1 # Calico Version v2.4.1
2 # https://docs.projectcalico.org/v2.4/releases#v2.4.1
3 # This manifest includes the following component versions:
6 # calico/kube-policy-controller:v0.7.0
# NOTE(review): this view of the manifest is partial — many intermediate lines
# (e.g. the ConfigMap's apiVersion/kind/metadata and the other component
# versions) are not shown, so only what is visible here is documented.
8 # This ConfigMap is used to configure a self-hosted Calico installation.
13 namespace: kube-system
15 # The location of your etcd cluster. This uses the Service clusterIP
# and must stay identical to the clusterIP of the calico-etcd Service defined
# later in this file; nothing ties the two values together automatically.
# The scheme is plain http:// and no client certificate is configured, so the
# datastore holding every Calico policy and IP allocation is reachable without
# authentication by anything that can reach this address (the calico-etcd pod
# listens on 0.0.0.0 — see its args below). Calico supports TLS to etcd via the
# etcd_ca / etcd_cert / etcd_key ConfigMap keys; they are not used here.
17 etcd_endpoints: "http://10.96.232.136:6666"
19 # Configure the Calico backend to use.
# "bird" = BGP routing between nodes (see CALICO_NETWORKING_BACKEND on calico/node).
20 calico_backend: "bird"
22 # The CNI network configuration to install on each node.
# Block scalar (|-): the value is JSON text handed to the cni container through
# the CNI_NETWORK_CONFIG env var and written under the host's /etc/cni/net.d.
# The __UPPER_CASE__ tokens are presumably replaced by install-cni.sh at
# install time — TODO confirm against the calico/cni image.
23 cni_network_config: |-
25 "name": "k8s-pod-network",
# 0.1.0 is the legacy CNI spec level; newer plugin binaries expect 0.3.x or later.
26 "cniVersion": "0.1.0",
28 "etcd_endpoints": "__ETCD_ENDPOINTS__",
# The calico-cni-plugin service-account token is embedded in this file (and in
# the kubeconfig referenced below) on every node's filesystem. Whoever can read
# /etc/cni/net.d on a node holds that token, so the RBAC granted to
# calico-cni-plugin should be the minimum the plugin needs, and the directory
# should stay root-only.
36 "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
37 "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
40 "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
46 # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
47 # to force it to run on the master even when the master isn't schedulable, and uses
48 # nodeSelector to ensure it only runs on the master.
# extensions/v1beta1 DaemonSets were removed in Kubernetes 1.16; apps/v1 replaces it.
49 apiVersion: extensions/v1beta1
53 namespace: kube-system
62 # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
63 # reserves resources for critical add-on pods so that they can be rescheduled after
64 # a failure. This annotation works in tandem with the toleration below.
# The value is deliberately the empty string '' (present, not null). This
# annotation was superseded by Pod priority (priorityClassName) in later
# Kubernetes releases.
65 scheduler.alpha.kubernetes.io/critical-pod: ''
67 # Only run this pod on the master.
# Toleration for the master taint; its operator/effect lines are not visible here.
69 - key: node-role.kubernetes.io/master
71 # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
72 # This, along with the annotation above marks this pod as a critical add-on.
73 - key: CriticalAddonsOnly
# nodeSelector: the label kubeadm puts on control-plane nodes (empty value).
76 node-role.kubernetes.io/master: ""
# Pinned by tag only, not by digest; etcd 3.1 is long past end of support.
80 image: quay.io/coreos/etcd:v3.1.10
# Downward API: the pod's own IP. If the pod runs with hostNetwork (the
# hostNetwork line is not visible here — confirm) this is the node IP.
82 - name: CALICO_ETCD_IP
85 fieldPath: status.podIP
# $CALICO_ETCD_IP in args is expanded by this shell, not by Kubernetes.
86 command: ["/bin/sh","-c"]
# Single-member etcd. Client (6666) and peer (6667) listeners are bound to
# 0.0.0.0 over plain http with no --cert-file/--key-file/--trusted-ca-file/
# --client-cert-auth, so any client that can reach those ports on the master
# can read and modify all Calico policy and IPAM state. Defensive options:
# restrict 6666/6667 at the host firewall to cluster nodes only, or enable etcd
# TLS with client-cert auth and point Calico at it via etcd_ca/etcd_cert/etcd_key.
# Where --data-dir=/var/etcd/calico-data is backed (hostPath or not) is not shown;
# losing it loses the datastore.
87 args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
98 # This manifest installs the Service which gets traffic to the Calico
# etcd pod above (rest of this sentence is not visible here).
106 namespace: kube-system
108 # Select the calico-etcd pod running on the master.
111 # This ClusterIP needs to be known in advance, since we cannot rely
112 # on DNS to get access to etcd.
# Must equal the address in the ConfigMap's etcd_endpoints and must lie inside
# the cluster's service CIDR (kubeadm's default is 10.96.0.0/12); the API
# server rejects a clusterIP outside that range. Note the Service does not add
# any authentication — it only fronts the unauthenticated etcd listener.
113 clusterIP: 10.96.232.136
119 # This manifest installs the calico/node container, as well
120 # as the Calico CNI plugins and network config on
121 # each master and worker node in a Kubernetes cluster.
# extensions/v1beta1 DaemonSets were removed in Kubernetes 1.16; apps/v1 replaces it.
123 apiVersion: extensions/v1beta1
126 namespace: kube-system
138 # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
139 # reserves resources for critical add-on pods so that they can be rescheduled after
140 # a failure. This annotation works in tandem with the toleration below.
# Empty-string value on purpose; superseded by priorityClassName in later releases.
141 scheduler.alpha.kubernetes.io/critical-pod: ''
# Tolerate the master taint so the DaemonSet also lands on control-plane nodes.
145 - key: node-role.kubernetes.io/master
147 # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
148 # This, along with the annotation above marks this pod as a critical add-on.
149 - key: CriticalAddonsOnly
# Bound to the calico-cni-plugin ClusterRole by the ClusterRoleBinding at the
# end of this file. The same account's token is copied into the CNI config on
# every node (see cni_network_config), so its rules should be minimal; the rules
# themselves are not visible in this view.
151 serviceAccountName: calico-cni-plugin
153 # Runs calico/node container on each Kubernetes node. This
154 # container programs network policy and routes on each
# Pinned by tag only. The securityContext (privileged) and hostNetwork lines are
# not visible here — the hostPath mounts below suggest host-level access; confirm.
157 image: quay.io/calico/node:v2.4.1
159 # The location of the Calico etcd cluster.
# Value source not visible; presumably a configMapKeyRef to etcd_endpoints — confirm.
160 - name: ETCD_ENDPOINTS
165 # Enable BGP. Disable to enforce policy only.
166 - name: CALICO_NETWORKING_BACKEND
171 # Cluster type to identify the deployment type
174 # Disable file logging so `kubectl logs` works.
175 - name: CALICO_DISABLE_FILE_LOGGING
177 # Set Felix endpoint to host default action to ACCEPT.
# The value line is not visible here. ACCEPT means workload-to-host traffic that
# no policy matched is allowed, i.e. pods can reach services bound on their own
# node by default; DROP (Felix's default) or RETURN is the stricter choice.
# Confirm the value actually set before relying on either behaviour.
178 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
180 # Configure the IP Pool from which Pod IPs will be chosen.
# Must match the cluster's pod network CIDR (kubeadm --pod-network-cidr) and must
# not overlap the node or service ranges.
181 - name: CALICO_IPV4POOL_CIDR
182 value: "192.168.0.0/16"
# IPIP encapsulation mode for the pool; value not visible here.
183 - name: CALICO_IPV4POOL_IPIP
185 # Disable IPv6 on Kubernetes.
186 - name: FELIX_IPV6SUPPORT
188 # Set MTU for tunnel device used if ipip is enabled
189 - name: FELIX_IPINIPMTU
191 # Set Felix logging to "info"
192 - name: FELIX_LOGSEVERITYSCREEN
# Presumably backs the liveness probe whose initialDelaySeconds appears below — confirm.
194 - name: FELIX_HEALTHENABLED
196 # Auto-detect the BGP IP address.
209 initialDelaySeconds: 10
# hostPath mounts into the container (the hostPath definitions are further down).
217 - mountPath: /lib/modules
220 - mountPath: /var/run/calico
223 # This container installs the Calico CNI binaries
224 # and CNI network config file on each node.
# Pinned by tag only.
226 image: quay.io/calico/cni:v1.10.0
227 command: ["/install-cni.sh"]
229 # The location of the Calico etcd cluster.
230 - name: ETCD_ENDPOINTS
235 # The CNI network config to install on each node.
# Sourced from the calico ConfigMap key below.
236 - name: CNI_NETWORK_CONFIG
240 key: cni_network_config
# Writes binaries that the kubelet later executes as root on every node, and a
# config file carrying a service-account token; both are node-trust-level
# artifacts, so the integrity of the calico/cni image matters as much as that
# of calico/node.
242 - mountPath: /host/opt/cni/bin
244 - mountPath: /host/etc/cni/net.d
247 # Used by calico/node.
251 - name: var-run-calico
253 path: /var/run/calico
254 # Used to install CNI.
264 # This manifest deploys the Calico policy controller on Kubernetes.
265 # See https://github.com/projectcalico/k8s-policy
# extensions/v1beta1 Deployments were removed in Kubernetes 1.16; apps/v1 replaces it.
266 apiVersion: extensions/v1beta1
269 name: calico-policy-controller
270 namespace: kube-system
272 k8s-app: calico-policy
274 # The policy controller can only have a single active instance.
# The replicas line is not visible here; keep it at 1.
280 name: calico-policy-controller
281 namespace: kube-system
283 k8s-app: calico-policy-controller
285 # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
286 # reserves resources for critical add-on pods so that they can be rescheduled after
287 # a failure. This annotation works in tandem with the toleration below.
# Empty-string value on purpose; superseded by priorityClassName in later releases.
288 scheduler.alpha.kubernetes.io/critical-pod: ''
290 # The policy controller must run in the host network namespace so that
291 # it isn't governed by policy that would prevent it from working.
# hostNetwork means this pod shares the node's network stack; the hostNetwork
# line itself is not visible in this view.
294 - key: node-role.kubernetes.io/master
296 # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
297 # This, along with the annotation above marks this pod as a critical add-on.
298 - key: CriticalAddonsOnly
# Bound to the calico-policy-controller ClusterRole at the end of this file;
# its rules are not visible here — they should cover only what the controller
# watches.
300 serviceAccountName: calico-policy-controller
302 - name: calico-policy-controller
# Pinned by tag only, not by digest.
303 image: quay.io/calico/kube-policy-controller:v0.7.0
305 # The location of the Calico etcd cluster.
306 - name: ETCD_ENDPOINTS
311 # The location of the Kubernetes API. Use the default Kubernetes
312 # service for API access.
# Env var name line not visible. Because the name is resolved through /etc/hosts
# (see CONFIGURE_ETC_HOSTS), the API server certificate must carry the
# kubernetes.default SAN for TLS verification to pass — kubeadm's default
# certificate does.
314 value: "https://kubernetes.default:443"
315 # Since we're running in the host namespace and might not have KubeDNS
316 # access, configure the container's /etc/hosts to resolve
317 # kubernetes.default to the correct service clusterIP.
# Value line not visible here.
318 - name: CONFIGURE_ETC_HOSTS
# rbac.authorization.k8s.io/v1beta1 was removed in Kubernetes 1.22; use v1.
# A ClusterRoleBinding grants the role cluster-wide (all namespaces).
321 apiVersion: rbac.authorization.k8s.io/v1beta1
322 kind: ClusterRoleBinding
324 name: calico-cni-plugin
# roleRef → ClusterRole calico-cni-plugin (the roleRef kind line is not visible).
326 apiGroup: rbac.authorization.k8s.io
328 name: calico-cni-plugin
# Subject: the service account used by the calico-node DaemonSet. Its token is
# also written into the CNI config on every node, so the ClusterRole's rules
# (not visible here) are effectively readable by anyone with root on a node —
# keep them to the read-only verbs the CNI plugin needs.
330 - kind: ServiceAccount
331 name: calico-cni-plugin
332 namespace: kube-system
# ClusterRole calico-cni-plugin; its rules (the following lines) are not visible
# in this view, so least-privilege cannot be confirmed from here.
335 apiVersion: rbac.authorization.k8s.io/v1beta1
337 name: calico-cni-plugin
338 namespace: kube-system
# Presumably the ServiceAccount object itself (kind line not visible) — confirm.
350 name: calico-cni-plugin
351 namespace: kube-system
# Same pattern for the policy controller: ClusterRoleBinding → ClusterRole →
# ServiceAccount, all named calico-policy-controller.
353 apiVersion: rbac.authorization.k8s.io/v1beta1
354 kind: ClusterRoleBinding
356 name: calico-policy-controller
358 apiGroup: rbac.authorization.k8s.io
360 name: calico-policy-controller
362 - kind: ServiceAccount
363 name: calico-policy-controller
364 namespace: kube-system
# ClusterRole calico-policy-controller; rules not visible here. The controller
# only needs to watch pods, namespaces and networkpolicies, so any write verbs
# beyond that warrant a second look.
367 apiVersion: rbac.authorization.k8s.io/v1beta1
369 name: calico-policy-controller
370 namespace: kube-system
# Presumably the ServiceAccount object (kind line not visible) — confirm.
386 name: calico-policy-controller
387 namespace: kube-system