部署 Flannel

记集群网段为 CLUSTER_CIDR:

  # Pod network CIDR of the cluster; it is substituted into the "Network" field of
  # net-conf.json when the manifest below is written, so it should match the CIDR
  # the cluster was initialised with.
  CLUSTER_CIDR='10.10.0.0/16'

创建 flannel 资源文件:

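  # Unquoted heredoc delimiter on purpose: the shell expands ${CLUSTER_CIDR} inside
  # net-conf.json below. The manifest must therefore not contain any other '$' or
  # backtick, or it would be expanded / executed as well.
  cat <<EOF | sudo tee kube-flannel.yml
  # PodSecurityPolicy bounding what the flannel pods may do: no privileged mode,
  # only the NET_ADMIN capability, hostPath mounts limited to the three prefixes the
  # DaemonSets use. The PodSecurityPolicy API is deprecated and has been removed
  # from newer Kubernetes releases; on such clusters drop this document together
  # with the 'use' rule that references it in the flannel ClusterRole.
  apiVersion: policy/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: psp.flannel.unprivileged
    annotations:
      seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
      seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
      apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
      apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
  spec:
    privileged: false
    volumes:
      - configMap
      - secret
      - emptyDir
      - hostPath
    # hostPath mounts are restricted to the directories the DaemonSets actually mount
    allowedHostPaths:
      - pathPrefix: "/etc/cni/net.d"
      - pathPrefix: "/etc/kube-flannel"
      - pathPrefix: "/run/flannel"
    readOnlyRootFilesystem: false
    # Users and groups
    runAsUser:
      rule: RunAsAny
    supplementalGroups:
      rule: RunAsAny
    fsGroup:
      rule: RunAsAny
    # Privilege Escalation
    allowPrivilegeEscalation: false
    defaultAllowPrivilegeEscalation: false
    # Capabilities: NET_ADMIN is the only capability the flannel container adds
    allowedCapabilities: ['NET_ADMIN']
    defaultAddCapabilities: []
    requiredDropCapabilities: []
    # Host namespaces: the DaemonSets set hostNetwork true; PID and IPC stay isolated
    hostPID: false
    hostIPC: false
    hostNetwork: true
    # With hostNetwork the pod shares the node's ports anyway, so the full range is allowed
    hostPorts:
      - min: 0
        max: 65535
    # SELinux
    seLinux:
      # SELinux is unused in CaaSP
      rule: 'RunAsAny'
  ---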
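  # RBAC for the flannel ServiceAccount: use the PodSecurityPolicy, read pods,
  # list/watch nodes and patch node status.
  # rbac.authorization.k8s.io/v1 replaces the deprecated v1beta1 version; it is served
  # by every release that also serves apps/v1, which the DaemonSets below already require.
  kind: ClusterRole
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: flannel
  rules:
    - apiGroups: ['extensions']
      resources: ['podsecuritypolicies']
      verbs: ['use']
      resourceNames: ['psp.flannel.unprivileged']
    - apiGroups:
        - ""
      resources:
        - pods
      verbs:
        - get
    - apiGroups:
        - ""
      resources:
        - nodes
      verbs:
        - list
        - watch
    - apiGroups:
        - ""
      resources:
        - nodes/status
      verbs:
        - patch
  ---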
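  # Binds the flannel ClusterRole to the flannel ServiceAccount in kube-system.
  # rbac.authorization.k8s.io/v1 replaces the deprecated v1beta1 version; it is served
  # by every release that also serves apps/v1, which the DaemonSets below already require.
  kind: ClusterRoleBinding
  apiVersion: rbac.authorization.k8s.io/v1
  metadata:
    name: flannel
  roleRef:
    apiGroup: rbac.authorization.k8s.io
    kind: ClusterRole
    name: flannel
  subjects:
    - kind: ServiceAccount
      name: flannel
      namespace: kube-system
  ---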
  # ServiceAccount the DaemonSet pods run as; the ClusterRoleBinding grants it the flannel ClusterRole.
  kind: ServiceAccount
  apiVersion: v1
  metadata:
    namespace: kube-system
    name: flannel
  ---
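  # CNI and flannel network configuration; the DaemonSets mount it at /etc/kube-flannel/.
  kind: ConfigMap
  apiVersion: v1
  metadata:
    name: kube-flannel-cfg
    namespace: kube-system
    labels:
      tier: node
      app: flannel
  data:
    # copied by the install-cni init container to /etc/cni/net.d/10-flannel.conflist
    cni-conf.json: |
      {
        "cniVersion": "0.2.0",
        "name": "cbr0",
        "plugins": [
          {
            "type": "flannel",
            "delegate": {
              "hairpinMode": true,
              "isDefaultGateway": true
            }
          },
          {
            "type": "portmap",
            "capabilities": {
              "portMappings": true
            }
          }
        ]
      }
    # "Network" is filled in by the shell from CLUSTER_CIDR when the heredoc is
    # written; the :? form makes the shell abort with an error instead of silently
    # writing an empty network when the variable is unset or empty.
    net-conf.json: |
      {
        "Network": "${CLUSTER_CIDR:?CLUSTER_CIDR is not set}",
        "Backend": {
          "Type": "vxlan"
        }
      }
  ---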
  # flannel DaemonSet for linux/amd64 nodes (one DaemonSet per architecture; node
  # affinity selects which one lands on a node).
  apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: kube-flannel-ds-amd64
    namespace: kube-system
    labels:
      tier: node
      app: flannel
  spec:
    selector:
      matchLabels:
        app: flannel
    template:
      metadata:
        labels:
          tier: node
          app: flannel
      spec:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: beta.kubernetes.io/os
                      operator: In
                      values: ["linux"]
                    - key: beta.kubernetes.io/arch
                      operator: In
                      values: ["amd64"]
        # node network namespace + NET_ADMIN + hostPath mounts give this pod
        # node-level network control; the PodSecurityPolicy psp.flannel.unprivileged
        # bounds it to exactly that.
        hostNetwork: true
        tolerations:
          - operator: Exists
            effect: NoSchedule
        serviceAccountName: flannel
        # copies the CNI config from the ConfigMap into the node's CNI directory
        initContainers:
          - name: install-cni
            # pinned by tag only; a tag can be re-pushed, so pin by digest
            # (image@sha256:<digest>) for a reproducible deployment
            image: quay.io/coreos/flannel:v0.11.0-amd64
            command: ["cp"]
            args: ["-f", "/etc/kube-flannel/cni-conf.json", "/etc/cni/net.d/10-flannel.conflist"]
            volumeMounts:
              - name: cni
                mountPath: /etc/cni/net.d
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        containers:
          - name: kube-flannel
            image: quay.io/coreos/flannel:v0.11.0-amd64
            command: ["/opt/bin/flanneld"]
            args: ["--ip-masq", "--kube-subnet-mgr"]
            resources:
              requests:
                cpu: "100m"
                memory: "50Mi"
              limits:
                cpu: "100m"
                memory: "50Mi"
            securityContext:
              privileged: false
              capabilities:
                add: ["NET_ADMIN"]
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            volumeMounts:
              - name: run
                mountPath: /run/flannel
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        volumes:
          - name: run
            hostPath:
              path: /run/flannel
          - name: cni
            hostPath:
              path: /etc/cni/net.d
          - name: flannel-cfg
            configMap:
              name: kube-flannel-cfg
  ---
  # flannel DaemonSet for linux/arm64 nodes (one DaemonSet per architecture; node
  # affinity selects which one lands on a node).
  apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: kube-flannel-ds-arm64
    namespace: kube-system
    labels:
      tier: node
      app: flannel
  spec:
    selector:
      matchLabels:
        app: flannel
    template:
      metadata:
        labels:
          tier: node
          app: flannel
      spec:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: beta.kubernetes.io/os
                      operator: In
                      values: ["linux"]
                    - key: beta.kubernetes.io/arch
                      operator: In
                      values: ["arm64"]
        # node network namespace + NET_ADMIN + hostPath mounts give this pod
        # node-level network control; the PodSecurityPolicy psp.flannel.unprivileged
        # bounds it to exactly that.
        hostNetwork: true
        tolerations:
          - operator: Exists
            effect: NoSchedule
        serviceAccountName: flannel
        # copies the CNI config from the ConfigMap into the node's CNI directory
        initContainers:
          - name: install-cni
            # pinned by tag only; a tag can be re-pushed, so pin by digest
            # (image@sha256:<digest>) for a reproducible deployment
            image: quay.io/coreos/flannel:v0.11.0-arm64
            command: ["cp"]
            args: ["-f", "/etc/kube-flannel/cni-conf.json", "/etc/cni/net.d/10-flannel.conflist"]
            volumeMounts:
              - name: cni
                mountPath: /etc/cni/net.d
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        containers:
          - name: kube-flannel
            image: quay.io/coreos/flannel:v0.11.0-arm64
            command: ["/opt/bin/flanneld"]
            args: ["--ip-masq", "--kube-subnet-mgr"]
            resources:
              requests:
                cpu: "100m"
                memory: "50Mi"
              limits:
                cpu: "100m"
                memory: "50Mi"
            securityContext:
              privileged: false
              capabilities:
                add: ["NET_ADMIN"]
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            volumeMounts:
              - name: run
                mountPath: /run/flannel
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        volumes:
          - name: run
            hostPath:
              path: /run/flannel
          - name: cni
            hostPath:
              path: /etc/cni/net.d
          - name: flannel-cfg
            configMap:
              name: kube-flannel-cfg
  ---
  # flannel DaemonSet for linux/arm nodes (one DaemonSet per architecture; node
  # affinity selects which one lands on a node).
  apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: kube-flannel-ds-arm
    namespace: kube-system
    labels:
      tier: node
      app: flannel
  spec:
    selector:
      matchLabels:
        app: flannel
    template:
      metadata:
        labels:
          tier: node
          app: flannel
      spec:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: beta.kubernetes.io/os
                      operator: In
                      values: ["linux"]
                    - key: beta.kubernetes.io/arch
                      operator: In
                      values: ["arm"]
        # node network namespace + NET_ADMIN + hostPath mounts give this pod
        # node-level network control; the PodSecurityPolicy psp.flannel.unprivileged
        # bounds it to exactly that.
        hostNetwork: true
        tolerations:
          - operator: Exists
            effect: NoSchedule
        serviceAccountName: flannel
        # copies the CNI config from the ConfigMap into the node's CNI directory
        initContainers:
          - name: install-cni
            # pinned by tag only; a tag can be re-pushed, so pin by digest
            # (image@sha256:<digest>) for a reproducible deployment
            image: quay.io/coreos/flannel:v0.11.0-arm
            command: ["cp"]
            args: ["-f", "/etc/kube-flannel/cni-conf.json", "/etc/cni/net.d/10-flannel.conflist"]
            volumeMounts:
              - name: cni
                mountPath: /etc/cni/net.d
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        containers:
          - name: kube-flannel
            image: quay.io/coreos/flannel:v0.11.0-arm
            command: ["/opt/bin/flanneld"]
            args: ["--ip-masq", "--kube-subnet-mgr"]
            resources:
              requests:
                cpu: "100m"
                memory: "50Mi"
              limits:
                cpu: "100m"
                memory: "50Mi"
            securityContext:
              privileged: false
              capabilities:
                add: ["NET_ADMIN"]
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            volumeMounts:
              - name: run
                mountPath: /run/flannel
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        volumes:
          - name: run
            hostPath:
              path: /run/flannel
          - name: cni
            hostPath:
              path: /etc/cni/net.d
          - name: flannel-cfg
            configMap:
              name: kube-flannel-cfg
  ---
  # flannel DaemonSet for linux/ppc64le nodes (one DaemonSet per architecture; node
  # affinity selects which one lands on a node).
  apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: kube-flannel-ds-ppc64le
    namespace: kube-system
    labels:
      tier: node
      app: flannel
  spec:
    selector:
      matchLabels:
        app: flannel
    template:
      metadata:
        labels:
          tier: node
          app: flannel
      spec:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: beta.kubernetes.io/os
                      operator: In
                      values: ["linux"]
                    - key: beta.kubernetes.io/arch
                      operator: In
                      values: ["ppc64le"]
        # node network namespace + NET_ADMIN + hostPath mounts give this pod
        # node-level network control; the PodSecurityPolicy psp.flannel.unprivileged
        # bounds it to exactly that.
        hostNetwork: true
        tolerations:
          - operator: Exists
            effect: NoSchedule
        serviceAccountName: flannel
        # copies the CNI config from the ConfigMap into the node's CNI directory
        initContainers:
          - name: install-cni
            # pinned by tag only; a tag can be re-pushed, so pin by digest
            # (image@sha256:<digest>) for a reproducible deployment
            image: quay.io/coreos/flannel:v0.11.0-ppc64le
            command: ["cp"]
            args: ["-f", "/etc/kube-flannel/cni-conf.json", "/etc/cni/net.d/10-flannel.conflist"]
            volumeMounts:
              - name: cni
                mountPath: /etc/cni/net.d
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        containers:
          - name: kube-flannel
            image: quay.io/coreos/flannel:v0.11.0-ppc64le
            command: ["/opt/bin/flanneld"]
            args: ["--ip-masq", "--kube-subnet-mgr"]
            resources:
              requests:
                cpu: "100m"
                memory: "50Mi"
              limits:
                cpu: "100m"
                memory: "50Mi"
            securityContext:
              privileged: false
              capabilities:
                add: ["NET_ADMIN"]
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            volumeMounts:
              - name: run
                mountPath: /run/flannel
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        volumes:
          - name: run
            hostPath:
              path: /run/flannel
          - name: cni
            hostPath:
              path: /etc/cni/net.d
          - name: flannel-cfg
            configMap:
              name: kube-flannel-cfg
  ---
  # flannel DaemonSet for linux/s390x nodes (one DaemonSet per architecture; node
  # affinity selects which one lands on a node).
  apiVersion: apps/v1
  kind: DaemonSet
  metadata:
    name: kube-flannel-ds-s390x
    namespace: kube-system
    labels:
      tier: node
      app: flannel
  spec:
    selector:
      matchLabels:
        app: flannel
    template:
      metadata:
        labels:
          tier: node
          app: flannel
      spec:
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: beta.kubernetes.io/os
                      operator: In
                      values: ["linux"]
                    - key: beta.kubernetes.io/arch
                      operator: In
                      values: ["s390x"]
        # node network namespace + NET_ADMIN + hostPath mounts give this pod
        # node-level network control; the PodSecurityPolicy psp.flannel.unprivileged
        # bounds it to exactly that.
        hostNetwork: true
        tolerations:
          - operator: Exists
            effect: NoSchedule
        serviceAccountName: flannel
        # copies the CNI config from the ConfigMap into the node's CNI directory
        initContainers:
          - name: install-cni
            # pinned by tag only; a tag can be re-pushed, so pin by digest
            # (image@sha256:<digest>) for a reproducible deployment
            image: quay.io/coreos/flannel:v0.11.0-s390x
            command: ["cp"]
            args: ["-f", "/etc/kube-flannel/cni-conf.json", "/etc/cni/net.d/10-flannel.conflist"]
            volumeMounts:
              - name: cni
                mountPath: /etc/cni/net.d
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        containers:
          - name: kube-flannel
            image: quay.io/coreos/flannel:v0.11.0-s390x
            command: ["/opt/bin/flanneld"]
            args: ["--ip-masq", "--kube-subnet-mgr"]
            resources:
              requests:
                cpu: "100m"
                memory: "50Mi"
              limits:
                cpu: "100m"
                memory: "50Mi"
            securityContext:
              privileged: false
              capabilities:
                add: ["NET_ADMIN"]
            env:
              - name: POD_NAME
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.name
              - name: POD_NAMESPACE
                valueFrom:
                  fieldRef:
                    fieldPath: metadata.namespace
            volumeMounts:
              - name: run
                mountPath: /run/flannel
              - name: flannel-cfg
                mountPath: /etc/kube-flannel/
        volumes:
          - name: run
            hostPath:
              path: /run/flannel
          - name: cni
            hostPath:
              path: /etc/cni/net.d
          - name: flannel-cfg
            configMap:
              name: kube-flannel-cfg
  EOF

部署:

  # Applies every document in the generated file; check the written file first so that
  # the "Network" value in net-conf.json shows the intended cluster CIDR.
  kubectl apply -f ./kube-flannel.yml

以上资源文件参考 flannel 官方: https://raw.githubusercontent.com/coreos/flannel/master/Documentation/kube-flannel.yml (仅提取了 CLUSTER_CIDR 变量)