
    部署 Flannel

    记集群网段为 CLUSTER_CIDR:

    1. CLUSTER_CIDR=10.10.0.0/16

    创建 flannel 资源文件:

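    cat <<EOF | sudo tee kube-flannel.yml
    # Flannel manifest as shipped upstream; the heredoc delimiter is unquoted, so
    # the shell substitutes ${CLUSTER_CIDR} (net-conf.json below) when this file
    # is written. Everything else is passed through verbatim.
    ---
    # PodSecurityPolicy the flannel ServiceAccount is granted "use" on (see the
    # ClusterRole below). It allows only what the DaemonSets further down request:
    # host networking, the NET_ADMIN capability and three hostPath prefixes.
    # privileged and privilege escalation stay off. PodSecurityPolicy is a beta
    # API; confirm the target cluster version still serves policy/v1beta1.
    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: psp.flannel.unprivileged
      annotations:
        seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
        seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
        apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
        apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
    spec:
      privileged: false
      volumes:
        - configMap
        - secret
        - emptyDir
        - hostPath
      # Host paths the pod may mount. No readOnly flag is set, so mounts under
      # these prefixes may be read-write; the init container relies on that to
      # copy the CNI config into /etc/cni/net.d.
      allowedHostPaths:
        - pathPrefix: "/etc/cni/net.d"
        - pathPrefix: "/etc/kube-flannel"
        - pathPrefix: "/run/flannel"
      readOnlyRootFilesystem: false
      # Users and groups
      runAsUser:
        rule: RunAsAny
      supplementalGroups:
        rule: RunAsAny
      fsGroup:
        rule: RunAsAny
      # Privilege Escalation
      allowPrivilegeEscalation: false
      defaultAllowPrivilegeEscalation: false
      # Capabilities: NET_ADMIN is the only capability a pod may add, and it is
      # not added by default.
      allowedCapabilities: ['NET_ADMIN']
      defaultAddCapabilities: []
      requiredDropCapabilities: []
      # Host namespaces: only the network namespace is shared with the host.
      hostPID: false
      hostIPC: false
      hostNetwork: true
      # Full host port range is permitted.
      hostPorts:
        - min: 0
          max: 65535
      # SELinux
      seLinux:
        # SELinux is unused in CaaSP
        rule: 'RunAsAny'
    ---
    # RBAC for the kube-subnet-mgr mode: use the PSP above, read pods, list/watch
    # nodes and patch nodes/status. Nothing broader is granted.
    kind: ClusterRole
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: flannel
    rules:
      - apiGroups: ['extensions']
        resources: ['podsecuritypolicies']
        verbs: ['use']
        resourceNames: ['psp.flannel.unprivileged']
      - apiGroups:
          - ""
        resources:
          - pods
        verbs:
          - get
      - apiGroups:
          - ""
        resources:
          - nodes
        verbs:
          - list
          - watch
      - apiGroups:
          - ""
        resources:
          - nodes/status
        verbs:
          - patch
    ---
    kind: ClusterRoleBinding
    apiVersion: rbac.authorization.k8s.io/v1beta1
    metadata:
      name: flannel
    roleRef:
      apiGroup: rbac.authorization.k8s.io
      kind: ClusterRole
      name: flannel
    subjects:
      - kind: ServiceAccount
        name: flannel
        namespace: kube-system
    ---
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: flannel
      namespace: kube-system
    ---
    # CNI and flannel network configuration, mounted into every flannel pod.
    kind: ConfigMap
    apiVersion: v1
    metadata:
      name: kube-flannel-cfg
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    data:
      cni-conf.json: |
        {
          "cniVersion": "0.2.0",
          "name": "cbr0",
          "plugins": [
            {
              "type": "flannel",
              "delegate": {
                "hairpinMode": true,
                "isDefaultGateway": true
              }
            },
            {
              "type": "portmap",
              "capabilities": {
                "portMappings": true
              }
            }
          ]
        }
      # ${CLUSTER_CIDR} is expanded by the shell at heredoc time (see the top of
      # this file); it must already be set when the command runs.
      net-conf.json: |
        {
          "Network": "${CLUSTER_CIDR}",
          "Backend": {
            "Type": "vxlan"
          }
        }
    ---
    # One DaemonSet per CPU architecture. The five below are identical except for
    # the beta.kubernetes.io/arch selector value and the image tag suffix.
    # Images are pinned by tag only, not by digest.
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: kube-flannel-ds-amd64
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    spec:
      selector:
        matchLabels:
          app: flannel
      template:
        metadata:
          labels:
            tier: node
            app: flannel
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/os
                        operator: In
                        values:
                          - linux
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - amd64
          # Host networking plus NET_ADMIN (below) is exactly the privilege set
          # the PodSecurityPolicy at the top of this file allows.
          hostNetwork: true
          tolerations:
            - operator: Exists
              effect: NoSchedule
          serviceAccountName: flannel
          initContainers:
            # Copies the CNI config from the ConfigMap onto the host's CNI dir.
            - name: install-cni
              image: quay.io/coreos/flannel:v0.11.0-amd64
              command:
                - cp
              args:
                - -f
                - /etc/kube-flannel/cni-conf.json
                - /etc/cni/net.d/10-flannel.conflist
              volumeMounts:
                - name: cni
                  mountPath: /etc/cni/net.d
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          containers:
            - name: kube-flannel
              image: quay.io/coreos/flannel:v0.11.0-amd64
              command:
                - /opt/bin/flanneld
              args:
                - --ip-masq
                - --kube-subnet-mgr
              resources:
                requests:
                  cpu: "100m"
                  memory: "50Mi"
                limits:
                  cpu: "100m"
                  memory: "50Mi"
              securityContext:
                privileged: false
                capabilities:
                  add: ["NET_ADMIN"]
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              volumeMounts:
                - name: run
                  mountPath: /run/flannel
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          volumes:
            - name: run
              hostPath:
                path: /run/flannel
            - name: cni
              hostPath:
                path: /etc/cni/net.d
            - name: flannel-cfg
              configMap:
                name: kube-flannel-cfg
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: kube-flannel-ds-arm64
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    spec:
      selector:
        matchLabels:
          app: flannel
      template:
        metadata:
          labels:
            tier: node
            app: flannel
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/os
                        operator: In
                        values:
                          - linux
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - arm64
          hostNetwork: true
          tolerations:
            - operator: Exists
              effect: NoSchedule
          serviceAccountName: flannel
          initContainers:
            - name: install-cni
              image: quay.io/coreos/flannel:v0.11.0-arm64
              command:
                - cp
              args:
                - -f
                - /etc/kube-flannel/cni-conf.json
                - /etc/cni/net.d/10-flannel.conflist
              volumeMounts:
                - name: cni
                  mountPath: /etc/cni/net.d
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          containers:
            - name: kube-flannel
              image: quay.io/coreos/flannel:v0.11.0-arm64
              command:
                - /opt/bin/flanneld
              args:
                - --ip-masq
                - --kube-subnet-mgr
              resources:
                requests:
                  cpu: "100m"
                  memory: "50Mi"
                limits:
                  cpu: "100m"
                  memory: "50Mi"
              securityContext:
                privileged: false
                capabilities:
                  add: ["NET_ADMIN"]
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              volumeMounts:
                - name: run
                  mountPath: /run/flannel
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          volumes:
            - name: run
              hostPath:
                path: /run/flannel
            - name: cni
              hostPath:
                path: /etc/cni/net.d
            - name: flannel-cfg
              configMap:
                name: kube-flannel-cfg
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: kube-flannel-ds-arm
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    spec:
      selector:
        matchLabels:
          app: flannel
      template:
        metadata:
          labels:
            tier: node
            app: flannel
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/os
                        operator: In
                        values:
                          - linux
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - arm
          hostNetwork: true
          tolerations:
            - operator: Exists
              effect: NoSchedule
          serviceAccountName: flannel
          initContainers:
            - name: install-cni
              image: quay.io/coreos/flannel:v0.11.0-arm
              command:
                - cp
              args:
                - -f
                - /etc/kube-flannel/cni-conf.json
                - /etc/cni/net.d/10-flannel.conflist
              volumeMounts:
                - name: cni
                  mountPath: /etc/cni/net.d
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          containers:
            - name: kube-flannel
              image: quay.io/coreos/flannel:v0.11.0-arm
              command:
                - /opt/bin/flanneld
              args:
                - --ip-masq
                - --kube-subnet-mgr
              resources:
                requests:
                  cpu: "100m"
                  memory: "50Mi"
                limits:
                  cpu: "100m"
                  memory: "50Mi"
              securityContext:
                privileged: false
                capabilities:
                  add: ["NET_ADMIN"]
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              volumeMounts:
                - name: run
                  mountPath: /run/flannel
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          volumes:
            - name: run
              hostPath:
                path: /run/flannel
            - name: cni
              hostPath:
                path: /etc/cni/net.d
            - name: flannel-cfg
              configMap:
                name: kube-flannel-cfg
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: kube-flannel-ds-ppc64le
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    spec:
      selector:
        matchLabels:
          app: flannel
      template:
        metadata:
          labels:
            tier: node
            app: flannel
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/os
                        operator: In
                        values:
                          - linux
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - ppc64le
          hostNetwork: true
          tolerations:
            - operator: Exists
              effect: NoSchedule
          serviceAccountName: flannel
          initContainers:
            - name: install-cni
              image: quay.io/coreos/flannel:v0.11.0-ppc64le
              command:
                - cp
              args:
                - -f
                - /etc/kube-flannel/cni-conf.json
                - /etc/cni/net.d/10-flannel.conflist
              volumeMounts:
                - name: cni
                  mountPath: /etc/cni/net.d
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          containers:
            - name: kube-flannel
              image: quay.io/coreos/flannel:v0.11.0-ppc64le
              command:
                - /opt/bin/flanneld
              args:
                - --ip-masq
                - --kube-subnet-mgr
              resources:
                requests:
                  cpu: "100m"
                  memory: "50Mi"
                limits:
                  cpu: "100m"
                  memory: "50Mi"
              securityContext:
                privileged: false
                capabilities:
                  add: ["NET_ADMIN"]
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              volumeMounts:
                - name: run
                  mountPath: /run/flannel
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          volumes:
            - name: run
              hostPath:
                path: /run/flannel
            - name: cni
              hostPath:
                path: /etc/cni/net.d
            - name: flannel-cfg
              configMap:
                name: kube-flannel-cfg
    ---
    apiVersion: apps/v1
    kind: DaemonSet
    metadata:
      name: kube-flannel-ds-s390x
      namespace: kube-system
      labels:
        tier: node
        app: flannel
    spec:
      selector:
        matchLabels:
          app: flannel
      template:
        metadata:
          labels:
            tier: node
            app: flannel
        spec:
          affinity:
            nodeAffinity:
              requiredDuringSchedulingIgnoredDuringExecution:
                nodeSelectorTerms:
                  - matchExpressions:
                      - key: beta.kubernetes.io/os
                        operator: In
                        values:
                          - linux
                      - key: beta.kubernetes.io/arch
                        operator: In
                        values:
                          - s390x
          hostNetwork: true
          tolerations:
            - operator: Exists
              effect: NoSchedule
          serviceAccountName: flannel
          initContainers:
            - name: install-cni
              image: quay.io/coreos/flannel:v0.11.0-s390x
              command:
                - cp
              args:
                - -f
                - /etc/kube-flannel/cni-conf.json
                - /etc/cni/net.d/10-flannel.conflist
              volumeMounts:
                - name: cni
                  mountPath: /etc/cni/net.d
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          containers:
            - name: kube-flannel
              image: quay.io/coreos/flannel:v0.11.0-s390x
              command:
                - /opt/bin/flanneld
              args:
                - --ip-masq
                - --kube-subnet-mgr
              resources:
                requests:
                  cpu: "100m"
                  memory: "50Mi"
                limits:
                  cpu: "100m"
                  memory: "50Mi"
              securityContext:
                privileged: false
                capabilities:
                  add: ["NET_ADMIN"]
              env:
                - name: POD_NAME
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.name
                - name: POD_NAMESPACE
                  valueFrom:
                    fieldRef:
                      fieldPath: metadata.namespace
              volumeMounts:
                - name: run
                  mountPath: /run/flannel
                - name: flannel-cfg
                  mountPath: /etc/kube-flannel/
          volumes:
            - name: run
              hostPath:
                path: /run/flannel
            - name: cni
              hostPath:
                path: /etc/cni/net.d
            - name: flannel-cfg
              configMap:
                name: kube-flannel-cfg
    EOF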

    部署:

    1. kubectl apply -f kube-flannel.yml

    以上资源文件参考 flannel 官方 master 分支的 kube-flannel.yml (该链接不固定版本, 内容可能已与上文 v0.11.0 的清单不同): https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml (仅将集群网段提取为 CLUSTER_CIDR 变量, 其余内容未改动)