1 # Calico Version v2.6.3
2 # https://docs.projectcalico.org/v2.6/releases#v2.6.3
3 # This manifest includes the following component versions:
6 # calico/kube-controllers:v1.0.1
8 # This ConfigMap is used to configure a self-hosted Calico installation.
13 namespace: kube-system
15 # The location of your etcd cluster. This uses the Service clusterIP
# NOTE(review): the endpoint scheme is http://, so traffic between Calico components and
# etcd is unencrypted and, as far as this listing shows, carries no client credentials.
# Prefer https:// with etcd client certificates; confirm whether TLS is configured
# elsewhere. The address matches the fixed clusterIP of the etcd Service in this file.
17 etcd_endpoints: "http://10.96.232.136:6666"
19 # Configure the Calico backend to use.
20 calico_backend: "bird"
22 # The CNI network configuration to install on each node.
# NOTE(review): the template below carries a "k8s_auth_token" field and a kubeconfig path
# under /etc/cni/net.d. Once the __SERVICEACCOUNT_TOKEN__ placeholder is filled in
# (presumably by the CNI install container), the resulting files on the host hold a
# Kubernetes credential; verify their ownership and permissions on the node.
# The block scalar is JSON, so no comments may be placed inside it.
23 cni_network_config: |-
25 "name": "k8s-pod-network",
26 "cniVersion": "0.1.0",
28 "etcd_endpoints": "__ETCD_ENDPOINTS__",
36 "k8s_api_root": "https://__KUBERNETES_SERVICE_HOST__:__KUBERNETES_SERVICE_PORT__",
37 "k8s_auth_token": "__SERVICEACCOUNT_TOKEN__"
40 "kubeconfig": "/etc/cni/net.d/__KUBECONFIG_FILENAME__"
46 # This manifest installs the Calico etcd on the kubeadm master. This uses a DaemonSet
47 # to force it to run on the master even when the master isn't schedulable, and uses
48 # nodeSelector to ensure it only runs on the master.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of
# Kubernetes 1.16; apps/v1 is the replacement API group for DaemonSet.
49 apiVersion: extensions/v1beta1
53 namespace: kube-system
62 # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
63 # reserves resources for critical add-on pods so that they can be rescheduled after
64 # a failure. This annotation works in tandem with the toleration below.
65 scheduler.alpha.kubernetes.io/critical-pod: ''
67 # Only run this pod on the master.
69 # this taint is set by all kubelets running `--cloud-provider=external`
70 # so we should tolerate it to schedule the calico pods
71 - key: node.cloudprovider.kubernetes.io/uninitialized
74 - key: node-role.kubernetes.io/master
76 # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
77 # This, along with the annotation above marks this pod as a critical add-on.
78 - key: CriticalAddonsOnly
81 node-role.kubernetes.io/master: ""
# NOTE(review): the image is referenced by a mutable tag; pinning it by digest would
# let the deployed etcd binary be verified against a known artifact.
85 image: quay.io/coreos/etcd:v3.1.10
# CALICO_ETCD_IP is taken from the pod's own IP (status.podIP) via the downward API
# and is expanded by the shell in the etcd command line below.
87 - name: CALICO_ETCD_IP
90 fieldPath: status.podIP
91 command: ["/bin/sh","-c"]
# NOTE(review): etcd is started with plain-http client (6666) and peer (6667) listeners
# bound to 0.0.0.0, and no TLS or client-certificate flags (e.g. --cert-file, --key-file,
# --client-cert-auth, --trusted-ca-file) appear in the arguments. Unless authentication
# is enabled separately, anything that can reach these ports can read and modify the
# Calico datastore, which holds network policy. Enable TLS with client-cert auth and
# restrict which sources may reach the ports.
92 args: ["/usr/local/bin/etcd --name=calico --data-dir=/var/etcd/calico-data --advertise-client-urls=http://$CALICO_ETCD_IP:6666 --listen-client-urls=http://0.0.0.0:6666 --listen-peer-urls=http://0.0.0.0:6667"]
103 # This manifest installs the Service which gets traffic to the Calico
111 namespace: kube-system
113 # Select the calico-etcd pod running on the master.
116 # This ClusterIP needs to be known in advance, since we cannot rely
117 # on DNS to get access to etcd.
# The value must stay in sync with etcd_endpoints in the ConfigMap in this file, which
# hard-codes the same address, and must fall inside the cluster's service CIDR.
# NOTE(review): a ClusterIP is normally reachable from every pod in the cluster, so the
# unauthenticated etcd behind it is exposed cluster-wide unless policy restricts it.
118 clusterIP: 10.96.232.136
124 # This manifest installs the calico/node container, as well
125 # as the Calico CNI plugins and network config on
126 # each master and worker node in a Kubernetes cluster.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of
# Kubernetes 1.16; apps/v1 is the replacement API group for DaemonSet.
128 apiVersion: extensions/v1beta1
131 namespace: kube-system
143 # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
144 # reserves resources for critical add-on pods so that they can be rescheduled after
145 # a failure. This annotation works in tandem with the toleration below.
146 scheduler.alpha.kubernetes.io/critical-pod: ''
150 # this taint is set by all kubelets running `--cloud-provider=external`
151 # so we should tolerate it to schedule the calico pods
152 - key: node.cloudprovider.kubernetes.io/uninitialized
155 - key: node-role.kubernetes.io/master
157 # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
158 # This, along with the annotation above marks this pod as a critical add-on.
159 - key: CriticalAddonsOnly
# Both containers of this pod act against the Kubernetes API as this service account;
# its permissions come from the calico-cni-plugin ClusterRole bound later in this file.
161 serviceAccountName: calico-cni-plugin
162 # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
163 # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
164 terminationGracePeriodSeconds: 0
166 # Runs calico/node container on each Kubernetes node. This
167 # container programs network policy and routes on each
# NOTE(review): the image is referenced by a mutable tag; this container programs policy
# and routes on every node, so pinning by digest is worth considering.
170 image: quay.io/calico/node:v2.6.3
172 # The location of the Calico etcd cluster.
173 - name: ETCD_ENDPOINTS
178 # Enable BGP. Disable to enforce policy only.
179 - name: CALICO_NETWORKING_BACKEND
184 # Cluster type to identify the deployment type
187 # Set noderef for node controller.
188 - name: CALICO_K8S_NODE_REF
191 fieldPath: spec.nodeName
192 # Disable file logging so `kubectl logs` works.
193 - name: CALICO_DISABLE_FILE_LOGGING
195 # Set Felix endpoint to host default action to ACCEPT.
# NOTE(review): with ACCEPT, traffic from a workload to the node it runs on is allowed
# once it has passed the workload's own policy, so host-local services are reachable
# from pods unless further restricted. The value line is not visible in this listing;
# confirm it and that the exposure is intended.
196 - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
198 # Configure the IP Pool from which Pod IPs will be chosen.
199 - name: CALICO_IPV4POOL_CIDR
200 value: "192.168.0.0/16"
201 - name: CALICO_IPV4POOL_IPIP
203 # Disable IPv6 on Kubernetes.
204 - name: FELIX_IPV6SUPPORT
206 # Set MTU for tunnel device used if ipip is enabled
207 - name: FELIX_IPINIPMTU
209 # Set Felix logging to "info"
210 - name: FELIX_LOGSEVERITYSCREEN
212 # Auto-detect the BGP IP address.
215 - name: FELIX_HEALTHENABLED
227 initialDelaySeconds: 10
# NOTE(review): these mounts look like host directories exposed to the container
# (/var/run/calico is also declared as a volume path below); the securityContext and
# read-only flags are not visible in this listing - confirm them against the full file.
235 - mountPath: /lib/modules
238 - mountPath: /var/run/calico
241 # This container installs the Calico CNI binaries
242 # and CNI network config file on each node.
# NOTE(review): this container writes executables and configuration into the host's CNI
# directories (mounted below at /host/opt/cni/bin and /host/etc/cni/net.d). The image
# contents therefore end up executing on the node, yet it is referenced by tag only.
244 image: quay.io/calico/cni:v1.11.1
245 command: ["/install-cni.sh"]
247 # The location of the Calico etcd cluster.
248 - name: ETCD_ENDPOINTS
253 # The CNI network config to install on each node.
# Sourced from the cni_network_config key of the ConfigMap defined in this file.
254 - name: CNI_NETWORK_CONFIG
258 key: cni_network_config
260 - mountPath: /host/opt/cni/bin
262 - mountPath: /host/etc/cni/net.d
265 # Used by calico/node.
269 - name: var-run-calico
271 path: /var/run/calico
272 # Used to install CNI.
282 # This manifest deploys the Calico Kubernetes controllers.
283 # See https://github.com/projectcalico/kube-controllers
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of
# Kubernetes 1.16; apps/v1 is the replacement API group for Deployment.
284 apiVersion: extensions/v1beta1
287 name: calico-kube-controllers
288 namespace: kube-system
290 k8s-app: calico-kube-controllers
292 # The controllers can only have a single active instance.
298 name: calico-kube-controllers
299 namespace: kube-system
301 k8s-app: calico-kube-controllers
303 # Mark this pod as a critical add-on; when enabled, the critical add-on scheduler
304 # reserves resources for critical add-on pods so that they can be rescheduled after
305 # a failure. This annotation works in tandem with the toleration below.
306 scheduler.alpha.kubernetes.io/critical-pod: ''
308 # The controllers must run in the host network namespace so that
309 # it isn't governed by policy that would prevent it from working.
# NOTE(review): running in the host network namespace also means the pod shares the
# node's interfaces and is exempt from pod-level Calico policy. The setting itself is
# not visible in this listing; confirm it in the full manifest.
312 # this taint is set by all kubelets running `--cloud-provider=external`
313 # so we should tolerate it to schedule the calico pods
314 - key: node.cloudprovider.kubernetes.io/uninitialized
317 - key: node-role.kubernetes.io/master
319 # Allow this pod to be rescheduled while the node is in "critical add-ons only" mode.
320 # This, along with the annotation above marks this pod as a critical add-on.
321 - key: CriticalAddonsOnly
# API permissions come from the calico-kube-controllers ClusterRole bound later in this file.
323 serviceAccountName: calico-kube-controllers
325 - name: calico-kube-controllers
# NOTE(review): the image is referenced by a mutable tag; consider pinning by digest.
326 image: quay.io/calico/kube-controllers:v1.0.1
328 # The location of the Calico etcd cluster.
329 - name: ETCD_ENDPOINTS
334 # The location of the Kubernetes API. Use the default Kubernetes
335 # service for API access.
337 value: "https://kubernetes.default:443"
338 # Choose which controllers to run.
339 - name: ENABLED_CONTROLLERS
340 value: policy,profile,workloadendpoint,node
341 # Since we're running in the host namespace and might not have KubeDNS
342 # access, configure the container's /etc/hosts to resolve
343 # kubernetes.default to the correct service clusterIP.
344 - name: CONFIGURE_ETC_HOSTS
349 # This deployment turns off the old "policy-controller". It should remain at 0 replicas, and then
350 # be removed entirely once the new kube-controllers deployment has been deployed above.
# NOTE(review): extensions/v1beta1 workload kinds are no longer served as of
# Kubernetes 1.16; apps/v1 is the replacement API group for Deployment.
351 apiVersion: extensions/v1beta1
354 name: calico-policy-controller
355 namespace: kube-system
357 k8s-app: calico-policy-controller
359 # Turn this deployment off in favor of the kube-controllers deployment above.
365 name: calico-policy-controller
366 namespace: kube-system
368 k8s-app: calico-policy-controller
# This legacy deployment reuses the calico-kube-controllers service account and image.
# If it were ever scaled above zero it would run with that account's cluster-wide
# permissions, so remove it once the migration described above is complete.
371 serviceAccountName: calico-kube-controllers
373 - name: calico-policy-controller
374 image: quay.io/calico/kube-controllers:v1.0.1
376 - name: ETCD_ENDPOINTS
# Binds the calico-cni-plugin role to the calico-cni-plugin ServiceAccount in kube-system.
# That account is used by the calico/node DaemonSet in this file.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served as of Kubernetes
# 1.22; rbac.authorization.k8s.io/v1 is the replacement.
384 apiVersion: rbac.authorization.k8s.io/v1beta1
385 kind: ClusterRoleBinding
387 name: calico-cni-plugin
389 apiGroup: rbac.authorization.k8s.io
391 name: calico-cni-plugin
393 - kind: ServiceAccount
394 name: calico-cni-plugin
395 namespace: kube-system
# NOTE(review): the rules granted to calico-cni-plugin are not visible in this listing.
# The binding is cluster-wide, so check the full rule set for least privilege.
400 apiVersion: rbac.authorization.k8s.io/v1beta1
402 name: calico-cni-plugin
416 name: calico-cni-plugin
417 namespace: kube-system
# Binds the calico-kube-controllers role to the calico-kube-controllers ServiceAccount in
# kube-system. Both the kube-controllers Deployment and the legacy
# calico-policy-controller Deployment in this file use that account.
# NOTE(review): rbac.authorization.k8s.io/v1beta1 is no longer served as of Kubernetes
# 1.22; rbac.authorization.k8s.io/v1 is the replacement.
421 apiVersion: rbac.authorization.k8s.io/v1beta1
422 kind: ClusterRoleBinding
424 name: calico-kube-controllers
426 apiGroup: rbac.authorization.k8s.io
428 name: calico-kube-controllers
430 - kind: ServiceAccount
431 name: calico-kube-controllers
432 namespace: kube-system
# NOTE(review): the rules granted to calico-kube-controllers are not visible in this
# listing. The binding is cluster-wide, so check the full rule set for least privilege.
437 apiVersion: rbac.authorization.k8s.io/v1beta1
439 name: calico-kube-controllers
458 name: calico-kube-controllers
459 namespace: kube-system