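# On the master node: unpack the Calico v3.23.1 release archive and import every
# bundled image into the containerd namespace named "kube-system".
# NOTE(review): nothing here checks the archive's integrity. Compare
# release-v3.23.1.tgz against a checksum obtained from the release source before
# unpacking, because the imported images later run as privileged containers.
# NOTE(review): the kubelet's CRI plugin normally reads images from the containerd
# namespace "k8s.io"; confirm that images imported under "-n=kube-system" are
# actually visible to pods on this node.
tar -xf release-v3.23.1.tgz

# Iterate with a glob instead of $(ls) so file names are never word-split, and
# quote the path handed to ctr. Using the full relative path removes the need to
# cd into the directory first.
for i in release-v3.23.1/images/*; do
  ctr -n=kube-system image import "${i}"
done

# Show what was imported, then return to the home directory as the original did.
ctr -n=kube-system images list
cd ~/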
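---
# TLS material that calico-node and calico-kube-controllers use to reach etcd.
# Values under `data` are base64-encoded, not encrypted: anyone who can read this
# manifest or the Secret object can recover them.
# NOTE(review): the page originally carried a real RSA private key in etcd-key.
# A key that has been pasted into a published page must be treated as compromised:
# revoke the matching client certificate, issue a new key pair, and keep the filled-in
# manifest out of public pages and version control.
# NOTE(review): if the etcd endpoints below are the same cluster that backs the
# Kubernetes API server, this client certificate presumably grants access to every
# object stored there, Secrets included. Confirm, and consider a dedicated etcd or
# etcd RBAC scoped to the Calico key prefix.
apiVersion: v1
kind: Secret
type: Opaque
metadata:
  name: calico-etcd-secrets
  namespace: kube-system
data:
  # Redacted private key. Supply your own value, for example the output of
  # `base64 -w0 < client-key.pem` (file name constructed for illustration).
  etcd-key: "<REDACTED_BASE64_ETCD_CLIENT_PRIVATE_KEY>"
  # Client certificate as published on the page.
  # NOTE(review): re-joined from text the page had wrapped across lines; confirm it
  # still decodes before relying on it.
  etcd-cert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUVuakNDQTRhZ0F3SUJBZ0lVRE9FOU1CWGhQVUFoejl1aFh6SEdKWFZtVys0d0RRWUpLb1pJaHZjTkFRRUwKQlFBd2NURUxNQWtHQTFVRUJoTUNRMDR4RVRBUEJnTlZCQWdUQ0VwcFlXNW5JRk4xTVJBd0RnWURWUVFIRXdkTwpZVzVLYVc1bk1STXdFUVlEVlFRS0V3cHRZWGg2YUdGdkxXTmhNUll3RkFZRFZRUUxFdzFsZEdOa0lGTmxZM1Z5CmFYUjVNUkF3RGdZRFZRUURFd2R0WVhoNmFHRnZNQjRYRFRJeU1EWXdNakEyTVRnd01Gb1hEVFF5TURVeU9EQTIKTVRnd01Gb3djakVMTUFrR0ExVUVCaE1DUTA0eEVUQVBCZ05WQkFnVENFcHBZVzVuSUZOMU1SQXdEZ1lEVlFRSApFd2RPWVc1S2FXNW5NUk13RVFZRFZRUUtFd3B0WVhoNmFHRnZMV05oTVJZd0ZBWURWUVFMRXcxbGRHTmtJRk5sClkzVnlhWFI1TVJFd0R3WURWUVFERXdobGRHTmtMVEUxT0RDQ0FTSXdEUVlKS29aSWh2Y05BUUVCQlFBRGdnRVAKQURDQ0FRb0NnZ0VCQUx1dDlxQWx3UXM2QUNaZ0xLeWFERHBjQ2pTZ3M0cHVBR1VNSW1iemhYWmZHSWFpWGx5RwoxV3lLNnB1bUI0ZWZpcWJQM0xIYkZ4WlBjWms3TTk3QWFrQm1sL3hVbkxETzhTSHo2clJzRVM4OXJKU0NLNEdwClJKcFR4MktKMWRST3hBOEdnK0NoWkFFbWlaOTNpelQ3cGc0ZkU3TENzSkFKL0o0a2RoeHhUL2FPOTdvcFZzTmYKZEdiQk9Ra1pzYW9pS1Rxd3VTb25GOWpRdU1jWWpqU3JSY0VVYWM1c1lBdlNiNkJQWG1YOTRJSXZKZ2gzeFNFcQpMb3BWQUZWNGdCRHVJMGxmaDE2SWdqQndBc0dhMXdqSzZUZE84TzJZUWdsL1hid05uenRadEUwWXQzS2pISWtuCjZKUUMzYy9FbUo4cm5qSldCWDJtTWMxT0lscHdNNGhPY2RrQ0F3RUFBYU9DQVNzd2dnRW5NQTRHQTFVZER3RUIKL3dRRUF3SUZvREFkQmdOVkhTVUVGakFVQmdnckJnRUZCUWNEQVFZSUt3WUJCUVVIQXdJd0RBWURWUjBUQVFILwpCQUl3QURBZEJnTlZIUTRFRmdRVWUrSkRPOTZ6R05La1lXeDBpV2dOYUtyYTIxRXdId1lEVlIwakJCZ3dGb0FVCjlsbGNvUm15Ui9aSjF3STY3T21CZ0hwRUtiTXdnYWNHQTFVZEVRU0JuekNCbklJS2EzVmlaWEp1WlhSbGM0SVMKYTNWaVpYSnVaWFJsY3k1a1pXWmhkV3gwZ2hacmRXSmxjbTVsZEdWekxtUmxabUYxYkhRdWMzWmpnaDVyZFdKbApjbTVsZEdWekxtUmxabUYxYkhRdWMzWmpMbU5zZFhOMFpYS0NKR3QxWW1WeWJtVjBaWE11WkdWbVlYVnNkQzV6CmRtTXVZMngxYzNSbGNpNXNiMk5oYkljRWZ3QUFBWWNFd0tnQ25vY0V3S2dDbjRjRXdLZ0NvSWNFd0tnQ29UQU4KQmdrcWhraUc5dzBCQVFzRkFBT0NBUUVBVTJvNU10b1c1cHZFbWVpWnRuNnM1U2EyNGRILzQ2RmkvTHNWNjYySwpvZTlBdENqbjBrczlnUTFLN29oSFI1MHVHUEJyL21rYXlWYXVnVmhpb2tNQWVjK2VoNWtWbXh4NnJtcHNQV3JsCmUwd2ZJR3lwUDkrVHNtUGN6ekNoUzNUVHFpMGljdFhVMEs5ZHFRZmYvTmtBUTBZZU9RcVNwSWoxcXZpeklNT3oKc1hTVzdwZ2xwZVFzeXFMYTFQNE0yemc0WkhRTEVla0hoNExnTHV6MlNleXRrL25vazluMnBCWTZYdEVlc1llagpZZjVDMEdlVm1mSHpWTlBNNTcwTXhBdFlmMndoOUVkUHNlYlp0cUoyb1Y3ZHp2TVRkNE9temdpcDljWGErUG50CkpqbTlZdXQwVGRsaU1XYi9FVmVCbFdiSlNod0x3U05HUFhoVWJwdVg4QXFZa1E9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg==
  # The CA certificate value is missing from the page; supply the base64-encoded
  # CA that signed the etcd server certificates.
  etcd-ca: "<BASE64_ETCD_CA_CERTIFICATE>"
---
# Source: calico/templates/calico-config.yaml
# This ConfigMap is used to configure a self-hosted Calico installation.
kind: ConfigMap
apiVersion: v1
metadata:
  name: calico-config
  namespace: kube-system
data:
  # Configure this with the location of your etcd cluster.
  etcd_endpoints: "https://192.168.2.158:2379,https://192.168.2.159:2379,https://192.168.2.160:2379"
  # TLS is enabled for etcd here, so the three paths below are set. Each path is a
  # key of the calico-etcd-secrets Secret, which the pods mount at /calico-secrets.
  etcd_ca: "/calico-secrets/etcd-ca"   # "/calico-secrets/etcd-ca"
  etcd_cert: "/calico-secrets/etcd-cert" # "/calico-secrets/etcd-cert"
  etcd_key: "/calico-secrets/etcd-key"  # "/calico-secrets/etcd-key"
  # Typha is disabled.
  typha_service_name: "none"
  # Configure the backend to use.
  calico_backend: "bird"

  # Configure the MTU to use for workload interfaces and tunnels.
  # By default, MTU is auto-detected, and explicitly setting this field should not be required.
  # You can override auto-detection by providing a non-zero value.
  veth_mtu: "0"

  # The CNI network configuration to install on each node. The special
  # values in this config will be automatically populated.
  cni_network_config: |-
    {
      "name": "k8s-pod-network",
      "cniVersion": "0.3.1",
      "plugins": [
        {
          "type": "calico",
          "log_level": "info",
          "log_file_path": "/var/log/calico/cni/cni.log",
          "etcd_endpoints": "__ETCD_ENDPOINTS__",
          "etcd_key_file": "__ETCD_KEY_FILE__",
          "etcd_cert_file": "__ETCD_CERT_FILE__",
          "etcd_ca_cert_file": "__ETCD_CA_CERT_FILE__",
          "mtu": __CNI_MTU__,
          "ipam": {
              "type": "calico-ipam"
          },
          "policy": {
              "type": "k8s"
          },
          "kubernetes": {
              "kubeconfig": "__KUBECONFIG_FILEPATH__"
          }
        },
        {
          "type": "portmap",
          "snat": true,
          "capabilities": {"portMappings": true}
        },
        {
          "type": "bandwidth",
          "capabilities": {"bandwidth": true}
        }
      ]
    }
---
# Source: calico/templates/calico-kube-controllers-rbac.yaml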
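# Include a clusterrole for the kube-controllers component,
# and bind it to the calico-kube-controllers serviceaccount.
# The role is read-only (watch/list/get) across the whole cluster.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
rules:
  # Pods are monitored for changing labels.
  # The node controller monitors Kubernetes nodes.
  # Namespace and serviceaccount labels are used for policy.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
      - serviceaccounts
    verbs:
      - watch
      - list
      - get
  # Watch for changes to Kubernetes NetworkPolicies.
  - apiGroups: ["networking.k8s.io"]
    resources:
      - networkpolicies
    verbs:
      - watch
      - list
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-kube-controllers
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-kube-controllers
subjects:
  - kind: ServiceAccount
    name: calico-kube-controllers
    namespace: kube-system
---
# Source: calico/templates/calico-node-rbac.yaml
# Include a clusterrole for the calico-node DaemonSet,
# and bind it to the calico-node serviceaccount.
# The only write verb granted is `patch` on nodes/status.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
rules:
  # The CNI plugin needs to get pods, nodes, and namespaces.
  - apiGroups: [""]
    resources:
      - pods
      - nodes
      - namespaces
    verbs:
      - get
  # EndpointSlices are used for Service-based network policy rule
  # enforcement.
  - apiGroups: ["discovery.k8s.io"]
    resources:
      - endpointslices
    verbs:
      - watch
      - list
  - apiGroups: [""]
    resources:
      - endpoints
      - services
    verbs:
      # Used to discover service IPs for advertisement.
      - watch
      - list
  # Pod CIDR auto-detection on kubeadm needs access to config maps.
  - apiGroups: [""]
    resources:
      - configmaps
    verbs:
      - get
  - apiGroups: [""]
    resources:
      - nodes/status
    verbs:
      # Needed for clearing NodeNetworkUnavailable flag.
      - patch
---
# NOTE(review): added. The comment above says the calico-node role is bound to the
# calico-node serviceaccount, but the page contains no such binding; without it the
# DaemonSet's service account holds none of the permissions listed in the role.
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: calico-node
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: calico-node
subjects:
  - kind: ServiceAccount
    name: calico-node
    namespace: kube-system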
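---
# Source: calico/templates/calico-node.yaml
# This manifest installs the calico-node container, as well
# as the CNI plugins and network config on
# each master and worker node in a Kubernetes cluster.
# NOTE(review): both containers below run privileged, the pod uses the host network,
# and it mounts writable host paths (CNI binaries and config, /sys/fs, /var/run/calico).
# Control of this pod, of its images, or of its service account is therefore
# equivalent to root on every node. Restrict who may create, edit or exec into
# workloads in kube-system accordingly.
kind: DaemonSet
apiVersion: apps/v1
metadata:
  name: calico-node
  namespace: kube-system
  labels:
    k8s-app: calico-node
spec:
  selector:
    matchLabels:
      k8s-app: calico-node
  updateStrategy:
    type: RollingUpdate
    rollingUpdate:
      maxUnavailable: 1
  template:
    metadata:
      labels:
        k8s-app: calico-node
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      hostNetwork: true
      tolerations:
        # Make sure calico-node gets scheduled on all nodes.
        - effect: NoSchedule
          operator: Exists
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - effect: NoExecute
          operator: Exists
      serviceAccountName: calico-node
      # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force
      # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods.
      terminationGracePeriodSeconds: 0
      priorityClassName: system-node-critical
      initContainers:
        # This container installs the CNI binaries
        # and CNI network config file on each node.
        # NOTE(review): the image is referenced by tag only. Pinning it by digest
        # (docker.io/calico/cni@sha256:<IMAGE_DIGEST_PLACEHOLDER>) ties the node to the
        # exact content that was verified and imported.
        - name: install-cni
          image: docker.io/calico/cni:v3.23.1
          command: ["/opt/cni/bin/install"]
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                name: kubernetes-services-endpoint
                optional: true
          env:
            # Name of the CNI config file to create.
            - name: CNI_CONF_NAME
              value: "10-calico.conflist"
            # The CNI network config to install on each node.
            - name: CNI_NETWORK_CONFIG
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: cni_network_config
            # The location of the etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # CNI MTU Config variable
            - name: CNI_MTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Prevents the container from sleeping forever.
            - name: SLEEP
              value: "false"
          volumeMounts:
            - mountPath: /host/opt/cni/bin
              name: cni-bin-dir
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
            - mountPath: /calico-secrets
              name: etcd-certs
          securityContext:
            privileged: true
      containers:
        # Runs calico-node container on each Kubernetes node. This
        # container programs network policy and routes on each
        # host.
        # NOTE(review): referenced by tag only; see the digest-pinning note on install-cni.
        - name: calico-node
          image: docker.io/calico/node:v3.23.1
          envFrom:
            - configMapRef:
                # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode.
                name: kubernetes-services-endpoint
                optional: true
          env:
            # The location of the etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # Set noderef for node controller.
            - name: CALICO_K8S_NODE_REF
              valueFrom:
                fieldRef:
                  fieldPath: spec.nodeName
            # Choose the backend to use.
            - name: CALICO_NETWORKING_BACKEND
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: calico_backend
            # Cluster type to identify the deployment type
            - name: CLUSTER_TYPE
              value: "k8s,bgp"
            # Auto-detect the BGP IP address.
            - name: IP
              value: "autodetect"
            # Enable IPIP
            - name: CALICO_IPV4POOL_IPIP
              value: "Always"
            # Enable or Disable VXLAN on the default IP pool.
            - name: CALICO_IPV4POOL_VXLAN
              value: "Never"
            # Enable or Disable VXLAN on the default IPv6 IP pool.
            - name: CALICO_IPV6POOL_VXLAN
              value: "Never"
            # Set MTU for tunnel device used if ipip is enabled
            - name: FELIX_IPINIPMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Set MTU for the VXLAN tunnel device.
            - name: FELIX_VXLANMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # Set MTU for the Wireguard tunnel device.
            - name: FELIX_WIREGUARDMTU
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: veth_mtu
            # The default IPv4 pool to create on startup if none exists. Pod IPs will be
            # chosen from this range. Changing this value after installation will have
            # no effect. This should fall within `--cluster-cidr`.
            # KubeProxyConfiguration.clusterCIDR
            # NOTE(review): the error message shown later on this page targets
            # https://10.244.0.1:443, which lies inside this pool. That address is
            # presumably the kubernetes Service IP, which would mean the service CIDR
            # and the pod pool overlap. Confirm both ranges and keep them disjoint.
            - name: CALICO_IPV4POOL_CIDR
              value: "10.244.0.0/16"
            # Disable file logging so `kubectl logs` works.
            - name: CALICO_DISABLE_FILE_LOGGING
              value: "true"
            # Set Felix endpoint to host default action to ACCEPT.
            # NOTE(review): with ACCEPT, traffic from pods to the node itself is allowed
            # once workload policy has been applied. Services listening on the host are
            # reachable from pods unless policy or host firewalling restricts them.
            - name: FELIX_DEFAULTENDPOINTTOHOSTACTION
              value: "ACCEPT"
            # Disable IPv6 on Kubernetes.
            - name: FELIX_IPV6SUPPORT
              value: "false"
            - name: FELIX_HEALTHENABLED
              value: "true"
          securityContext:
            privileged: true
          resources:
            requests:
              cpu: 250m
          lifecycle:
            preStop:
              exec:
                command:
                  - /bin/calico-node
                  - -shutdown
          livenessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-live
                - -bird-live
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command:
                - /bin/calico-node
                - -felix-ready
                - -bird-ready
            periodSeconds: 10
            timeoutSeconds: 10
          volumeMounts:
            # For maintaining CNI plugin API credentials.
            - mountPath: /host/etc/cni/net.d
              name: cni-net-dir
              readOnly: false
            - mountPath: /lib/modules
              name: lib-modules
              readOnly: true
            - mountPath: /run/xtables.lock
              name: xtables-lock
              readOnly: false
            - mountPath: /var/run/calico
              name: var-run-calico
              readOnly: false
            - mountPath: /var/lib/calico
              name: var-lib-calico
              readOnly: false
            - mountPath: /calico-secrets
              name: etcd-certs
            - name: policysync
              mountPath: /var/run/nodeagent
            # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the
            # parent directory.
            - name: sysfs
              mountPath: /sys/fs/
              # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host.
              # If the host is known to mount that filesystem already then Bidirectional can be omitted.
              mountPropagation: Bidirectional
            - name: cni-log-dir
              mountPath: /var/log/calico/cni
              readOnly: true
      volumes:
        # Used by calico-node.
        - name: lib-modules
          hostPath:
            path: /lib/modules
        - name: var-run-calico
          hostPath:
            path: /var/run/calico
        - name: var-lib-calico
          hostPath:
            path: /var/lib/calico
        - name: xtables-lock
          hostPath:
            path: /run/xtables.lock
            type: FileOrCreate
        - name: sysfs
          hostPath:
            path: /sys/fs/
            type: DirectoryOrCreate
        # Used to install CNI.
        - name: cni-bin-dir
          hostPath:
            path: /opt/cni/bin
        - name: cni-net-dir
          hostPath:
            path: /etc/cni/net.d
        # Used to access CNI logs.
        - name: cni-log-dir
          hostPath:
            path: /var/log/calico/cni
        # Mount in the etcd TLS secrets with mode 400.
        # See https://kubernetes.io/docs/concepts/configuration/secret/
        - name: etcd-certs
          secret:
            secretName: calico-etcd-secrets
            defaultMode: 0400
        # Used to create per-pod Unix Domain Sockets
        - name: policysync
          hostPath:
            type: DirectoryOrCreate
            path: /var/run/nodeagent
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-node
  namespace: kube-system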
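---
# Source: calico/templates/calico-kube-controllers.yaml
# See https://github.com/projectcalico/kube-controllers
apiVersion: apps/v1
kind: Deployment
metadata:
  name: calico-kube-controllers
  namespace: kube-system
  labels:
    k8s-app: calico-kube-controllers
spec:
  # The controllers can only have a single active instance.
  replicas: 1
  selector:
    matchLabels:
      k8s-app: calico-kube-controllers
  strategy:
    type: Recreate
  template:
    metadata:
      name: calico-kube-controllers
      namespace: kube-system
      labels:
        k8s-app: calico-kube-controllers
    spec:
      nodeSelector:
        kubernetes.io/os: linux
      tolerations:
        # Mark the pod as a critical add-on for rescheduling.
        - key: CriticalAddonsOnly
          operator: Exists
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      serviceAccountName: calico-kube-controllers
      priorityClassName: system-cluster-critical
      # The controllers must run in the host network namespace so that
      # it isn't governed by policy that would prevent it from working.
      hostNetwork: true
      containers:
        # NOTE(review): the image is referenced by tag only. Pinning it by digest
        # (docker.io/calico/kube-controllers@sha256:<IMAGE_DIGEST_PLACEHOLDER>) ties the
        # deployment to the exact content that was verified.
        - name: calico-kube-controllers
          image: docker.io/calico/kube-controllers:v3.23.1
          env:
            # The location of the etcd cluster.
            - name: ETCD_ENDPOINTS
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_endpoints
            # Location of the CA certificate for etcd.
            - name: ETCD_CA_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_ca
            # Location of the client key for etcd.
            - name: ETCD_KEY_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_key
            # Location of the client certificate for etcd.
            - name: ETCD_CERT_FILE
              valueFrom:
                configMapKeyRef:
                  name: calico-config
                  key: etcd_cert
            # Choose which controllers to run.
            - name: ENABLED_CONTROLLERS
              value: policy,namespace,serviceaccount,workloadendpoint,node
          volumeMounts:
            # Mount in the etcd TLS secrets.
            - mountPath: /calico-secrets
              name: etcd-certs
          livenessProbe:
            exec:
              command:
                - /usr/bin/check-status
                - -l
            periodSeconds: 10
            initialDelaySeconds: 10
            failureThreshold: 6
            timeoutSeconds: 10
          readinessProbe:
            exec:
              command:
                - /usr/bin/check-status
                - -r
            periodSeconds: 10
      volumes:
        # Mount in the etcd TLS secrets with mode 0440 (owner and group read).
        # The original comment said "mode 400", which does not match the value set here.
        # NOTE(review): the calico-node DaemonSet on this page mounts the same Secret
        # with 0400. Group read is presumably needed because this container does not
        # run as root. Confirm before tightening it.
        # See https://kubernetes.io/docs/concepts/configuration/secret/
        - name: etcd-certs
          secret:
            secretName: calico-etcd-secrets
            defaultMode: 0440
---
# NOTE(review): added. The Deployment above and the calico-kube-controllers
# ClusterRoleBinding both name this service account, but the page never defines it;
# pods cannot be created for a service account that does not exist.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: calico-kube-controllers
  namespace: kube-system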
failed to query kubeadm's config map error=Get "https://10.244.0.1:443/api/v1/namespaces/kube-system/configmaps/kubeadm-config?timeout=2s": net/http: request canceled while waiting for connection (Client.Timeout exceeded while awaiting headers)
# Rewrite this host's interface config from the "122" values to the "158" values:
# first the UUID suffix, then the IPv4 address. Both expressions are applied to
# ifcfg-ens33 in one in-place pass.
sed -i \
  -e 's/UUID=6695c513-e9fa-4d7b-83c1-b795ce225485-122/UUID=6695c513-e9fa-4d7b-83c1-b795ce225485-158/g' \
  -e 's/IPADDR=192.168.2.122/IPADDR=192.168.2.158/g' \
  /etc/sysconfig/network-scripts/ifcfg-ens33

# Rename the host to match the new address.
sed -i -e 's/host122/host158/g' /etc/hostname