dsk-dev kubespray 이동

ansible/kubespray/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+# Limits for calico apps
+calico_policy_controller_cpu_limit: 1000m
+calico_policy_controller_memory_limit: 256M
+calico_policy_controller_cpu_requests: 30m
+calico_policy_controller_memory_requests: 64M
+calico_policy_controller_deployment_nodeselector: "kubernetes.io/os: linux"
+
+# SSL
+calico_cert_dir: "/etc/calico/certs"
+canal_cert_dir: "/etc/canal/certs"

ansible/kubespray/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml

@@ -0,0 +1,43 @@
+---
+- name: Set cert dir
+  set_fact:
+    calico_cert_dir: "{{ canal_cert_dir }}"
+  when:
+    - kube_network_plugin == 'canal'
+  tags:
+    - facts
+    - canal
+
+- name: Create calico-kube-controllers manifests
+  template:
+    src: "{{ item.file }}.j2"
+    dest: "{{ kube_config_dir }}/{{ item.file }}"
+    mode: 0644
+  with_items:
+    - {name: calico-kube-controllers, file: calico-kube-controllers.yml, type: deployment}
+    - {name: calico-kube-controllers, file: calico-kube-sa.yml, type: sa}
+    - {name: calico-kube-controllers, file: calico-kube-cr.yml, type: clusterrole}
+    - {name: calico-kube-controllers, file: calico-kube-crb.yml, type: clusterrolebinding}
+  register: calico_kube_manifests
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - rbac_enabled or item.type not in rbac_resources
+
+- name: Start of Calico kube controllers
+  kube:
+    name: "{{ item.item.name }}"
+    namespace: "kube-system"
+    kubectl: "{{ bin_dir }}/kubectl"
+    resource: "{{ item.item.type }}"
+    filename: "{{ kube_config_dir }}/{{ item.item.file }}"
+    state: "latest"
+  with_items:
+    - "{{ calico_kube_manifests.results }}"
+  register: calico_kube_controller_start
+  until: calico_kube_controller_start is succeeded
+  retries: 4
+  when:
+    - inventory_hostname == groups['kube_control_plane'][0]
+    - not item is skipped
+  loop_control:
+    label: "{{ item.item.file }}"

ansible/kubespray/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+  labels:
+    k8s-app: calico-kube-controllers
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      k8s-app: calico-kube-controllers
+  template:
+    metadata:
+      name: calico-kube-controllers
+      namespace: kube-system
+      labels:
+        k8s-app: calico-kube-controllers
+    spec:
+      nodeSelector:
+        {{ calico_policy_controller_deployment_nodeselector }}
+{% if calico_datastore == "etcd" %}
+      hostNetwork: true
+{% endif %}
+      serviceAccountName: calico-kube-controllers
+      tolerations:
+        - key: CriticalAddonsOnly
+          operator: Exists
+        - key: node-role.kubernetes.io/master
+          effect: NoSchedule
+        - key: node-role.kubernetes.io/control-plane
+          effect: NoSchedule
+{% if policy_controller_extra_tolerations is defined %}
+        {{ policy_controller_extra_tolerations | list | to_nice_yaml(indent=2) | indent(8) }}
+{% endif %}
+      priorityClassName: system-cluster-critical
+      containers:
+        - name: calico-kube-controllers
+          image: {{ calico_policy_image_repo }}:{{ calico_policy_image_tag }}
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          resources:
+            limits:
+              cpu: {{ calico_policy_controller_cpu_limit }}
+              memory: {{ calico_policy_controller_memory_limit }}
+            requests:
+              cpu: {{ calico_policy_controller_cpu_requests }}
+              memory: {{ calico_policy_controller_memory_requests }}
+          livenessProbe:
+            exec:
+              command:
+              - /usr/bin/check-status
+              - -l
+            periodSeconds: 10
+            initialDelaySeconds: 10
+            failureThreshold: 6
+          readinessProbe:
+            exec:
+              command:
+              - /usr/bin/check-status
+              - -r
+            periodSeconds: 10
+          env:
+{% if calico_datastore == "kdd" %}
+            - name: ENABLED_CONTROLLERS
+              value: node
+            - name: DATASTORE_TYPE
+              value: kubernetes
+{% else %}
+            - name: ETCD_ENDPOINTS
+              value: "{{ etcd_access_addresses }}"
+            - name: ETCD_CA_CERT_FILE
+              value: "{{ calico_cert_dir }}/ca_cert.crt"
+            - name: ETCD_CERT_FILE
+              value: "{{ calico_cert_dir }}/cert.crt"
+            - name: ETCD_KEY_FILE
+              value: "{{ calico_cert_dir }}/key.pem"
+          volumeMounts:
+          - mountPath: {{ calico_cert_dir }}
+            name: etcd-certs
+            readOnly: true
+      volumes:
+      - hostPath:
+          path: {{ calico_cert_dir }}
+        name: etcd-certs
+{% endif %}

ansible/kubespray/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2

@@ -0,0 +1,110 @@
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system
+rules:
+{% if calico_datastore == "etcd"  %}
+  - apiGroups:
+    - ""
+    - extensions
+    resources:
+      - pods
+      - namespaces
+      - networkpolicies
+      - nodes
+      - serviceaccounts
+    verbs:
+      - watch
+      - list
+      - get
+  - apiGroups:
+    - ""
+    resources:
+      - nodes
+    verbs:
+      - get
+  - apiGroups:
+    - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - watch
+      - list
+{% elif calico_datastore == "kdd" %}
+  # Nodes are watched to monitor for deletions.
+  - apiGroups: [""]
+    resources:
+      - nodes
+    verbs:
+      - watch
+      - list
+      - get
+  # Pods are queried to check for existence.
+  - apiGroups: [""]
+    resources:
+      - pods
+    verbs:
+      - watch
+      - list
+      - get
+  # IPAM resources are manipulated when nodes are deleted.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ipreservations
+    verbs:
+      - list
+  # Pools are watched to maintain a mapping of blocks to IP pools.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - ippools
+    verbs:
+      - list
+      - watch
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+      - watch
+  # kube-controllers manages hostendpoints.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - hostendpoints
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+  # Needs access to update clusterinformations.
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - clusterinformations
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - watch
+  # KubeControllersConfiguration is where it gets its config
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - kubecontrollersconfigurations
+    verbs:
+      # read its own config
+      - get
+      # create a default if none exists
+      - create
+      # update status
+      - update
+      # watch for changes
+      - watch
+{% endif %}

ansible/kubespray/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-crb.yml.j2

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-kube-controllers
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-kube-controllers
+subjects:
+- kind: ServiceAccount
+  name: calico-kube-controllers
+  namespace: kube-system

ansible/kubespray/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-sa.yml.j2

@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-kube-controllers
+  namespace: kube-system