondcluster.mydomain
              - thirdcluster.mydomain

Enable external DNS addon with CoreDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            coredns:
              enabled: True
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: coredns

Enable external DNS addon with Designate provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: designate
              designate_os_options:
                OS_AUTH_URL: https://keystone_auth_endpoint:5000
                OS_PROJECT_DOMAIN_NAME: default
                OS_USER_DOMAIN_NAME: default
                OS_PROJECT_NAME: admin
                OS_USERNAME: admin
                OS_PASSWORD: password
                OS_REGION_NAME: RegionOne

Enable external DNS addon with AWS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: aws
              aws_options:
                AWS_ACCESS_KEY_ID: XXXXXXXXXXXXXXXXXXXX
                AWS_SECRET_ACCESS_KEY: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

Enable external DNS addon with Google CloudDNS provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          addons:
            externaldns:
              enabled: True
              domain: company.mydomain
              provider: google
              google_options:
                key: ''
                project: default-123

The key should be exported from the Google Cloud console and processed with `cat key.json | tr -d '\n'`.

Enable OpenStack cloud provider

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          cloudprovider:
            enabled: True
            provider: openstack
            params:
              auth_url: https://openstack.mydomain:5000/v3
              username: nova
              password: nova
              region: RegionOne
              tenant_id: 4bce4162d8744c599e350099cfa22a0a
              domain_name: default
              subnet_id: 72407854-aca6-4cf1-b873-e9affb09484b
              lb_version: v2

Configure service verbosity

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          verbosity: 2
        pool:
          verbosity: 2

Set cluster name and domain

.. code-block:: yaml

    parameters:
      kubernetes:
        common:
          kubernetes_cluster_domain: mycluster.domain
          cluster_name: mycluster

Enable autoscaler for the dns addon. The poll period can be omitted.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
            autoscaler:
              enabled: true
              poll-period-seconds: 60


Pass additional parameters to daemons:

.. code-block:: yaml

    parameters:
      kubernetes:
        master:
          apiserver:
            daemon_opts:
              storage-backend: pigeon
          controller_manager:
            daemon_opts:
              log-dir: /dev/nulL
        pool:
          kubelet:
            daemon_opts:
              max-pods: "6"


Containers on pool nodes are defined in ``pool.service.local``:

.. code-block:: yaml

    parameters:
      kubernetes:
        pool:
          service:
            local:
              enabled: False
              service: libvirt
              cluster: openstack-compute
              namespace: default
              role: ${linux:system:name}
              type: LoadBalancer
              kind: Deployment
              apiVersion: extensions/v1beta1
              replicas: 1
              host_pid: True
              nodeSelector:
                - key: openstack
                  value: ${linux:system:name}
              hostNetwork: True
              container:
                libvirt-compute:
                  privileged: True
                  image: ${_param:docker_repository}/libvirt-compute
                  tag: ${_param:openstack_container_tag}

Master definition

.. code-block:: yaml

    kubernetes:
      common:
        cluster_name: cluster
        addons:
          dns:
            domain: cluster.local
            enabled: true
            replicas: 1
            server: 10.254.0.10
      master:
        admin:
          password: password
          username: admin
        apiserver:
          address: 10.0.175.100
          secure_port: 443
          insecure_address: 127.0.0.1
          insecure_port: 8080
        ca: kubernetes
        enabled: true
        etcd:
          host: 127.0.0.1
          members:
            - host: 10.0.175.100
              name: node040
          name: node040
          token: ca939ec9c2a17b0786f6d411fe019e9b
        kubelet:
          allow_privileged: true
        network:
          calico:
            enabled: true
        service_addresses: 10.254.0.0/16
        storage:
          engine: glusterfs
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
          port: 24007
        token:
          admin: DFvQ8GJ9JD4fKNfuyEddw3rjnFTkUKsv
          controller_manager: EreGh6AnWf8DxH8cYavB2zS029PUi7vx
          dns: RAFeVSE4UvsCz4gk3KYReuOI5jsZ1Xt3
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
          logging: MJkXKdbgqRmTHSa2ykTaOaMykgO6KcEf
          monitoring: hnsj0XqABgrSww7Nqo7UVTSZLJUt2XRd
          scheduler: HY1UUxEPpmjW4a1dDLGIANYQp1nZkLDk
        version: v1.2.4


    kubernetes:
      pool:
        address: 0.0.0.0
        allow_privileged: true
        ca: kubernetes
        cluster_dns: 10.254.0.10
        cluster_domain: cluster.local
        enabled: true
        kubelet:
          allow_privileged: true
          config: /etc/kubernetes/manifests
          frequency: 5s
        master:
          apiserver:
            members:
              - host: 10.0.175.100
          etcd:
            members:
              - host: 10.0.175.100
          host: 10.0.175.100
        network:
          calico:
            enabled: true
        token:
          kube_proxy: DFvQ8GelB7afH3wClC9romaMPhquyyEe
          kubelet: 7bN5hJ9JD4fKjnFTkUKsvVNfuyEddw3r
        version: v1.2.4


Enable basic, token and http authentication, disable ssl auth, create some
static users:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          basic:
            enabled: true
            user:
              jdoe:
                password: dummy
                groups:
                  - system:admin
          http:
            enabled: true
            header:
              user: X-Remote-User
              group: X-Remote-Group
          ssl:
            enabled: false
          token:
            enabled: true
            user:
              jdoe:
                token: dummytoken
                groups:
                  - system:admin

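As an added example (not the formula's own template), the following Python maps the ``auth`` pillar above onto the static credential files and flags that kube-apiserver of that era consumed, and lists what an operator should know about each choice. The file names, the uid column and the CA paths are assumptions.

```python
import csv
import io

# Constructed sample: the kubernetes:master:auth pillar fragment shown above.
AUTH_PILLAR = {
    "basic": {
        "enabled": True,
        "user": {"jdoe": {"password": "dummy", "groups": ["system:admin"]}},
    },
    "http": {
        "enabled": True,
        "header": {"user": "X-Remote-User", "group": "X-Remote-Group"},
    },
    "ssl": {"enabled": False},
    "token": {
        "enabled": True,
        "user": {"jdoe": {"token": "dummytoken", "groups": ["system:admin"]}},
    },
}


def static_auth_file(users, secret_key):
    """Render kube-apiserver's static credential file format, one line per user:
    <secret>,<user>,<uid>[,"<group1>,<group2>"]
    The uid column is set equal to the user name here (assumption; the
    formula's own template is not shown on the page)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for name, spec in sorted(users.items()):
        row = [spec[secret_key], name, name]
        groups = spec.get("groups", [])
        if groups:
            # csv quotes the field only when it holds a comma, which is
            # exactly the quoting the apiserver expects for multiple groups.
            row.append(",".join(groups))
        writer.writerow(row)
    return buf.getvalue()


def render_apiserver_auth(auth, conf_dir="/etc/kubernetes"):
    """Map the pillar to the files and apiserver flags it implies.
    File names and conf_dir are assumed paths, not the formula's."""
    files, flags = {}, []
    if auth.get("basic", {}).get("enabled"):
        files["basic_auth.csv"] = static_auth_file(auth["basic"]["user"], "password")
        flags.append(f"--basic-auth-file={conf_dir}/basic_auth.csv")
    if auth.get("token", {}).get("enabled"):
        files["known_tokens.csv"] = static_auth_file(auth["token"]["user"], "token")
        flags.append(f"--token-auth-file={conf_dir}/known_tokens.csv")
    if auth.get("http", {}).get("enabled"):
        header = auth["http"]["header"]
        flags.append(f"--requestheader-username-headers={header['user']}")
        flags.append(f"--requestheader-group-headers={header['group']}")
        # The apiserver only trusts these headers from a proxy whose client
        # certificate chains to this CA; the path is a placeholder.
        flags.append(f"--requestheader-client-ca-file={conf_dir}/ssl/front-proxy-ca.pem")
    if auth.get("ssl", {}).get("enabled"):
        flags.append(f"--client-ca-file={conf_dir}/ssl/ca-kubernetes.crt")
    return files, flags


def review_auth(auth):
    """Defender's checklist for this pillar: what an operator should know
    before shipping it."""
    findings = []
    if auth.get("basic", {}).get("enabled"):
        findings.append("basic auth: passwords are stored in clear text on the master")
    if auth.get("token", {}).get("enabled"):
        findings.append("static tokens: rotation requires an apiserver restart")
    if not auth.get("ssl", {}).get("enabled"):
        findings.append("ssl auth disabled: no client-certificate authentication")
    return findings


if __name__ == "__main__":
    files, flags = render_apiserver_auth(AUTH_PILLAR)
    for name, body in files.items():
        print(f"# {name}\n{body}")
    print(" ".join(flags))
    print("\n".join(review_auth(AUTH_PILLAR)))
```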
Kubernetes with OpenContrail network plugin
------------------------------------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          contrail_network_controller:
            enabled: true
            namespace: kube-system
            image: yashulyak/contrail-controller:latest
      master:
        network:
          opencontrail:
            enabled: true
            default_domain: default-domain
            default_project: default-domain:default-project
            public_network: default-domain:default-project:Public
            public_ip_range: 185.22.97.128/26
            private_ip_range: 10.150.0.0/16
            service_cluster_ip_range: 10.254.0.0/16
            network_label: name
            service_label: uses
            cluster_service: kube-system/default
            config:
              api:
                host: 10.0.170.70

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          opencontrail:
            enabled: true


The dashboard public IP must be configured when the Contrail network is used:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          public_ip: 1.1.1.1

Kubernetes control plane running in systemd
-------------------------------------------

By default kube-apiserver, kube-scheduler, kube-controller-manager, kube-proxy and etcd run in Docker containers through manifests. For a stable production environment they should run in systemd.

.. code-block:: yaml

    kubernetes:
      master:
        container: false

    kubernetes:
      pool:
        container: false

Because the k8s services run as the ``kube`` user without root privileges, the secure port for the apiserver needs to be changed.

.. code-block:: yaml

    kubernetes:
      master:
        apiserver:
          secure_port: 8081

Kubernetes with MetalLB
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          metallb:
            enabled: true
            addresses:
              - 172.16.10.150-172.16.10.180
              - 172.16.10.192/26

Kubernetes with SRIOV
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          sriov:
            enabled: true
            interface: eno2
            subnet: 10.55.208.0/24
            gateway: 10.55.208.1

Kubernetes with Flannel
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          flannel:
            enabled: true

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          flannel:
            enabled: true

Kubernetes with Calico
-----------------------

On Master:

.. code-block:: yaml

    kubernetes:
      master:
        network:
          calico:
            enabled: true
            mtu: 1500
            # If you don't register master as node:
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

On pools:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            mtu: 1500
            etcd:
              members:
                - host: 10.0.175.101
                  port: 4001
                - host: 10.0.175.102
                  port: 4001
                - host: 10.0.175.103
                  port: 4001

Running with secured etcd:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true
      master:
        network:
          calico:
            enabled: true
            etcd:
              ssl:
                enabled: true

Running with calico-policy controller:

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            enabled: true
        addons:
          calico_policy:
            enabled: true

      master:
        network:
          calico:
            enabled: true
        addons:
          calico_policy:
            enabled: true



Enable Prometheus metrics in Felix

.. code-block:: yaml

    kubernetes:
      pool:
        network:
          calico:
            prometheus:
              enabled: true
      master:
        network:
          calico:
            prometheus:
              enabled: true

Post deployment configuration

.. code-block:: bash

    # set ETCD
    export ETCD_AUTHORITY=10.0.111.201:4001

    # Set NAT for pods subnet
    calicoctl pool add 192.168.0.0/16 --nat-outgoing

    # Status commands
    calicoctl status
    calicoctl node show

Kubernetes with GlusterFS for storage
---------------------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        storage:
          engine: glusterfs
          port: 24007
          members:
            - host: 10.0.175.101
              port: 24007
            - host: 10.0.175.102
              port: 24007
            - host: 10.0.175.103
              port: 24007
        ...

Kubernetes Storage Class
------------------------

AWS EBS storage class integration. It also requires creating an IAM policy and instance profiles, and tagging all EC2 resources with ``KubernetesCluster``.

.. code-block:: yaml

    kubernetes:
      common:
        addons:
          storageclass:
            aws_slow:
              enabled: True
              default: True
              provisioner: aws-ebs
              name: slow
              type: gp2
              iopspergb: "10"
              zones: xxx
            nfs_shared:
              name: elasti01
              enabled: True
              provisioner: nfs
              spec:
                name: elastic_data
                nfs:
                  server: 10.0.0.1
                  path: /exported_path

Kubernetes namespaces
---------------------

Create namespace:

.. code-block:: yaml

    kubernetes:
      master:
        ...
        namespace:
          kube-system:
            enabled: True
          namespace2:
            enabled: True
          namespace3:
            enabled: False
        ...

Kubernetes labels
-----------------

Label node:

.. code-block:: yaml

    kubernetes:
      master:
        label:
          label01:
            value: value01
            node: node01
            enabled: true
            key: key01
        ...

Pull images from private registries
-----------------------------------

.. code-block:: yaml

    kubernetes:
      master:
        ...
        registry:
          secret:
            registry01:
              enabled: True
              key: (get from `cat /root/.docker/config.json | base64`)
              namespace: default
        ...
      control:
        ...
        service:
          service01:
            ...
            image_pull_secretes: registry01
        ...

Kubernetes Service Definitions in pillars
==========================================

The following samples show how to generate Kubernetes manifests as well, providing a single tool for complete infrastructure management.

Deployment manifest
---------------------

.. code-block:: yaml

    salt:
      control:
        enabled: True
        hostNetwork: True
        service:
          memcached:
            privileged: True
            service: memcached
            role: server
            type: LoadBalancer
            replicas: 3
            kind: Deployment
            apiVersion: extensions/v1beta1
            ports:
              - port: 8774
                name: nova-api
              - port: 8775
                name: nova-metadata
            volume:
              volume_name:
                type: hostPath
                mount: /certs
                path: /etc/certs
            container:
              memcached:
                image: memcached
                tag: 2
                ports:
                  - port: 8774
                    name: nova-api
                  - port: 8775
                    name: nova-metadata
                variables:
                  - name: HTTP_TLS_CERTIFICATE
                    value: /certs/domain.crt
                  - name: HTTP_TLS_KEY
                    value: /certs/domain.key
                volumes:
                  - name: /etc/certs
                    type: hostPath
                    mount: /certs
                    path: /etc/certs

PetSet manifest
---------------------

.. code-block:: yaml

    service:
      memcached:
        apiVersion: apps/v1alpha1
        kind: PetSet
        service_name: 'memcached'
        container:
          memcached:
            ...


Configmap
---------

You are able to create configmaps using the support layer between formulas.
It works simply: e.g. in the nova formula there is a file ``meta/config.yml`` which
defines the config files used by that service and its roles.

The Kubernetes formula is able to generate these files using a custom pillar and
grains structure. This way you are able to run docker images built in any way
while still re-using your configuration management.

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        config_type: default|kubernetes # Output is k8s yaml or default single files
        configmap:
          nova-control:
            grains:
              # Alternate grains as OS running in container may differ from
              # salt minion OS. Needed only if grains matter for config
              # generation.
              os_family: Debian
            pillar:
              # Generic pillar for nova controller
              nova:
                controller:
                  enabled: true
                  version: liberty
                  ...

To tell which services support config generation, you need to ensure a pillar
structure like this:

.. code-block:: yaml

    nova:
      _support:
        config:
          enabled: true

initContainers
--------------

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            init_containers:
              - name: test-mysql
                image: busybox
                command:
                  - sleep
                  - "3600"
                volumes:
                  - name: config
                    mount: /test
              - name: test-memcached
                image: busybox
                command:
                  - sleep
                  - "3600"
                volumes:
                  - name: config
                    mount: /test

Affinity
--------

podAffinity
===========

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              pod_affinity:
                name: podAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: memcached
                topology_key: kubernetes.io/hostname

podAntiAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              anti_affinity:
                name: podAntiAffinity
                expression:
                  label_selector:
                    name: labelSelector
                    selectors:
                      - key: app
                        value: opencontrail-control
                topology_key: kubernetes.io/hostname

nodeAffinity
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        service:
          memcached:
            affinity:
              node_affinity:
                name: nodeAffinity
                expression:
                  match_expressions:
                    name: matchExpressions
                    selectors:
                      - key: key
                        operator: In
                        values:
                          - value1
                          - value2

Volumes
-------

hostPath
==========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: hostPath
            path: /etc/certs

emptyDir
========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            name: /etc/certs
            type: emptyDir

configMap
=========

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume
                readOnly: True
        ...
        volume:
          volume1:
            type: config_map
            item:
              configMap1:
                key: config.conf
                path: config.conf
              configMap2:
                key: policy.json
                path: policy.json

To mount a single configuration file instead of the whole directory:

.. code-block:: yaml

    service:
      memcached:
        container:
          memcached:
            volumes:
              - name: volume1
                mountPath: /volume/config.conf
                sub_path: config.conf

Generating Jobs
===============

Example pillar:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          sleep:
            job: sleep
            restart_policy: Never
            container:
              sleep:
                image: busybox
                tag: latest
                command:
                  - sleep
                  - "3600"

Volumes and variables can be used in the same way as during Deployment generation.

Custom params:

.. code-block:: yaml

    kubernetes:
      control:
        job:
          host_network: True
          host_pid: True
          container:
            sleep:
              privileged: True
          node_selector:
            key: node
            value: one
          image_pull_secretes: password

Role-based access control
=========================

To enable RBAC, you need to set the following option on your apiserver:

.. code-block:: yaml

    kubernetes:
      master:
        auth:
          mode: Node,RBAC

Then you can use the ``kubernetes.control.role`` state to orchestrate roles and
rolebindings. The following example shows how to create a brand new role and binding
for a service account:

.. code-block:: yaml

    control:
      role:
        etcd-operator:
          kind: ClusterRole
          rules:
            - apiGroups:
                - etcd.coreos.com
              resources:
                - clusters
              verbs:
                - "*"
            - apiGroups:
                - extensions
              resources:
                - thirdpartyresources
              verbs:
                - create
            - apiGroups:
                - storage.k8s.io
              resources:
                - storageclasses
              verbs:
                - create
            - apiGroups:
                - ""
              resources:
                - replicasets
              verbs:
                - "*"
          binding:
            etcd-operator:
              kind: ClusterRoleBinding
              namespace: test # <-- if no namespace, then it's clusterrolebinding
              subject:
                etcd-operator:
                  kind: ServiceAccount

Simplest possible use-case, add user test edit permissions on its test
namespace:

.. code-block:: yaml

    kubernetes:
      control:
        role:
          edit:
            kind: ClusterRole
            # No rules defined, so only binding will be created assuming role
            # already exists
            binding:
              test:
                namespace: test
                subject:
                  test:
                    kind: User

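As an added example (not the formula's ``kubernetes.control.role`` state itself), the Python below renders the two pillars above into RBAC manifests, applying the two rules the section states: a binding with a namespace becomes a RoleBinding and one without becomes a ClusterRoleBinding, and a role with no rules yields only its binding. It then lints the result for cluster-wide wildcard grants. The ``render_rbac``/``lint_rbac`` names and the subject namespace handling are assumptions.

```python
# Constructed sample: the two pillar fragments from this section, with the
# etcd-operator rules trimmed to two entries.
RBAC_PILLAR = {
    "role": {
        "etcd-operator": {
            "kind": "ClusterRole",
            "rules": [
                {"apiGroups": ["etcd.coreos.com"], "resources": ["clusters"], "verbs": ["*"]},
                {"apiGroups": [""], "resources": ["replicasets"], "verbs": ["*"]},
            ],
            "binding": {
                "etcd-operator": {
                    "kind": "ClusterRoleBinding",
                    "namespace": "test",
                    "subject": {"etcd-operator": {"kind": "ServiceAccount"}},
                }
            },
        },
        "edit": {
            "kind": "ClusterRole",  # no rules: only the binding is rendered
            "binding": {"test": {"namespace": "test", "subject": {"test": {"kind": "User"}}}},
        },
    }
}

RBAC_API = "rbac.authorization.k8s.io"


def render_rbac(control):
    """Turn the pillar into Kubernetes RBAC manifests (as dicts)."""
    manifests = []
    for role_name, role in control["role"].items():
        role_kind = role.get("kind", "Role")
        if role.get("rules"):  # a role without rules is assumed to pre-exist
            manifests.append({"apiVersion": f"{RBAC_API}/v1", "kind": role_kind,
                              "metadata": {"name": role_name}, "rules": role["rules"]})
        for bind_name, binding in role.get("binding", {}).items():
            namespace = binding.get("namespace")
            # Explicit kind wins; otherwise a namespace makes it a RoleBinding
            # and no namespace makes it a ClusterRoleBinding.
            kind = binding.get("kind") or ("RoleBinding" if namespace else "ClusterRoleBinding")
            metadata = {"name": bind_name}
            if kind == "RoleBinding":
                metadata["namespace"] = namespace
            subjects = []
            for subj_name, subj in binding["subject"].items():
                entry = {"kind": subj["kind"], "name": subj_name}
                if subj["kind"] == "ServiceAccount":
                    entry["namespace"] = namespace or "default"  # assumed default
                else:
                    entry["apiGroup"] = RBAC_API
                subjects.append(entry)
            manifests.append({"apiVersion": f"{RBAC_API}/v1", "kind": kind, "metadata": metadata,
                              "subjects": subjects,
                              "roleRef": {"apiGroup": RBAC_API, "kind": role_kind, "name": role_name}})
    return manifests


def lint_rbac(manifests):
    """Flag cluster-wide bindings that hand out wildcard verbs, and bindings
    whose role is not defined in the same pillar (so its scope is unknown)."""
    roles = {(m["kind"], m["metadata"]["name"]): m
             for m in manifests if m["kind"] in ("Role", "ClusterRole")}
    findings = []
    for m in manifests:
        if m["kind"] != "ClusterRoleBinding":
            continue
        ref, name = m["roleRef"], m["metadata"]["name"]
        role = roles.get((ref["kind"], ref["name"]))
        if role is None:
            findings.append(f"{name}: binds {ref['kind']} {ref['name']} that this pillar does not define")
        elif any("*" in rule.get("verbs", []) for rule in role["rules"]):
            findings.append(f"{name}: grants wildcard verbs cluster-wide through {ref['name']}")
    return findings


if __name__ == "__main__":
    import json
    manifests = render_rbac(RBAC_PILLAR)
    print(json.dumps(manifests, indent=2))
    print("\n".join(lint_rbac(manifests)))
```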
More Information
================

* https://github.com/Juniper/kubernetes/blob/opencontrail-integration/docs/getting-started-guides/opencontrail.md
* https://github.com/kubernetes/kubernetes/tree/master/cluster/saltbase


Documentation and Bugs
======================

To learn how to install and update salt-formulas, consult the documentation
available online at:

    http://salt-formulas.readthedocs.io/

In the unfortunate event that bugs are discovered, they should be reported to
the appropriate issue tracker. Use the Github issue tracker for the specific salt
formula:

    https://github.com/salt-formulas/salt-formula-kubernetes/issues

For feature requests, bug reports or blueprints affecting the entire ecosystem,
use the Launchpad salt-formulas project:

    https://launchpad.net/salt-formulas

You can also join the salt-formulas-users team and subscribe to the mailing list:

    https://launchpad.net/~salt-formulas-users

Developers wishing to work on the salt-formulas projects should always base
their work on the master branch and submit pull requests against the specific formula.

    https://github.com/salt-formulas/salt-formula-kubernetes

Any questions or feedback are always welcome, so feel free to join our IRC
channel:

    #salt-formulas @ irc.freenode.net