dsk-dev kubespray 이동

2023-12-19 14:31:22 +09:00
parent a35325e16b
commit 5671a92148
2568 changed files with 0 additions and 0 deletions
--- a/ansible/kubespray/roles/network_plugin/macvlan/OWNERS
+++ b/ansible/kubespray/roles/network_plugin/macvlan/OWNERS
@@ -0,0 +1,6 @@
+# See the OWNERS docs at https://go.k8s.io/owners
+
+approvers:
+  - simon
+reviewers:
+  - simon
--- a/ansible/kubespray/roles/network_plugin/macvlan/defaults/main.yml
+++ b/ansible/kubespray/roles/network_plugin/macvlan/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+macvlan_interface: eth0
+enable_nat_default_gateway: true
+
+# sysctl_file_path to add sysctl conf to
+sysctl_file_path: "/etc/sysctl.d/99-sysctl.conf"
--- a/ansible/kubespray/roles/network_plugin/macvlan/files/ifdown-local
+++ b/ansible/kubespray/roles/network_plugin/macvlan/files/ifdown-local
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+POSTDOWNNAME="/etc/sysconfig/network-scripts/post-down-$1"
+if [ -x $POSTDOWNNAME ]; then
+  exec $POSTDOWNNAME
+fi
--- a/ansible/kubespray/roles/network_plugin/macvlan/files/ifdown-macvlan
+++ b/ansible/kubespray/roles/network_plugin/macvlan/files/ifdown-macvlan
@@ -0,0 +1,41 @@
+#!/bin/bash
+#
+# initscripts-macvlan
+# Copyright (C) 2014 Lars Kellogg-Stedman
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /etc/init.d/functions
+
+cd /etc/sysconfig/network-scripts
+. ./network-functions
+
+[ -f ../network ] && . ../network
+
+CONFIG=${1}
+
+need_config ${CONFIG}
+
+source_config
+
+OTHERSCRIPT="/etc/sysconfig/network-scripts/ifdown-${REAL_DEVICETYPE}"
+
+if [ ! -x ${OTHERSCRIPT} ]; then
+	OTHERSCRIPT="/etc/sysconfig/network-scripts/ifdown-eth"
+fi
+
+${OTHERSCRIPT} ${CONFIG}
+
+ip link del ${DEVICE} type ${TYPE:-macvlan}
+
--- a/ansible/kubespray/roles/network_plugin/macvlan/files/ifup-local
+++ b/ansible/kubespray/roles/network_plugin/macvlan/files/ifup-local
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+POSTUPNAME="/etc/sysconfig/network-scripts/post-up-$1"
+if [ -x $POSTUPNAME ]; then
+  exec $POSTUPNAME
+fi
--- a/ansible/kubespray/roles/network_plugin/macvlan/files/ifup-macvlan
+++ b/ansible/kubespray/roles/network_plugin/macvlan/files/ifup-macvlan
@@ -0,0 +1,44 @@
+#!/bin/bash
+#
+# initscripts-macvlan
+# Copyright (C) 2014 Lars Kellogg-Stedman
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+. /etc/init.d/functions
+
+cd /etc/sysconfig/network-scripts
+. ./network-functions
+
+[ -f ../network ] && . ../network
+
+CONFIG=${1}
+
+need_config ${CONFIG}
+
+source_config
+
+OTHERSCRIPT="/etc/sysconfig/network-scripts/ifup-${REAL_DEVICETYPE}"
+
+if [ ! -x ${OTHERSCRIPT} ]; then
+	OTHERSCRIPT="/etc/sysconfig/network-scripts/ifup-eth"
+fi
+
+ip link add \
+	link ${MACVLAN_PARENT} \
+	name ${DEVICE} \
+	type ${TYPE:-macvlan} mode ${MACVLAN_MODE:-private}
+
+${OTHERSCRIPT} ${CONFIG}
+
--- a/ansible/kubespray/roles/network_plugin/macvlan/handlers/main.yml
+++ b/ansible/kubespray/roles/network_plugin/macvlan/handlers/main.yml
@@ -0,0 +1,19 @@
+---
+- name: Macvlan | restart network
+  command: /bin/true
+  notify:
+    - Macvlan | reload network
+  when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+
+- name: Macvlan | reload network
+  service:
+    name: >-
+      {% if ansible_os_family == "RedHat" -%}
+      network
+      {%- elif ansible_distribution == "Ubuntu" and ansible_distribution_release == "bionic" -%}
+      systemd-networkd
+      {%- elif ansible_os_family == "Debian" -%}
+      networking
+      {%- endif %}
+    state: restarted
+  when: not ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"] and kube_network_plugin not in ['canal', 'calico']
--- a/ansible/kubespray/roles/network_plugin/macvlan/meta/main.yml
+++ b/ansible/kubespray/roles/network_plugin/macvlan/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: network_plugin/cni
--- a/ansible/kubespray/roles/network_plugin/macvlan/tasks/main.yml
+++ b/ansible/kubespray/roles/network_plugin/macvlan/tasks/main.yml
@@ -0,0 +1,110 @@
+---
+- name: Macvlan | Retrieve Pod Cidr
+  command: "{{ kubectl }} get nodes {{ kube_override_hostname | default(inventory_hostname) }} -o jsonpath='{.spec.podCIDR}'"
+  changed_when: false
+  register: node_pod_cidr_cmd
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+
+- name: Macvlan | set node_pod_cidr
+  set_fact:
+    node_pod_cidr={{ node_pod_cidr_cmd.stdout }}
+
+- name: Macvlan | Retrieve default gateway network interface
+  become: false
+  raw: ip -4 route list 0/0 | sed 's/.*dev \([[:alnum:]]*\).*/\1/'
+  changed_when: false
+  register: node_default_gateway_interface_cmd
+
+- name: Macvlan | set node_default_gateway_interface
+  set_fact:
+    node_default_gateway_interface={{ node_default_gateway_interface_cmd.stdout | trim }}
+
+- name: Macvlan | Install network gateway interface on debian
+  template:
+    src: debian-network-macvlan.cfg.j2
+    dest: /etc/network/interfaces.d/60-mac0.cfg
+    mode: 0644
+  notify: Macvlan | restart network
+  when: ansible_os_family in ["Debian"]
+
+- block:
+  - name: Macvlan | Install macvlan script on centos
+    copy:
+      src: "{{ item }}"
+      dest: /etc/sysconfig/network-scripts/
+      owner: root
+      group: root
+      mode: "0755"
+    with_fileglob:
+    - files/*
+
+  - name: Macvlan | Install post-up script on centos
+    copy:
+      src: "files/ifup-local"
+      dest: /sbin/
+      owner: root
+      group: root
+      mode: "0755"
+    when: enable_nat_default_gateway
+
+  - name: Macvlan | Install network gateway interface on centos
+    template:
+      src: "{{ item.src }}.j2"
+      dest: "/etc/sysconfig/network-scripts/{{ item.dst }}"
+      mode: 0644
+    with_items:
+    - {src: centos-network-macvlan.cfg, dst: ifcfg-mac0 }
+    - {src: centos-routes-macvlan.cfg, dst: route-mac0 }
+    - {src: centos-postup-macvlan.cfg, dst: post-up-mac0 }
+    notify: Macvlan | restart network
+
+  when: ansible_os_family == "RedHat"
+
+- block:
+  - name: Macvlan | Install service nat via gateway on Flatcar Container Linux
+    template:
+      src: coreos-service-nat_ouside.j2
+      dest: /etc/systemd/system/enable_nat_ouside.service
+      mode: 0644
+    when: enable_nat_default_gateway
+
+  - name: Macvlan | Enable service nat via gateway on Flatcar Container Linux
+    command: "{{ item }}"
+    with_items:
+    - systemctl daemon-reload
+    - systemctl enable enable_nat_ouside.service
+    when: enable_nat_default_gateway
+
+  - name: Macvlan | Install network gateway interface on Flatcar Container Linux
+    template:
+      src: "{{ item.src }}.j2"
+      dest: "/etc/systemd/network/{{ item.dst }}"
+      mode: 0644
+    with_items:
+    - {src: coreos-device-macvlan.cfg, dst: macvlan.netdev }
+    - {src: coreos-interface-macvlan.cfg, dst: output.network }
+    - {src: coreos-network-macvlan.cfg, dst: macvlan.network }
+    notify: Macvlan | restart network
+
+  when: ansible_os_family in ["Flatcar", "Flatcar Container Linux by Kinvolk"]
+
+- name: Macvlan | Install cni definition for Macvlan
+  template:
+    src: 10-macvlan.conf.j2
+    dest: /etc/cni/net.d/10-macvlan.conf
+    mode: 0644
+
+- name: Macvlan | Install loopback definition for Macvlan
+  template:
+    src: 99-loopback.conf.j2
+    dest: /etc/cni/net.d/99-loopback.conf
+    mode: 0644
+
+- name: Enable net.ipv4.conf.all.arp_notify in sysctl
+  sysctl:
+    name: net.ipv4.conf.all.arp_notify
+    value: 1
+    sysctl_set: yes
+    sysctl_file: "{{ sysctl_file_path }}"
+    state: present
+    reload: yes
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/10-macvlan.conf.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/10-macvlan.conf.j2
@@ -0,0 +1,15 @@
+{
+  "cniVersion": "0.4.0",
+  "name": "mynet",
+  "type": "macvlan",
+  "master": "{{ macvlan_interface }}",
+  "hairpinMode": true,
+  "ipam": {
+    "type": "host-local",
+    "subnet": "{{ node_pod_cidr }}",
+    "routes": [
+      { "dst": "0.0.0.0/0" }
+    ],
+    "gateway": "{{ node_pod_cidr|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
+  }
+}
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/99-loopback.conf.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/99-loopback.conf.j2
@@ -0,0 +1,5 @@
+{
+  "cniVersion": "0.2.0",
+  "name": "lo",
+  "type": "loopback"
+}
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-network-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-network-macvlan.cfg.j2
@@ -0,0 +1,14 @@
+DEVICE=mac0
+DEVICETYPE=macvlan
+TYPE=macvlan
+BOOTPROTO=none
+ONBOOT=yes
+NM_CONTROLLED=no
+
+MACVLAN_PARENT={{ macvlan_interface }}
+MACVLAN_MODE=bridge
+
+IPADDR={{ node_pod_cidr|ipaddr('net')|ipaddr(1)|ipaddr('address') }}
+NETMASK={{ node_pod_cidr|ipaddr('netmask') }}
+NETWORK={{ node_pod_cidr|ipaddr('network') }}
+
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-postdown-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-postdown-macvlan.cfg.j2
@@ -0,0 +1,4 @@
+{% if enable_nat_default_gateway %}
+iptables -t nat -D POSTROUTING -s {{ node_pod_cidr|ipaddr('net') }} -o {{ node_default_gateway_interface }} -j MASQUERADE
+{% endif %}
+
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-postup-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-postup-macvlan.cfg.j2
@@ -0,0 +1,4 @@
+{% if enable_nat_default_gateway %}
+iptables -t nat -I POSTROUTING -s {{ node_pod_cidr|ipaddr('net') }} -o {{ node_default_gateway_interface }} -j MASQUERADE
+{% endif %}
+
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-routes-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/centos-routes-macvlan.cfg.j2
@@ -0,0 +1,7 @@
+{% for host in groups['kube_node'] %}
+{% if hostvars[host]['access_ip'] is defined  %}
+{% if hostvars[host]['node_pod_cidr'] != node_pod_cidr  %}
+{{ hostvars[host]['node_pod_cidr'] }} via {{ hostvars[host]['access_ip'] }}
+{% endif %}
+{% endif %}
+{% endfor %}
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-device-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-device-macvlan.cfg.j2
@@ -0,0 +1,6 @@
+[NetDev]
+Name=mac0
+Kind=macvlan
+
+[MACVLAN]
+Mode=bridge
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-interface-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-interface-macvlan.cfg.j2
@@ -0,0 +1,6 @@
+[Match]
+Name={{ macvlan_interface }}
+
+[Network]
+MACVLAN=mac0
+DHCP=yes
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-network-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-network-macvlan.cfg.j2
@@ -0,0 +1,18 @@
+[Match]
+Name=mac0
+
+[Network]
+Address={{ node_pod_cidr|ipaddr('net')|ipaddr(1)|ipaddr('address') }}/{{ node_pod_cidr|ipaddr('prefix') }}
+
+{% for host in groups['kube_node'] %}
+{% if hostvars[host]['access_ip'] is defined  %}
+{% if hostvars[host]['node_pod_cidr'] != node_pod_cidr  %}
+[Route]
+Gateway={{ hostvars[host]['access_ip'] }}
+Destination={{ hostvars[host]['node_pod_cidr'] }}
+GatewayOnlink=yes
+
+{% endif %}
+{% endif %}
+{% endfor %}
+
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-service-nat_ouside.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/coreos-service-nat_ouside.j2
@@ -0,0 +1,6 @@
+[Service]
+Type=oneshot
+ExecStart=/bin/bash -c "iptables -t nat -I POSTROUTING -s {{ node_pod_cidr|ipaddr('net') }} -o {{ node_default_gateway_interface }} -j MASQUERADE"
+
+[Install]
+WantedBy=sys-subsystem-net-devices-mac0.device
--- a/ansible/kubespray/roles/network_plugin/macvlan/templates/debian-network-macvlan.cfg.j2
+++ b/ansible/kubespray/roles/network_plugin/macvlan/templates/debian-network-macvlan.cfg.j2
@@ -0,0 +1,27 @@
+auto mac0
+iface mac0 inet static
+    address {{ node_pod_cidr|ipaddr('net')|ipaddr(1)|ipaddr('address') }}
+    network {{ node_pod_cidr|ipaddr('network') }}
+    netmask {{ node_pod_cidr|ipaddr('netmask') }}
+    broadcast {{ node_pod_cidr|ipaddr('broadcast') }}
+    pre-up ip link add link {{ macvlan_interface }} mac0 type macvlan mode bridge
+{% for host in groups['kube_node'] %}
+{% if hostvars[host]['access_ip'] is defined  %}
+{% if hostvars[host]['node_pod_cidr'] != node_pod_cidr  %}
+    post-up ip route add {{ hostvars[host]['node_pod_cidr'] }} via {{ hostvars[host]['access_ip'] }}
+{% endif %}
+{% endif %}
+{% endfor %}
+{% if enable_nat_default_gateway %}
+    post-up iptables -t nat -I POSTROUTING -s {{ node_pod_cidr|ipaddr('net') }} -o {{ node_default_gateway_interface }} -j MASQUERADE
+{% endif %}
+{% for host in groups['kube_node'] %}
+{% if hostvars[host]['access_ip'] is defined  %}
+{% if hostvars[host]['node_pod_cidr'] != node_pod_cidr  %}
+    post-down ip route del {{ hostvars[host]['node_pod_cidr'] }} via {{ hostvars[host]['access_ip'] }}
+{% endif %}
+{% endif %}
+{% endfor %}
+    post-down iptables -t nat -D POSTROUTING -s {{ node_pod_cidr|ipaddr('net') }} -o {{ node_default_gateway_interface }} -j MASQUERADE
+    post-down ip link delete mac0
+