More cleanup, kiam doc update
This commit is contained in:
parent
2b5103c6ee
commit
a6cc459c46
@ -1,31 +0,0 @@
|
|||||||
# Calico CNI
|
|
||||||
|
|
||||||
Current top-level still contains the deprecated Canal implementation.
|
|
||||||
Removed once new AWS config is tested and rolled out to all existing clusters.
|
|
||||||
|
|
||||||
## AWS
|
|
||||||
Calico is setup based on the upstream calico-vxlan config from
|
|
||||||
`https://docs.projectcalico.org/v3.15/manifests/calico-vxlan.yaml`
|
|
||||||
|
|
||||||
Changes:
|
|
||||||
|
|
||||||
- VxLAN set to Always to not expose cluster communication to VPC
|
|
||||||
|
|
||||||
-> EC2 SecurityGroups still apply and only need to allow UDP 4789 for VxLAN traffic
|
|
||||||
-> No need to disable source/destination check on EC2 instances
|
|
||||||
-> Prepared for optional WireGuard encryption for all inter node traffic
|
|
||||||
|
|
||||||
- MTU set to 8941
|
|
||||||
|
|
||||||
- Removed migration init-container
|
|
||||||
|
|
||||||
- Disable BGB and BIRD health checks
|
|
||||||
|
|
||||||
- Set FELIX log level to warning
|
|
||||||
|
|
||||||
- Enable Prometheus metrics
|
|
||||||
|
|
||||||
|
|
||||||
## Prometheus
|
|
||||||
|
|
||||||
See: https://grafana.com/grafana/dashboards/12175
|
|
@ -1,101 +0,0 @@
|
|||||||
--- calico-vxlan.yaml 2020-07-03 15:32:40.740506882 +0100
|
|
||||||
+++ calico.yaml 2020-07-03 15:27:47.651499841 +0100
|
|
||||||
@@ -10,13 +10,13 @@
|
|
||||||
# Typha is disabled.
|
|
||||||
typha_service_name: "none"
|
|
||||||
# Configure the backend to use.
|
|
||||||
- calico_backend: "bird"
|
|
||||||
+ calico_backend: "vxlan"
|
|
||||||
# Configure the MTU to use for workload interfaces and tunnels.
|
|
||||||
# - If Wireguard is enabled, set to your network MTU - 60
|
|
||||||
# - Otherwise, if VXLAN or BPF mode is enabled, set to your network MTU - 50
|
|
||||||
# - Otherwise, if IPIP is enabled, set to your network MTU - 20
|
|
||||||
# - Otherwise, if not using any encapsulation, set to your network MTU.
|
|
||||||
- veth_mtu: "1410"
|
|
||||||
+ veth_mtu: "8941"
|
|
||||||
|
|
||||||
# The CNI network configuration to install on each node. The special
|
|
||||||
# values in this config will be automatically populated.
|
|
||||||
@@ -3451,29 +3451,6 @@
|
|
||||||
terminationGracePeriodSeconds: 0
|
|
||||||
priorityClassName: system-node-critical
|
|
||||||
initContainers:
|
|
||||||
- # This container performs upgrade from host-local IPAM to calico-ipam.
|
|
||||||
- # It can be deleted if this is a fresh installation, or if you have already
|
|
||||||
- # upgraded to use calico-ipam.
|
|
||||||
- - name: upgrade-ipam
|
|
||||||
- image: calico/cni:v3.15.0
|
|
||||||
- command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
|
|
||||||
- env:
|
|
||||||
- - name: KUBERNETES_NODE_NAME
|
|
||||||
- valueFrom:
|
|
||||||
- fieldRef:
|
|
||||||
- fieldPath: spec.nodeName
|
|
||||||
- - name: CALICO_NETWORKING_BACKEND
|
|
||||||
- valueFrom:
|
|
||||||
- configMapKeyRef:
|
|
||||||
- name: calico-config
|
|
||||||
- key: calico_backend
|
|
||||||
- volumeMounts:
|
|
||||||
- - mountPath: /var/lib/cni/networks
|
|
||||||
- name: host-local-net-dir
|
|
||||||
- - mountPath: /host/opt/cni/bin
|
|
||||||
- name: cni-bin-dir
|
|
||||||
- securityContext:
|
|
||||||
- privileged: true
|
|
||||||
# This container installs the CNI binaries
|
|
||||||
# and CNI network config file on each node.
|
|
||||||
- name: install-cni
|
|
||||||
@@ -3545,7 +3522,7 @@
|
|
||||||
key: calico_backend
|
|
||||||
# Cluster type to identify the deployment type
|
|
||||||
- name: CLUSTER_TYPE
|
|
||||||
- value: "k8s,bgp"
|
|
||||||
+ value: "k8s,kubeadm"
|
|
||||||
# Auto-detect the BGP IP address.
|
|
||||||
- name: IP
|
|
||||||
value: "autodetect"
|
|
||||||
@@ -3554,7 +3531,7 @@
|
|
||||||
value: "Never"
|
|
||||||
# Enable or Disable VXLAN on the default IP pool.
|
|
||||||
- name: CALICO_IPV4POOL_VXLAN
|
|
||||||
- value: "CrossSubnet"
|
|
||||||
+ value: "Always"
|
|
||||||
# Set MTU for tunnel device used if ipip is enabled
|
|
||||||
- name: FELIX_IPINIPMTU
|
|
||||||
valueFrom:
|
|
||||||
@@ -3595,9 +3572,17 @@
|
|
||||||
value: "false"
|
|
||||||
# Set Felix logging to "info"
|
|
||||||
- name: FELIX_LOGSEVERITYSCREEN
|
|
||||||
- value: "info"
|
|
||||||
+ value: "Warning"
|
|
||||||
+ - name: FELIX_LOGSEVERITYFILE
|
|
||||||
+ value: "Warning"
|
|
||||||
+ - name: FELIX_LOGSEVERITYSYS
|
|
||||||
+ value: ""
|
|
||||||
- name: FELIX_HEALTHENABLED
|
|
||||||
value: "true"
|
|
||||||
+ - name: FELIX_PROMETHEUSGOMETRICSENABLED
|
|
||||||
+ value: "false"
|
|
||||||
+ - name: FELIX_PROMETHEUSMETRICSENABLED
|
|
||||||
+ value: "true"
|
|
||||||
securityContext:
|
|
||||||
privileged: true
|
|
||||||
resources:
|
|
||||||
@@ -3608,7 +3593,6 @@
|
|
||||||
command:
|
|
||||||
- /bin/calico-node
|
|
||||||
- -felix-live
|
|
||||||
- - -bird-live
|
|
||||||
periodSeconds: 10
|
|
||||||
initialDelaySeconds: 10
|
|
||||||
failureThreshold: 6
|
|
||||||
@@ -3617,7 +3601,6 @@
|
|
||||||
command:
|
|
||||||
- /bin/calico-node
|
|
||||||
- -felix-ready
|
|
||||||
- - -bird-ready
|
|
||||||
periodSeconds: 10
|
|
||||||
volumeMounts:
|
|
||||||
- mountPath: /lib/modules
|
|
@ -1,8 +0,0 @@
|
|||||||
namespace: kube-system
|
|
||||||
|
|
||||||
resources:
|
|
||||||
- canal.yaml
|
|
||||||
|
|
||||||
patchesStrategicMerge:
|
|
||||||
- logging.yaml
|
|
||||||
- prometheus.yaml
|
|
@ -1,16 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: calico-node
|
|
||||||
env:
|
|
||||||
- name: FELIX_LOGSEVERITYSCREEN
|
|
||||||
value: "Warning"
|
|
||||||
- name: FELIX_LOGSEVERITYFILE
|
|
||||||
value: "Warning"
|
|
||||||
- name: FELIX_LOGSEVERITYSYS
|
|
||||||
value: ""
|
|
@ -1,14 +0,0 @@
|
|||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
spec:
|
|
||||||
template:
|
|
||||||
spec:
|
|
||||||
containers:
|
|
||||||
- name: calico-node
|
|
||||||
env:
|
|
||||||
- name: FELIX_PROMETHEUSGOMETRICSENABLED
|
|
||||||
value: "false"
|
|
||||||
- name: FELIX_PROMETHEUSMETRICSENABLED
|
|
||||||
value: "true"
|
|
@ -1,50 +0,0 @@
|
|||||||
--- canal.yaml.orig 2020-07-02 16:56:37.279169481 +0100
|
|
||||||
+++ canal.yaml 2020-07-02 16:56:37.285169542 +0100
|
|
||||||
@@ -5,7 +5,6 @@
|
|
||||||
apiVersion: v1
|
|
||||||
metadata:
|
|
||||||
name: canal-config
|
|
||||||
- namespace: kube-system
|
|
||||||
data:
|
|
||||||
# Typha is disabled.
|
|
||||||
typha_service_name: "none"
|
|
||||||
@@ -3438,7 +3437,6 @@
|
|
||||||
apiVersion: apps/v1
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
- namespace: kube-system
|
|
||||||
labels:
|
|
||||||
k8s-app: canal
|
|
||||||
spec:
|
|
||||||
@@ -3683,7 +3681,6 @@
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: canal
|
|
||||||
- namespace: kube-system
|
|
||||||
|
|
||||||
---
|
|
||||||
# Source: calico/templates/calico-kube-controllers.yaml
|
|
||||||
@@ -3692,7 +3689,6 @@
|
|
||||||
kind: Deployment
|
|
||||||
metadata:
|
|
||||||
name: calico-kube-controllers
|
|
||||||
- namespace: kube-system
|
|
||||||
labels:
|
|
||||||
k8s-app: calico-kube-controllers
|
|
||||||
spec:
|
|
||||||
@@ -3706,7 +3702,6 @@
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
name: calico-kube-controllers
|
|
||||||
- namespace: kube-system
|
|
||||||
labels:
|
|
||||||
k8s-app: calico-kube-controllers
|
|
||||||
spec:
|
|
||||||
@@ -3741,7 +3736,6 @@
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: calico-kube-controllers
|
|
||||||
- namespace: kube-system
|
|
||||||
|
|
||||||
---
|
|
||||||
# Source: calico/templates/calico-etcd-secrets.yaml
|
|
@ -25,7 +25,8 @@ The required certificates for Kiam server and agents are provided by a local cer
|
|||||||
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||||
|
|
||||||
## Metadata restrictions
|
## Metadata restrictions
|
||||||
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
|
||||||
|
By default all access to the meta-data service is blocked, expect for:
|
||||||
|
|
||||||
- `/latest/meta-data/instance-id`
|
- `/latest/meta-data/instance-id`
|
||||||
- `/latest/dynamic/instance-identity/document`
|
- `/latest/dynamic/instance-identity/document`
|
||||||
@ -76,3 +77,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
|||||||
## Resources
|
## Resources
|
||||||
- https://github.com/uswitch/kiam
|
- https://github.com/uswitch/kiam
|
||||||
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||||
|
|
||||||
|
![Kiam overview](./kiam_architecure.png)
|
||||||
|
@ -19,7 +19,8 @@ The required certificates for Kiam server and agents are provided by a local cer
|
|||||||
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
[KubeZero cert-manager](../kubezero-cert-manager/README.md)
|
||||||
|
|
||||||
## Metadata restrictions
|
## Metadata restrictions
|
||||||
Required for the *csi ebs plugin* and most likely various others assuming basic AWS information.
|
Some services require access to some basic AWS information. One example is the `aws-ebs-csi` controller.
|
||||||
|
By default all access to the meta-data service is blocked, expect for:
|
||||||
|
|
||||||
- `/latest/meta-data/instance-id`
|
- `/latest/meta-data/instance-id`
|
||||||
- `/latest/dynamic/instance-identity/document`
|
- `/latest/dynamic/instance-identity/document`
|
||||||
@ -34,3 +35,5 @@ Required for the *csi ebs plugin* and most likely various others assuming basic
|
|||||||
## Resources
|
## Resources
|
||||||
- https://github.com/uswitch/kiam
|
- https://github.com/uswitch/kiam
|
||||||
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
- https://www.bluematador.com/blog/iam-access-in-kubernetes-kube2iam-vs-kiam
|
||||||
|
|
||||||
|
![Kiam overview](./kiam_architecure.png)
|
||||||
|
3
charts/kubezero-kiam/kiam_architecure.png
Normal file
3
charts/kubezero-kiam/kiam_architecure.png
Normal file
@ -0,0 +1,3 @@
|
|||||||
|
version https://git-lfs.github.com/spec/v1
|
||||||
|
oid sha256:0a37511a23d3180d5c7d236c004a56c4b69afda33315920570e99e391ee1e732
|
||||||
|
size 43992
|