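---
# This manifest installs the calico/node container, as well
# as the Calico CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  template:
    metadata:
      labels:
        k8s-app: calico-node
      # Explicit empty map: a bare `annotations:` parses as null.
      annotations: {}
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      priorityClassName: system-node-critical
      # The pod shares the node's network namespace so that calico/node can
      # program routes and policy on the host itself (see the container below).
      hostNetwork: true
      dnsPolicy: ClusterFirstWithHostNet
      serviceAccountName: calico-node
      tolerations:
        - operator: Exists
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      initContainers:
        # This container performs upgrade from host-local IPAM to calico-ipam.
        # It can be deleted if this is a fresh installation, or if you have already
        # upgraded to use calico-ipam.
        - name: upgrade-ipam
          image: quay.io/calico/cni:v3.26.4
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/calico-ipam", "-upgrade"]
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                name: kubernetes-services-endpoint
                optional: true
          env:
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
          volumeMounts:
            - mountPath: /var/lib/cni/networks
              name: host-local-net-dir
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
          securityContext:
            privileged: true
        # This container installs the Calico CNI binaries
        # and CNI network config file on each node.
        - name: install-cni
          image: quay.io/calico/cni:v3.26.4
          imagePullPolicy: IfNotPresent
          command: ["/opt/cni/bin/install"]
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                name: kubernetes-services-endpoint
                optional: true
          env:
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # Install CNI binaries
            - name: UPDATE_CNI_BINARIES
              value: "true"
            # Prevents the container from sleeping forever.
            - name: SLEEP
              value: "false"
            # Set the hostname based on the k8s node name.
            - name: KUBERNETES_NODE_NAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
          volumeMounts:
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
          securityContext:
            privileged: true
        # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes
        # to communicate with Felix over the Policy Sync API.
        - name: flexvol-driver
          image: quay.io/calico/pod2daemon-flexvol:v3.26.4
          imagePullPolicy: IfNotPresent
          volumeMounts:
            - name: flexvol-driver-host
              mountPath: /host/driver
          securityContext:
            privileged: true
      containers:
        # Runs calico/node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        - name: calico-node
          image: quay.io/calico/node:v3.26.4
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                name: kubernetes-services-endpoint
                optional: true
          env:
            # Use the Kubernetes API as the backing datastore; no etcd
            # cluster is configured by this manifest.
            - name: DATASTORE_TYPE
              value: "kubernetes"
            # Wait for the datastore.
            - name: WAIT_FOR_DATASTORE
              value: "true"
            - name: FELIX_VXLANVNI
              value: "4096"
            - name: FELIX_VXLANPORT
              value: "4789"
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cluster_type
            # Set noderef for node controller.
            - name: CALICO_K8S_NODE_REF
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint-to-host default action to RETURN (not ACCEPT),
            # so traffic from workloads to the host is still subject to the
            # host's own iptables rules.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "RETURN"
            # Bind the Felix health endpoint to loopback only; with hostNetwork
            # any other address would be reachable on the node's interfaces.
            - name: FELIX_HEALTHHOST
              value: "localhost"
            - name: FELIX_IPTABLESBACKEND
              value: "Auto"
            - name: FELIX_IPTABLESLOCKTIMEOUTSECS
              value: "10"
            # The IPv4 pool is expected to already exist in the datastore
            # (the Kubernetes API here, per DATASTORE_TYPE) before deployment.
            #
            # Configure the IP Pool from which Pod IPs will be chosen.
            # - name: CALICO_IPV4POOL_CIDR
            #   value: "10.233.64.0/18"
            - name: CALICO_IPV4POOL_IPIP
              value: "Off"
            - name: FELIX_IPV6SUPPORT
              value: "False"
            # Set Felix logging to "info"
            - name: FELIX_LOGSEVERITYSCREEN
              value: "info"
            # Set Calico startup logging to "error"
            - name: CALICO_STARTUP_LOGLEVEL
              value: "error"
            # Enable or disable usage report
            - name: FELIX_USAGEREPORTINGENABLED
              value: "False"
            # Insert Calico's rules at the top of the iptables chains rather
            # than appending them after existing rules.
            - name: FELIX_CHAININSERTMODE
              value: "Insert"
            # Prometheus metrics are disabled. If enabled, the endpoint on the
            # port below would be served in the node's network namespace
            # because of hostNetwork above.
            - name: FELIX_PROMETHEUSMETRICSENABLED
              value: "False"
            - name: FELIX_PROMETHEUSMETRICSPORT
              value: "9091"
            - name: FELIX_PROMETHEUSGOMETRICSENABLED
              value: "True"
            - name: FELIX_PROMETHEUSPROCESSMETRICSENABLED
              value: "True"
            - name: NODEIP
              valueFrom:
                fieldRef:
                  fieldPath: status.hostIP
            - name: IP_AUTODETECTION_METHOD
              value: "can-reach=$(NODEIP)"
            - name: IP
              value: "autodetect"
            - name: NODENAME
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            - name: FELIX_HEALTHENABLED
              value: "true"
            - name: FELIX_IGNORELOOSERPF
              value: "False"
            - name: CALICO_MANAGE_CNI
              value: "true"
          securityContext:
            privileged: true
          resources:
            limits:
              cpu: 300m
              memory: 500M
            requests:
              cpu: 150m
              memory: 64M
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/calico-node
                  - -shutdown
          livenessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-live
            periodSeconds: 10
            initialDelaySeconds: 10
            timeoutSeconds: 10
            failureThreshold: 6
          readinessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-ready
            periodSeconds: 10
            timeoutSeconds: 10
            failureThreshold: 6
          volumeMounts:
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            - name: xtables-lock
              mountPath: /run/xtables.lock
              readOnly: false
            # For maintaining CNI plugin API credentials.
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
              readOnly: false
            - name: policysync
              mountPath: /var/run/nodeagent
            - name: cni-log-dir
              mountPath: /var/log/calico/cni
              readOnly: true
      volumes:
        # Used by calico/node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        # Used to install CNI.
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        # Mount the global iptables lock file, used by calico/node
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        # Mount in the directory for host-local IPAM allocations. This is
        # used when upgrading from host-local to calico-ipam, and can be removed
        # if not using the upgrade-ipam init container.
        - name: host-local-net-dir
          hostPath:
            path: /var/lib/cni/networks
        # Used to access CNI logs.
        - name: cni-log-dir
          hostPath:
            path: /var/log/calico/cni
        # Used to create per-pod Unix Domain Sockets
        - name: policysync
          hostPath:
            type: DirectoryOrCreate
            path: /var/run/nodeagent
        # Used to install Flex Volume Driver
        - name: flexvol-driver-host
          hostPath:
            type: DirectoryOrCreate
            path: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds"
  updateStrategy:
    rollingUpdate:
      # Quoted so the percentage is unambiguously a string for IntOrString.
      maxUnavailable: "20%"
    type: RollingUpdate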