calico upgrade to v3 (#3086)

* calico upgrade to v3 * update calico_rr version * add missing file * change contents of main.yml as it was left old version * enable network policy by default * remove unneeded task * Fix kubelet calico settings * fix when statement * switch back to node-kubeconfig.yaml
2026-02-13 17:24:51 -03:30 · 2018-08-23 17:17:18 +03:00
parent f453567cce
commit 23fd3461bc
27 changed files with 399 additions and 252 deletions
--- a/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
+++ b/roles/kubernetes-apps/policy_controller/calico/tasks/main.yml
@@ -2,20 +2,12 @@
 - name: Set cert dir
  set_fact:
    calico_cert_dir: "{{ canal_cert_dir }}"
-  when: kube_network_plugin == 'canal'
+  when:
+    - kube_network_plugin == 'canal'
  tags:
    - facts
    - canal

- name: Delete the old calico-policy-controller if it exist
-  kube:
-    name: calico-policy-controller
-    kubectl: "{{bin_dir}}/kubectl"
-    resource: rs
-    namespace: "kube-system"
-    state: absent
-  run_once: true
-
 - name: Create calico-kube-controllers manifests
  template:
    src: "{{item.file}}.j2"
@@ -26,7 +18,9 @@
    - {name: calico-kube-controllers, file: calico-kube-cr.yml, type: clusterrole}
    - {name: calico-kube-controllers, file: calico-kube-crb.yml, type: clusterrolebinding}
  register: calico_kube_manifests
-  when: inventory_hostname == groups['kube-master'][0] and not item|skipped
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+    - rbac_enabled or item.type not in rbac_resources

 - name: Start of Calico kube controllers
  kube:
@@ -36,5 +30,8 @@
    resource: "{{item.item.type}}"
    filename: "{{kube_config_dir}}/{{item.item.file}}"
    state: "latest"
-  with_items: "{{ calico_kube_manifests.results }}"
-  when: inventory_hostname == groups['kube-master'][0] and not item|skipped
+  with_items:
+    - "{{ calico_kube_manifests.results }}"
+  when:
+    - inventory_hostname == groups['kube-master'][0]
+    - not item|skipped
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-controllers.yml.j2
@@ -6,8 +6,12 @@ metadata:
  labels:
    k8s-app: calico-kube-controllers
    kubernetes.io/cluster-service: "true"
+  annotations:
+    scheduler.alpha.kubernetes.io/critical-pod: ''
 spec:
  replicas: 1
+  strategy:
+    type: Recreate
  selector:
    matchLabels:
      kubernetes.io/cluster-service: "true"
@@ -45,17 +49,6 @@ spec:
              value: "{{ calico_cert_dir }}/cert.crt"
            - name: ETCD_KEY_FILE
              value: "{{ calico_cert_dir }}/key.pem"
-            # Location of the Kubernetes API - this shouldn't need to be
-            # changed so long as it is used in conjunction with
-            # CONFIGURE_ETC_HOSTS="true".
-            - name: K8S_API
-              value: "https://kubernetes.default"
-            # Configure /etc/hosts within the container to resolve
-            # the kubernetes.default Service to the correct clusterIP
-            # using the environment provided by the kubelet.
-            # This removes the need for KubeDNS to resolve the Service.
-            - name: CONFIGURE_ETC_HOSTS
-              value: "true"
          volumeMounts:
          - mountPath: {{ calico_cert_dir }}
            name: etcd-certs
--- a/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
+++ b/roles/kubernetes-apps/policy_controller/calico/templates/calico-kube-cr.yml.j2
@@ -12,6 +12,14 @@ rules:
      - pods
      - namespaces
      - networkpolicies
+      - nodes
    verbs:
      - watch
      - list
+  - apiGroups:
+    - networking.k8s.io
+    resources:
+      - networkpolicies
+    verbs:
+      - watch
+      - list