From 11d4f5396d261cbc35c136147e013cdbd9420e47 Mon Sep 17 00:00:00 2001 From: Adrien Reslinger Date: Wed, 20 Jul 2022 01:32:06 +0200 Subject: [PATCH] Update to version v3.23.3
--- .../calico-kube-controllers-Deployment.yaml | 2 +- templates/calico-node-ClusterRole.yaml | 16 +++---- templates/calico-node-DaemonSet.yaml | 47 +++++++++++++++---- templates/calicoctl-Pod.yaml | 2 +- templates/calicoctl-ServiceAccount.yaml | 6 +-- 5 files changed, 51 insertions(+), 22 deletions(-)
diff --git a/templates/calico-kube-controllers-Deployment.yaml b/templates/calico-kube-controllers-Deployment.yaml
index 4e00f25..0115427 100644
--- a/templates/calico-kube-controllers-Deployment.yaml
+++ b/templates/calico-kube-controllers-Deployment.yaml
@@ -34,7 +34,7 @@ spec: priorityClassName: system-cluster-critical containers: - name: calico-kube-controllers - image: docker.io/calico/kube-controllers:v3.23.2 + image: docker.io/calico/kube-controllers:v3.23.3 env: # Choose which controllers to run. - name: ENABLED_CONTROLLERS
diff --git a/templates/calico-node-ClusterRole.yaml b/templates/calico-node-ClusterRole.yaml
index 59407c8..b535ee7 100644
--- a/templates/calico-node-ClusterRole.yaml
+++ b/templates/calico-node-ClusterRole.yaml
@@ -6,6 +6,14 @@ apiVersion: rbac.authorization.k8s.io/v1 metadata: name: calico-node rules: + # Used for creating service account tokens to be used by the CNI plugin + - apiGroups: [""] + resources: + - serviceaccounts/token + resourceNames: + - calico-node + verbs: + - create # The CNI plugin needs to get pods, nodes, and namespaces. - apiGroups: [""] resources:
@@ -68,14 +76,6 @@ rules: - pods/status verbs: - patch - # Used for creating service account tokens to be used by the CNI plugin - - apiGroups: [""] - resources: - - serviceaccounts/token - resourceNames: - - calico-node - verbs: - - create # Calico monitors various CRDs for config. - apiGroups: ["crd.projectcalico.org"] resources:
diff --git a/templates/calico-node-DaemonSet.yaml b/templates/calico-node-DaemonSet.yaml
index 3866d2c..9aaaf77 100644
--- a/templates/calico-node-DaemonSet.yaml
+++ b/templates/calico-node-DaemonSet.yaml
@@ -44,7 +44,7 @@ spec: # It can be deleted if this is a fresh installation, or if you have already # upgraded to use calico-ipam. - name: upgrade-ipam - image: docker.io/calico/cni:v3.23.2 + image: docker.io/calico/cni:v3.23.3 command: ["/opt/cni/bin/calico-ipam", "-upgrade"] envFrom: - configMapRef:
@@ -71,7 +71,7 @@ spec: # This container installs the CNI binaries # and CNI network config file on each node. - name: install-cni - image: docker.io/calico/cni:v3.23.2 + image: docker.io/calico/cni:v3.23.3 command: ["/opt/cni/bin/install"] envFrom: - configMapRef:
@@ -109,12 +109,36 @@ spec: name: cni-net-dir securityContext: privileged: true + # This init container mounts the necessary filesystems needed by the BPF data plane + # i.e. bpf at /sys/fs/bpf and cgroup2 at /run/calico/cgroup. Calico-node initialisation is executed + # in best effort fashion, i.e. no failure for errors, to not disrupt pod creation in iptable mode. + - name: "mount-bpffs" + image: docker.io/calico/node:v3.23.3 + command: ["calico-node", "-init", "-best-effort"] + volumeMounts: + - mountPath: /sys/fs + name: sys-fs + # Bidirectional is required to ensure that the new mount we make at /sys/fs/bpf propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + - mountPath: /var/run/calico + name: var-run-calico + # Bidirectional is required to ensure that the new mount we make at /run/calico/cgroup propagates to the host + # so that it outlives the init container. + mountPropagation: Bidirectional + # Mount /proc/ from host which usually is an init program at /nodeproc. It's needed by mountns binary, + # executed by calico-node, to mount root cgroup2 fs at /run/calico/cgroup to attach CTLB programs correctly. + - mountPath: /nodeproc + name: nodeproc + readOnly: true + securityContext: + privileged: true containers: # Runs calico-node container on each Kubernetes node. This # container programs network policy and routes on each # host. - name: calico-node - image: docker.io/calico/node:v3.23.2 + image: docker.io/calico/node:v3.23.3 envFrom: - configMapRef: # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. 
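Review bot: The new init container's name is the only quoted `name:` in this DaemonSet (`- name: "mount-bpffs"` next to `- name: install-cni` and `- name: calico-node` in the same file); `- name: mount-bpffs` keeps the file's style. The header comment says cgroup2 is mounted at `/run/calico/cgroup` while the volumeMount below it is `/var/run/calico`, which only lines up if `/var/run` resolves to `/run` in that image, so the comment should state that assumption, e.g. `# /var/run/calico is expected to resolve to /run/calico; the cgroup2 mount lands under it.` Because the container runs with `-best-effort`, a failed bpffs or cgroup2 mount does not fail the pod, so in BPF mode the first visible symptom is calico-node itself misbehaving; a line such as `# In BPF mode, check this init container's log first if the data plane does not come up.` would save operators a search. The pod already needed a privileged admission policy for the install-cni init container (privileged: true in the context above), so the new privileged container with Bidirectional propagation does not widen what the policy must allow. The calico-node container that begins at the end of this hunk continues outside it.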
@@ -243,11 +267,8 @@ spec: mountPath: /var/run/nodeagent # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the # parent directory. - - name: sysfs - mountPath: /sys/fs/ - # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. - # If the host is known to mount that filesystem already then Bidirectional can be omitted. - mountPropagation: Bidirectional + - name: bpffs + mountPath: /sys/fs/bpf - name: cni-log-dir mountPath: /var/log/calico/cni readOnly: true
@@ -266,10 +287,18 @@ spec: hostPath: path: /run/xtables.lock type: FileOrCreate - - name: sysfs + - name: sys-fs hostPath: path: /sys/fs/ type: DirectoryOrCreate + - name: bpffs + hostPath: + path: /sys/fs/bpf + type: Directory + # mount /proc at /nodeproc to be used by mount-bpffs initContainer to mount root cgroup2 fs. + - name: nodeproc + hostPath: + path: /proc # Used to install CNI. - name: cni-bin-dir hostPath:
diff --git a/templates/calicoctl-Pod.yaml b/templates/calicoctl-Pod.yaml
index 81d4a0f..488e0b7 100644
--- a/templates/calicoctl-Pod.yaml
+++ b/templates/calicoctl-Pod.yaml
@@ -11,7 +11,7 @@ spec: serviceAccountName: calicoctl containers: - name: calicoctl - image: calico/ctl:v3.23.2 + image: calico/ctl:v3.23.3 command: - /calicoctl args:
diff --git a/templates/calicoctl-ServiceAccount.yaml b/templates/calicoctl-ServiceAccount.yaml
index 3644481..53351d9 100644
--- a/templates/calicoctl-ServiceAccount.yaml
+++ b/templates/calicoctl-ServiceAccount.yaml
@@ -1,7 +1,7 @@ -# Calico Version v3.23.2 -# https://projectcalico.docs.tigera.io/releases#v3.23.2 +# Calico Version v3.23.3 +# https://projectcalico.docs.tigera.io/releases#v3.23.3 # This manifest includes the following component versions: -# calico/ctl:v3.23.2 +# calico/ctl:v3.23.3 apiVersion: v1 kind: ServiceAccount
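Review bot: The context comment left above the changed mount in the `@@ -243,11 +267,8 @@` hunk, `# For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the parent directory.`, no longer describes the code: the mount is now `/sys/fs/bpf` itself with no `mountPropagation`, and the bpffs is created by the `mount-bpffs` init container added earlier in this patch. Replace it with `# For eBPF mode: expose the bpffs that the mount-bpffs init container mounted at /sys/fs/bpf.` The enclosing calico-node container definition starts before this hunk.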
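Review bot: In the `@@ -266,10 +287,18 @@` hunk the new `nodeproc` hostPath volume sets no `type:`, whereas its siblings `bpffs` (`Directory`) and `sys-fs` (`DirectoryOrCreate`) do; with no type, no existence or kind check is performed before mounting, so add `type: Directory` under `path: /proc` for consistency and a clearer failure if the path is ever wrong. Separately, `bpffs` with `type: Directory` makes pod creation fail on a node where `/sys/fs/bpf` is absent, which is stricter than the best-effort behaviour of the mount-bpffs init container that populates it; if that is intended, a comment such as `# Directory (not DirectoryOrCreate): a missing /sys/fs/bpf means the kernel has no BPF support, so fail loudly.` would make it explicit — I believe the directory exists whenever the kernel supports bpffs, but please confirm against the kernels you target.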