More cleanup, kiam doc update
parent
2b5103c6ee
commit
a6cc459c46
@ -1,31 +0,0 @@
|
||||
# Calico CNI
|
||||
|
||||
Current top-level still contains the deprecated Canal implementation.
|
||||
Removed once new AWS config is tested and rolled out to all existing clusters.
|
||||
|
||||
## AWS
|
||||
Calico is setup based on the upstream calico-vxlan config from
|
||||
`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml`
|
||||
|
||||
Changes:
|
||||
|
||||
- VxLAN set to Always to not expose cluster communication to VPC
|
||||
|
||||
-> EC2 SecurityGroups still apply and only need to allow UDP 4789 for VxLAN traffic
|
||||
-> No need to disable source/destination check on EC2 instances
|
||||
-> Prepared for optional WireGuard encryption for all inter node traffic
|
||||
|
||||
- MTU set to 8941
|
||||
|
||||
- Removed migration init-container
|
||||
|
||||
- Disable BGB and BIRD health checks
|
||||
|
||||
- Set FELIX log level to warning
|
||||
|
||||
- Enable Prometheus metrics
|
||||
|
||||
|
||||
## Prometheus
|
||||
|
||||
See: https://grafana.com/grafana/dashboards/12175
|
@ -1,101 +0,0 @@
|
||||
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
|
||||
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
|
||||
@@ -10,13 +10,13 @@
|
||||
# Typha is disabled.
|
||||
typha_service_name: "none"
|
||||
# Configure the backend to use.
|
||||
- calico_backend: "bird"
|
||||
+ calico_backend: "vxlan"
|
||||
# Configure the MTU to use for workload interfaces and tunnels.
|
||||
# - If Wireguard is enabled, set to your network MTU - 60
|
||||
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
|
||||
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
|
||||
# - Otherwise, if not using any encapsulation, set to your network MTU.
|
||||
- veth_mtu: "1410"
|
||||
+ veth_mtu: "8941"
|
||||
|
||||
# The CNI network configuration to install on each node. The special
|
||||
# values in this config will be automatically populated.
|
||||
@@ -3451,29 +3451,6 @@
|
||||
terminationGracePeriodSeconds: 0
|
||||
priorityClassName: system-node-critical
|
||||
initContainers:
|
||||
- # This container performs upgrade from host-local IPAM to calico-ipam.
|
||||
- # It can be deleted if this is a fresh installation, or if you have already
|
||||
- # upgraded to use calico-ipam.
|
||||
- - name: upgrade-ipam
|
||||
- image: calico/cni:v3.15.0
|
||||
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
||||
- env:
|
||||
- - name: KUBERNETES_NODE_NAME
|
||||
- valueFrom:
|
||||
- fieldRef:
|
||||
- fieldPath: spec.nodeName
|
||||
- - name: CALICO_NETWORKING_BACKEND
|
||||
- valueFrom:
|
||||
- configMapKeyRef:
|
||||
- name: calico-config
|
||||
- key: calico_backend
|
||||
- volumeMounts:
|
||||
- - mountPath: /var/lib/cni/networks
|
||||
- name: host-local-net-dir
|
||||
- - mountPath: /host/opt/cni/bin
|
||||
- name: cni-bin-dir
|
||||
- securityContext:
|
||||
- privileged: true
|
||||
# This container installs the CNI binaries
|
||||
# and CNI network config file on each node.
|
||||
- name: install-cni
|
||||
@@ -3545,7 +3522,7 @@
|
||||
key: calico_backend
|
||||
# Cluster type to identify the deployment type
|
||||
- name: CLUSTER_TYPE
|
||||
- value: "k8s,bgp"
|
||||
+ value: "k8s,kubeadm"
|
||||
# Auto-detect the BGP IP address.
|
||||
- name: IP
|
||||
value: "autodetect"
|
||||
@@ -3554,7 +3531,7 @@
|
||||
value: "Never"
|
||||
# Enable or Disable VXLAN on the default IP pool.
|
||||
- name: CALICO_IPV4POOL_VXLAN
|
||||
- value: "CrossSubnet"
|
||||
+ value: "Always"
|
||||
# Set MTU for tunnel device used if ipip is enabled
|
||||
- name: FELIX_IPINIPMTU
|
||||
valueFrom:
|
||||
@@ -3595,9 +3572,17 @@
|
||||
value: "false"
|
||||
# Set Felix logging to "info"
|
||||
- name: FELIX_LOGSEVERITYSCREEN
|
||||
- value: "info"
|
||||
+ value: "Warning"
|
||||
+ - name: FELIX_LOGSEVERITYFILE
|
||||
+ value: "Warning"
|
||||
+ - name: FELIX_LOGSEVERITYSYS
|
||||
+ value: ""
|
||||
- name: FELIX_HEALTHENABLED
|
||||
value: "true"
|
||||
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
|
||||
+ value: "false"
|
||||
+ - name: FELIX_PROMETHEUSMETRICSENABLED
|
||||
+ value: "true"
|
||||
securityContext:
|
||||
privileged: true
|
||||
resources:
|
||||
@@ -3608,7 +3593,6 @@
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -felix-live
|
||||
- - -bird-live
|
||||
periodSeconds: 10
|
||||
initialDelaySeconds: 10
|
||||
failureThreshold: 6
|
||||
@@ -3617,7 +3601,6 @@
|
||||
command:
|
||||
- /bin/calico-node
|
||||
- -felix-ready
|
||||
- - -bird-ready
|
||||
periodSeconds: 10
|
||||
volumeMounts:
|
||||
- mountPath: /lib/modules
|
@ -1,8 +0,0 @@
|
||||
namespace: kube-system
|
||||
|
||||
resources:
|
||||
- canal.yaml
|
||||
|
||||
patchesStrategicMerge:
|
||||
- logging.yaml
|
||||
- prometheus.yaml
|
@ -1,16 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: canal
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: calico-node
|
||||
env:
|
||||
- name: FELIX_LOGSEVERITYSCREEN
|
||||
value: "Warning"
|
||||
- name: FELIX_LOGSEVERITYFILE
|
||||
value: "Warning"
|
||||
- name: FELIX_LOGSEVERITYSYS
|
||||
value: ""
|
@ -1,14 +0,0 @@
|
||||
apiVersion: apps/v1
|
||||
kind: DaemonSet
|
||||
metadata:
|
||||
name: canal
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
containers:
|
||||
- name: calico-node
|
||||
env:
|
||||
- name: FELIX_PROMETHEUSGOMETRICSENABLED
|
||||
value: "false"
|
||||
- name: FELIX_PROMETHEUSMETRICSENABLED
|
||||
value: "true"
|
@ -1,50 +0,0 @@
|
||||
--- canal.yaml.orig 2020-07-02 16:56:37.279169481 +0100
|
||||
+++ canal.yaml 2020-07-02 16:56:37.285169542 +0100
|
||||
@@ -5,7 +5,6 @@
|
||||
apiVersion: v1
|
||||
metadata:
|
||||
name: canal-config
|
||||
- namespace: kube-system
|
||||
data:
|
||||
# Typha is disabled.
|
||||
typha_service_name: "none"
|
||||
@@ -3438,7 +3437,6 @@
|
||||
apiVersion: apps/v1
|
||||
metadata:
|
||||
name: canal
|
||||
- namespace: kube-system
|
||||
labels:
|
||||
k8s-app: canal
|
||||
spec:
|
||||
@@ -3683,7 +3681,6 @@
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: canal
|
||||
- namespace: kube-system
|
||||
|
||||
---
|
||||
# Source: calico/templates/calico-kube-controllers.yaml
|
||||
@@ -3692,7 +3689,6 @@
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
- namespace: kube-system
|
||||
labels:
|
||||
k8s-app: calico-kube-controllers
|
||||
spec:
|
||||
@@ -3706,7 +3702,6 @@
|
||||
template:
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
- namespace: kube-system
|
||||
labels:
|
||||
k8s-app: calico-kube-controllers
|
||||
spec:
|
||||
@@ -3741,7 +3736,6 @@
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: calico-kube-controllers
|
||||
- namespace: kube-system
|
||||
|
||||
---
|
||||
# Source: calico/templates/calico-etcd-secrets.yaml
|
@ -25,7 +25,8 @@ The required certificates for Kiam server and agents are provided by a local cer
|
||||
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||
|
||||
## Metadata restrictions
|
||||
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
||||
Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
|
||||
By default all access to the meta-data service is blocked, expect for:
|
||||
|
||||
- `/latest/meta-data/instance-id`
|
||||
- `/latest/dynamic/instance-identity/document`
|
||||
@ -76,3 +77,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
||||
## Resources
|
||||
- https://github.com/uswitch/kiam
|
||||
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||
|
||||
![Kiam overview](./kiam_architecure.png)
|
||||
|
@ -19,7 +19,8 @@ The required certificates for Kiam server and agents are provided by a local cer
|
||||
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||
|
||||
## Metadata restrictions
|
||||
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
||||
Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
|
||||
By default all access to the meta-data service is blocked, expect for:
|
||||
|
||||
- `/latest/meta-data/instance-id`
|
||||
- `/latest/dynamic/instance-identity/document`
|
||||
@ -34,3 +35,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
||||
## Resources
|
||||
- https://github.com/uswitch/kiam
|
||||
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||
|
||||
![Kiam overview](./kiam_architecure.png)
|
||||
|
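--- /dev/null
+++ b/charts/kubezero-kiam/kiam_architecure.png
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:0a37511a23d3180d5c7d236c004a56c4b69afda33315920570e99e391ee1e732
+size 43992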