More cleanup, kiam doc update

Stefan Reimer 2020-07-29 15:07:41 +01:00
parent 2b5103c6ee
commit a6cc459c46
11 changed files with 11 additions and 7704 deletions


@ -1,31 +0,0 @@
# Calico CNI
Current top-level still contains the deprecated Canal implementation.
Removed once new AWS config is tested and rolled out to all existing clusters.
## AWS
Calico is setup based on the upstream calico-vxlan config from
`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml`
Changes:
- VxLAN set to Always to not expose cluster communication to VPC
-> EC2 SecurityGroups still apply and only need to allow UDP 4789 for VxLAN traffic
-> No need to disable source/destination check on EC2 instances
-> Prepared for optional WireGuard encryption for all inter node traffic
- MTU set to 8941
- Removed migration init-container
- Disable BGB and BIRD health checks
- Set FELIX log level to warning
- Enable Prometheus metrics
## Prometheus
See: https://grafana.com/grafana/dashboards/12175
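Review bot: deleting this README removes the only written rationale for the AWS Calico settings (VXLAN Always so pod traffic is not exposed to the VPC, only UDP 4789 needed in the EC2 security groups, no source/destination check change, BIRD health checks dropped, MTU 8941, WireGuard prepared), and no visible hunk in this commit relocates it. If the text moved into a chart README inside one of the suppressed large diffs that is fine; otherwise keep this file, and wherever it lands correct "Disable BGB and BIRD health checks" to "BGP".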


@ -1,101 +0,0 @@
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
@@ -10,13 +10,13 @@
# Typha is disabled.
typha_service_name: "none"
# Configure the backend to use.
- calico_backend: "bird"
+ calico_backend: "vxlan"
# Configure the MTU to use for workload interfaces and tunnels.
# - If Wireguard is enabled, set to your network MTU - 60
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
# - Otherwise, if not using any encapsulation, set to your network MTU.
- veth_mtu: "1410"
+ veth_mtu: "8941"
# The CNI network configuration to install on each node. The special
# values in this config will be automatically populated.
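Review bot: veth_mtu 8941 is the "network MTU - 60" WireGuard value from the comment above (9001 - 60 on an AWS jumbo-frame interface), not the VXLAN-only value of network MTU - 50; that matches the README's "prepared for WireGuard" intent but should be stated in a comment next to the value so the next upstream bump does not "fix" it to 8951. It also assumes every node interface really runs at 9001; a node on a smaller MTU fragments or drops large VXLAN frames without any obvious error, so a one-line note on how that is checked belongs here too.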
@@ -3451,29 +3451,6 @@
terminationGracePeriodSeconds: 0
priorityClassName: system-node-critical
initContainers:
- # This container performs upgrade from host-local IPAM to calico-ipam.
- # It can be deleted if this is a fresh installation, or if you have already
- # upgraded to use calico-ipam.
- - name: upgrade-ipam
- image: calico/cni:v3.15.0
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
- env:
- - name: KUBERNETES_NODE_NAME
- valueFrom:
- fieldRef:
- fieldPath: spec.nodeName
- - name: CALICO_NETWORKING_BACKEND
- valueFrom:
- configMapKeyRef:
- name: calico-config
- key: calico_backend
- volumeMounts:
- - mountPath: /var/lib/cni/networks
- name: host-local-net-dir
- - mountPath: /host/opt/cni/bin
- name: cni-bin-dir
- securityContext:
- privileged: true
# This container installs the CNI binaries
# and CNI network config file on each node.
- name: install-cni
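Review bot: dropping the upgrade-ipam init container is only safe for fresh installs or clusters already on calico-ipam, as the removed upstream comment says, yet the README in this same commit states existing clusters still run Canal and are to be moved to this config. Canal hands out pod IPs with host-local IPAM, so a migrated node would need this one-shot conversion; either keep the container until the Canal clusters are gone or document the migration path. On the positive side, removing it also removes one privileged init container from every node start.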
@@ -3545,7 +3522,7 @@
key: calico_backend
# Cluster type to identify the deployment type
- name: CLUSTER_TYPE
- value: "k8s,bgp"
+ value: "k8s,kubeadm"
# Auto-detect the BGP IP address.
- name: IP
value: "autodetect"
@@ -3554,7 +3531,7 @@
value: "Never"
# Enable or Disable VXLAN on the default IP pool.
- name: CALICO_IPV4POOL_VXLAN
- value: "CrossSubnet"
+ value: "Always"
# Set MTU for tunnel device used if ipip is enabled
- name: FELIX_IPINIPMTU
valueFrom:
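Review bot: CALICO_IPV4POOL_VXLAN only shapes the default IPPool that calico-node creates on first start; on a cluster that already has a pool (including one inherited from the Canal deployment) changing this from CrossSubnet to Always has no effect, and the pool's vxlanMode has to be edited explicitly. Since the README's security argument ("not expose cluster communication to VPC") rests on Always actually being in effect, add a post-upgrade check of the pool's vxlanMode to the rollout steps.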
@@ -3595,9 +3572,17 @@
value: "false"
# Set Felix logging to "info"
- name: FELIX_LOGSEVERITYSCREEN
- value: "info"
+ value: "Warning"
+ - name: FELIX_LOGSEVERITYFILE
+ value: "Warning"
+ - name: FELIX_LOGSEVERITYSYS
+ value: ""
- name: FELIX_HEALTHENABLED
value: "true"
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
+ value: "false"
+ - name: FELIX_PROMETHEUSMETRICSENABLED
+ value: "true"
securityContext:
privileged: true
resources:
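Review bot: FELIX_PROMETHEUSMETRICSENABLED "true" opens a metrics listener on every node, so the README statement that the security groups "only need to allow UDP 4789" no longer describes the full exposure; state where the scraper runs and restrict the endpoint (NetworkPolicy or security group) to it. FELIX_LOGSEVERITYSYS "" switches off syslog output, which together with Warning on screen and file means nothing Felix logs below Warning is recorded anywhere; acceptable if intended, but worth a comment so nobody looks for info-level output during an incident.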
@@ -3608,7 +3593,6 @@
command:
- /bin/calico-node
- -felix-live
- - -bird-live
periodSeconds: 10
initialDelaySeconds: 10
failureThreshold: 6
@@ -3617,7 +3601,6 @@
command:
- /bin/calico-node
- -felix-ready
- - -bird-ready
periodSeconds: 10
volumeMounts:
- mountPath: /lib/modules
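Review bot: dropping -bird-live and -bird-ready is the correct follow-up to calico_backend: "vxlan" (BIRD does not run without the BGP backend and would fail both probes), so the probe and backend changes belong together. The larger issue is deleting this patch file at all: it is the only record of how calico.yaml was derived from the upstream v3.15 calico-vxlan.yaml, which is exactly the provenance the README claims. Without it the next upstream bump has to rediscover every deviation by hand; keep the patch next to the generated manifest or replace it with a kustomize overlay.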

File diff suppressed because it is too large

File diff suppressed because it is too large


@ -1,8 +0,0 @@
namespace: kube-system
resources:
- canal.yaml
patchesStrategicMerge:
- logging.yaml
- prometheus.yaml
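Review bot: removing the Canal kustomization, overlays and patch contradicts the Calico README deleted in the same commit, which says Canal stays until the new AWS config is "tested and rolled out to all existing clusters". If that rollout is complete, say so in the commit message; if not, clusters still on Canal lose their base in this repo and nothing here reproduces their current manifest.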


@ -1,16 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: canal
spec:
template:
spec:
containers:
- name: calico-node
env:
- name: FELIX_LOGSEVERITYSCREEN
value: "Warning"
- name: FELIX_LOGSEVERITYFILE
value: "Warning"
- name: FELIX_LOGSEVERITYSYS
value: ""


@ -1,14 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: canal
spec:
template:
spec:
containers:
- name: calico-node
env:
- name: FELIX_PROMETHEUSGOMETRICSENABLED
value: "false"
- name: FELIX_PROMETHEUSMETRICSENABLED
value: "true"


@ -1,50 +0,0 @@
--- canal.yaml.orig 2020-07-02 16:56:37.279169481 +0100
+++ canal.yaml 2020-07-02 16:56:37.285169542 +0100
@@ -5,7 +5,6 @@
apiVersion: v1
metadata:
name: canal-config
- namespace: kube-system
data:
# Typha is disabled.
typha_service_name: "none"
@@ -3438,7 +3437,6 @@
apiVersion: apps/v1
metadata:
name: canal
- namespace: kube-system
labels:
k8s-app: canal
spec:
@@ -3683,7 +3681,6 @@
kind: ServiceAccount
metadata:
name: canal
- namespace: kube-system
---
# Source: calico/templates/calico-kube-controllers.yaml
@@ -3692,7 +3689,6 @@
kind: Deployment
metadata:
name: calico-kube-controllers
- namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
@@ -3706,7 +3702,6 @@
template:
metadata:
name: calico-kube-controllers
- namespace: kube-system
labels:
k8s-app: calico-kube-controllers
spec:
@@ -3741,7 +3736,6 @@
kind: ServiceAccount
metadata:
name: calico-kube-controllers
- namespace: kube-system
---
# Source: calico/templates/calico-etcd-secrets.yaml
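Review bot: this patch and the two overlays above are where namespace handling, Felix log severity Warning and Prometheus metrics were set for Canal; the same settings reappear only in the calico.yaml patch that this commit also deletes, so after it neither is defined anywhere visible in the diff. Confirm the generated Calico manifest inside one of the suppressed large diffs carries FELIX_LOGSEVERITY* and FELIX_PROMETHEUSMETRICSENABLED, otherwise the cluster silently reverts to upstream info-level logging and no metrics.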


@ -25,7 +25,8 @@ The required certificates for Kiam server and agents are provided by a local cer
[KubeZero cert-manager](../kubezero-cert-manager/README.md) [KubeZero cert-manager](../kubezero-cert-manager/README.md)
## Metadata restrictions ## Metadata restrictions
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information. Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
By default all access to the meta-data service is blocked, expect for:
- `/latest/meta-data/instance-id` - `/latest/meta-data/instance-id`
- `/latest/dynamic/instance-identity/document` - `/latest/dynamic/instance-identity/document`
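Review bot: "expect for" in the new metadata line should read "except for". The rewrite itself is an improvement: stating the default (everything blocked) before the two allowed paths makes the posture explicit, and neither `/latest/meta-data/instance-id` nor `/latest/dynamic/instance-identity/document` carries credentials, so the allowlist is as narrow as the `aws-ebs-csi` controller needs.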
@ -76,3 +77,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
## Resources ## Resources
- https://github.com/uswitch/kiam - https://github.com/uswitch/kiam
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam - https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
![Kiam overview](./kiam_architecure.png)
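Review bot: the image path `./kiam_architecure.png` misspells "architecture"; the binary added in this commit must match that exact name, and correcting the spelling later means touching both READMEs plus the file, so better to fix it now. The image also reads as an orphan after the Resources links; an overview diagram belongs near the top of the document.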


@ -19,7 +19,8 @@ The required certificates for Kiam server and agents are provided by a local cer
[KubeZero cert-manager](../kubezero-cert-manager/README.md) [KubeZero cert-manager](../kubezero-cert-manager/README.md)
## Metadata restrictions ## Metadata restrictions
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information. Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
By default all access to the meta-data service is blocked, expect for:
- `/latest/meta-data/instance-id` - `/latest/meta-data/instance-id`
- `/latest/dynamic/instance-identity/document` - `/latest/dynamic/instance-identity/document`
@ -34,3 +35,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
## Resources ## Resources
- https://github.com/uswitch/kiam - https://github.com/uswitch/kiam
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam - https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
![Kiam overview](./kiam_architecure.png)
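Review bot: this hunk is a word-for-word copy of the change to the other kiam README above, including the "expect for" typo and the misspelt image name, so the two files will drift the moment one is edited; keep one copy and point the other at it, or generate one from the other.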


@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:0a37511a23d3180d5c7d236c004a56c4b69afda33315920570e99e391ee1e732
size 43992
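Review bot: this is a git-lfs pointer, so only the oid and size are in git; anyone cloning without git-lfs installed gets this three-line file in place of the PNG and the README image link renders broken. Make sure the path is covered by a .gitattributes lfs rule so a later edit does not commit the binary directly, and mention the LFS requirement in the repository's contributor notes.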