• 部署 Flannel

    部署 Flannel

    记集群网段为 CLUSTER_CIDR:

    1. CLUSTER_CIDR=10.10.0.0/16

    创建 flannel 资源文件:

    1. cat <<EOF | sudo tee kube-flannel.yml
    2. apiVersion: policy/v1beta1
    3. kind: PodSecurityPolicy
    4. metadata:
    5.   name: psp.flannel.unprivileged
    6.   annotations:
    7.     seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
    8.     seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
    9.     apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
    10.     apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    11. spec:
    12.   privileged: false
    13.   volumes:
    14.     - configMap
    15.     - secret
    16.     - emptyDir
    17.     - hostPath
    18.   allowedHostPaths:
    19.     - pathPrefix: "/etc/cni/net.d"
    20.     - pathPrefix: "/etc/kube-flannel"
    21.     - pathPrefix: "/run/flannel"
    22.   readOnlyRootFilesystem: false
    23.   # Users and groups
    24.   runAsUser:
    25.     rule: RunAsAny
    26.   supplementalGroups:
    27.     rule: RunAsAny
    28.   fsGroup:
    29.     rule: RunAsAny
    30.   # Privilege Escalation
    31.   allowPrivilegeEscalation: false
    32.   defaultAllowPrivilegeEscalation: false
    33.   # Capabilities
    34.   allowedCapabilities: ['NET_ADMIN']
    35.   defaultAddCapabilities: []
    36.   requiredDropCapabilities: []
    37.   # Host namespaces
    38.   hostPID: false
    39.   hostIPC: false
    40.   hostNetwork: true
    41.   hostPorts:
    42.   - min: 0
    43.     max: 65535
    44.   # SELinux
    45.   seLinux:
    46.     # SELinux is unsed in CaaSP
    47.     rule: 'RunAsAny'
    48. ---
    49. kind: ClusterRole
    50. apiVersion: rbac.authorization.k8s.io/v1beta1
    51. metadata:
    52.   name: flannel
    53. rules:
    54.   - apiGroups: ['extensions']
    55.     resources: ['podsecuritypolicies']
    56.     verbs: ['use']
    57.     resourceNames: ['psp.flannel.unprivileged']
    58.   - apiGroups:
    59.       - ""
    60.     resources:
    61.       - pods
    62.     verbs:
    63.       - get
    64.   - apiGroups:
    65.       - ""
    66.     resources:
    67.       - nodes
    68.     verbs:
    69.       - list
    70.       - watch
    71.   - apiGroups:
    72.       - ""
    73.     resources:
    74.       - nodes/status
    75.     verbs:
    76.       - patch
    77. ---
    78. kind: ClusterRoleBinding
    79. apiVersion: rbac.authorization.k8s.io/v1beta1
    80. metadata:
    81.   name: flannel
    82. roleRef:
    83.   apiGroup: rbac.authorization.k8s.io
    84.   kind: ClusterRole
    85.   name: flannel
    86. subjects:
    87. - kind: ServiceAccount
    88.   name: flannel
    89.   namespace: kube-system
    90. ---
    91. apiVersion: v1
    92. kind: ServiceAccount
    93. metadata:
    94.   name: flannel
    95.   namespace: kube-system
    96. ---
    97. kind: ConfigMap
    98. apiVersion: v1
    99. metadata:
    100.   name: kube-flannel-cfg
    101.   namespace: kube-system
    102.   labels:
    103.     tier: node
    104.     app: flannel
    105. data:
    106.   cni-conf.json: |
    107.     {
    108.       "cniVersion": "0.2.0",
    109.       "name": "cbr0",
    110.       "plugins": [
    111.         {
    112.           "type": "flannel",
    113.           "delegate": {
    114.             "hairpinMode": true,
    115.             "isDefaultGateway": true
    116.           }
    117.         },
    118.         {
    119.           "type": "portmap",
    120.           "capabilities": {
    121.             "portMappings": true
    122.           }
    123.         }
    124.       ]
    125.     }
    126.   net-conf.json: |
    127.     {
    128.       "Network": "${CLUSTER_CIDR}",
    129.       "Backend": {
    130.         "Type": "vxlan"
    131.       }
    132.     }
    133. ---
    134. apiVersion: apps/v1
    135. kind: DaemonSet
    136. metadata:
    137.   name: kube-flannel-ds-amd64
    138.   namespace: kube-system
    139.   labels:
    140.     tier: node
    141.     app: flannel
    142. spec:
    143.   selector:
    144.     matchLabels:
    145.       app: flannel
    146.   template:
    147.     metadata:
    148.       labels:
    149.         tier: node
    150.         app: flannel
    151.     spec:
    152.       affinity:
    153.         nodeAffinity:
    154.           requiredDuringSchedulingIgnoredDuringExecution:
    155.             nodeSelectorTerms:
    156.               - matchExpressions:
    157.                   - key: beta.kubernetes.io/os
    158.                     operator: In
    159.                     values:
    160.                       - linux
    161.                   - key: beta.kubernetes.io/arch
    162.                     operator: In
    163.                     values:
    164.                       - amd64
    165.       hostNetwork: true
    166.       tolerations:
    167.       - operator: Exists
    168.         effect: NoSchedule
    169.       serviceAccountName: flannel
    170.       initContainers:
    171.       - name: install-cni
    172.         image: quay.io/coreos/flannel:v0.11.0-amd64
    173.         command:
    174.         - cp
    175.         args:
    176.         - -f
    177.         - /etc/kube-flannel/cni-conf.json
    178.         - /etc/cni/net.d/10-flannel.conflist
    179.         volumeMounts:
    180.         - name: cni
    181.           mountPath: /etc/cni/net.d
    182.         - name: flannel-cfg
    183.           mountPath: /etc/kube-flannel/
    184.       containers:
    185.       - name: kube-flannel
    186.         image: quay.io/coreos/flannel:v0.11.0-amd64
    187.         command:
    188.         - /opt/bin/flanneld
    189.         args:
    190.         - --ip-masq
    191.         - --kube-subnet-mgr
    192.         resources:
    193.           requests:
    194.             cpu: "100m"
    195.             memory: "50Mi"
    196.           limits:
    197.             cpu: "100m"
    198.             memory: "50Mi"
    199.         securityContext:
    200.           privileged: false
    201.           capabilities:
    202.              add: ["NET_ADMIN"]
    203.         env:
    204.         - name: POD_NAME
    205.           valueFrom:
    206.             fieldRef:
    207.               fieldPath: metadata.name
    208.         - name: POD_NAMESPACE
    209.           valueFrom:
    210.             fieldRef:
    211.               fieldPath: metadata.namespace
    212.         volumeMounts:
    213.         - name: run
    214.           mountPath: /run/flannel
    215.         - name: flannel-cfg
    216.           mountPath: /etc/kube-flannel/
    217.       volumes:
    218.         - name: run
    219.           hostPath:
    220.             path: /run/flannel
    221.         - name: cni
    222.           hostPath:
    223.             path: /etc/cni/net.d
    224.         - name: flannel-cfg
    225.           configMap:
    226.             name: kube-flannel-cfg
    227. ---
    228. apiVersion: apps/v1
    229. kind: DaemonSet
    230. metadata:
    231.   name: kube-flannel-ds-arm64
    232.   namespace: kube-system
    233.   labels:
    234.     tier: node
    235.     app: flannel
    236. spec:
    237.   selector:
    238.     matchLabels:
    239.       app: flannel
    240.   template:
    241.     metadata:
    242.       labels:
    243.         tier: node
    244.         app: flannel
    245.     spec:
    246.       affinity:
    247.         nodeAffinity:
    248.           requiredDuringSchedulingIgnoredDuringExecution:
    249.             nodeSelectorTerms:
    250.               - matchExpressions:
    251.                   - key: beta.kubernetes.io/os
    252.                     operator: In
    253.                     values:
    254.                       - linux
    255.                   - key: beta.kubernetes.io/arch
    256.                     operator: In
    257.                     values:
    258.                       - arm64
    259.       hostNetwork: true
    260.       tolerations:
    261.       - operator: Exists
    262.         effect: NoSchedule
    263.       serviceAccountName: flannel
    264.       initContainers:
    265.       - name: install-cni
    266.         image: quay.io/coreos/flannel:v0.11.0-arm64
    267.         command:
    268.         - cp
    269.         args:
    270.         - -f
    271.         - /etc/kube-flannel/cni-conf.json
    272.         - /etc/cni/net.d/10-flannel.conflist
    273.         volumeMounts:
    274.         - name: cni
    275.           mountPath: /etc/cni/net.d
    276.         - name: flannel-cfg
    277.           mountPath: /etc/kube-flannel/
    278.       containers:
    279.       - name: kube-flannel
    280.         image: quay.io/coreos/flannel:v0.11.0-arm64
    281.         command:
    282.         - /opt/bin/flanneld
    283.         args:
    284.         - --ip-masq
    285.         - --kube-subnet-mgr
    286.         resources:
    287.           requests:
    288.             cpu: "100m"
    289.             memory: "50Mi"
    290.           limits:
    291.             cpu: "100m"
    292.             memory: "50Mi"
    293.         securityContext:
    294.           privileged: false
    295.           capabilities:
    296.              add: ["NET_ADMIN"]
    297.         env:
    298.         - name: POD_NAME
    299.           valueFrom:
    300.             fieldRef:
    301.               fieldPath: metadata.name
    302.         - name: POD_NAMESPACE
    303.           valueFrom:
    304.             fieldRef:
    305.               fieldPath: metadata.namespace
    306.         volumeMounts:
    307.         - name: run
    308.           mountPath: /run/flannel
    309.         - name: flannel-cfg
    310.           mountPath: /etc/kube-flannel/
    311.       volumes:
    312.         - name: run
    313.           hostPath:
    314.             path: /run/flannel
    315.         - name: cni
    316.           hostPath:
    317.             path: /etc/cni/net.d
    318.         - name: flannel-cfg
    319.           configMap:
    320.             name: kube-flannel-cfg
    321. ---
    322. apiVersion: apps/v1
    323. kind: DaemonSet
    324. metadata:
    325.   name: kube-flannel-ds-arm
    326.   namespace: kube-system
    327.   labels:
    328.     tier: node
    329.     app: flannel
    330. spec:
    331.   selector:
    332.     matchLabels:
    333.       app: flannel
    334.   template:
    335.     metadata:
    336.       labels:
    337.         tier: node
    338.         app: flannel
    339.     spec:
    340.       affinity:
    341.         nodeAffinity:
    342.           requiredDuringSchedulingIgnoredDuringExecution:
    343.             nodeSelectorTerms:
    344.               - matchExpressions:
    345.                   - key: beta.kubernetes.io/os
    346.                     operator: In
    347.                     values:
    348.                       - linux
    349.                   - key: beta.kubernetes.io/arch
    350.                     operator: In
    351.                     values:
    352.                       - arm
    353.       hostNetwork: true
    354.       tolerations:
    355.       - operator: Exists
    356.         effect: NoSchedule
    357.       serviceAccountName: flannel
    358.       initContainers:
    359.       - name: install-cni
    360.         image: quay.io/coreos/flannel:v0.11.0-arm
    361.         command:
    362.         - cp
    363.         args:
    364.         - -f
    365.         - /etc/kube-flannel/cni-conf.json
    366.         - /etc/cni/net.d/10-flannel.conflist
    367.         volumeMounts:
    368.         - name: cni
    369.           mountPath: /etc/cni/net.d
    370.         - name: flannel-cfg
    371.           mountPath: /etc/kube-flannel/
    372.       containers:
    373.       - name: kube-flannel
    374.         image: quay.io/coreos/flannel:v0.11.0-arm
    375.         command:
    376.         - /opt/bin/flanneld
    377.         args:
    378.         - --ip-masq
    379.         - --kube-subnet-mgr
    380.         resources:
    381.           requests:
    382.             cpu: "100m"
    383.             memory: "50Mi"
    384.           limits:
    385.             cpu: "100m"
    386.             memory: "50Mi"
    387.         securityContext:
    388.           privileged: false
    389.           capabilities:
    390.              add: ["NET_ADMIN"]
    391.         env:
    392.         - name: POD_NAME
    393.           valueFrom:
    394.             fieldRef:
    395.               fieldPath: metadata.name
    396.         - name: POD_NAMESPACE
    397.           valueFrom:
    398.             fieldRef:
    399.               fieldPath: metadata.namespace
    400.         volumeMounts:
    401.         - name: run
    402.           mountPath: /run/flannel
    403.         - name: flannel-cfg
    404.           mountPath: /etc/kube-flannel/
    405.       volumes:
    406.         - name: run
    407.           hostPath:
    408.             path: /run/flannel
    409.         - name: cni
    410.           hostPath:
    411.             path: /etc/cni/net.d
    412.         - name: flannel-cfg
    413.           configMap:
    414.             name: kube-flannel-cfg
    415. ---
    416. apiVersion: apps/v1
    417. kind: DaemonSet
    418. metadata:
    419.   name: kube-flannel-ds-ppc64le
    420.   namespace: kube-system
    421.   labels:
    422.     tier: node
    423.     app: flannel
    424. spec:
    425.   selector:
    426.     matchLabels:
    427.       app: flannel
    428.   template:
    429.     metadata:
    430.       labels:
    431.         tier: node
    432.         app: flannel
    433.     spec:
    434.       affinity:
    435.         nodeAffinity:
    436.           requiredDuringSchedulingIgnoredDuringExecution:
    437.             nodeSelectorTerms:
    438.               - matchExpressions:
    439.                   - key: beta.kubernetes.io/os
    440.                     operator: In
    441.                     values:
    442.                       - linux
    443.                   - key: beta.kubernetes.io/arch
    444.                     operator: In
    445.                     values:
    446.                       - ppc64le
    447.       hostNetwork: true
    448.       tolerations:
    449.       - operator: Exists
    450.         effect: NoSchedule
    451.       serviceAccountName: flannel
    452.       initContainers:
    453.       - name: install-cni
    454.         image: quay.io/coreos/flannel:v0.11.0-ppc64le
    455.         command:
    456.         - cp
    457.         args:
    458.         - -f
    459.         - /etc/kube-flannel/cni-conf.json
    460.         - /etc/cni/net.d/10-flannel.conflist
    461.         volumeMounts:
    462.         - name: cni
    463.           mountPath: /etc/cni/net.d
    464.         - name: flannel-cfg
    465.           mountPath: /etc/kube-flannel/
    466.       containers:
    467.       - name: kube-flannel
    468.         image: quay.io/coreos/flannel:v0.11.0-ppc64le
    469.         command:
    470.         - /opt/bin/flanneld
    471.         args:
    472.         - --ip-masq
    473.         - --kube-subnet-mgr
    474.         resources:
    475.           requests:
    476.             cpu: "100m"
    477.             memory: "50Mi"
    478.           limits:
    479.             cpu: "100m"
    480.             memory: "50Mi"
    481.         securityContext:
    482.           privileged: false
    483.           capabilities:
    484.              add: ["NET_ADMIN"]
    485.         env:
    486.         - name: POD_NAME
    487.           valueFrom:
    488.             fieldRef:
    489.               fieldPath: metadata.name
    490.         - name: POD_NAMESPACE
    491.           valueFrom:
    492.             fieldRef:
    493.               fieldPath: metadata.namespace
    494.         volumeMounts:
    495.         - name: run
    496.           mountPath: /run/flannel
    497.         - name: flannel-cfg
    498.           mountPath: /etc/kube-flannel/
    499.       volumes:
    500.         - name: run
    501.           hostPath:
    502.             path: /run/flannel
    503.         - name: cni
    504.           hostPath:
    505.             path: /etc/cni/net.d
    506.         - name: flannel-cfg
    507.           configMap:
    508.             name: kube-flannel-cfg
    509. ---
    510. apiVersion: apps/v1
    511. kind: DaemonSet
    512. metadata:
    513.   name: kube-flannel-ds-s390x
    514.   namespace: kube-system
    515.   labels:
    516.     tier: node
    517.     app: flannel
    518. spec:
    519.   selector:
    520.     matchLabels:
    521.       app: flannel
    522.   template:
    523.     metadata:
    524.       labels:
    525.         tier: node
    526.         app: flannel
    527.     spec:
    528.       affinity:
    529.         nodeAffinity:
    530.           requiredDuringSchedulingIgnoredDuringExecution:
    531.             nodeSelectorTerms:
    532.               - matchExpressions:
    533.                   - key: beta.kubernetes.io/os
    534.                     operator: In
    535.                     values:
    536.                       - linux
    537.                   - key: beta.kubernetes.io/arch
    538.                     operator: In
    539.                     values:
    540.                       - s390x
    541.       hostNetwork: true
    542.       tolerations:
    543.       - operator: Exists
    544.         effect: NoSchedule
    545.       serviceAccountName: flannel
    546.       initContainers:
    547.       - name: install-cni
    548.         image: quay.io/coreos/flannel:v0.11.0-s390x
    549.         command:
    550.         - cp
    551.         args:
    552.         - -f
    553.         - /etc/kube-flannel/cni-conf.json
    554.         - /etc/cni/net.d/10-flannel.conflist
    555.         volumeMounts:
    556.         - name: cni
    557.           mountPath: /etc/cni/net.d
    558.         - name: flannel-cfg
    559.           mountPath: /etc/kube-flannel/
    560.       containers:
    561.       - name: kube-flannel
    562.         image: quay.io/coreos/flannel:v0.11.0-s390x
    563.         command:
    564.         - /opt/bin/flanneld
    565.         args:
    566.         - --ip-masq
    567.         - --kube-subnet-mgr
    568.         resources:
    569.           requests:
    570.             cpu: "100m"
    571.             memory: "50Mi"
    572.           limits:
    573.             cpu: "100m"
    574.             memory: "50Mi"
    575.         securityContext:
    576.           privileged: false
    577.           capabilities:
    578.              add: ["NET_ADMIN"]
    579.         env:
    580.         - name: POD_NAME
    581.           valueFrom:
    582.             fieldRef:
    583.               fieldPath: metadata.name
    584.         - name: POD_NAMESPACE
    585.           valueFrom:
    586.             fieldRef:
    587.               fieldPath: metadata.namespace
    588.         volumeMounts:
    589.         - name: run
    590.           mountPath: /run/flannel
    591.         - name: flannel-cfg
    592.           mountPath: /etc/kube-flannel/
    593.       volumes:
    594.         - name: run
    595.           hostPath:
    596.             path: /run/flannel
    597.         - name: cni
    598.           hostPath:
    599.             path: /etc/cni/net.d
    600.         - name: flannel-cfg
    601.           configMap:
    602.             name: kube-flannel-cfg
    603. EOF

    部署:

    1. kubectl apply -f kube-flannel.yml

    以上资源文件参考 flannel 官方: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml (仅提取了 CLUSTER_CIDR 变量)