message

2023-06-26 18:04:29 +02:00 · 2023-06-26 18:04:29 +02:00 · e8cdf3c2dd
commit e8cdf3c2dd
parent 50bf7f4975
1 changed files with 64 additions and 10 deletions
--- a/calico.yaml
+++ b/calico.yaml
@ -1,8 +1,6 @@
 ---
 # Source: calico/templates/calico-kube-controllers.yaml
 # This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict
-#
-# this is where this comes from: https://github.com/projectcalico/calico/blob/master/manifests/calico.yaml

 apiVersion: policy/v1
 kind: PodDisruptionBudget
@ -31,6 +29,13 @@ metadata:
  name: calico-node
  namespace: kube-system
 ---
+# Source: calico/templates/calico-node.yaml
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: calico-cni-plugin
+  namespace: kube-system
+---
 # Source: calico/templates/calico-config.yaml
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap
@ -1015,7 +1020,7 @@ spec:
                description: 'BPFEnforceRPF enforce strict RPF on all host interfaces
                  with BPF programs regardless of what is the per-interfaces or global
                  setting. Possible values are Disabled, Strict or Loose. [Default:
-                  Strict]'
+                  Loose]'
                type: string
              bpfExtToServiceConnmark:
                description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit
@ -4356,7 +4361,7 @@ rules:
    resources:
      - serviceaccounts/token
    resourceNames:
-      - calico-node
+      - calico-cni-plugin
    verbs:
      - create
  # The CNI plugin needs to get pods, nodes, and namespaces.
@ -4373,7 +4378,7 @@ rules:
    resources:
      - endpointslices
    verbs:
-      - watch 
+      - watch
      - list
  - apiGroups: [""]
    resources:
@ -4511,6 +4516,41 @@ rules:
    verbs:
      - get
 ---
+# Source: calico/templates/calico-node-rbac.yaml
+# CNI cluster role
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: calico-cni-plugin
+rules:
+  - apiGroups: [""]
+    resources:
+      - pods
+      - nodes
+      - namespaces
+    verbs:
+      - get
+  - apiGroups: [""]
+    resources:
+      - pods/status
+    verbs:
+      - patch
+  - apiGroups: ["crd.projectcalico.org"]
+    resources:
+      - blockaffinities
+      - ipamblocks
+      - ipamhandles
+      - clusterinformations
+      - ippools
+      - ipreservations
+      - ipamconfigs
+    verbs:
+      - get
+      - list
+      - create
+      - update
+      - delete
+---
 # Source: calico/templates/calico-kube-controllers-rbac.yaml
 kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
@ -4539,6 +4579,20 @@ subjects:
  name: calico-node
  namespace: kube-system
 ---
+# Source: calico/templates/calico-node-rbac.yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: calico-cni-plugin
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: calico-cni-plugin
+subjects:
+- kind: ServiceAccount
+  name: calico-cni-plugin
+  namespace: kube-system
+---
 # Source: calico/templates/calico-node.yaml
 # This manifest installs the calico-node container, as well
 # as the CNI plugins and network config on
@ -4585,7 +4639,7 @@ spec:
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        - name: upgrade-ipam
-          image: docker.io/calico/cni:master
+          image: docker.io/calico/cni:v3.26.0
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          envFrom:
@ -4613,7 +4667,7 @@ spec:
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
-          image: docker.io/calico/cni:master
+          image: docker.io/calico/cni:v3.26.0
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/install"]
          envFrom:
@ -4656,7 +4710,7 @@ spec:
        # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed
        # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode.
        - name: "mount-bpffs"
-          image: docker.io/calico/node:master
+          image: docker.io/calico/node:v3.26.0
          imagePullPolicy: IfNotPresent
          command: ["calico-node", "-init", "-best-effort"]
          volumeMounts:
@ -4682,7 +4736,7 @@ spec:
        # container programs network policy and routes on each
        # host.
        - name: calico-node
-          image: docker.io/calico/node:master
+          image: docker.io/calico/node:v3.26.0
          imagePullPolicy: IfNotPresent
          envFrom:
          - configMapRef:
@ -4899,7 +4953,7 @@ spec:
      priorityClassName: system-cluster-critical
      containers:
        - name: calico-kube-controllers
-          image: docker.io/calico/kube-controllers:master
+          image: docker.io/calico/kube-controllers:v3.26.0
          imagePullPolicy: IfNotPresent
          env:
            # Choose which controllers to run.