update calico v3.2.4

down/offline_images

@@ -7,9 +7,9 @@ mirrorgooglecontainers/k8s-dns-sidecar-amd64:1.14.13
 # metrics-server 
 mirrorgooglecontainers/metrics-server-amd64:v0.3.1
 # calico 
-calico/node:v3.1.3
-calico/cni:v3.1.3
-calico/kube-controllers:v3.1.3
+calico/node:v3.2.4
+calico/cni:v3.2.4
+calico/kube-controllers:v3.2.4
 # cilium 
 cilium/cilium:v1.1.4
 # flannel 

roles/calico/defaults/main.yml

@@ -9,7 +9,7 @@ TMP_ENDPOINTS: "{% for h in groups['etcd'] %}https://{{ h }}:2379,{% endfor %}"
 ETCD_ENDPOINTS: "{{ TMP_ENDPOINTS.rstrip(',') }}"
 
 # 设置 CALICO_IPV4POOL_IPIP=“off”,可以提高网络性能，条件限制详见 docs/setup/calico.md
-CALICO_IPV4POOL_IPIP: "always"
+CALICO_IPV4POOL_IPIP: "Always"
 
 # 设置 Felix 日志级别
 FELIX_LOG_LVL: "warning"
@@ -19,9 +19,9 @@ FELIX_LOG_LVL: "warning"
 IP_AUTODETECTION_METHOD: "can-reach={{ groups.deploy[0] }}"
 
 # 镜像版本
-calico_node_ver: "v3.1.3"
-calico_cni_ver: "v3.1.3"
-calico_kube_controller_ver: "v3.1.3"
+calico_node_ver: "v3.2.4"
+calico_cni_ver: "v3.2.4"
+calico_kube_controller_ver: "v3.2.4"
 
 # 离线镜像tar包
 calico_offline: "calico_{{ calico_node_ver }}.tar"

roles/calico/templates/calico-rbac.yaml.j2

@@ -1,5 +1,5 @@
-# Calico Version v3.1.3
-# https://docs.projectcalico.org/v3.1/releases#v3.1.3
+# Calico Version v3.2.4
+# https://docs.projectcalico.org/v3.2/releases#v3.2.4
 
 ---
 
@@ -16,6 +16,7 @@ rules:
       - namespaces
       - networkpolicies
       - nodes
+      - serviceaccounts
     verbs:
       - watch
       - list

roles/calico/templates/calico.yaml.j2

@@ -1,5 +1,5 @@
 # Calico Version {{ calico_node_ver }} 
-# https://docs.projectcalico.org/v3.1/releases#{{ calico_node_ver }}
+# https://docs.projectcalico.org/v3.2/releases#{{ calico_node_ver }}
 # This manifest includes the following component versions:
 #   calico/node:{{ calico_node_ver }}
 #   calico/cni:{{ calico_cni_ver }}
@@ -15,9 +15,17 @@ data:
   # Configure this with the location of your etcd cluster.
   etcd_endpoints: "{{ ETCD_ENDPOINTS }}"
 
+  # If you're using TLS enabled etcd uncomment the following.
+  # You must also populate the Secret below with these files.
+  etcd_ca: "/calico-secrets/etcd-ca"
+  etcd_cert: "/calico-secrets/etcd-cert"
+  etcd_key: "/calico-secrets/etcd-key"
   # Configure the Calico backend to use.
   calico_backend: "bird"
 
+  # Configure the MTU to use
+  veth_mtu: "1440"
+
   # The CNI network configuration to install on each node.
   cni_network_config: |-
     {
@@ -26,11 +34,11 @@ data:
       "plugins": [
         {
           "type": "calico",
+          "log_level": "warning",
           "etcd_endpoints": "{{ ETCD_ENDPOINTS }}",
           "etcd_key_file": "/etc/calico/ssl/calico-key.pem",
           "etcd_cert_file": "/etc/calico/ssl/calico.pem",
           "etcd_ca_cert_file": "/etc/kubernetes/ssl/ca.pem",
-          "log_level": "warning",
           "mtu": 1500,
           "ipam": {
               "type": "calico-ipam"
@@ -50,12 +58,6 @@ data:
       ]
     }
 
-  # If you're using TLS enabled etcd uncomment the following.
-  # You must also populate the Secret below with these files.
-  etcd_ca: "/calico-secrets/etcd-ca"
-  etcd_cert: "/calico-secrets/etcd-cert"
-  etcd_key: "/calico-secrets/etcd-key"
-
 ---
 
 # We use cmd-line-way( kubectl create) to create secrets 'calico-etcd-secrets',
@@ -86,11 +88,17 @@ spec:
       labels:
         k8s-app: calico-node
       annotations:
+        # This, along with the CriticalAddonsOnly toleration below,
+        # marks the pod as a critical add-on, ensuring it gets
+        # priority scheduling and that its resources are reserved
+        # if it ever gets evicted.
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+      nodeSelector:
+        beta.kubernetes.io/os: linux
       hostNetwork: true
       tolerations:
-        # Make sure calico/node gets scheduled on all nodes.
+        # Make sure calico-node gets scheduled on all nodes.
         - effect: NoSchedule
           operator: Exists
         # Mark the pod as a critical add-on for rescheduling.
@@ -115,42 +123,6 @@ spec:
                 configMapKeyRef:
                   name: calico-config
                   key: etcd_endpoints
-            # Choose the backend to use.
-            - name: CALICO_NETWORKING_BACKEND
-              valueFrom:
-                configMapKeyRef:
-                  name: calico-config
-                  key: calico_backend
-            # Cluster type to identify the deployment type
-            - name: CLUSTER_TYPE
-              value: "k8s,bgp"
-            # Disable file logging so `kubectl logs` works.
-            - name: CALICO_DISABLE_FILE_LOGGING
-              value: "true"
-            # Set noderef for node controller.
-            - name: CALICO_K8S_NODE_REF
-              valueFrom:
-                fieldRef:
-                  fieldPath: spec.nodeName
-            # Set Felix endpoint to host default action to ACCEPT.
-            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
-              value: "ACCEPT"
-            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
-            # chosen from this range. Changing this value after installation will have
-            # no effect. This should fall within `--cluster-cidr`.
-            - name: CALICO_IPV4POOL_CIDR
-              value: "{{ CLUSTER_CIDR }}"
-            - name: CALICO_IPV4POOL_IPIP
-              value: "{{ CALICO_IPV4POOL_IPIP }}"
-            # Disable IPv6 on Kubernetes.
-            - name: FELIX_IPV6SUPPORT
-              value: "false"
-            # Set Felix logging 
-            - name: FELIX_LOGSEVERITYSCREEN
-              value: "{{ FELIX_LOG_LVL }}"
-            # Set MTU for tunnel device used if ipip is enabled
-            - name: FELIX_IPINIPMTU
-              value: "1440"
             # Location of the CA certificate for etcd.
             - name: ETCD_CA_CERT_FILE
               valueFrom:
@@ -169,11 +141,51 @@ spec:
                 configMapKeyRef:
                   name: calico-config
                   key: etcd_cert
+            # Set noderef for node controller.
+            - name: CALICO_K8S_NODE_REF
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+            # Choose the backend to use.
+            - name: CALICO_NETWORKING_BACKEND
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: calico_backend
+            # Cluster type to identify the deployment type
+            - name: CLUSTER_TYPE
+              value: "k8s,bgp"
             # Auto-detect the BGP IP address.
             - name: IP
               value: "autodetect"
             - name: IP_AUTODETECTION_METHOD
               value: "{{ IP_AUTODETECTION_METHOD }}"
+            # Enable IPIP
+            - name: CALICO_IPV4POOL_IPIP
+              value: "{{ CALICO_IPV4POOL_IPIP }}"
+            # Set MTU for tunnel device used if ipip is enabled
+            - name: FELIX_IPINIPMTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
+            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
+            # chosen from this range. Changing this value after installation will have
+            # no effect. This should fall within `--cluster-cidr`.
+            - name: CALICO_IPV4POOL_CIDR
+              value: "{{ CLUSTER_CIDR }}"
+            # Disable file logging so `kubectl logs` works.
+            - name: CALICO_DISABLE_FILE_LOGGING
+              value: "true"
+            # Set Felix endpoint to host default action to ACCEPT.
+            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
+              value: "ACCEPT"
+            # Disable IPv6 on Kubernetes.
+            - name: FELIX_IPV6SUPPORT
+              value: "false"
+            # Set Felix logging 
+            - name: FELIX_LOGSEVERITYSCREEN
+              value: "{{ FELIX_LOG_LVL }}"
             - name: FELIX_HEALTHENABLED
               value: "true"
           securityContext:
@@ -185,13 +197,16 @@ spec:
             httpGet:
               path: /liveness
               port: 9099
+              host: localhost
             periodSeconds: 10
             initialDelaySeconds: 10
             failureThreshold: 6
           readinessProbe:
-            httpGet:
-              path: /readiness
-              port: 9099
+            exec:
+              command:
+              - /bin/calico-node
+              - -bird-ready
+              - -felix-ready
             periodSeconds: 10
           volumeMounts:
             - mountPath: /lib/modules
@@ -226,6 +241,12 @@ spec:
                 configMapKeyRef:
                   name: calico-config
                   key: cni_network_config
+            # CNI MTU Config variable
+            - name: CNI_MTU
+              valueFrom:
+                configMapKeyRef:
+                  name: calico-config
+                  key: veth_mtu
           volumeMounts:
             - mountPath: /host/opt/cni/bin
               name: cni-bin-dir
@@ -257,6 +278,13 @@ spec:
           secret:
             secretName: calico-etcd-secrets
             defaultMode: 0400
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-node
+  namespace: kube-system
 
 ---
 
@@ -286,6 +314,8 @@ spec:
       labels:
         k8s-app: calico-kube-controllers
     spec:
+      nodeSelector:
+        beta.kubernetes.io/os: linux
       # The controllers must run in the host network namespace so that
       # it isn't governed by policy that would prevent it from working.
       hostNetwork: true
@@ -338,6 +368,11 @@ spec:
             # Mount in the etcd TLS secrets.
             - mountPath: /calico-secrets
               name: etcd-certs
+          readinessProbe:
+            exec:
+              command:
+              - /usr/bin/check-status
+              - -r
       volumes:
         # Mount in the etcd TLS secrets with mode 400.
         # See https://kubernetes.io/docs/concepts/configuration/secret/
@@ -354,10 +389,3 @@ metadata:
   name: calico-kube-controllers
   namespace: kube-system
 
----
-
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: calico-node
-  namespace: kube-system