openstack-helm-infra/calico/templates/daemonset-calico-node.yaml
Doug Aaser 200b5e902b Run Calico containers as unprivileged
These changes aim to remove blanket privileges from Calico and replace them
with the default pod privileges granted by Docker plus the few extended
privileges that Calico needs

Change-Id: I1342ef02086877bc69f752403a33278c9670ed86
2019-03-26 16:59:44 +00:00


{{/*
Copyright 2017 The Openstack-Helm Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/}}
{{- if .Values.manifests.daemonset_calico_node }}
{{- $envAll := . }}
{{/* Robustness, Calico 3.x wants things as Titlecase; this causes pain */}}
{{/* Note that `title` only upper-cases the first letter of each word (e.g.
     "crossSubnet" -> "CrossSubnet"); any other casing present in values is
     passed through unchanged. */}}
{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_IPIP" (title .Values.conf.node.CALICO_IPV4POOL_IPIP ) -}}
{{- $_ := set .Values.conf.node "CALICO_STARTUP_LOGLEVEL" (title .Values.conf.node.CALICO_STARTUP_LOGLEVEL ) -}}
{{- $_ := set .Values.conf.node "FELIX_LOGSEVERITYSCREEN" (title .Values.conf.node.FELIX_LOGSEVERITYSCREEN ) -}}
{{/* If using tunnels, and FELIX_IPINIPMTU is not set, make it 20 less than the physical to account for IPIP overhead */}}
{{/* The "Never" comparison depends on the title-casing done above, so keep this after it. */}}
{{- if empty .Values.conf.node.FELIX_IPINIPMTU -}}
{{- if ne .Values.conf.node.CALICO_IPV4POOL_IPIP "Never" -}}
{{- $_ := set .Values.conf.node "FELIX_IPINIPMTU" (sub .Values.networking.mtu 20) -}}
# Setting tunnel MTU to {{ .Values.conf.node.FELIX_IPINIPMTU }}
{{- end -}}
{{- end -}}
{{/* CNI_MTU is >= than the IPIP mtu, usually the physical MTU of the system */}}
{{- if empty .Values.conf.node.CNI_MTU -}}
{{- $_ := set .Values.conf.node "CNI_MTU" .Values.networking.mtu -}}
{{- end -}}
{{/* Default the IPv4 pool to the cluster pod subnet when not set explicitly. */}}
{{- if empty .Values.conf.node.CALICO_IPV4POOL_CIDR -}}
{{- $_ := set .Values.conf.node "CALICO_IPV4POOL_CIDR" .Values.networking.podSubnet -}}
{{- end -}}
{{- $serviceAccountName := "calico-node" }}
{{/* ServiceAccount every container of the DaemonSet runs as, together with
     whatever RBAC the toolkit snippet attaches to it; the cluster-scoped
     ClusterRole/ClusterRoleBinding follow in the next documents. */}}
{{ tuple $envAll "calico_node" $serviceAccountName | include "helm-toolkit.snippets.kubernetes_pod_rbac_serviceaccount" }}
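---
# Binds the calico-node ClusterRole (next document) to the calico-node
# ServiceAccount created by the kubernetes_pod_rbac_serviceaccount snippet
# above.
#
# rbac.authorization.k8s.io/v1 has been GA since Kubernetes 1.8; the DaemonSet
# below already requires apps/v1 (1.9+), and v1beta1 is removed in 1.22.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: calico-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # Must match the ClusterRole's metadata.name, which is rendered from the
  # same variable.
  name: {{ $serviceAccountName }}
subjects:
  - kind: ServiceAccount
    name: {{ $serviceAccountName }}
    namespace: {{ .Release.Namespace }}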
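---
# Cluster-scoped, read-only access for calico-node. This chart points Calico
# at etcd (see ETCD_ENDPOINTS below), so no write verbs on Kubernetes objects
# appear to be needed here; keep it that way unless a datastore change
# demands more.
#
# rbac.authorization.k8s.io/v1 has been GA since Kubernetes 1.8; the DaemonSet
# below already requires apps/v1 (1.9+), and v1beta1 is removed in 1.22.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: {{ $serviceAccountName }}
rules:
  - apiGroups:
      - ""
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  # Presumably used by the toolkit's entrypoint init container to wait on
  # dependency jobs -- confirm against the dependencies in values.yaml.
  - apiGroups:
      - batch
    resources:
      - jobs
    verbs:
      - get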
---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
#
# Privilege model: nothing here sets privileged=true; calico-node adds only
# the two capabilities listed in its securityContext. The pod still runs with
# hostNetwork and several writable hostPath volumes, so treat it as a
# host-level workload when reviewing who may create or edit pods in this
# namespace.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calico-node
  annotations:
    {{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" }}
  labels:
    k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 4 }}
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 6 }}
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
{{ tuple $envAll "calico" "node" | include "helm-toolkit.snippets.kubernetes_metadata_labels" | indent 8 }}
      annotations:
{{ tuple $envAll | include "helm-toolkit.snippets.release_uuid" | indent 8 }}
        # Hashes of the rendered configmaps, so a config change rolls the pods.
        configmap-etc-hash: {{ tuple "configmap-etc.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-bin-hash: {{ tuple "configmap-bin.yaml" . | include "helm-toolkit.utils.hash" }}
        configmap-bird-hash: {{ tuple "configmap-bird.yaml" . | include "helm-toolkit.utils.hash" }}
        # This, along with the CriticalAddonsOnly toleration below,
        # marks the pod as a critical add-on, ensuring it gets
        # priority scheduling and that its resources are reserved
        # if it ever gets evicted.
        # NOTE(review): this alpha annotation is deprecated upstream in favour
        # of spec.priorityClassName (system-node-critical); check the target
        # Kubernetes versions before relying on it.
        scheduler.alpha.kubernetes.io/critical-pod: ''
        # Mandatory-access-control (e.g. AppArmor) profile annotation for the
        # calico-node container; which profile is applied comes from values.
{{ dict "envAll" $envAll "podName" "calico-node" "containerNames" (list "calico-node") | include "helm-toolkit.snippets.kubernetes_mandatory_access_control_annotation" | indent 8 }}
{{- if .Values.monitoring.prometheus.enabled }}
{{- $prometheus_annotations := $envAll.Values.monitoring.prometheus.calico_node }}
{{ tuple $prometheus_annotations | include "helm-toolkit.snippets.prometheus_pod_annotations" | indent 8 }}
{{- end }}
    spec:
      # NOTE(review): readOnlyRootFilesystem is a field of the per-container
      # SecurityContext, not of PodSecurityContext, so at this level it has no
      # effect (lenient API servers drop the unknown field; strict field
      # validation rejects the manifest). The fix is to set it under each
      # container's securityContext, after confirming which paths calico-node
      # writes at runtime -- only /var/run/calico and /var/lib/calico get
      # writable mounts below.
      securityContext:
        readOnlyRootFilesystem: true
      nodeSelector:
        beta.kubernetes.io/os: linux
      # calico-node programs routes and policy on the host itself, hence the
      # host network namespace.
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: {{ $serviceAccountName }}
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      initContainers:
{{ tuple $envAll "calico_node" list | include "helm-toolkit.snippets.kubernetes_entrypoint_init_container" | indent 8 }}
{{ if .Values.manifests.daemonset_calico_node_calicoctl }}
        # Optional: runs install-calicoctl.sh from the calico-bin configmap
        # with writable hostPath mounts of /etc/calico and /opt/cni/bin,
        # presumably to place calicoctl and its etcd config on the host.
        - name: install-calicoctl
{{ tuple $envAll "calico_ctl" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_ctl | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          command:
            - /tmp/install-calicoctl.sh
          env:
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-etc
                  key: etcd_endpoints
            # NOTE(review): each etcd credential is handed to this container
            # twice -- as a file (volumeMounts below) and as the Secret's raw
            # contents in an environment variable. Environment variables are
            # readable by every process in the container and inherited by
            # child processes; if install-calicoctl.sh can work from the
            # *_FILE paths alone, the ETCD_CA_CERT / ETCD_CERT / ETCD_KEY
            # variables should be dropped.
{{ if .Values.endpoints.etcd.auth.client.tls.ca }}
            - name: ETCD_CA_CERT_FILE
              value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
            - name: ETCD_CA_CERT
              valueFrom:
                secretKeyRef:
                  name: calico-etcd-secrets
                  key: tls.ca
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key }}
            - name: ETCD_KEY_FILE
              value: {{ .Values.endpoints.etcd.auth.client.path.key }}
            - name: ETCD_KEY
              valueFrom:
                secretKeyRef:
                  name: calico-etcd-secrets
                  key: tls.key
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt }}
            - name: ETCD_CERT_FILE
              value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
            - name: ETCD_CERT
              valueFrom:
                secretKeyRef:
                  name: calico-etcd-secrets
                  key: tls.crt
{{ end }}
          volumeMounts:
            - mountPath: /host/etc/calico
              name: calico-cert-dir
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /tmp/install-calicoctl.sh
              name: calico-bin
              subPath: install-calicoctl.sh
            - name: calico-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
              subPath: tls.ca
              readOnly: true
            - name: calico-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
              subPath: tls.crt
              readOnly: true
            - name: calico-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
              subPath: tls.key
              readOnly: true
{{ end }}
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
{{ tuple $envAll "calico_cni" | include "helm-toolkit.snippets.image" | indent 10 }}
          command: ["/install-cni.sh"]
          env:
            # Prevents the container from sleeping forever.
            - name: SLEEP
              value: "false"
            # Name of the CNI config file to create.
            #
            # NOTE: Calico v3 needs to end in .conflist; Calico v2 is
            # different!
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-etc
                  key: etcd_endpoints
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-etc
                  key: cni_network_config
          volumeMounts:
            # Both host directories are written to (binaries and config).
            - name: cni-bin-dir
              mountPath: /host/opt/cni/bin
            - name: cni-net-dir
              mountPath: /host/etc/cni/net.d
            # NOTE(review): these mounts are gated on conf.etcd.credentials.*
            # and read the keys etcd.ca / etcd.crt / etcd.key, whereas the
            # other containers gate on endpoints.etcd.auth.client.tls.* and
            # read tls.ca / tls.crt / tls.key from the same Secret. Confirm
            # the Secret really carries both key sets, or unify the naming.
{{ if .Values.conf.etcd.credentials.ca }}
            - name: calico-etcd-secrets
              mountPath: /calico-secrets/etcd-ca
              subPath: etcd.ca
              readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.certificate }}
            - name: calico-etcd-secrets
              mountPath: /calico-secrets/etcd-cert
              subPath: etcd.crt
              readOnly: true
{{ end }}
{{ if .Values.conf.etcd.credentials.key }}
            - name: calico-etcd-secrets
              mountPath: /calico-secrets/etcd-key
              subPath: etcd.key
              readOnly: true
{{ end }}
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        # iptables lock shared with the host; created on the host if absent.
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        - name: calico-cert-dir
          hostPath:
            path: /etc/calico
        # defaultMode values are YAML 1.1 octal literals (0444 == 292,
        # 0555 == 365): read-only for config, executable for the scripts.
        - name: calico-etc
          configMap:
            name: calico-etc
            defaultMode: 0444
        - name: calico-bird
          configMap:
            name: calico-bird
            defaultMode: 0444
        - name: calico-bin
          configMap:
            name: calico-bin
            defaultMode: 0555
        # etcd client CA/cert/key. Which keys each container expects differs;
        # see the NOTE on the install-cni mounts above.
        - name: calico-etcd-secrets
          secret:
            secretName: calico-etcd-secrets
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
{{ tuple $envAll "calico_node" | include "helm-toolkit.snippets.image" | indent 10 }}
{{ tuple $envAll $envAll.Values.pod.resources.calico_node | include "helm-toolkit.snippets.kubernetes_resources" | indent 10 }}
          env:
            # Values expanded explicitly from conf.node (some of which
            # might be derived from elsewhere, see values.yaml for an
            # explanation of this)
            #
{{ include "helm-toolkit.utils.to_k8s_env_vars" .Values.conf.node | indent 12 }}
            # Values explicit in the chart not expected to be found in
            # conf.node
            #
            # The location of the Calico etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-etc
                  key: etcd_endpoints
            # etcd certs: only file paths here; the key material itself
            # arrives through the read-only Secret mounts below.
{{ if .Values.endpoints.etcd.auth.client.tls.ca }}
            - name: ETCD_CA_CERT_FILE
              value: {{ .Values.endpoints.etcd.auth.client.path.ca }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.key }}
            - name: ETCD_KEY_FILE
              value: {{ .Values.endpoints.etcd.auth.client.path.key }}
{{ end }}
{{ if .Values.endpoints.etcd.auth.client.tls.crt }}
            - name: ETCD_CERT_FILE
              value: {{ .Values.endpoints.etcd.auth.client.path.crt }}
{{ end }}
            # Set noderef for node controller.
            - name: CALICO_K8S_NODE_REF
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          # Not privileged: only these two capabilities are added on top of
          # the container runtime's defaults. NET_ADMIN covers the interface,
          # route and iptables programming; SYS_ADMIN is far broader (mounts,
          # namespaces, ...) and, together with hostNetwork and the hostPath
          # mounts below, keeps this container close to host root -- keep the
          # MAC profile annotation above applied and do not widen this list
          # without a concrete need.
          securityContext:
            capabilities:
              add:
                - 'NET_ADMIN'
                - 'SYS_ADMIN'
          # NOTE(review): the kubernetes_resources snippet above appears to
          # render a `resources:` block for this container as well (when
          # pod.resources is enabled), which makes this a duplicate mapping
          # key -- invalid YAML that most parsers resolve silently by keeping
          # one of the two. Keep a single source of truth for the request.
          resources:
            requests:
              cpu: 250m
          # calico-node health endpoint on port 9099; reachable via the host
          # loopback because the pod runs with hostNetwork.
          livenessProbe:
            httpGet:
              path: /liveness
              port: 9099
              host: localhost
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
          # Only for Calico v3
          readinessProbe:
            exec:
              command:
                - /bin/calico-node
                - -bird-ready
                - -felix-ready
            periodSeconds: 10
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            # Writable: shared iptables lock.
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            # Writable: calico runtime state.
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            # bird template replacements
            # bird cfg
            - mountPath: /etc/calico/confd/templates/bird.cfg.template
              name: calico-bird
              subPath: bird.cfg.template
            # bird ipam
            - mountPath: /etc/calico/confd/templates/bird_ipam.cfg.template
              name: calico-bird
              subPath: bird_ipam.cfg.template
            # bird6 cfg
            - mountPath: /etc/calico/confd/templates/bird6.cfg.template
              name: calico-bird
              subPath: bird6.cfg.template
            # bird6 ipam
            - mountPath: /etc/calico/confd/templates/bird6_ipam.cfg.template
              name: calico-bird
              subPath: bird6_ipam.cfg.template
            # Writable: persistent calico state.
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            # etcd secrets
            # NOTE(review): unlike the *_FILE env vars above, these three
            # mounts are unconditional, so the Secret presumably has to carry
            # tls.ca, tls.crt and tls.key (even if empty) for the pod to start.
            - name: calico-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.ca }}
              subPath: tls.ca
              readOnly: true
            - name: calico-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.crt }}
              subPath: tls.crt
              readOnly: true
            - name: calico-etcd-secrets
              mountPath: {{ .Values.endpoints.etcd.auth.client.path.key }}
              subPath: tls.key
              readOnly: true
{{- end }}