Move calico-policy-controller into separate role

By default Calico CNI does not create any network access policies or profiles if 'policy' is enabled in CNI config. And without any policies/profiles network access to/from PODs is blocked. K8s related policies are created by calico-policy-controller in such case. So we need to start it as soon as possible, before any real workloads. This patch also fixes kube-api port in calico-policy-controller yaml template. Closes #1132
2026-02-21 21:20:15 -03:30 · 2017-03-13 16:04:31 +01:00
parent 565d4a53b0
commit 3a39904011
11 changed files with 33 additions and 22 deletions
--- a/roles/network_plugin/calico/templates/cni-calico.conf.j2
+++ b/roles/network_plugin/calico/templates/cni-calico.conf.j2
@@ -12,7 +12,7 @@
  "ipam": {
    "type": "calico-ipam"
  },
-{% if enable_network_policy is defined and enable_network_policy == True %}
+{% if enable_network_policy %}
  "policy": {
    "type": "k8s"
  },