# ovnkube-master
# daemonset version 3
# starts master daemons (ovnkube-master and ovn-northd), each in a separate container
# it is run on the master(s)
#
# This file is a Jinja2 template: `{{ ... }}` and `{% ... %}` are expanded first and
# the result is applied as a Kubernetes Deployment. Tags that end in `-%}` strip the
# newline and leading whitespace of the line that follows, so those tags must sit at
# the indentation the following YAML line is meant to have.
#
# Security-relevant shape of the resulting pod (details at each setting below):
#   - hostNetwork is always on; hostPID is added in privileged compact mode;
#   - the pod is pinned to control-plane nodes and tolerates every taint;
#   - both containers run as uid 0 from the same image; in compact mode the
#     ovnkube-master container is fully privileged unless ovn_unprivileged_mode
#     is set, in which case it gets NET_ADMIN instead;
#   - a number of host directories are bind-mounted, several of them writable.
kind: Deployment
apiVersion: apps/v1
metadata:
  name: ovnkube-master
  # namespace set up by install
  namespace: ovn-kubernetes
  annotations:
    kubernetes.io/description: |
      This Deployment launches the ovn-kubernetes master networking components.
spec:
  progressDeadlineSeconds: 600
  # Left unquoted on purpose: replicas must render as an integer.
  replicas: {{ ovn_master_count | default(1|int) }}
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      name: ovnkube-master
  strategy:
    rollingUpdate:
      # maxSurge 0 + the podAntiAffinity below: an old replica is removed before the
      # new one can be placed on the same node.
      maxSurge: 0
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      labels:
        name: ovnkube-master
        component: network
        type: infra
        kubernetes.io/os: "linux"
    spec:
      priorityClassName: "system-cluster-critical"
      # Requires fairly broad permissions - ability to read all services and network functions as well
      # as all pods. The RBAC bound to this service account lives outside this file.
      serviceAccountName: ovnkube-master
      # The pod shares the node's network namespace: every listening socket the
      # containers open is exposed on the node's interfaces.
      hostNetwork: true
      # Resolve names with the node's resolver, not the cluster DNS service.
      dnsPolicy: Default
      {% if ovnkube_compact_mode_enable=="true" and ovn_unprivileged_mode=="no" %}
      # Privileged compact mode only: the pod also shares the host PID namespace, so
      # together with privileged: true below it can see and signal every host process.
      hostPID: true
      {% endif %}
      # required to be scheduled on a linux node with node-role.kubernetes.io/control-plane label and
      # only one instance of ovnkube-master pod per node
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: node-role.kubernetes.io/control-plane
                operator: In
                values:
                - ""
              - key: kubernetes.io/os
                operator: In
                values:
                - "linux"
        podAntiAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
          - labelSelector:
              matchExpressions:
              - key: name
                operator: In
                values:
                - ovnkube-master
            topologyKey: kubernetes.io/hostname
      containers:
      # ovn-northd - v3
      - name: ovn-northd
        # NOTE(review): the default is a mutable `:latest` tag and the default pull
        # policy is IfNotPresent, so a node keeps whatever image it already has under
        # that tag. For a production rollout set ovn_image to an immutable digest.
        image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"
        command: ["/root/ovnkube.sh", "run-ovn-northd"]
        # Runs as root with SYS_NICE added; nothing is dropped and no seccomp profile
        # or allowPrivilegeEscalation setting is declared here.
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["SYS_NICE"]
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Run directories where we need to be able to access sockets
        - mountPath: /var/run/dbus/
          name: host-var-run-dbus
          readOnly: true
        # The same host log directory is exposed under both the OVS and OVN paths.
        - mountPath: /var/log/openvswitch/
          name: host-var-log-ovs
        - mountPath: /var/log/ovn/
          name: host-var-log-ovs
        # Same host run directory under both paths; writable, as the OVN/OVS control
        # sockets and DB sockets are created there.
        - mountPath: /var/run/openvswitch/
          name: host-var-run-ovs
        - mountPath: /var/run/ovn/
          name: host-var-run-ovs
        # Host /etc/ovn, read-only in this container (see the host-ovn-cert volume).
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true
        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        - name: OVN_DAEMONSET_VERSION
          value: "1.2.0"
        - name: OVN_LOGLEVEL_NORTHD
          value: "{{ ovn_loglevel_northd }}"
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: OVN_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # Passed through to ovnkube.sh; how it is honoured is not visible here.
        - name: OVN_SSL_ENABLE
          value: "{{ ovn_ssl_en }}"
        readinessProbe:
          exec:
            command: ["/usr/bin/ovn-kube-util", "readiness-probe", "-t", "ovn-northd"]
          initialDelaySeconds: 30
          timeoutSeconds: 30
          periodSeconds: 60
      # end of container
      # NOTE(review): unlike ovn-northd, this container declares no readiness or
      # liveness probe.
      - name: ovnkube-master
        # Same image/pull-policy caveat as for ovn-northd above.
        image: "{{ ovn_image | default('docker.io/ovnkube/ovn-daemonset:latest') }}"
        imagePullPolicy: "{{ ovn_image_pull_policy | default('IfNotPresent') }}"
        {% if ovnkube_compact_mode_enable=="true" %}
        # Compact mode: this container also takes over the node-side duties (CNI,
        # iptables, netns access), hence the elevated privileges and host mounts.
        command: ["/root/ovnkube.sh", "ovn-master"]
        securityContext:
          runAsUser: 0
          # `-%}` below pulls `privileged: true` up to this tag's indentation.
          # Privileged means all capabilities, all host devices and no seccomp
          # confinement; combined with hostPID/hostNetwork this is node-root.
          {% if ovn_unprivileged_mode=="no" -%}
          privileged: true
          {% else %}
          # Unprivileged variant: still uid 0, but only NET_ADMIN is added.
          capabilities:
            add:
            - NET_ADMIN
          {% endif %}
        {% if ovn_dummy_gateway_bridge=="true" %}
        # Test/dummy gateway setup: creates br-ex with a fixed address. The trailing
        # `|| /bin/true` masks any failure of the address assignment.
        lifecycle:
          postStart:
            exec:
              command:
              - /bin/bash
              - -c
              - |
                #!/bin/bash
                ovs-vsctl --may-exist add-br br-ex
                ip a a dev br-ex 10.44.0.1/32 || /bin/true
        {% endif %}
        {% else %}
        # Non-compact mode: root, but no extra capabilities and no privileged flag.
        command: ["/root/ovnkube.sh", "ovn-master"]
        securityContext:
          runAsUser: 0
        {% endif %}
        terminationMessagePolicy: FallbackToLogsOnError
        volumeMounts:
        # Run directories where we need to be able to access sockets
        - mountPath: /var/run/dbus/
          name: host-var-run-dbus
          readOnly: true
        - mountPath: /var/log/ovn-kubernetes/
          name: host-var-log-ovnkube
        - mountPath: /var/run/openvswitch/
          name: host-var-run-ovs
        - mountPath: /var/run/ovn/
          name: host-var-run-ovs
        - mountPath: /ovn-cert
          name: host-ovn-cert
          readOnly: true
        - mountPath: /run/ovnkube-config
          name: ovnkube-config
          readOnly: true
        {% if ovnkube_compact_mode_enable=="true" %}
        # Common mounts
        # for the iptables wrapper
        # The entire host root filesystem, read-only.
        - mountPath: /host
          name: host-slash
          readOnly: true
        # CNI related mounts which we take over
        # Both are writable: this container can replace the node's CNI binaries and
        # CNI configuration, i.e. code that runs for every pod created on the node.
        - mountPath: /opt/cni/bin
          name: host-opt-cni-bin
        - mountPath: /etc/cni/net.d
          name: host-etc-cni-netd
        # HostToContainer propagation so namespaces bind-mounted on the host after
        # startup become visible inside the container.
        - mountPath: /var/run/netns
          name: host-netns
          mountPropagation: HostToContainer
        # Host /var/lib/openvswitch exposed read-only under both config paths.
        - mountPath: /etc/openvswitch/
          name: host-var-lib-ovs
          readOnly: true
        - mountPath: /etc/ovn/
          name: host-var-lib-ovs
          readOnly: true
        - mountPath: /var/run/ovn-kubernetes
          name: host-var-run-ovn-kubernetes
        {% endif %}
        resources:
          requests:
            cpu: 100m
            memory: 300Mi
        env:
        # `-%}` on both tags keeps the list items at this indentation after rendering.
        # GOTRACEBACK=crash makes the Go runtime dump core on a fatal error; core
        # files written from this process may contain in-memory credentials.
        {% if (enable_coredumps | default("false")) == "true" -%}
        - name: GOTRACEBACK
          value: "crash"
        {% endif -%}
        - name: OVN_DAEMONSET_VERSION
          value: "1.2.0"
        - name: OVNKUBE_LOGLEVEL
          value: "{{ ovnkube_master_loglevel }}"
        - name: OVNKUBE_LOGFILE_MAXSIZE
          value: "{{ ovnkube_logfile_maxsize }}"
        - name: OVNKUBE_LOGFILE_MAXBACKUPS
          value: "{{ ovnkube_logfile_maxbackups }}"
        - name: OVNKUBE_LOGFILE_MAXAGE
          value: "{{ ovnkube_logfile_maxage }}"
        - name: OVNKUBE_LIBOVSDB_CLIENT_LOGFILE
          value: "{{ ovnkube_libovsdb_client_logfile }}"
        - name: OVNKUBE_CONFIG_DURATION_ENABLE
          value: "{{ ovnkube_config_duration_enable }}"
        - name: OVNKUBE_METRICS_SCALE_ENABLE
          value: "{{ ovnkube_metrics_scale_enable }}"
        # Rendered with hostNetwork, so whatever address this selects is reachable
        # from the node's network, not only from inside the pod.
        - name: METRICS_IP
          value: "{{ metrics_ip }}"
        - name: OVNKUBE_COMPACT_MODE_ENABLE
          value: "{{ ovnkube_compact_mode_enable }}"
        - name: OVN_NET_CIDR
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: net_cidr
        - name: OVN_SVC_CIDR
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: svc_cidr
        - name: K8S_APISERVER
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: k8s_apiserver
        - name: K8S_NODE
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        - name: K8S_NODE_IP
          valueFrom:
            fieldRef:
              fieldPath: status.hostIP
        - name: OVN_KUBERNETES_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        # Feature toggles and tunables below are passed straight from template
        # variables; all are quoted so they always render as strings.
        - name: OVN_HYBRID_OVERLAY_ENABLE
          value: "{{ ovn_hybrid_overlay_enable }}"
        - name: OVN_ADMIN_NETWORK_POLICY_ENABLE
          value: "{{ ovn_admin_network_policy_enable }}"
        - name: OVN_EGRESSIP_ENABLE
          value: "{{ ovn_egress_ip_enable }}"
        - name: OVN_EGRESSIP_HEALTHCHECK_PORT
          value: "{{ ovn_egress_ip_healthcheck_port }}"
        - name: OVN_EGRESSFIREWALL_ENABLE
          value: "{{ ovn_egress_firewall_enable }}"
        - name: OVN_EGRESSQOS_ENABLE
          value: "{{ ovn_egress_qos_enable }}"
        - name: OVN_MULTI_NETWORK_ENABLE
          value: "{{ ovn_multi_network_enable }}"
        - name: OVN_NETWORK_SEGMENTATION_ENABLE
          value: "{{ ovn_network_segmentation_enable }}"
        - name: OVN_ROUTE_ADVERTISEMENTS_ENABLE
          value: "{{ ovn_route_advertisements_enable }}"
        - name: OVN_EVPN_ENABLE
          value: "{{ ovn_evpn_enable }}"
        - name: OVN_ADVERTISED_UDN_ISOLATION_MODE
          value: "{{ ovn_advertised_udn_isolation_mode }}"
        - name: OVN_DYNAMIC_UDN_ALLOCATION
          value: "{{ ovn_enable_dynamic_udn_allocation }}"
        - name: OVN_DYNAMIC_UDN_GRACE_PERIOD
          value: "{{ ovn_dynamic_udn_grace_period }}"
        - name: OVN_NO_OVERLAY_ENABLE
          value: "{{ ovn_no_overlay_enable }}"
        - name: OVN_EGRESSSERVICE_ENABLE
          value: "{{ ovn_egress_service_enable }}"
        - name: OVN_HYBRID_OVERLAY_NET_CIDR
          value: "{{ ovn_hybrid_overlay_net_cidr }}"
        - name: OVN_DISABLE_SNAT_MULTIPLE_GWS
          value: "{{ ovn_disable_snat_multiple_gws }}"
        - name: OVN_DISABLE_FORWARDING
          value: "{{ ovn_disable_forwarding }}"
        - name: OVN_ENCAP_PORT
          value: "{{ ovn_encap_port }}"
        - name: OVN_EMPTY_LB_EVENTS
          value: "{{ ovn_empty_lb_events }}"
        - name: OVN_V4_JOIN_SUBNET
          value: "{{ ovn_v4_join_subnet }}"
        - name: OVN_V6_JOIN_SUBNET
          value: "{{ ovn_v6_join_subnet }}"
        - name: OVN_V4_MASQUERADE_SUBNET
          value: "{{ ovn_v4_masquerade_subnet }}"
        - name: OVN_V6_MASQUERADE_SUBNET
          value: "{{ ovn_v6_masquerade_subnet }}"
        - name: OVN_SSL_ENABLE
          value: "{{ ovn_ssl_en }}"
        - name: OVN_GATEWAY_MODE
          value: "{{ ovn_gateway_mode }}"
        - name: OVN_GATEWAY_OPTS
          value: "{{ ovn_gateway_opts }}"
        - name: OVN_MULTICAST_ENABLE
          value: "{{ ovn_multicast_enable }}"
        - name: OVN_ACL_LOGGING_RATE_LIMIT
          value: "{{ ovn_acl_logging_rate_limit }}"
        - name: OVN_STATELESS_NETPOL_ENABLE
          value: "{{ ovn_stateless_netpol_enable }}"
        - name: OVN_ENABLE_MULTI_EXTERNAL_GATEWAY
          value: "{{ ovn_enable_multi_external_gateway }}"
        - name: OVN_ENABLE_SVC_TEMPLATE_SUPPORT
          value: "{{ ovn_enable_svc_template_support }}"
        - name: OVN_NOHOSTSUBNET_LABEL
          value: "{{ ovn_nohostsubnet_label }}"
        - name: OVN_DISABLE_REQUESTEDCHASSIS
          value: "{{ ovn_disable_requestedchassis }}"
        - name: OVN_HOST_NETWORK_NAMESPACE
          valueFrom:
            configMapKeyRef:
              name: ovn-config
              key: host_network_namespace
        - name: OVN_ENABLE_PERSISTENT_IPS
          value: "{{ ovn_enable_persistent_ips }}"
        - name: OVN_NETWORK_QOS_ENABLE
          value: "{{ ovn_network_qos_enable }}"
        - name: OVN_ENABLE_DNSNAMERESOLVER
          value: "{{ ovn_enable_dnsnameresolver }}"
        - name: OVN_ALLOW_ICMP_NETPOL
          value: "{{ ovn_allow_icmp_netpol }}"
      # end of container
      volumes:
      # TODO: Need to check why we need this?
      # (both containers mount it read-only)
      - name: host-var-run-dbus
        hostPath:
          path: /var/run/dbus
      - name: host-var-log-ovs
        hostPath:
          path: /var/log/openvswitch
      - name: host-var-log-ovnkube
        hostPath:
          path: /var/log/ovn-kubernetes
      - name: host-var-run-ovs
        hostPath:
          path: /var/run/openvswitch
      # DirectoryOrCreate: the kubelet creates /etc/ovn on the host if it is missing.
      # Both containers mount this read-only.
      - name: host-ovn-cert
        hostPath:
          path: /etc/ovn
          type: DirectoryOrCreate
      - name: ovnkube-config
        configMap:
          name: ovnkube-config
      {% if ovnkube_compact_mode_enable=="true" %}
      # Host root filesystem; mounted read-only at /host above.
      - name: host-slash
        hostPath:
          path: /
      # Mounted writable above.
      - name: host-opt-cni-bin
        hostPath:
          path: /opt/cni/bin
      # Mounted writable above.
      - name: host-etc-cni-netd
        hostPath:
          path: /etc/cni/net.d
      - name: host-netns
        hostPath:
          path: /var/run/netns
      # NOTE(review): no volumeMounts entry in this file references host-run-ovs;
      # the containers use host-var-run-ovs (/var/run/openvswitch) instead.
      - name: host-run-ovs
        hostPath:
          path: /run/openvswitch
      - name: host-var-lib-ovs
        hostPath:
          path: /var/lib/openvswitch
      - name: host-var-run-ovn-kubernetes
        hostPath:
          path: /var/run/ovn-kubernetes
      {% endif %}
      # A bare Exists toleration with no key tolerates every taint, including the
      # control-plane NoSchedule taint the node affinity above relies on.
      tolerations:
      - operator: "Exists"