diff --git a/cluster.yml b/cluster.yml
index 01b033b2f85..577bc21f1fa 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -70,6 +70,7 @@
- { role: kargo-defaults}
- { role: kubernetes/master, tags: master }
- { role: kubernetes-apps/network_plugin, tags: network }
+ - { role: kubernetes-apps/policy_controller, tags: policy-controller }
- hosts: calico-rr
any_errors_fatal: true
diff --git a/inventory/group_vars/k8s-cluster.yml b/inventory/group_vars/k8s-cluster.yml
index cbd922c632d..5430a5e1fa6 100644
--- a/inventory/group_vars/k8s-cluster.yml
+++ b/inventory/group_vars/k8s-cluster.yml
@@ -80,6 +80,9 @@ kube_users:
# Can also be set to 'cloud', which lets the cloud provider setup appropriate routing
kube_network_plugin: calico
+# Enable kubernetes network policies
+enable_network_policy: false
+
# Kubernetes internal network for services, unused block of space.
kube_service_addresses: 10.233.0.0/18
diff --git a/roles/kubernetes-apps/ansible/defaults/main.yml b/roles/kubernetes-apps/ansible/defaults/main.yml
index 925dd03b8fd..6d0562fc9f9 100644
--- a/roles/kubernetes-apps/ansible/defaults/main.yml
+++ b/roles/kubernetes-apps/ansible/defaults/main.yml
@@ -19,12 +19,6 @@ kubednsmasq_image_tag: "{{ kubednsmasq_version }}"
exechealthz_image_repo: "gcr.io/google_containers/exechealthz-amd64"
exechealthz_image_tag: "{{ exechealthz_version }}"
-# Limits for calico apps
-calico_policy_controller_cpu_limit: 100m
-calico_policy_controller_memory_limit: 256M
-calico_policy_controller_cpu_requests: 30m
-calico_policy_controller_memory_requests: 64M
-
# Netchecker
deploy_netchecker: false
netchecker_port: 31081
@@ -45,5 +39,4 @@ netchecker_server_memory_requests: 64M
# SSL
etcd_cert_dir: "/etc/ssl/etcd/ssl"
-calico_cert_dir: "/etc/calico/certs"
canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes-apps/ansible/tasks/main.yml b/roles/kubernetes-apps/ansible/tasks/main.yml
index de38d28fffc..ed0d11f2830 100644
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
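Review bot: The comment above the new `enable_network_policy: false` does not say what the default costs: with the flag off the API server is started without `--runtime-config=extensions/v1beta1/networkpolicies=true` and the calico CNI config gets no `"policy"` block (both are gated on this variable elsewhere in this commit), so NetworkPolicy objects are neither accepted by the API nor enforced by calico and pod-to-pod traffic stays unrestricted. I would spell that out for inventory authors, e.g. `# Enable kubernetes NetworkPolicy support. When false the networkpolicies API is not` / `# enabled and calico does not enforce policies, so all pod-to-pod traffic is allowed.` The key is also only defined here in the sample inventory, and the templates that consume it no longer guard with `is defined`, so presumably an inventory that lacks it fails at template time; a role-level default would be safer, worth confirming.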
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -32,11 +32,6 @@
when: dns_mode != 'none' and inventory_hostname == groups['kube-master'][0]
tags: dnsmasq
-- include: tasks/calico-policy-controller.yml
when: ( enable_network_policy is defined and enable_network_policy == True ) or
( kube_network_plugin == 'canal' )
tags: [network, canal]
-
- name: Kubernetes Apps | Netchecker
include: tasks/netchecker.yml
when: deploy_netchecker
diff --git a/roles/kubernetes-apps/meta/main.yml b/roles/kubernetes-apps/meta/main.yml
index f6df2626c2b..75860a0ffc4 100644
--- a/roles/kubernetes-apps/meta/main.yml
+++ b/roles/kubernetes-apps/meta/main.yml
@@ -1,9 +1,4 @@
dependencies:
- - role: download
file: "{{ downloads.calico_policy }}"
when: ( enable_network_policy is defined and enable_network_policy == True ) or
( kube_network_plugin == 'canal' )
tags: [download, network, canal]
- role: download
file: "{{ downloads.netcheck_server }}"
when: deploy_netchecker
diff --git a/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
new file mode 100644
index 00000000000..7a4db0ea831
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/calico/defaults/main.yml
@@ -0,0 +1,9 @@
+# Limits for calico apps
+calico_policy_controller_cpu_limit: 100m
+calico_policy_controller_memory_limit: 256M
+calico_policy_controller_cpu_requests: 30m
+calico_policy_controller_memory_requests: 64M
+
+# SSL
+calico_cert_dir: "/etc/calico/certs"
+canal_cert_dir: "/etc/canal/certs"
diff --git a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
similarity index 92%
rename from roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
rename to roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
index c6a6bd94da4..8b4271d6a76 100644
--- a/roles/kubernetes-apps/ansible/tasks/calico-policy-controller.yml
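Review bot: `canal_cert_dir` is now defined twice: in this new defaults file and in roles/kubernetes-apps/ansible/defaults/main.yml, which this commit leaves in place (only `calico_cert_dir` was moved out of it). The `set_fact` in the renamed policy_controller/calico tasks copies `canal_cert_dir` into `calico_cert_dir` for canal, so if the two defaults ever drift the policy controller is pointed at a different certificate directory than whatever else reads the older default; keep a single definition, or drop the copy this role does not own. The file also has no document-start marker and no comment on what the two SSL paths are consumed for; I would open it with `---` and annotate the `# SSL` block with which template mounts these directories (that template is not in this diff, so confirm before writing it).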
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -1,14 +1,14 @@
----
- set_fact:
calico_cert_dir: "{{ canal_cert_dir }}"
when: kube_network_plugin == 'canal'
- tags: facts
+ tags: [facts, canal]
- name: Write calico-policy-controller yaml
template:
src: calico-policy-controller.yml.j2
dest: "{{kube_config_dir}}/calico-policy-controller.yml"
when: inventory_hostname == groups['kube-master'][0]
+ tags: canal
- name: Start of Calico policy controller
kube:
@@ -18,3 +18,4 @@
namespace: "{{system_namespace}}"
resource: "rs"
when: inventory_hostname == groups['kube-master'][0]
+ tags: canal
diff --git a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2 b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
similarity index 96%
rename from roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
rename to roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
index b31ae0f43a6..322d3a37bd7 100644
--- a/roles/kubernetes-apps/ansible/templates/calico-policy-controller.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-policy-controller.yml.j2
@@ -45,7 +45,7 @@ spec:
# changed so long as it is used in conjunction with
# CONFIGURE_ETC_HOSTS="true".
- name: K8S_API
- value: "https://kubernetes.default:{{ kube_apiserver_port }}"
+ value: "https://kubernetes.default"
# Configure /etc/hosts within the container to resolve
# the kubernetes.default Service to the correct clusterIP
# using the environment provided by the kubelet.
diff --git a/roles/kubernetes-apps/policy_controller/meta/main.yml b/roles/kubernetes-apps/policy_controller/meta/main.yml
new file mode 100644
index 00000000000..e678a318c18
--- /dev/null
+++ b/roles/kubernetes-apps/policy_controller/meta/main.yml
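Review bot: Dropping the port from `K8S_API` changes what the controller dials without saying why: with `CONFIGURE_ETC_HOSTS="true"` (per the surrounding comment) `kubernetes.default` resolves to the Service ClusterIP, so the new URL targets the Service's own port rather than `{{ kube_apiserver_port }}`, which is the host-side listener and presumably why the old value failed whenever the two differ. I would extend the existing comment with `# No port on purpose: kubernetes.default resolves to the Service ClusterIP via /etc/hosts,` / `# which serves on the Service port (443), not on kube_apiserver_port.` The implicit 443 assumes the default Service port, and TLS verification against the ClusterIP only works if the apiserver serving certificate carries `kubernetes.default` as a SAN; neither assumption is visible in this diff, so confirm both hold in the cluster's cert generation before merging.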
@@ -0,0 +1,14 @@
+---
+dependencies:
+ - role: download
+ file: "{{ downloads.calico_policy }}"
+ when: enable_network_policy and
+ kube_network_plugin in ['calico', 'canal']
+ tags: [download, canal, policy-controller]
+ - role: policy_controller/calico
+ when: kube_network_plugin == 'calico' and
+ enable_network_policy
+ tags: policy-controller
+ - role: policy_controller/calico
+ when: kube_network_plugin == 'canal'
+ tags: policy-controller
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index 65a30929b41..600ade340ce 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -64,7 +64,7 @@ spec:
- --runtime-config={{ conf }}
{% endfor %}
{% endif %}
-{% if enable_network_policy is defined and enable_network_policy == True %}
+{% if enable_network_policy %}
- --runtime-config=extensions/v1beta1/networkpolicies=true
{% endif %}
- --v={{ kube_log_level }}
diff --git a/roles/network_plugin/calico/templates/cni-calico.conf.j2 b/roles/network_plugin/calico/templates/cni-calico.conf.j2
index f9427e69da0..7cd3c902d80 100644
--- a/roles/network_plugin/calico/templates/cni-calico.conf.j2
+++ b/roles/network_plugin/calico/templates/cni-calico.conf.j2
@@ -12,7 +12,7 @@
"ipam": {
"type": "calico-ipam"
},
-{% if enable_network_policy is defined and enable_network_policy == True %}
+{% if enable_network_policy %}
"policy": {
"type": "k8s"
},
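Review bot: The download dependency and the role dependencies disagree on when the policy controller is wanted: `policy_controller/calico` runs for canal unconditionally, but `downloads.calico_policy` is only fetched when `enable_network_policy` is also true, so a canal cluster with the flag off deploys the controller without its image having gone through the download role (whether that breaks the deploy or merely loses the pre-pull depends on what `download` does, which is outside this diff). Make the download `when` mirror the role conditions, `when: kube_network_plugin == 'canal' or (kube_network_plugin == 'calico' and enable_network_policy)`, after which the two `policy_controller/calico` entries can collapse into one guarded by the same expression. Inside that compound expression `enable_network_policy` is evaluated as a Jinja truthiness test, so a string value such as one supplied with `-e` presumably counts as true; `enable_network_policy | bool` keeps the condition tied to the boolean the inventory declares.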
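Review bot: The new `{% if enable_network_policy %}` tests Jinja truthiness where the old `== True` compared against a boolean: a value that arrives as a string, which is what `-e enable_network_policy=false` on the command line produces, is non-empty and therefore presumably turns the `networkpolicies` runtime-config on against the operator's intent. With the `is defined` guard also gone, an inventory that predates the new key (the commit only adds it to the sample group_vars) would error at template time unless a role default exists elsewhere. `{% if enable_network_policy | default(false) | bool %}` makes both cases explicit and is what I would use here and in the identical condition in cni-calico.conf.j2 below, so that the API switch and the CNI `"policy"` block can never disagree on how the same value is read.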