diff --git a/build/common.sh b/build/common.sh
index 5353c6fc8f2..9809b9064f8 100755
--- a/build/common.sh
+++ b/build/common.sh
@@ -173,7 +173,7 @@ function kube::build::docker_available_on_osx() {
 kube::log::status "Using Docker for MacOS"
 return 0
 fi
-
+ kube::log::status "No docker host is set. Checking options for setting one..."
 if [[ -z "$(which docker-machine)" && -z "$(which boot2docker)" ]]; then
 kube::log::status "It looks like you're running Mac OS X, yet none of Docker for Mac, docker-machine or boot2docker are on the path."
diff --git a/cluster/addons/calico-policy-controller/MAINTAINERS.md b/cluster/addons/calico-policy-controller/MAINTAINERS.md
new file mode 100644
index 00000000000..cd7d55d6518
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/MAINTAINERS.md
@@ -0,0 +1,6 @@
+# Maintainers
+
+Matt Dupre , Casey Davenport and committers to the https://github.com/projectcalico/k8s-policy repository.
+
+
+[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/calico-policy-controller/MAINTAINERS.md?pixel)]()
diff --git a/cluster/addons/calico-policy-controller/README.md b/cluster/addons/calico-policy-controller/README.md
new file mode 100644
index 00000000000..473899338ab
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/README.md
@@ -0,0 +1,11 @@
+# Calico Policy Controller
+==============
+
+Calico Policy Controller is an implementation of the Kubernetes network policy API.
+
+Learn more at:
+- https://github.com/projectcalico/k8s-policy
+- http://kubernetes.io/docs/user-guide/networkpolicies/
+
+
+[![Analytics](https://kubernetes-site.appspot.com/UA-36037335-10/GitHub/cluster/addons/calico-policy-controller/README.md?pixel)]()
diff --git a/cluster/addons/calico-policy-controller/calico-etcd-petset.yaml b/cluster/addons/calico-policy-controller/calico-etcd-petset.yaml
new file mode 100644
index 00000000000..33cefee377b
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/calico-etcd-petset.yaml
@@ -0,0 +1,43 @@
+apiVersion: "apps/v1alpha1"
+kind: PetSet
+metadata:
+ name: calico-etcd
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ k8s-app: calico-etcd
+spec:
+ serviceName: calico-etcd
+ replicas: 1
+ template:
+ metadata:
+ annotations:
+ pod.alpha.kubernetes.io/initialized: "true"
+ labels:
+ kubernetes.io/cluster-service: "true"
+ k8s-app: calico-etcd
+ spec:
+ hostNetwork: true
+ containers:
+ - name: calico-etcd
+ image: gcr.io/google_containers/etcd:2.2.1
+ env:
+ - name: CALICO_ETCD_IP
+ valueFrom:
+ fieldRef:
+ fieldPath: status.podIP
+ command: ["/bin/sh","-c"]
+ args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
+ volumeMounts:
+ - name: var-etcd
+ mountPath: /var/etcd
+ volumeClaimTemplates:
+ - metadata:
+ name: var-etcd
+ annotations:
+ volume.alpha.kubernetes.io/storage-class: anything
+ spec:
+ accessModes: [ "ReadWriteOnce" ]
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/cluster/addons/calico-policy-controller/calico-etcd-service.yaml b/cluster/addons/calico-policy-controller/calico-etcd-service.yaml
new file mode 100644
index 00000000000..7b9e6e18ba0
--- /dev/null
+++ b/cluster/addons/calico-policy-controller/calico-etcd-service.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ k8s-app: calico-etcd
+ kubernetes.io/cluster-service: "true"
+ name: calico-etcd
+ namespace: kube-system
+spec:
+ clusterIP: 10.0.0.17
+ ports:
+ - port: 6666
+ selector:
+ k8s-app: calico-etcd
diff --git a/cluster/addons/calico-policy-controller/calico-policy-controller.yaml b/cluster/addons/calico-policy-controller/calico-policy-controller.yaml
new file mode 100644
index 00000000000..68d93f87e64
--- /dev/null
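Review bot: The etcd in `args:` is started with `--listen-client-urls=http://0.0.0.0:6666` and no client authentication or TLS, and with `hostNetwork: true` that listener is bound on the node's own interfaces, so anything that can reach the node on 6666 can read and rewrite the policy store that calico-node, the CNI plugin and the policy controller all trust. The `--listen-peer-urls=http://0.0.0.0:6667` listener serves nothing for a single-member cluster (`replicas: 1`) and can be dropped. Whatever exposure is kept should be stated in a comment above `args:`, e.g. `# Unauthenticated, plaintext etcd on the node network: protection relies on the cluster firewall; consumers reach it via the clusterIP in calico-etcd-service.yaml`. The pet also has no resource requests or limits, which matters for a store that shares the host's network namespace.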
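Review bot: `clusterIP: 10.0.0.17` is a fixed address that is only valid when the cluster's service range contains it; on a cluster with a different SERVICE_CLUSTER_IP_RANGE the Service is rejected, and every consumer that hard-codes the same literal — `ETCD_ENDPOINTS` in calico-policy-controller.yaml and calico-node.manifest, `etcd_authority` in 10-calico.conf — then points at nothing. If the pin is intentional so that the host-side CNI plugin has a name-free endpoint, a comment on the Service should say so, e.g. `# Fixed clusterIP: must lie inside SERVICE_CLUSTER_IP_RANGE; referenced verbatim by 10-calico.conf, calico-node.manifest and calico-policy-controller.yaml`, so the four copies are changed together.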
+++ b/cluster/addons/calico-policy-controller/calico-policy-controller.yaml
@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ReplicationController
+metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ k8s-app: calico-policy
+ kubernetes.io/cluster-service: "true"
+spec:
+ replicas: 1
+ selector:
+ k8s-app: calico-policy
+ template:
+ metadata:
+ name: calico-policy-controller
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ k8s-app: calico-policy
+ spec:
+ hostNetwork: true
+ containers:
+ - name: calico-policy-controller
+ image: calico/kube-policy-controller:v0.2.0
+ env:
+ - name: ETCD_ENDPOINTS
+ value: "http://10.0.0.17:6666"
+ - name: K8S_API
+ value: "https://kubernetes.default:443"
+ - name: CONFIGURE_ETC_HOSTS
+ value: "true"
diff --git a/cluster/common.sh b/cluster/common.sh
index abc6701b0b4..c780336486f 100755
--- a/cluster/common.sh
+++ b/cluster/common.sh
@@ -555,6 +555,7 @@ CA_CERT: $(yaml-quote ${CA_CERT_BASE64:-})
 KUBELET_CERT: $(yaml-quote ${KUBELET_CERT_BASE64:-})
 KUBELET_KEY: $(yaml-quote ${KUBELET_KEY_BASE64:-})
 NETWORK_PROVIDER: $(yaml-quote ${NETWORK_PROVIDER:-})
+NETWORK_POLICY_PROVIDER: $(yaml-quote ${NETWORK_POLICY_PROVIDER:-})
 PREPULL_E2E_IMAGES: $(yaml-quote ${PREPULL_E2E_IMAGES:-})
 HAIRPIN_MODE: $(yaml-quote ${HAIRPIN_MODE:-})
 OPENCONTRAIL_TAG: $(yaml-quote ${OPENCONTRAIL_TAG:-})
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index 12226574fbd..c8682bbf2d2 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -878,6 +878,9 @@ function start-kube-addons {
 if echo "${ADMISSION_CONTROL:-}" | grep -q "LimitRanger"; then
 setup-addon-manifests "admission-controls" "limit-range"
 fi
+ if [[ "${NETWORK_POLICY_PROVIDER:-}" == "calico" ]]; then
+ setup-addon-manifests "addons" "calico-policy-controller"
+ fi
 # Place addon manager pod manifest.
 cp "${src_dir}/kube-addon-manager.yaml" /etc/kubernetes/manifests
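Review bot: The pod runs with `hostNetwork: true` and reaches the policy etcd over plain `http://10.0.0.17:6666` with no credentials, so the controller's write access to the policy store is guarded only by node-network reachability, and the manifest does not record why host networking is needed for a controller that has no etcd sidecar any more; `CONFIGURE_ETC_HOSTS: "true"` is presumably there because host-network pods get no cluster DNS, which suggests the two settings stand or fall together and deserve a comment above `hostNetwork: true` stating the reason. Whether the controller verifies the API server certificate behind `K8S_API: https://kubernetes.default:443` is not visible from this manifest and is worth confirming against the v0.2.0 image. `namespace: kube-system` under `template.metadata` is redundant; pods inherit the ReplicationController's namespace.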
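Review bot: The new guard compares `"${NETWORK_POLICY_PROVIDER:-}" == "calico"` exactly, while the salt side of this same change (node.sls) lower-cases the value before comparing, so a value such as `Calico` starts calico-node on every node but never installs the policy controller addon, leaving the network-policy API silently inert. Normalising here in the same style the hunk already uses for ADMISSION_CONTROL, `if [[ "$(echo "${NETWORK_POLICY_PROVIDER:-}" | tr '[:upper:]' '[:lower:]')" == "calico" ]]; then`, or documenting the single accepted spelling where the setting is defined, would close the gap. start-kube-addons begins and ends outside this hunk.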
diff --git a/cluster/saltbase/salt/calico/10-calico.conf b/cluster/saltbase/salt/calico/10-calico.conf
index ae273c1d0ee..042dfcaa615 100644
--- a/cluster/saltbase/salt/calico/10-calico.conf
+++ b/cluster/saltbase/salt/calico/10-calico.conf
@@ -1,7 +1,7 @@
 {
 "name": "k8s-pod-network",
 "type": "calico",
- "etcd_authority": "{{ grains.api_servers }}:6666",
+ "etcd_authority": "10.0.0.17:6666",
 "log_level": "info",
 "ipam": {
 "type": "host-local",
diff --git a/cluster/saltbase/salt/calico/calico-node.manifest b/cluster/saltbase/salt/calico/calico-node.manifest
new file mode 100644
index 00000000000..a58de672dfb
--- /dev/null
+++ b/cluster/saltbase/salt/calico/calico-node.manifest
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: calico-node
+ namespace: kube-system
+ labels:
+ kubernetes.io/cluster-service: "true"
+ k8s-app: calico-node
+spec:
+ hostNetwork: true
+ containers:
+ - name: calico-node
+ image: quay.io/calico/node:v0.20.0
+ env:
+ - name: ETCD_ENDPOINTS
+ value: "http://10.0.0.17:6666"
+ - name: CALICO_NETWORKING
+ value: "false"
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /lib/modules
+ name: lib-modules
+ readOnly: true
+ - mountPath: /var/log/calico
+ name: var-log-calico
+ readOnly: false
+ - mountPath: /var/run/calico
+ name: var-run-calico
+ readOnly: false
+ volumes:
+ - name: lib-modules
+ hostPath:
+ path: /lib/modules
+ - name: var-run-calico
+ hostPath:
+ path: /var/run/calico
+ - name: var-log-calico
+ hostPath:
+ path: /var/log/calico
diff --git a/cluster/saltbase/salt/calico/calico-policy-controller.manifest b/cluster/saltbase/salt/calico/calico-policy-controller.manifest
deleted file mode 100644
index 13413d0a6d0..00000000000
--- a/cluster/saltbase/salt/calico/calico-policy-controller.manifest
+++ /dev/null
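Review bot: `etcd_authority` now names a Service clusterIP, and the CNI plugin that reads this file runs on the host at pod-creation time, so pod networking on a node depends on kube-proxy having already programmed the 10.0.0.17 rules there; a sandbox set-up that races kube-proxy at boot would presumably fail to reach etcd rather than wait. If that ordering is guaranteed by the salt states that render this file, a comment there saying so would make the dependency explicit; otherwise keeping a master-side address as the previous `{{ grains.api_servers }}` form did, or a retry in the plugin, is worth considering. The same literal is repeated in the two manifests of this commit, so a change has to be made in step.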
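Review bot: `privileged: true` together with `hostNetwork: true` and writable hostPath mounts of `/var/run/calico` and `/var/log/calico` makes this container root-equivalent on the node, and the manifest gives no reason; a comment above `securityContext:` naming what calico-node actually needs (node.sls requires the `ip6_tables` and `xt_set` modules, and the agent presumably programs host routing and iptables) would let a later reviewer judge whether a capability list could replace full privilege. `ETCD_ENDPOINTS` is plain http to the shared store with no authentication, the same trust boundary as the policy controller, and the image is pinned by tag rather than digest. `readOnly: false` on the two mounts is the default and can be dropped.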
@@ -1,36 +0,0 @@
-apiVersion: v1
-kind: Pod
-metadata:
- name: calico-policy-controller
- namespace: kube-system
- labels:
- kubernetes.io/cluster-service: "true"
- k8s-app: calico-policy
-spec:
- hostNetwork: true
- containers:
- - name: policy-controller
- image: calico/kube-policy-controller:v0.2.0
- env:
- - name: ETCD_AUTHORITY
- value: "127.0.0.1:6666"
- - name: K8S_API
- value: "http://127.0.0.1:8080"
- - name: calico-etcd
- image: gcr.io/google_containers/etcd:2.2.1
- command:
- - /usr/local/bin/etcd
- - --name=calico
- - --data-dir=/var/etcd/calico-data
- - --advertise-client-urls=http://{{ grains.id }}:6666
- - --listen-client-urls=http://0.0.0.0:6666
- - --listen-peer-urls=http://0.0.0.0:6667
- - --initial-advertise-peer-urls=http://{{ grains.id }}:6667
- - --initial-cluster=calico=http://{{ grains.id }}:6667
- volumeMounts:
- - name: varetcd
- mountPath: /var/etcd
- volumes:
- - name: varetcd
- hostPath:
- path: /var/calico/etcd
diff --git a/cluster/saltbase/salt/calico/node.sls b/cluster/saltbase/salt/calico/node.sls
index b586f487b2a..60db9a3b2dd 100644
--- a/cluster/saltbase/salt/calico/node.sls
+++ b/cluster/saltbase/salt/calico/node.sls
@@ -1,30 +1,25 @@ {% if pillar.get('network_policy_provider', '').lower() == 'calico' %} -calicoctl: - file.managed: - - name: /usr/bin/calicoctl - - source: https://github.com/projectcalico/calico-docker/releases/download/v0.19.0/calicoctl - - source_hash: sha256=6db00c94619e82d878d348c4e1791f8d2f0db59075f6c8e430fefae297c54d96 - - makedirs: True - - mode: 744 - calico-node: - cmd.run: - - name: calicoctl node - - unless: docker ps | grep calico-node - - env: - - ETCD_AUTHORITY: "{{ grains.api_servers }}:6666" - - CALICO_NETWORKING: "false" + file.managed: + - name: /etc/kubernetes/manifests/calico-node.manifest + - source: salt://calico/calico-node.manifest + - template: jinja + - user: root + - group: root + - mode: 644 + - makedirs: true + - dir_mode: 755 - require: - kmod: ip6_tables - kmod: xt_set - service: docker - - file: calicoctl + - service: kubelet calico-cni: file.managed: - name: /opt/cni/bin/calico - - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.1/calico + - source: https://github.com/projectcalico/calico-cni/releases/download/v1.3.1/calico - source_hash: sha256=ac05cb9254b5aaa5822cf10325983431bd25489147f2edf9dec7e43d99c43e77 - makedirs: True - mode: 744
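Review bot: The new `file.managed` block writes `makedirs: true` while the `calico-cni` block a few lines down (and the removed `calicoctl` block) use `makedirs: True`; Salt accepts both, but the file should pick one spelling. `template: jinja` is set for calico-node.manifest although the manifest added in this commit contains no Jinja expressions (the `{{ grains.id }}` references lived in the deleted policy-controller manifest), so either drop it or keep it only if the manifest is expected to grow templating, and say which in a comment. The `- source:` line for `calico-cni` is shown removed and re-added with identical text, which looks like a trailing-whitespace change — worth confirming it is intentional.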