From 8b357ca4246275a50d32a82faf9632b584fbe917 Mon Sep 17 00:00:00 2001 From: Apurup Chevuru Date: Tue, 9 Nov 2021 00:12:57 -0800 Subject: [PATCH 1/2] Doc and manifest updates --- README.md | 28 +- charts/cni-metrics-helper/Chart.yaml | 4 +- charts/cni-metrics-helper/values.yaml | 2 +- config/master/aws-k8s-cni-cn.yaml | 519 +++++++++--------- config/master/aws-k8s-cni-us-gov-east-1.yaml | 519 +++++++++--------- config/master/aws-k8s-cni-us-gov-west-1.yaml | 519 +++++++++--------- config/master/aws-k8s-cni.yaml | 519 +++++++++--------- config/master/calico-operator.yaml | 28 +- config/master/cni-metrics-helper-cn.yaml | 185 +++---- .../master/cni-metrics-helper-us-east-1.yaml | 82 --- .../cni-metrics-helper-us-gov-east-1.yaml | 185 +++---- .../cni-metrics-helper-us-gov-west-1.yaml | 185 +++---- config/master/cni-metrics-helper.yaml | 185 +++---- config/master/manifests.jsonnet | 3 +- 14 files changed, 1457 insertions(+), 1506 deletions(-) delete mode 100644 config/master/cni-metrics-helper-us-east-1.yaml diff --git a/README.md b/README.md index fc715d6b76..cd8d8a1242 100644 --- a/README.md +++ b/README.md @@ -267,7 +267,7 @@ Default: None Specifies the number of free IP addresses that the `ipamd` daemon should attempt to keep available for pod assignment on the node. Setting this to a non-positive value is same as setting this to 0 or not setting the variable. With `ENABLE_PREFIX_DELEGATION` set to `true` then `ipamd` daemon will check if the existing (/28) prefixes are enough to maintain the -`WARM_IP_TARGET` if it is not sufficent then more prefixes will be attached. +`WARM_IP_TARGET` if it is not sufficient then more prefixes will be attached. For example, 
@@ -509,7 +509,7 @@ limit on private IPs allowed by your instance. Setting or resetting of `ENABLE_P Setting ENABLE_PREFIX_DELEGATION to true will not increase the density of branch ENI pods. The limit on number of branch network interfaces per instance type will remain the same - https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#supported-instance-types. Each branch network will be allocated a primary IP and this IP will be allocated for the branch ENI pods. -Please refer to `VPC CNI Support Matrix` section below for additional information around using Prefix delegation with Custom Networking and Security Groups Per Pod features. +Please refer to `VPC CNI Feature Matrix` section below for additional information around using Prefix delegation with Custom Networking and Security Groups Per Pod features. **Note:** `ENABLE_PREFIX_DELEGATION` needs to be set to `true` when VPC CNI is configured to operate in IPv6 mode (supported in v1.10.0+). @@ -546,7 +546,7 @@ Setting `ENABLE_BANDWIDTH_PLUGIN` to `true` will update `10-aws.conflist` to inc --- -#### `ANNOTATE_POD_IP` (v1.10.0+) +#### `ANNOTATE_POD_IP` (v1.9.3+) Type: Boolean as a String 
@@ -554,8 +554,24 @@ Default: `false` Setting `ANNOTATE_POD_IP` to `true` will allow IPAMD to add an annotation `vpc.amazonaws.com/pod-ips` to the pod with pod IP. -There is a known [issue](https://github.com/kubernetes/kubernetes/issues/39113) with kubelet taking time to update `Pod.Status.PodIP` leading to calico being blocked on programming the policy. Setting `ANNOTATE_POD_IP` to `true` will enable AWS VPC CNI similar to the optimization added in Calico CNI plugin to write the IP address back to the pod as an annotation to close this race condition. +There is a known [issue](https://github.com/kubernetes/kubernetes/issues/39113) with kubelet taking time to update `Pod.Status.PodIP` leading to calico being blocked on programming the policy. Setting `ANNOTATE_POD_IP` to `true` will enable AWS VPC CNI plugin to add Pod IP as an annotation to the pod spec to address this race condition. +To annotate the pod with pod IP, you will have to add "patch" permission for pods resource in aws-node clusterrole. You can use the below command - + +``` +cat << EOF > append.yaml +- apiGroups: + - "" + resources: + - pods + verbs: + - patch +EOF +``` + +``` +kubectl apply -f <(cat <(kubectl get clusterrole aws-node -o yaml) append.yaml) +``` --- #### `ENABLE_IPv4` (v1.10.0+) 
@@ -581,13 +597,13 @@ will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances. -**Note:** Please make sure that the required IPv6 IAM policy is applied (Refer to `IAM Policy` section above). Dual stack mode isn't yet supported. So, enabling both IPv4 and IPv6 will be treated as invalid configuration. Please refer to the `VPC CNI Support Matrix` section below for additional information. +**Note:** Please make sure that the required IPv6 IAM policy is applied (Refer to `IAM Policy` section above). Dual stack mode isn't yet supported. So, enabling both IPv4 and IPv6 will be treated as invalid configuration. Please refer to the `VPC CNI Feature Matrix` section below for additional information. --- ### VPC CNI Feature Matrix -IP Mode | Secondary IP Mode | Prefix Delegation | Security Group Per Pod | WARM & MIN IP/Prefix Targets | External SNAT +IP Mode | Secondary IP Mode | Prefix Delegation | Security Groups Per Pod | WARM & MIN IP/Prefix Targets | External SNAT ------ | ------ | ------ | ------ | ------ | ------ `IPv4` | Yes| Yes | Yes | Yes | Yes | Yes `IPv6` | No | Yes | No | No | No | No diff --git a/charts/cni-metrics-helper/Chart.yaml b/charts/cni-metrics-helper/Chart.yaml index 59b4fdb092..8d9f0506e2 100644 --- a/charts/cni-metrics-helper/Chart.yaml +++ b/charts/cni-metrics-helper/Chart.yaml 
@@ -15,9 +15,9 @@ type: application # This is the chart version. This version number should be incremented each time you make changes # to the chart and its templates, including the app version. # Versions are expected to follow Semantic Versioning (https://semver.org/) -version: 0.1.2 +version: 0.1.5 # This is the version number of the application being deployed. This version number should be # incremented each time you make changes to the application. Versions are not expected to # follow Semantic Versioning. They should reflect the version the application is using. -appVersion: v1.9.0 +appVersion: v1.10.0 diff --git a/charts/cni-metrics-helper/values.yaml b/charts/cni-metrics-helper/values.yaml index 7b0252cc58..33764fbe9f 100644 --- a/charts/cni-metrics-helper/values.yaml +++ b/charts/cni-metrics-helper/values.yaml @@ -4,7 +4,7 @@ nameOverride: cni-metrics-helper image: region: us-west-2 - tag: v1.9.0 + tag: v1.10.0 account: "602401143452" domain: "amazonaws.com" # Set to use custom image diff --git a/config/master/aws-k8s-cni-cn.yaml b/config/master/aws-k8s-cni-cn.yaml index 1736008cc7..9d0fe6ca89 100644 --- a/config/master/aws-k8s-cni-cn.yaml +++ b/config/master/aws-k8s-cni-cn.yaml 
@@ -1,260 +1,269 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "aws-node" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "aws-node" -"subjects": -- "kind": "ServiceAccount" - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/customresourcedefinition.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: eniconfigs.crd.k8s.amazonaws.com + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + scope: Cluster + group: crd.k8s.amazonaws.com + preserveUnknownFields: false + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + plural: eniconfigs + singular: eniconfig + kind: ENIConfig --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "aws-node" -"rules": -- "apiGroups": - - "crd.k8s.amazonaws.com" - "resources": - - "eniconfigs" - "verbs": - - "get" - - "list" - - "watch" -- "apiGroups": - - "" - "resources": - - "namespaces" - "verbs": - - "list" - - "watch" - - "get" -- "apiGroups": - - "" - "resources": - - "pods" - "verbs": - - "list" - - "watch" - - "get" - - "patch" -- "apiGroups": - - "" - "resources": - - "nodes" - "verbs": - - "list" - - "watch" - - "get" - - "update" -- "apiGroups": - - "extensions" - "resources": - - "*" - "verbs": - - "list" - - 
"watch" +# Source: aws-vpc-cni/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +rules: + - apiGroups: + - crd.k8s.amazonaws.com + resources: + - eniconfigs + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - pods + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch", "get", "update"] + - apiGroups: ["extensions"] + resources: + - '*' + verbs: ["list", "watch"] --- -"apiVersion": "apiextensions.k8s.io/v1" -"kind": "CustomResourceDefinition" -"metadata": - "name": "eniconfigs.crd.k8s.amazonaws.com" -"spec": - "group": "crd.k8s.amazonaws.com" - "names": - "kind": "ENIConfig" - "plural": "eniconfigs" - "singular": "eniconfig" - "preserveUnknownFields": false - "scope": "Cluster" - "versions": - - "name": "v1alpha1" - "schema": - "openAPIV3Schema": - "type": "object" - "x-kubernetes-preserve-unknown-fields": true - "served": true - "storage": true +# Source: aws-vpc-cni/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aws-node +subjects: + - kind: ServiceAccount + name: aws-node + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "DaemonSet" -"metadata": - "labels": - "k8s-app": "aws-node" - "name": "aws-node" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "aws-node" - "template": - "metadata": - "labels": - "k8s-app": "aws-node" - "spec": - "affinity": - "nodeAffinity": 
- "requiredDuringSchedulingIgnoredDuringExecution": - "nodeSelectorTerms": - - "matchExpressions": - - "key": "kubernetes.io/os" - "operator": "In" - "values": - - "linux" - - "key": "kubernetes.io/arch" - "operator": "In" - "values": - - "amd64" - - "arm64" - - "key": "eks.amazonaws.com/compute-type" - "operator": "NotIn" - "values": - - "fargate" - "containers": - - "env": - - "name": "ADDITIONAL_ENI_TAGS" - "value": "{}" - - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" - "value": "true" - - "name": "AWS_VPC_ENI_MTU" - "value": "9001" - - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" - "value": "DEBUG" - - "name": "AWS_VPC_K8S_CNI_LOG_FILE" - "value": "/host/var/log/aws-routed-eni/ipamd.log" - - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" - "value": "prng" - - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" - "value": "eni" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" - "value": "/var/log/aws-routed-eni/plugin.log" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" - "value": "DEBUG" - - "name": "DISABLE_INTROSPECTION" - "value": "false" - - "name": "DISABLE_METRICS" - "value": "false" - - "name": "DISABLE_NETWORK_RESOURCE_PROVISIONING" - "value": "false" - - "name": "ENABLE_IPv4" - "value": "true" - - "name": "ENABLE_IPv6" - "value": "false" - - "name": "ENABLE_POD_ENI" - "value": "false" - - "name": "ENABLE_PREFIX_DELEGATION" - "value": "false" - - "name": "MY_NODE_NAME" - "valueFrom": - "fieldRef": - "fieldPath": "spec.nodeName" - - "name": "WARM_ENI_TARGET" - "value": "1" - - "name": "WARM_PREFIX_TARGET" - "value": "1" - "image": "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.10.0" - "livenessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 60 - "name": "aws-node" - "ports": - - "containerPort": 61678 - "name": "metrics" - 
"protocol": "TCP" - "readinessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 1 - "resources": - "requests": - "cpu": "10m" - "securityContext": - "capabilities": - "add": - - "NET_ADMIN" - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - - "mountPath": "/host/etc/cni/net.d" - "name": "cni-net-dir" - - "mountPath": "/host/var/log/aws-routed-eni" - "name": "log-dir" - - "mountPath": "/var/run/aws-node" - "name": "run-dir" - - "mountPath": "/var/run/dockershim.sock" - "name": "dockershim" - - "mountPath": "/run/xtables.lock" - "name": "xtables-lock" - "hostNetwork": true - "initContainers": - - "env": - - "name": "DISABLE_TCP_EARLY_DEMUX" - "value": "false" - - "name": "ENABLE_IPv6" - "value": "false" - "image": "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.10.0" - "name": "aws-vpc-cni-init" - "resources": - "limits": - "cpu": "50m" - "memory": "64Mi" - "requests": - "cpu": "10m" - "memory": "32Mi" - "securityContext": - "privileged": true - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - "priorityClassName": "system-node-critical" - "serviceAccountName": "aws-node" - "terminationGracePeriodSeconds": 10 - "tolerations": - - "operator": "Exists" - "volumes": - - "hostPath": - "path": "/opt/cni/bin" - "name": "cni-bin-dir" - - "hostPath": - "path": "/etc/cni/net.d" - "name": "cni-net-dir" - - "hostPath": - "path": "/var/run/dockershim.sock" - "name": "dockershim" - - "hostPath": - "path": "/run/xtables.lock" - "name": "xtables-lock" - - "hostPath": - "path": "/var/log/aws-routed-eni" - "type": "DirectoryOrCreate" - "name": "log-dir" - - "hostPath": - "path": "/var/run/aws-node" - "type": "DirectoryOrCreate" - "name": "run-dir" - "updateStrategy": - "rollingUpdate": - "maxUnavailable": "10%" - "type": "RollingUpdate" -... 
+# Source: aws-vpc-cni/templates/daemonset.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate + selector: + matchLabels: + k8s-app: aws-node + template: + metadata: + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + spec: + priorityClassName: "system-node-critical" + serviceAccountName: aws-node + hostNetwork: true + initContainers: + - name: aws-vpc-cni-init + image: "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni-init:v1.10.0" + env: + - name: DISABLE_TCP_EARLY_DEMUX + value: "false" + - name: ENABLE_IPv6 + value: "false" + securityContext: + privileged: true + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + terminationGracePeriodSeconds: 10 + tolerations: + - operator: Exists + securityContext: + {} + containers: + - name: aws-node + image: "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/amazon-k8s-cni:v1.10.0" + ports: + - containerPort: 61678 + name: metrics + livenessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 60 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 1 + timeoutSeconds: 5 + env: + - name: ADDITIONAL_ENI_TAGS + value: "{}" + - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + value: "true" + - name: AWS_VPC_ENI_MTU + value: "9001" + - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER + value: "false" + - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + value: "false" + - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + value: "false" + - name: AWS_VPC_K8S_CNI_LOGLEVEL + value: "DEBUG" + - name: 
AWS_VPC_K8S_CNI_LOG_FILE + value: "/host/var/log/aws-routed-eni/ipamd.log" + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: "prng" + - name: AWS_VPC_K8S_CNI_VETHPREFIX + value: "eni" + - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + value: "/var/log/aws-routed-eni/plugin.log" + - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + value: "DEBUG" + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: DISABLE_NETWORK_RESOURCE_PROVISIONING + value: "false" + - name: ENABLE_IPv4 + value: "true" + - name: ENABLE_IPv6 + value: "false" + - name: ENABLE_POD_ENI + value: "false" + - name: ENABLE_PREFIX_DELEGATION + value: "false" + - name: WARM_ENI_TARGET + value: "1" + - name: WARM_PREFIX_TARGET + value: "1" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 10m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /host/var/log/aws-routed-eni + name: log-dir + - mountPath: /var/run/dockershim.sock + name: dockershim + - mountPath: /var/run/aws-node + name: run-dir + - mountPath: /run/xtables.lock + name: xtables-lock + volumes: + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + - name: dockershim + hostPath: + path: /var/run/dockershim.sock + - name: log-dir + hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + - name: run-dir + hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + - name: xtables-lock + hostPath: + path: /run/xtables.lock + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate 
diff --git a/config/master/aws-k8s-cni-us-gov-east-1.yaml b/config/master/aws-k8s-cni-us-gov-east-1.yaml index 96c93bbaab..7054b0d87f 100644 --- a/config/master/aws-k8s-cni-us-gov-east-1.yaml +++ b/config/master/aws-k8s-cni-us-gov-east-1.yaml 
@@ -1,260 +1,269 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "aws-node" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "aws-node" -"subjects": -- "kind": "ServiceAccount" - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/customresourcedefinition.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: eniconfigs.crd.k8s.amazonaws.com + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + scope: Cluster + group: crd.k8s.amazonaws.com + preserveUnknownFields: false + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + plural: eniconfigs + singular: eniconfig + kind: ENIConfig --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "aws-node" -"rules": -- "apiGroups": - - "crd.k8s.amazonaws.com" - "resources": - - "eniconfigs" - "verbs": - - "get" - - "list" - - "watch" -- "apiGroups": - - "" - "resources": - - "namespaces" - "verbs": - - "list" - - "watch" - - "get" -- "apiGroups": - - "" - "resources": - - "pods" - "verbs": - - "list" - - "watch" - - "get" - - "patch" -- "apiGroups": - - "" - "resources": - - "nodes" - "verbs": - - "list" - - "watch" - - "get" - - "update" -- "apiGroups": - - "extensions" - "resources": - - "*" - "verbs": - - "list" - - 
"watch" +# Source: aws-vpc-cni/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +rules: + - apiGroups: + - crd.k8s.amazonaws.com + resources: + - eniconfigs + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - pods + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch", "get", "update"] + - apiGroups: ["extensions"] + resources: + - '*' + verbs: ["list", "watch"] --- -"apiVersion": "apiextensions.k8s.io/v1" -"kind": "CustomResourceDefinition" -"metadata": - "name": "eniconfigs.crd.k8s.amazonaws.com" -"spec": - "group": "crd.k8s.amazonaws.com" - "names": - "kind": "ENIConfig" - "plural": "eniconfigs" - "singular": "eniconfig" - "preserveUnknownFields": false - "scope": "Cluster" - "versions": - - "name": "v1alpha1" - "schema": - "openAPIV3Schema": - "type": "object" - "x-kubernetes-preserve-unknown-fields": true - "served": true - "storage": true +# Source: aws-vpc-cni/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aws-node +subjects: + - kind: ServiceAccount + name: aws-node + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "DaemonSet" -"metadata": - "labels": - "k8s-app": "aws-node" - "name": "aws-node" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "aws-node" - "template": - "metadata": - "labels": - "k8s-app": "aws-node" - "spec": - "affinity": - "nodeAffinity": 
- "requiredDuringSchedulingIgnoredDuringExecution": - "nodeSelectorTerms": - - "matchExpressions": - - "key": "kubernetes.io/os" - "operator": "In" - "values": - - "linux" - - "key": "kubernetes.io/arch" - "operator": "In" - "values": - - "amd64" - - "arm64" - - "key": "eks.amazonaws.com/compute-type" - "operator": "NotIn" - "values": - - "fargate" - "containers": - - "env": - - "name": "ADDITIONAL_ENI_TAGS" - "value": "{}" - - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" - "value": "true" - - "name": "AWS_VPC_ENI_MTU" - "value": "9001" - - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" - "value": "DEBUG" - - "name": "AWS_VPC_K8S_CNI_LOG_FILE" - "value": "/host/var/log/aws-routed-eni/ipamd.log" - - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" - "value": "prng" - - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" - "value": "eni" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" - "value": "/var/log/aws-routed-eni/plugin.log" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" - "value": "DEBUG" - - "name": "DISABLE_INTROSPECTION" - "value": "false" - - "name": "DISABLE_METRICS" - "value": "false" - - "name": "DISABLE_NETWORK_RESOURCE_PROVISIONING" - "value": "false" - - "name": "ENABLE_IPv4" - "value": "true" - - "name": "ENABLE_IPv6" - "value": "false" - - "name": "ENABLE_POD_ENI" - "value": "false" - - "name": "ENABLE_PREFIX_DELEGATION" - "value": "false" - - "name": "MY_NODE_NAME" - "valueFrom": - "fieldRef": - "fieldPath": "spec.nodeName" - - "name": "WARM_ENI_TARGET" - "value": "1" - - "name": "WARM_PREFIX_TARGET" - "value": "1" - "image": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.10.0" - "livenessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 60 - "name": "aws-node" - "ports": - - "containerPort": 61678 - "name": "metrics" - 
"protocol": "TCP" - "readinessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 1 - "resources": - "requests": - "cpu": "10m" - "securityContext": - "capabilities": - "add": - - "NET_ADMIN" - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - - "mountPath": "/host/etc/cni/net.d" - "name": "cni-net-dir" - - "mountPath": "/host/var/log/aws-routed-eni" - "name": "log-dir" - - "mountPath": "/var/run/aws-node" - "name": "run-dir" - - "mountPath": "/var/run/dockershim.sock" - "name": "dockershim" - - "mountPath": "/run/xtables.lock" - "name": "xtables-lock" - "hostNetwork": true - "initContainers": - - "env": - - "name": "DISABLE_TCP_EARLY_DEMUX" - "value": "false" - - "name": "ENABLE_IPv6" - "value": "false" - "image": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.10.0" - "name": "aws-vpc-cni-init" - "resources": - "limits": - "cpu": "50m" - "memory": "64Mi" - "requests": - "cpu": "10m" - "memory": "32Mi" - "securityContext": - "privileged": true - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - "priorityClassName": "system-node-critical" - "serviceAccountName": "aws-node" - "terminationGracePeriodSeconds": 10 - "tolerations": - - "operator": "Exists" - "volumes": - - "hostPath": - "path": "/opt/cni/bin" - "name": "cni-bin-dir" - - "hostPath": - "path": "/etc/cni/net.d" - "name": "cni-net-dir" - - "hostPath": - "path": "/var/run/dockershim.sock" - "name": "dockershim" - - "hostPath": - "path": "/run/xtables.lock" - "name": "xtables-lock" - - "hostPath": - "path": "/var/log/aws-routed-eni" - "type": "DirectoryOrCreate" - "name": "log-dir" - - "hostPath": - "path": "/var/run/aws-node" - "type": "DirectoryOrCreate" - "name": "run-dir" - "updateStrategy": - "rollingUpdate": - "maxUnavailable": "10%" - "type": "RollingUpdate" -... 
+# Source: aws-vpc-cni/templates/daemonset.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate + selector: + matchLabels: + k8s-app: aws-node + template: + metadata: + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + spec: + priorityClassName: "system-node-critical" + serviceAccountName: aws-node + hostNetwork: true + initContainers: + - name: aws-vpc-cni-init + image: "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni-init:v1.10.0" + env: + - name: DISABLE_TCP_EARLY_DEMUX + value: "false" + - name: ENABLE_IPv6 + value: "false" + securityContext: + privileged: true + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + terminationGracePeriodSeconds: 10 + tolerations: + - operator: Exists + securityContext: + {} + containers: + - name: aws-node + image: "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/amazon-k8s-cni:v1.10.0" + ports: + - containerPort: 61678 + name: metrics + livenessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 60 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 1 + timeoutSeconds: 5 + env: + - name: ADDITIONAL_ENI_TAGS + value: "{}" + - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + value: "true" + - name: AWS_VPC_ENI_MTU + value: "9001" + - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER + value: "false" + - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + value: "false" + - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + value: "false" + - name: AWS_VPC_K8S_CNI_LOGLEVEL + value: "DEBUG" + - name: 
AWS_VPC_K8S_CNI_LOG_FILE + value: "/host/var/log/aws-routed-eni/ipamd.log" + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: "prng" + - name: AWS_VPC_K8S_CNI_VETHPREFIX + value: "eni" + - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + value: "/var/log/aws-routed-eni/plugin.log" + - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + value: "DEBUG" + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: DISABLE_NETWORK_RESOURCE_PROVISIONING + value: "false" + - name: ENABLE_IPv4 + value: "true" + - name: ENABLE_IPv6 + value: "false" + - name: ENABLE_POD_ENI + value: "false" + - name: ENABLE_PREFIX_DELEGATION + value: "false" + - name: WARM_ENI_TARGET + value: "1" + - name: WARM_PREFIX_TARGET + value: "1" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 10m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /host/var/log/aws-routed-eni + name: log-dir + - mountPath: /var/run/dockershim.sock + name: dockershim + - mountPath: /var/run/aws-node + name: run-dir + - mountPath: /run/xtables.lock + name: xtables-lock + volumes: + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + - name: dockershim + hostPath: + path: /var/run/dockershim.sock + - name: log-dir + hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + - name: run-dir + hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + - name: xtables-lock + hostPath: + path: /run/xtables.lock + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate 
diff --git a/config/master/aws-k8s-cni-us-gov-west-1.yaml b/config/master/aws-k8s-cni-us-gov-west-1.yaml index 5bd47ae00a..850f9b8687 100644 --- a/config/master/aws-k8s-cni-us-gov-west-1.yaml +++ b/config/master/aws-k8s-cni-us-gov-west-1.yaml 
@@ -1,260 +1,269 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "aws-node" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "aws-node" -"subjects": -- "kind": "ServiceAccount" - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/customresourcedefinition.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: eniconfigs.crd.k8s.amazonaws.com + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + scope: Cluster + group: crd.k8s.amazonaws.com + preserveUnknownFields: false + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + plural: eniconfigs + singular: eniconfig + kind: ENIConfig --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "aws-node" -"rules": -- "apiGroups": - - "crd.k8s.amazonaws.com" - "resources": - - "eniconfigs" - "verbs": - - "get" - - "list" - - "watch" -- "apiGroups": - - "" - "resources": - - "namespaces" - "verbs": - - "list" - - "watch" - - "get" -- "apiGroups": - - "" - "resources": - - "pods" - "verbs": - - "list" - - "watch" - - "get" - - "patch" -- "apiGroups": - - "" - "resources": - - "nodes" - "verbs": - - "list" - - "watch" - - "get" - - "update" -- "apiGroups": - - "extensions" - "resources": - - "*" - "verbs": - - "list" - - 
"watch" +# Source: aws-vpc-cni/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +rules: + - apiGroups: + - crd.k8s.amazonaws.com + resources: + - eniconfigs + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - pods + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch", "get", "update"] + - apiGroups: ["extensions"] + resources: + - '*' + verbs: ["list", "watch"] --- -"apiVersion": "apiextensions.k8s.io/v1" -"kind": "CustomResourceDefinition" -"metadata": - "name": "eniconfigs.crd.k8s.amazonaws.com" -"spec": - "group": "crd.k8s.amazonaws.com" - "names": - "kind": "ENIConfig" - "plural": "eniconfigs" - "singular": "eniconfig" - "preserveUnknownFields": false - "scope": "Cluster" - "versions": - - "name": "v1alpha1" - "schema": - "openAPIV3Schema": - "type": "object" - "x-kubernetes-preserve-unknown-fields": true - "served": true - "storage": true +# Source: aws-vpc-cni/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aws-node +subjects: + - kind: ServiceAccount + name: aws-node + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "DaemonSet" -"metadata": - "labels": - "k8s-app": "aws-node" - "name": "aws-node" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "aws-node" - "template": - "metadata": - "labels": - "k8s-app": "aws-node" - "spec": - "affinity": - "nodeAffinity": 
- "requiredDuringSchedulingIgnoredDuringExecution": - "nodeSelectorTerms": - - "matchExpressions": - - "key": "kubernetes.io/os" - "operator": "In" - "values": - - "linux" - - "key": "kubernetes.io/arch" - "operator": "In" - "values": - - "amd64" - - "arm64" - - "key": "eks.amazonaws.com/compute-type" - "operator": "NotIn" - "values": - - "fargate" - "containers": - - "env": - - "name": "ADDITIONAL_ENI_TAGS" - "value": "{}" - - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" - "value": "true" - - "name": "AWS_VPC_ENI_MTU" - "value": "9001" - - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" - "value": "DEBUG" - - "name": "AWS_VPC_K8S_CNI_LOG_FILE" - "value": "/host/var/log/aws-routed-eni/ipamd.log" - - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" - "value": "prng" - - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" - "value": "eni" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" - "value": "/var/log/aws-routed-eni/plugin.log" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" - "value": "DEBUG" - - "name": "DISABLE_INTROSPECTION" - "value": "false" - - "name": "DISABLE_METRICS" - "value": "false" - - "name": "DISABLE_NETWORK_RESOURCE_PROVISIONING" - "value": "false" - - "name": "ENABLE_IPv4" - "value": "true" - - "name": "ENABLE_IPv6" - "value": "false" - - "name": "ENABLE_POD_ENI" - "value": "false" - - "name": "ENABLE_PREFIX_DELEGATION" - "value": "false" - - "name": "MY_NODE_NAME" - "valueFrom": - "fieldRef": - "fieldPath": "spec.nodeName" - - "name": "WARM_ENI_TARGET" - "value": "1" - - "name": "WARM_PREFIX_TARGET" - "value": "1" - "image": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni:v1.10.0" - "livenessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 60 - "name": "aws-node" - "ports": - - "containerPort": 61678 - "name": "metrics" - 
"protocol": "TCP" - "readinessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 1 - "resources": - "requests": - "cpu": "10m" - "securityContext": - "capabilities": - "add": - - "NET_ADMIN" - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - - "mountPath": "/host/etc/cni/net.d" - "name": "cni-net-dir" - - "mountPath": "/host/var/log/aws-routed-eni" - "name": "log-dir" - - "mountPath": "/var/run/aws-node" - "name": "run-dir" - - "mountPath": "/var/run/dockershim.sock" - "name": "dockershim" - - "mountPath": "/run/xtables.lock" - "name": "xtables-lock" - "hostNetwork": true - "initContainers": - - "env": - - "name": "DISABLE_TCP_EARLY_DEMUX" - "value": "false" - - "name": "ENABLE_IPv6" - "value": "false" - "image": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni-init:v1.10.0" - "name": "aws-vpc-cni-init" - "resources": - "limits": - "cpu": "50m" - "memory": "64Mi" - "requests": - "cpu": "10m" - "memory": "32Mi" - "securityContext": - "privileged": true - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - "priorityClassName": "system-node-critical" - "serviceAccountName": "aws-node" - "terminationGracePeriodSeconds": 10 - "tolerations": - - "operator": "Exists" - "volumes": - - "hostPath": - "path": "/opt/cni/bin" - "name": "cni-bin-dir" - - "hostPath": - "path": "/etc/cni/net.d" - "name": "cni-net-dir" - - "hostPath": - "path": "/var/run/dockershim.sock" - "name": "dockershim" - - "hostPath": - "path": "/run/xtables.lock" - "name": "xtables-lock" - - "hostPath": - "path": "/var/log/aws-routed-eni" - "type": "DirectoryOrCreate" - "name": "log-dir" - - "hostPath": - "path": "/var/run/aws-node" - "type": "DirectoryOrCreate" - "name": "run-dir" - "updateStrategy": - "rollingUpdate": - "maxUnavailable": "10%" - "type": "RollingUpdate" -... 
+# Source: aws-vpc-cni/templates/daemonset.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate + selector: + matchLabels: + k8s-app: aws-node + template: + metadata: + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + spec: + priorityClassName: "system-node-critical" + serviceAccountName: aws-node + hostNetwork: true + initContainers: + - name: aws-vpc-cni-init + image: "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni-init:v1.10.0" + env: + - name: DISABLE_TCP_EARLY_DEMUX + value: "false" + - name: ENABLE_IPv6 + value: "false" + securityContext: + privileged: true + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + terminationGracePeriodSeconds: 10 + tolerations: + - operator: Exists + securityContext: + {} + containers: + - name: aws-node + image: "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/amazon-k8s-cni:v1.10.0" + ports: + - containerPort: 61678 + name: metrics + livenessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 60 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 1 + timeoutSeconds: 5 + env: + - name: ADDITIONAL_ENI_TAGS + value: "{}" + - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + value: "true" + - name: AWS_VPC_ENI_MTU + value: "9001" + - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER + value: "false" + - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + value: "false" + - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + value: "false" + - name: AWS_VPC_K8S_CNI_LOGLEVEL + value: "DEBUG" + - name: 
AWS_VPC_K8S_CNI_LOG_FILE + value: "/host/var/log/aws-routed-eni/ipamd.log" + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: "prng" + - name: AWS_VPC_K8S_CNI_VETHPREFIX + value: "eni" + - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + value: "/var/log/aws-routed-eni/plugin.log" + - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + value: "DEBUG" + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: DISABLE_NETWORK_RESOURCE_PROVISIONING + value: "false" + - name: ENABLE_IPv4 + value: "true" + - name: ENABLE_IPv6 + value: "false" + - name: ENABLE_POD_ENI + value: "false" + - name: ENABLE_PREFIX_DELEGATION + value: "false" + - name: WARM_ENI_TARGET + value: "1" + - name: WARM_PREFIX_TARGET + value: "1" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 10m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /host/var/log/aws-routed-eni + name: log-dir + - mountPath: /var/run/dockershim.sock + name: dockershim + - mountPath: /var/run/aws-node + name: run-dir + - mountPath: /run/xtables.lock + name: xtables-lock + volumes: + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + - name: dockershim + hostPath: + path: /var/run/dockershim.sock + - name: log-dir + hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + - name: run-dir + hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + - name: xtables-lock + hostPath: + path: /run/xtables.lock + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate 
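Review bot: the `pods` rule in the regenerated ClusterRole drops the `patch` verb (`verbs: ["list", "watch", "get"]` replaces the previous `get`/`list`/`watch`/`patch` list); any code path in aws-node that still patches pod objects, for example to write pod annotations, will now get a 403 from the API server, so either restore `patch` in `aws-vpc-cni/templates/clusterrole.yaml` or state in the commit message that v1.10.0 no longer patches pods. Second, the privileged `aws-vpc-cni-init` container loses its `resources` block (previously `limits: cpu 50m / memory 64Mi`, `requests: cpu 10m / memory 32Mi`); a privileged, host-network init container with no limits is a step backwards for node resource isolation, so carry those values into the daemonset template. The probe hardening (`-connect-timeout=2s`, `-rpc-timeout=2s`, `timeoutSeconds: 5`) is a genuine improvement and deserves a mention in the commit message.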
diff --git a/config/master/aws-k8s-cni.yaml b/config/master/aws-k8s-cni.yaml index e29fe3d6ad..95ea6d532f 100644 --- a/config/master/aws-k8s-cni.yaml +++ b/config/master/aws-k8s-cni.yaml 
@@ -1,260 +1,269 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "aws-node" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "aws-node" -"subjects": -- "kind": "ServiceAccount" - "name": "aws-node" - "namespace": "kube-system" +# Source: aws-vpc-cni/templates/customresourcedefinition.yaml +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: eniconfigs.crd.k8s.amazonaws.com + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + scope: Cluster + group: crd.k8s.amazonaws.com + preserveUnknownFields: false + versions: + - name: v1alpha1 + served: true + storage: true + schema: + openAPIV3Schema: + type: object + x-kubernetes-preserve-unknown-fields: true + names: + plural: eniconfigs + singular: eniconfig + kind: ENIConfig --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "aws-node" -"rules": -- "apiGroups": - - "crd.k8s.amazonaws.com" - "resources": - - "eniconfigs" - "verbs": - - "get" - - "list" - - "watch" -- "apiGroups": - - "" - "resources": - - "namespaces" - "verbs": - - "list" - - "watch" - - "get" -- "apiGroups": - - "" - "resources": - - "pods" - "verbs": - - "list" - - "watch" - - "get" - - "patch" -- "apiGroups": - - "" - "resources": - - "nodes" - "verbs": - - "list" - - "watch" - - "get" - - "update" -- "apiGroups": - - "extensions" - "resources": - - "*" - "verbs": - - "list" - - 
"watch" +# Source: aws-vpc-cni/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +rules: + - apiGroups: + - crd.k8s.amazonaws.com + resources: + - eniconfigs + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - namespaces + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - pods + verbs: ["list", "watch", "get"] + - apiGroups: [""] + resources: + - nodes + verbs: ["list", "watch", "get", "update"] + - apiGroups: ["extensions"] + resources: + - '*' + verbs: ["list", "watch"] --- -"apiVersion": "apiextensions.k8s.io/v1" -"kind": "CustomResourceDefinition" -"metadata": - "name": "eniconfigs.crd.k8s.amazonaws.com" -"spec": - "group": "crd.k8s.amazonaws.com" - "names": - "kind": "ENIConfig" - "plural": "eniconfigs" - "singular": "eniconfig" - "preserveUnknownFields": false - "scope": "Cluster" - "versions": - - "name": "v1alpha1" - "schema": - "openAPIV3Schema": - "type": "object" - "x-kubernetes-preserve-unknown-fields": true - "served": true - "storage": true +# Source: aws-vpc-cni/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: aws-node + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: aws-node +subjects: + - kind: ServiceAccount + name: aws-node + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "DaemonSet" -"metadata": - "labels": - "k8s-app": "aws-node" - "name": "aws-node" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "aws-node" - "template": - "metadata": - "labels": - "k8s-app": "aws-node" - "spec": - "affinity": - "nodeAffinity": 
- "requiredDuringSchedulingIgnoredDuringExecution": - "nodeSelectorTerms": - - "matchExpressions": - - "key": "kubernetes.io/os" - "operator": "In" - "values": - - "linux" - - "key": "kubernetes.io/arch" - "operator": "In" - "values": - - "amd64" - - "arm64" - - "key": "eks.amazonaws.com/compute-type" - "operator": "NotIn" - "values": - - "fargate" - "containers": - - "env": - - "name": "ADDITIONAL_ENI_TAGS" - "value": "{}" - - "name": "AWS_VPC_CNI_NODE_PORT_SUPPORT" - "value": "true" - - "name": "AWS_VPC_ENI_MTU" - "value": "9001" - - "name": "AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_EXTERNALSNAT" - "value": "false" - - "name": "AWS_VPC_K8S_CNI_LOGLEVEL" - "value": "DEBUG" - - "name": "AWS_VPC_K8S_CNI_LOG_FILE" - "value": "/host/var/log/aws-routed-eni/ipamd.log" - - "name": "AWS_VPC_K8S_CNI_RANDOMIZESNAT" - "value": "prng" - - "name": "AWS_VPC_K8S_CNI_VETHPREFIX" - "value": "eni" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_FILE" - "value": "/var/log/aws-routed-eni/plugin.log" - - "name": "AWS_VPC_K8S_PLUGIN_LOG_LEVEL" - "value": "DEBUG" - - "name": "DISABLE_INTROSPECTION" - "value": "false" - - "name": "DISABLE_METRICS" - "value": "false" - - "name": "DISABLE_NETWORK_RESOURCE_PROVISIONING" - "value": "false" - - "name": "ENABLE_IPv4" - "value": "true" - - "name": "ENABLE_IPv6" - "value": "false" - - "name": "ENABLE_POD_ENI" - "value": "false" - - "name": "ENABLE_PREFIX_DELEGATION" - "value": "false" - - "name": "MY_NODE_NAME" - "valueFrom": - "fieldRef": - "fieldPath": "spec.nodeName" - - "name": "WARM_ENI_TARGET" - "value": "1" - - "name": "WARM_PREFIX_TARGET" - "value": "1" - "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.10.0" - "livenessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 60 - "name": "aws-node" - "ports": - - "containerPort": 61678 - "name": "metrics" - "protocol": 
"TCP" - "readinessProbe": - "exec": - "command": - - "/app/grpc-health-probe" - - "-addr=:50051" - "initialDelaySeconds": 1 - "resources": - "requests": - "cpu": "10m" - "securityContext": - "capabilities": - "add": - - "NET_ADMIN" - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - - "mountPath": "/host/etc/cni/net.d" - "name": "cni-net-dir" - - "mountPath": "/host/var/log/aws-routed-eni" - "name": "log-dir" - - "mountPath": "/var/run/aws-node" - "name": "run-dir" - - "mountPath": "/var/run/dockershim.sock" - "name": "dockershim" - - "mountPath": "/run/xtables.lock" - "name": "xtables-lock" - "hostNetwork": true - "initContainers": - - "env": - - "name": "DISABLE_TCP_EARLY_DEMUX" - "value": "false" - - "name": "ENABLE_IPv6" - "value": "false" - "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.10.0" - "name": "aws-vpc-cni-init" - "resources": - "limits": - "cpu": "50m" - "memory": "64Mi" - "requests": - "cpu": "10m" - "memory": "32Mi" - "securityContext": - "privileged": true - "volumeMounts": - - "mountPath": "/host/opt/cni/bin" - "name": "cni-bin-dir" - "priorityClassName": "system-node-critical" - "serviceAccountName": "aws-node" - "terminationGracePeriodSeconds": 10 - "tolerations": - - "operator": "Exists" - "volumes": - - "hostPath": - "path": "/opt/cni/bin" - "name": "cni-bin-dir" - - "hostPath": - "path": "/etc/cni/net.d" - "name": "cni-net-dir" - - "hostPath": - "path": "/var/run/dockershim.sock" - "name": "dockershim" - - "hostPath": - "path": "/run/xtables.lock" - "name": "xtables-lock" - - "hostPath": - "path": "/var/log/aws-routed-eni" - "type": "DirectoryOrCreate" - "name": "log-dir" - - "hostPath": - "path": "/var/run/aws-node" - "type": "DirectoryOrCreate" - "name": "run-dir" - "updateStrategy": - "rollingUpdate": - "maxUnavailable": "10%" - "type": "RollingUpdate" -... 
+# Source: aws-vpc-cni/templates/daemonset.yaml +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: aws-node + namespace: kube-system + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + app.kubernetes.io/version: "v1.10.0" +spec: + updateStrategy: + rollingUpdate: + maxUnavailable: 10% + type: RollingUpdate + selector: + matchLabels: + k8s-app: aws-node + template: + metadata: + labels: + app.kubernetes.io/name: aws-node + app.kubernetes.io/instance: aws-vpc-cni + k8s-app: aws-node + spec: + priorityClassName: "system-node-critical" + serviceAccountName: aws-node + hostNetwork: true + initContainers: + - name: aws-vpc-cni-init + image: "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni-init:v1.10.0" + env: + - name: DISABLE_TCP_EARLY_DEMUX + value: "false" + - name: ENABLE_IPv6 + value: "false" + securityContext: + privileged: true + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + terminationGracePeriodSeconds: 10 + tolerations: + - operator: Exists + securityContext: + {} + containers: + - name: aws-node + image: "602401143452.dkr.ecr.us-west-2.amazonaws.com/amazon-k8s-cni:v1.10.0" + ports: + - containerPort: 61678 + name: metrics + livenessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 60 + timeoutSeconds: 5 + readinessProbe: + exec: + command: + - /app/grpc-health-probe + - -addr=:50051 + - -connect-timeout=2s + - -rpc-timeout=2s + initialDelaySeconds: 1 + timeoutSeconds: 5 + env: + - name: ADDITIONAL_ENI_TAGS + value: "{}" + - name: AWS_VPC_CNI_NODE_PORT_SUPPORT + value: "true" + - name: AWS_VPC_ENI_MTU + value: "9001" + - name: AWS_VPC_K8S_CNI_CONFIGURE_RPFILTER + value: "false" + - name: AWS_VPC_K8S_CNI_CUSTOM_NETWORK_CFG + value: "false" + - name: AWS_VPC_K8S_CNI_EXTERNALSNAT + value: "false" + - name: AWS_VPC_K8S_CNI_LOGLEVEL + value: "DEBUG" + - name: AWS_VPC_K8S_CNI_LOG_FILE 
+ value: "/host/var/log/aws-routed-eni/ipamd.log" + - name: AWS_VPC_K8S_CNI_RANDOMIZESNAT + value: "prng" + - name: AWS_VPC_K8S_CNI_VETHPREFIX + value: "eni" + - name: AWS_VPC_K8S_PLUGIN_LOG_FILE + value: "/var/log/aws-routed-eni/plugin.log" + - name: AWS_VPC_K8S_PLUGIN_LOG_LEVEL + value: "DEBUG" + - name: DISABLE_INTROSPECTION + value: "false" + - name: DISABLE_METRICS + value: "false" + - name: DISABLE_NETWORK_RESOURCE_PROVISIONING + value: "false" + - name: ENABLE_IPv4 + value: "true" + - name: ENABLE_IPv6 + value: "false" + - name: ENABLE_POD_ENI + value: "false" + - name: ENABLE_PREFIX_DELEGATION + value: "false" + - name: WARM_ENI_TARGET + value: "1" + - name: WARM_PREFIX_TARGET + value: "1" + - name: MY_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + resources: + requests: + cpu: 10m + securityContext: + capabilities: + add: + - NET_ADMIN + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + - mountPath: /host/var/log/aws-routed-eni + name: log-dir + - mountPath: /var/run/dockershim.sock + name: dockershim + - mountPath: /var/run/aws-node + name: run-dir + - mountPath: /run/xtables.lock + name: xtables-lock + volumes: + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + - name: dockershim + hostPath: + path: /var/run/dockershim.sock + - name: log-dir + hostPath: + path: /var/log/aws-routed-eni + type: DirectoryOrCreate + - name: run-dir + hostPath: + path: /var/run/aws-node + type: DirectoryOrCreate + - name: xtables-lock + hostPath: + path: /run/xtables.lock + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.io/os + operator: In + values: + - linux + - key: kubernetes.io/arch + operator: In + values: + - amd64 + - arm64 + - key: eks.amazonaws.com/compute-type + operator: NotIn + values: + - fargate 
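Review bot: same two regressions as in the us-gov-west-1 rendering, since this is the same template with a different registry: `patch` is removed from the `pods` verbs, and the privileged `aws-vpc-cni-init` container no longer carries `resources` limits or requests. Because every regional `aws-k8s-cni*.yaml` is generated from the templates named in the `# Source:` comments (`aws-vpc-cni/templates/clusterrole.yaml`, `aws-vpc-cni/templates/daemonset.yaml`), fix both points at the template and re-render rather than editing the rendered files one by one.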
diff --git a/config/master/calico-operator.yaml b/config/master/calico-operator.yaml index e44ed5e95d..e260043003 100644 --- a/config/master/calico-operator.yaml +++ b/config/master/calico-operator.yaml @@ -4903,6 +4903,20 @@ spec: max: 65535 readOnlyRootFilesystem: false --- +# Source: aws-calico/templates/tigera-operator/02-rolebinding-tigera-operator.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: tigera-operator +subjects: +- kind: ServiceAccount + name: tigera-operator + namespace: tigera-operator +roleRef: + kind: ClusterRole + name: tigera-operator + apiGroup: rbac.authorization.k8s.io +--- # Source: aws-calico/templates/tigera-operator/02-role-tigera-operator.yaml apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole @@ -5097,20 +5111,6 @@ rules: verbs: - list --- -# Source: aws-calico/templates/tigera-operator/02-rolebinding-tigera-operator.yaml -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: tigera-operator -subjects: -- kind: ServiceAccount - name: tigera-operator - namespace: tigera-operator -roleRef: - kind: ClusterRole - name: tigera-operator - apiGroup: rbac.authorization.k8s.io ---- # Source: aws-calico/templates/tigera-operator/02-serviceaccount-tigera-operator.yaml apiVersion: v1 kind: ServiceAccount diff --git a/config/master/cni-metrics-helper-cn.yaml b/config/master/cni-metrics-helper-cn.yaml index 0dd7baa49a..86ef3ee8b0 100644 --- a/config/master/cni-metrics-helper-cn.yaml +++ b/config/master/cni-metrics-helper-cn.yaml 
@@ -1,99 +1,94 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "cni-metrics-helper" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "cni-metrics-helper" -"subjects": -- "kind": "ServiceAccount" - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cni-metrics-helper +rules: + - apiGroups: [""] + resources: + - nodes + - pods + - pods/proxy + - services + - resourcequotas + - replicationcontrollers + - limitranges + - persistentvolumeclaims + - persistentvolumes + - namespaces + - endpoints + verbs: ["list", "watch", "get"] + - apiGroups: ["extensions"] + resources: + - daemonsets + - deployments + - replicasets + verbs: ["list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + verbs: ["list", "watch"] + - apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: ["list", "watch"] + - apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "cni-metrics-helper" -"rules": -- "apiGroups": - - "" - "resources": - - "nodes" - - "pods" - - "pods/proxy" - - "services" - - "resourcequotas" - - "replicationcontrollers" - - "limitranges" - - "persistentvolumeclaims" - - "persistentvolumes" - - "namespaces" - - "endpoints" - "verbs": - - "list" - - "watch" - - "get" 
-- "apiGroups": - - "extensions" - "resources": - - "daemonsets" - - "deployments" - - "replicasets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "apps" - "resources": - - "statefulsets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "batch" - "resources": - - "cronjobs" - - "jobs" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "autoscaling" - "resources": - - "horizontalpodautoscalers" - "verbs": - - "list" - - "watch" +# Source: cni-metrics-helper/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cni-metrics-helper + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cni-metrics-helper +subjects: + - kind: ServiceAccount + name: cni-metrics-helper + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "Deployment" -"metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "name": "cni-metrics-helper" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "cni-metrics-helper" - "template": - "metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "spec": - "containers": - - "env": - - "name": "USE_CLOUDWATCH" - "value": "true" - "image": "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/cni-metrics-helper:v1.10.0" - "name": "cni-metrics-helper" - "serviceAccountName": "cni-metrics-helper" -... 
+# Source: cni-metrics-helper/templates/deployment.yaml +kind: Deployment +apiVersion: apps/v1 +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + k8s-app: cni-metrics-helper +spec: + selector: + matchLabels: + k8s-app: cni-metrics-helper + template: + metadata: + labels: + k8s-app: cni-metrics-helper + spec: + containers: + - env: + - name: USE_CLOUDWATCH + value: "true" + name: cni-metrics-helper + image: "961992271922.dkr.ecr.cn-northwest-1.amazonaws.com.cn/cni-metrics-helper:v1.10.0" + serviceAccountName: cni-metrics-helper diff --git a/config/master/cni-metrics-helper-us-east-1.yaml b/config/master/cni-metrics-helper-us-east-1.yaml deleted file mode 100644 index 9b252faea3..0000000000 --- a/config/master/cni-metrics-helper-us-east-1.yaml +++ /dev/null 
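Review bot: the rendered `ClusterRole` is the only object in this file without the `app.kubernetes.io/*` labels that the ServiceAccount and ClusterRoleBinding now carry, and the Deployment keeps only `k8s-app`; if those labels are meant for selection or cleanup, add them in `cni-metrics-helper/templates/clusterrole.yaml` and `deployment.yaml` as well (the us-gov-east-1 and us-gov-west-1 renderings below show the same gap). Separately, the permission set is carried over unchanged and still grants `get` on `pods/proxy` cluster-wide, which lets the helper's service account send HTTP requests to any pod through the API server proxy; a metrics collector that only scrapes aws-node should be scoped to the resources it actually reads, and the commit message should at least state that the RBAC content is unchanged by the re-rendering.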
@@ -1,82 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: cni-metrics-helper -rules: - - apiGroups: [""] - resources: - - nodes - - pods - - pods/proxy - - services - - resourcequotas - - replicationcontrollers - - limitranges - - persistentvolumeclaims - - persistentvolumes - - namespaces - - endpoints - verbs: ["list", "watch", "get"] - - apiGroups: ["extensions"] - resources: - - daemonsets - - deployments - - replicasets - verbs: ["list", "watch"] - - apiGroups: ["apps"] - resources: - - statefulsets - verbs: ["list", "watch"] - - apiGroups: ["batch"] - resources: - - cronjobs - - jobs - verbs: ["list", "watch"] - - apiGroups: ["autoscaling"] - resources: - - horizontalpodautoscalers - verbs: ["list", "watch"] ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: cni-metrics-helper - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: cni-metrics-helper -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cni-metrics-helper -subjects: - - kind: ServiceAccount - name: cni-metrics-helper - namespace: kube-system ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: cni-metrics-helper - namespace: kube-system - labels: - k8s-app: cni-metrics-helper -spec: - selector: - matchLabels: - k8s-app: cni-metrics-helper - template: - metadata: - labels: - k8s-app: cni-metrics-helper - spec: - serviceAccountName: cni-metrics-helper - containers: - - image: 151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/cni-metrics-helper:v1.10.0 - name: cni-metrics-helper - env: - - name: USE_CLOUDWATCH - value: "true" diff --git a/config/master/cni-metrics-helper-us-gov-east-1.yaml b/config/master/cni-metrics-helper-us-gov-east-1.yaml index 0ba35f82e2..16412e7fd1 100644 --- a/config/master/cni-metrics-helper-us-gov-east-1.yaml +++ b/config/master/cni-metrics-helper-us-gov-east-1.yaml 
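Review bot: the deleted `cni-metrics-helper-us-east-1.yaml` pointed at the us-gov-east-1 registry image (`151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/cni-metrics-helper:v1.10.0`), so it was a mislabelled copy of the us-gov-east-1 manifest rather than a real us-east-1 variant and removing it is correct; the commit message ("Doc and manifest updates") should say so explicitly and name the manifest commercial-region users should apply instead, so the deletion is not read as dropping support for a region.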
@@ -1,99 +1,94 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "cni-metrics-helper" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "cni-metrics-helper" -"subjects": -- "kind": "ServiceAccount" - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cni-metrics-helper +rules: + - apiGroups: [""] + resources: + - nodes + - pods + - pods/proxy + - services + - resourcequotas + - replicationcontrollers + - limitranges + - persistentvolumeclaims + - persistentvolumes + - namespaces + - endpoints + verbs: ["list", "watch", "get"] + - apiGroups: ["extensions"] + resources: + - daemonsets + - deployments + - replicasets + verbs: ["list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + verbs: ["list", "watch"] + - apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: ["list", "watch"] + - apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "cni-metrics-helper" -"rules": -- "apiGroups": - - "" - "resources": - - "nodes" - - "pods" - - "pods/proxy" - - "services" - - "resourcequotas" - - "replicationcontrollers" - - "limitranges" - - "persistentvolumeclaims" - - "persistentvolumes" - - "namespaces" - - "endpoints" - "verbs": - - "list" - - "watch" - - "get" 
-- "apiGroups": - - "extensions" - "resources": - - "daemonsets" - - "deployments" - - "replicasets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "apps" - "resources": - - "statefulsets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "batch" - "resources": - - "cronjobs" - - "jobs" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "autoscaling" - "resources": - - "horizontalpodautoscalers" - "verbs": - - "list" - - "watch" +# Source: cni-metrics-helper/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cni-metrics-helper + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cni-metrics-helper +subjects: + - kind: ServiceAccount + name: cni-metrics-helper + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "Deployment" -"metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "name": "cni-metrics-helper" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "cni-metrics-helper" - "template": - "metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "spec": - "containers": - - "env": - - "name": "USE_CLOUDWATCH" - "value": "true" - "image": "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/cni-metrics-helper:v1.10.0" - "name": "cni-metrics-helper" - "serviceAccountName": "cni-metrics-helper" -... 
+# Source: cni-metrics-helper/templates/deployment.yaml +kind: Deployment +apiVersion: apps/v1 +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + k8s-app: cni-metrics-helper +spec: + selector: + matchLabels: + k8s-app: cni-metrics-helper + template: + metadata: + labels: + k8s-app: cni-metrics-helper + spec: + containers: + - env: + - name: USE_CLOUDWATCH + value: "true" + name: cni-metrics-helper + image: "151742754352.dkr.ecr.us-gov-east-1.amazonaws.com/cni-metrics-helper:v1.10.0" + serviceAccountName: cni-metrics-helper diff --git a/config/master/cni-metrics-helper-us-gov-west-1.yaml b/config/master/cni-metrics-helper-us-gov-west-1.yaml index cef350bea0..0c6b6a2aae 100644 --- a/config/master/cni-metrics-helper-us-gov-west-1.yaml +++ b/config/master/cni-metrics-helper-us-gov-west-1.yaml 
@@ -1,99 +1,94 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "cni-metrics-helper" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "cni-metrics-helper" -"subjects": -- "kind": "ServiceAccount" - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cni-metrics-helper +rules: + - apiGroups: [""] + resources: + - nodes + - pods + - pods/proxy + - services + - resourcequotas + - replicationcontrollers + - limitranges + - persistentvolumeclaims + - persistentvolumes + - namespaces + - endpoints + verbs: ["list", "watch", "get"] + - apiGroups: ["extensions"] + resources: + - daemonsets + - deployments + - replicasets + verbs: ["list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + verbs: ["list", "watch"] + - apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: ["list", "watch"] + - apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "cni-metrics-helper" -"rules": -- "apiGroups": - - "" - "resources": - - "nodes" - - "pods" - - "pods/proxy" - - "services" - - "resourcequotas" - - "replicationcontrollers" - - "limitranges" - - "persistentvolumeclaims" - - "persistentvolumes" - - "namespaces" - - "endpoints" - "verbs": - - "list" - - "watch" - - "get" 
-- "apiGroups": - - "extensions" - "resources": - - "daemonsets" - - "deployments" - - "replicasets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "apps" - "resources": - - "statefulsets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "batch" - "resources": - - "cronjobs" - - "jobs" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "autoscaling" - "resources": - - "horizontalpodautoscalers" - "verbs": - - "list" - - "watch" +# Source: cni-metrics-helper/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cni-metrics-helper + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cni-metrics-helper +subjects: + - kind: ServiceAccount + name: cni-metrics-helper + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "Deployment" -"metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "name": "cni-metrics-helper" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "cni-metrics-helper" - "template": - "metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "spec": - "containers": - - "env": - - "name": "USE_CLOUDWATCH" - "value": "true" - "image": "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/cni-metrics-helper:v1.10.0" - "name": "cni-metrics-helper" - "serviceAccountName": "cni-metrics-helper" -... 
+# Source: cni-metrics-helper/templates/deployment.yaml +kind: Deployment +apiVersion: apps/v1 +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + k8s-app: cni-metrics-helper +spec: + selector: + matchLabels: + k8s-app: cni-metrics-helper + template: + metadata: + labels: + k8s-app: cni-metrics-helper + spec: + containers: + - env: + - name: USE_CLOUDWATCH + value: "true" + name: cni-metrics-helper + image: "013241004608.dkr.ecr.us-gov-west-1.amazonaws.com/cni-metrics-helper:v1.10.0" + serviceAccountName: cni-metrics-helper diff --git a/config/master/cni-metrics-helper.yaml b/config/master/cni-metrics-helper.yaml index d549a7f7bd..0e2381ffb3 100644 --- a/config/master/cni-metrics-helper.yaml +++ b/config/master/cni-metrics-helper.yaml 
@@ -1,99 +1,94 @@ --- -"apiVersion": "v1" -"kind": "ServiceAccount" -"metadata": - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRoleBinding" -"metadata": - "name": "cni-metrics-helper" -"roleRef": - "apiGroup": "rbac.authorization.k8s.io" - "kind": "ClusterRole" - "name": "cni-metrics-helper" -"subjects": -- "kind": "ServiceAccount" - "name": "cni-metrics-helper" - "namespace": "kube-system" +# Source: cni-metrics-helper/templates/clusterrole.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cni-metrics-helper +rules: + - apiGroups: [""] + resources: + - nodes + - pods + - pods/proxy + - services + - resourcequotas + - replicationcontrollers + - limitranges + - persistentvolumeclaims + - persistentvolumes + - namespaces + - endpoints + verbs: ["list", "watch", "get"] + - apiGroups: ["extensions"] + resources: + - daemonsets + - deployments + - replicasets + verbs: ["list", "watch"] + - apiGroups: ["apps"] + resources: + - statefulsets + verbs: ["list", "watch"] + - apiGroups: ["batch"] + resources: + - cronjobs + - jobs + verbs: ["list", "watch"] + - apiGroups: ["autoscaling"] + resources: + - horizontalpodautoscalers + verbs: ["list", "watch"] --- -"apiVersion": "rbac.authorization.k8s.io/v1" -"kind": "ClusterRole" -"metadata": - "name": "cni-metrics-helper" -"rules": -- "apiGroups": - - "" - "resources": - - "nodes" - - "pods" - - "pods/proxy" - - "services" - - "resourcequotas" - - "replicationcontrollers" - - "limitranges" - - "persistentvolumeclaims" - - "persistentvolumes" - - "namespaces" - - "endpoints" - "verbs": - - "list" - - "watch" - - "get" 
-- "apiGroups": - - "extensions" - "resources": - - "daemonsets" - - "deployments" - - "replicasets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "apps" - "resources": - - "statefulsets" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "batch" - "resources": - - "cronjobs" - - "jobs" - "verbs": - - "list" - - "watch" -- "apiGroups": - - "autoscaling" - "resources": - - "horizontalpodautoscalers" - "verbs": - - "list" - - "watch" +# Source: cni-metrics-helper/templates/clusterrolebinding.yaml +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cni-metrics-helper + labels: + app.kubernetes.io/name: cni-metrics-helper + app.kubernetes.io/instance: cni-metrics-helper + app.kubernetes.io/version: "v1.10.0" +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cni-metrics-helper +subjects: + - kind: ServiceAccount + name: cni-metrics-helper + namespace: kube-system --- -"apiVersion": "apps/v1" -"kind": "Deployment" -"metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "name": "cni-metrics-helper" - "namespace": "kube-system" -"spec": - "selector": - "matchLabels": - "k8s-app": "cni-metrics-helper" - "template": - "metadata": - "labels": - "k8s-app": "cni-metrics-helper" - "spec": - "containers": - - "env": - - "name": "USE_CLOUDWATCH" - "value": "true" - "image": "602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:v1.10.0" - "name": "cni-metrics-helper" - "serviceAccountName": "cni-metrics-helper" -... 
+# Source: cni-metrics-helper/templates/deployment.yaml +kind: Deployment +apiVersion: apps/v1 +metadata: + name: cni-metrics-helper + namespace: kube-system + labels: + k8s-app: cni-metrics-helper +spec: + selector: + matchLabels: + k8s-app: cni-metrics-helper + template: + metadata: + labels: + k8s-app: cni-metrics-helper + spec: + containers: + - env: + - name: USE_CLOUDWATCH + value: "true" + name: cni-metrics-helper + image: "602401143452.dkr.ecr.us-west-2.amazonaws.com/cni-metrics-helper:v1.10.0" + serviceAccountName: cni-metrics-helper diff --git a/config/master/manifests.jsonnet b/config/master/manifests.jsonnet index 3b09e43441..2eb73cdeab 100644 --- a/config/master/manifests.jsonnet +++ b/config/master/manifests.jsonnet @@ -155,9 +155,10 @@ local awsnode = { name: "aws-node", readinessProbe: { exec: { - command: ["/app/grpc-health-probe", "-addr=:50051"], + command: ["/app/grpc-health-probe", "-addr=:50051", "-connect-timeout=2s", "-rpc-timeout=2s"], }, initialDelaySeconds: 1, + timeoutSeconds: 5, }, livenessProbe: self.readinessProbe + { initialDelaySeconds: 60, From 93ce9c5aa7a6e4f9dfc9ccebed62164a7bf0b95c Mon Sep 17 00:00:00 2001 From: Apurup Chevuru Date: Tue, 9 Nov 2021 10:42:09 -0800 Subject: [PATCH 2/2] Readme updates - release1.10 branch --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index cd8d8a1242..aafd65b46f 100644 --- a/README.md +++ b/README.md 
@@ -509,7 +509,7 @@ limit on private IPs allowed by your instance. Setting or resetting of `ENABLE_P Setting ENABLE_PREFIX_DELEGATION to true will not increase the density of branch ENI pods. The limit on number of branch network interfaces per instance type will remain the same - https://docs.aws.amazon.com/eks/latest/userguide/security-groups-for-pods.html#supported-instance-types. Each branch network will be allocated a primary IP and this IP will be allocated for the branch ENI pods. -Please refer to `VPC CNI Feature Matrix` section below for additional information around using Prefix delegation with Custom Networking and Security Groups Per Pod features. +Please refer to [VPC CNI Feature Matrix](https://github.com/aws/amazon-vpc-cni-k8s#vpc-cni-feature-matrix) section below for additional information around using Prefix delegation with Custom Networking and Security Groups Per Pod features. **Note:** `ENABLE_PREFIX_DELEGATION` needs to be set to `true` when VPC CNI is configured to operate in IPv6 mode (supported in v1.10.0+). @@ -597,7 +597,7 @@ will configure it in IPv6 mode. IPv6 is only supported in Prefix Delegation mode configured to operate in IPv6 mode. Prefix delegation is only supported on nitro instances. -**Note:** Please make sure that the required IPv6 IAM policy is applied (Refer to `IAM Policy` section above). Dual stack mode isn't yet supported. So, enabling both IPv4 and IPv6 will be treated as invalid configuration. Please refer to the `VPC CNI Feature Matrix` section below for additional information. +**Note:** Please make sure that the required IPv6 IAM policy is applied (Refer to [IAM Policy](https://github.com/aws/amazon-vpc-cni-k8s#iam-policy) section above). Dual stack mode isn't yet supported. So, enabling both IPv4 and IPv6 will be treated as invalid configuration. Please refer to the [VPC CNI Feature Matrix](https://github.com/aws/amazon-vpc-cni-k8s#vpc-cni-feature-matrix) section below for additional information. ---
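Review bot: In the cni-metrics-helper-us-gov-east-1.yaml hunk, the rewritten ClusterRole carries forward the rule `- apiGroups: ["extensions"]` for `daemonsets`, `deployments` and `replicasets`; those resources were dropped from the `extensions` group in Kubernetes 1.16, so on current clusters this rule grants nothing, while the `apps` rule under it lists only `statefulsets`. If the helper needs to list/watch those workloads, move them under `apiGroups: ["apps"]` and delete the extensions rule; if it does not, delete the rule rather than keep a dead grant in a cluster-scoped role. The `# Source: cni-metrics-helper/templates/clusterrole.yaml` comment shows all three rendered files come from one chart template, so fix it there and re-render cni-metrics-helper-us-gov-west-1.yaml and cni-metrics-helper.yaml together.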
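Review bot: In the cni-metrics-helper-us-gov-west-1.yaml hunk the labelling of the four objects is inconsistent: the ServiceAccount and ClusterRoleBinding gain `app.kubernetes.io/name`, `app.kubernetes.io/instance` and `app.kubernetes.io/version: "v1.10.0"`, the ClusterRole `metadata` has no labels at all, and the Deployment keeps only `k8s-app: cni-metrics-helper`. Any label-based inventory or cleanup (for example `kubectl delete clusterrole,deployment -l app.kubernetes.io/name=cni-metrics-helper`) will miss the ClusterRole and the Deployment, and the version label that is meant to tell an operator which release is installed is absent from the one object that actually runs the image. Add the same label block in `templates/clusterrole.yaml` and `templates/deployment.yaml`; keep `k8s-app` on the Deployment, since `spec.selector.matchLabels` is immutable on an existing Deployment and changing it would break upgrades. The same applies to the other two rendered files.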
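Review bot: In the cni-metrics-helper.yaml hunk the first ClusterRole rule grants `verbs: ["list", "watch", "get"]` on every listed resource, including `pods/proxy`, and the ClusterRoleBinding makes that cluster-wide. `get` on `pods/proxy` lets the cni-metrics-helper service account send HTTP requests to any pod in any namespace through the API server proxy, which is well beyond what is needed if the helper only reaches the aws-node pods in `kube-system`. Either document in the chart why the cluster-wide grant is required, or put `pods/proxy` in its own rule so it can be narrowed (a Role plus RoleBinding in `kube-system` for the proxy verb, leaving the read-only list/watch rules in the ClusterRole). Separately, the Deployment's container has no `securityContext` (no `runAsNonRoot`, `readOnlyRootFilesystem` or dropped capabilities), no `resources`, and no `imagePullPolicy`, and the image is pinned by tag `v1.10.0` only; a helper that holds a cluster-wide proxy permission deserves at least a non-root, read-only-rootfs pod spec and a digest pin. The same applies to the us-gov-east-1 and us-gov-west-1 files.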
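Review bot: In the manifests.jsonnet hunk the `timeoutSeconds: 5` field and the `-connect-timeout=2s` / `-rpc-timeout=2s` flags are added to `readinessProbe` only, but `livenessProbe: self.readinessProbe + { initialDelaySeconds: 60,` means the liveness probe inherits both the 5 s kubelet timeout and the 4 s worst-case probe budget. That looks intended (2 s + 2 s fits inside 5 s), but add a comment in the jsonnet saying the two flag values must stay below `timeoutSeconds`, because raising one later without the other turns a slow ipamd gRPC reply into a liveness failure and a restart of the aws-node container rather than a mere not-ready condition. Also confirm that the `/app/grpc-health-probe` binary shipped in the image is a version that accepts `-connect-timeout` and `-rpc-timeout`; an unknown flag makes the probe exit non-zero and the pod never becomes ready. The YAML manifests rendered from this file need the same change committed alongside it.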
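Review bot: In the first README.md hunk of the second patch, the backtick section name is replaced by the absolute URL https://github.com/aws/amazon-vpc-cni-k8s#vpc-cni-feature-matrix while the sentence still says "section below". The commit message states this is for the release1.10 branch; an absolute URL resolves to the README on the repository's default branch, so a reader of the branch, a tag, a fork or a downloaded copy is sent to a different version of the document than the one in front of them, and "below" is no longer true. Use the relative anchor `[VPC CNI Feature Matrix](#vpc-cni-feature-matrix)` so the link stays within the file being read.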
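Review bot: Same point for the second README.md hunk (`@@ -597,7`): both links, `https://github.com/aws/amazon-vpc-cni-k8s#iam-policy` and `https://github.com/aws/amazon-vpc-cni-k8s#vpc-cni-feature-matrix`, should be the relative anchors `(#iam-policy)` and `(#vpc-cni-feature-matrix)`, since the text around them still says "section above" and "section below" and the IAM policy that applies to a 1.10 release branch is the one documented in that branch's README, not master's.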