-
Notifications
You must be signed in to change notification settings - Fork 363
/
antrea-windows-with-ovs.yml
405 lines (373 loc) · 17.2 KB
/
antrea-windows-with-ovs.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
apiVersion: v1
data:
Install-WindowsCNI-Containerd.ps1: |
$ErrorActionPreference = "Stop";
mkdir -force c:/var/log/antrea
$mountPath = $env:CONTAINER_SANDBOX_MOUNT_POINT
$mountPath = ($mountPath.Replace('\', '/')).TrimEnd('/')
# From containerd version 1.7 onwards, the servcieaccount directory, the ca.cert and token files will automatically be created.
$serviceAccountPath = "C:\var\run\secrets\kubernetes.io\serviceaccount"
if (-Not $(Test-Path $serviceAccountPath)) {
mkdir -force $serviceAccountPath
}
$localTokenFile = "$serviceAccountPath/token"
$localCAFile="$serviceAccountPath/ca.crt"
$tokenPath = "$mountPath/var/run/secrets/kubernetes.io/serviceaccount/token"
$caPath = "$mountPath/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"
# Check if the local token file is not present or its content is different
if (-Not (Test-Path $localTokenFile) -or (Get-Content -Raw $localTokenFile) -ne (Get-Content -Raw $tokenPath)) {
Copy-Item -Path $tokenPath -Destination $localTokenFile -Force
}
# Check if the local ca.crt file is not present or its content is different
if (-Not (Test-Path $localCAFile) -or (Get-Content -Raw $localCAFile) -ne (Get-Content -Raw $caPath)) {
Copy-Item -Path $caPath -Destination $localCAFile -Force
}
mkdir -force c:/opt/cni/bin/
mkdir -force c:/etc/cni/net.d/
cp $mountPath/k/antrea/cni/* c:/opt/cni/bin/
cp $mountPath/etc/antrea/antrea-cni.conflist c:/etc/cni/net.d/10-antrea.conflist
mkdir -force c:/k/antrea/bin
cp $mountPath/k/antrea/bin/antctl.exe c:/k/antrea/bin/antctl.exe
Run-AntreaAgent-Containerd.ps1: |
$ErrorActionPreference = "Stop"
$mountPath = $env:CONTAINER_SANDBOX_MOUNT_POINT
$mountPath = ($mountPath.Replace('\', '/')).TrimEnd('/')
$env:PATH = $env:PATH + ";$mountPath/Windows/System32;$mountPath/k/antrea/bin;$mountPath/openvswitch/usr/bin;$mountPath/openvswitch/usr/sbin"
& antrea-agent --config=$mountPath/etc/antrea/antrea-agent.conf --logtostderr=false --log_dir=c:/var/log/antrea --alsologtostderr --log_file_max_size=100 --log_file_max_num=4 --v=0
Run-AntreaOVS-Containerd.ps1: |
$ErrorActionPreference = "Stop"
$mountPath = $env:CONTAINER_SANDBOX_MOUNT_POINT
$mountPath = ($mountPath.Replace('\', '/')).TrimEnd('/')
$env:PATH = $env:PATH + ";$mountPath/Windows/System32;$mountPath/openvswitch/usr/bin;$mountPath/openvswitch/usr/sbin"
$OVSDriverDir="$mountPath\openvswitch\driver"
# Check if OVSExt driver is already installed
$driverStatus = netcfg -q ovsext
if ($driverStatus -like '*not installed*') {
# Install OVS Driver
netcfg -l $OVSDriverDir/ovsext.inf -c s -i OVSExt
}
# Configure OVS processes
$OVS_DB_SCHEMA_PATH = "$mountPath/openvswitch/usr/share/openvswitch/vswitch.ovsschema"
$OVS_DB_PATH = "C:\openvswitch\etc\openvswitch\conf.db"
if ($(Test-Path $OVS_DB_SCHEMA_PATH) -and !$(Test-Path $OVS_DB_PATH)) {
mkdir -force C:\openvswitch\etc\openvswitch\
ovsdb-tool create "$OVS_DB_PATH" "$OVS_DB_SCHEMA_PATH"
}
$OVS_RUN_PATH = "C:\openvswitch\var\run\openvswitch"
if (!$(Test-Path $OVS_RUN_PATH)) {
mkdir -force $OVS_RUN_PATH
}
ovsdb-server $OVS_DB_PATH -vfile:info --remote=punix:db.sock --log-file=/var/log/antrea/openvswitch/ovsdb-server.log --pidfile --detach
ovs-vsctl --no-wait init
# Set OVS version.
$OVS_VERSION=$(Get-Item $OVSDriverDir\OVSExt.sys).VersionInfo.ProductVersion
ovs-vsctl --no-wait set Open_vSwitch . ovs_version=$OVS_VERSION
ovs-vswitchd --log-file=/var/log/antrea/openvswitch/ovs-vswitchd.log --pidfile -vfile:info --detach
$SleepInterval = 30
Write-Host "Started the loop that checks OVS status every $SleepInterval seconds"
while ($true) {
if ( !( Get-Process ovsdb-server ) ) {
Write-Host "ovsdb-server is not running, starting it again..."
ovsdb-server $OVS_DB_PATH -vfile:info --remote=punix:db.sock --log-file=/var/log/antrea/openvswitch/ovsdb-server.log --pidfile --detach
}
if ( !( Get-Process ovs-vswitchd ) ) {
Write-Host "ovs-vswitchd is not running, starting it again..."
ovs-vswitchd --log-file=/var/log/antrea/openvswitch/ovs-vswitchd.log --pidfile -vfile:info --detach
}
Start-Sleep -Seconds $SleepInterval
}
VMSwitchExtension-AntreaAgent-Containerd.ps1: |
Param(
[parameter(Mandatory = $false)] [ValidateSet("enable", "disable")] [string] $VMSwitchExtension = "disable"
)
$networkName = "antrea-hnsnetwork"
$net=$(Get-HnsNetwork | Where-Object {$_.Name -eq $networkName})
if ($net -ne $null) {
switch ($VMSwitchExtension)
{
"enable" {
Enable-VMSwitchExtension -Name "Open vSwitch Extension" -VMSwitchName $networkName
}
"disable" {
Disable-VMSwitchExtension -Name "Open vSwitch Extension" -VMSwitchName $networkName
}
}
}
kind: ConfigMap
metadata:
labels:
app: antrea
name: antrea-agent-windows
namespace: kube-system
---
apiVersion: v1
data:
antrea-agent.conf: |
# FeatureGates is a map of feature names to bools that enable or disable experimental features.
featureGates:
# Enable antrea proxy which provides ServiceLB for in-cluster services in antrea agent.
# It should be enabled on Windows, otherwise NetworkPolicy will not take effect on
# Service traffic. Note that this feature gate is deprecated since this feature was
# promoted to GA in v1.14.
# AntreaProxy: true
# Enable NodePortLocal feature to make the Pods reachable externally through NodePort
# NodePortLocal: true
# Enable flowexporter which exports polled conntrack connections as IPFIX flow records from each agent to a configured collector.
# FlowExporter: false
# Name of the OpenVSwitch bridge antrea-agent will create and use.
# Make sure it doesn't conflict with your existing OpenVSwitch bridges.
#ovsBridge: br-int
# Name of the interface antrea-agent will create and use for host <--> pod communication.
# Make sure it doesn't conflict with your existing interfaces.
#hostGateway: antrea-gw0
# Encapsulation mode for communication between Pods across Nodes, supported values:
# - geneve (default)
# - vxlan
# - stt
#tunnelType: geneve
# TunnelPort is the destination port for UDP and TCP based tunnel protocols
# (Geneve, VXLAN, and STT). If zero, it will use the assigned IANA port for the
# protocol, i.e. 6081 for Geneve, 4789 for VXLAN, and 7471 for STT.
#tunnelPort: 0
# Default MTU to use for the host gateway interface and the network interface of each Pod.
# If omitted, antrea-agent will discover the MTU of the Node's primary interface and
# also adjust MTU to accommodate for tunnel encapsulation overhead.
#defaultMTU: 1450
# ClusterIP CIDR range for Services. It's required when AntreaProxy is not enabled, and should be
# set to the same value as the one specified by --service-cluster-ip-range for kube-apiserver. When
# AntreaProxy is enabled, this parameter is not needed and will be ignored if provided.
#serviceCIDR: 10.96.0.0/12
# The port for the antrea-agent APIServer to serve on.
#apiPort: 10350
# Enable metrics exposure via Prometheus. Initializes Prometheus metrics listener.
#enablePrometheusMetrics: true
# Provide the IPFIX collector address as a string with format <HOST>:[<PORT>][:<PROTO>].
# HOST can either be the DNS name, IP, or Service name of the Flow Collector. If
# using an IP, it can be either IPv4 or IPv6. However, IPv6 address should be
# wrapped with []. When the collector is running in-cluster as a Service, set
# <HOST> to <Service namespace>/<Service name>. For example,
# "flow-aggregator/flow-aggregator" can be provided to connect to the Antrea
# Flow Aggregator Service.
# If PORT is empty, we default to 4739, the standard IPFIX port.
# If no PROTO is given, we consider "tls" as default. We support "tls", "tcp" and
# "udp" protocols. "tls" is used for securing communication between flow exporter and
# flow aggregator.
#flowCollectorAddr: "flow-aggregator/flow-aggregator:4739:tls"
# Provide flow poll interval as a duration string. This determines how often the
# flow exporter dumps connections from the conntrack module. Flow poll interval
# should be greater than or equal to 1s (one second).
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#flowPollInterval: "5s"
# Provide the active flow export timeout, which is the timeout after which a flow
# record is sent to the collector for active flows. Thus, for flows with a continuous
# stream of packets, a flow record will be exported to the collector once the elapsed
# time since the last export event is equal to the value of this timeout.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#activeFlowExportTimeout: "30s"
# Provide the idle flow export timeout, which is the timeout after which a flow
# record is sent to the collector for idle flows. A flow is considered idle if no
# packet matching this flow has been observed since the last export event.
# Valid time units are "ns", "us" (or "µs"), "ms", "s", "m", "h".
#idleFlowExportTimeout: "15s"
# Enable TLS communication from flow exporter to flow aggregator.
#enableTLSToFlowAggregator: true
# Determines how traffic is encapsulated. It has the following options:
# encap(default): Inter-node Pod traffic is always encapsulated and Pod to external network
# traffic is SNAT'd.
# noEncap: Inter-node Pod traffic is not encapsulated; Pod to external network traffic is
# SNAT'd if noSNAT is not set to true. Underlying network must be capable of
# supporting Pod traffic across IP subnets.
# hybrid: noEncap if source and destination Nodes are on the same subnet, otherwise encap.
#
#trafficEncapMode: encap
# The name of the interface on Node which is used for tunneling or routing the traffic across Nodes.
# If there are multiple IP addresses configured on the interface, the first one is used. The IP
# address used for tunneling or routing traffic to remote Nodes is decided in the following order of
# preference (from highest to lowest):
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
#transportInterface:
# The network CIDRs of the interface on Node which is used for tunneling or routing the traffic across
# Nodes. If there are multiple interfaces configured the same network CIDR, the first one is used. The
# IP address used for tunneling or routing traffic to remote Nodes is decided in the following order of
# preference (from highest to lowest):
# 1. transportInterface
# 2. transportInterfaceCIDRs
# 3. The Node IP
#transportInterfaceCIDRs: [<IPv4 CIDR>,<IPv6 CIDR>]
# Provide the address of Kubernetes apiserver, to override any value provided in kubeconfig or InClusterConfig.
# Defaults to "". It must be a host string, a host:port pair, or a URL to the base of the apiserver.
#kubeAPIServerOverride: ""
# Option antreaProxy contains AntreaProxy related configuration options.
antreaProxy:
# To disable AntreaProxy, set this to false. It should be enabled on Windows, otherwise NetworkPolicy will
# not take effect on Service traffic.
enable: true
# ProxyAll tells antrea-agent to proxy ClusterIP Service traffic, regardless of where they come from.
# Therefore, running kube-proxy is no longer required. This requires the AntreaProxy feature to be enabled.
# Note that this option is experimental. If kube-proxy is removed, option kubeAPIServerOverride must be used to access
# apiserver directly.
proxyAll: true
# The value of the "service.kubernetes.io/service-proxy-name" label for AntreaProxy to match. If it is set,
# then AntreaProxy will only handle Services with the label that equals the provided value. If it is not set,
# then AntreaProxy will only handle Services without the "service.kubernetes.io/service-proxy-name" label,
# but ignore Services with the label no matter what is the value.
serviceProxyName: ""
nodePortLocal:
# Enable NodePortLocal, a feature used to make Pods reachable using port forwarding on the host. To
# enable this feature, you need to set "enable" to true, and ensure that the NodePortLocal feature
# gate is also enabled (which is the default).
# enable: false
# Provide the port range used by NodePortLocal. When the NodePortLocal feature is enabled, a port
# from that range will be assigned whenever a Pod's container defines a specific port to be exposed
# (each container can define a list of ports as pod.spec.containers[].ports), and all Node traffic
# directed to that port will be forwarded to the Pod.
# portRange: 40000-41000
antrea-cni.conflist: |
{
"cniVersion":"0.3.0",
"name": "antrea",
"plugins": [
{
"type": "antrea",
"ipam": {
"type": "host-local"
},
"capabilities": {"dns": true}
}
]
}
kind: ConfigMap
metadata:
labels:
app: antrea
name: antrea-windows-config
namespace: kube-system
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app: antrea
component: antrea-agent
name: antrea-agent-windows
namespace: kube-system
spec:
selector:
matchLabels:
app: antrea
component: antrea-agent
template:
metadata:
annotations:
checksum/agent-windows: bb43d8d5840ffd71ff946d44052fefc5bd88ca5ad58ac5048d85a5cf26a7ef13
checksum/windows-config: 6ff4f8bd0b310ebe4d4612bdd9697ffb3d79e0e0eab3936420417dd5a8fc128d
microsoft.com/hostprocess-inherit-user: "true"
labels:
app: antrea
component: antrea-agent
spec:
containers:
- args:
- -file
- $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/antrea-windows/Run-AntreaAgent-Containerd.ps1
command:
- powershell
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: NODE_NAME
valueFrom:
fieldRef:
fieldPath: spec.nodeName
image: antrea/antrea-windows:latest
imagePullPolicy: IfNotPresent
lifecycle:
postStart:
exec:
command:
- powershell
- -file
- $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/antrea-windows/VMSwitchExtension-AntreaAgent-Containerd.ps1
- -VMSwitchExtension
- enable
preStop:
exec:
command:
- powershell
- -file
- $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/antrea-windows/VMSwitchExtension-AntreaAgent-Containerd.ps1
- -VMSwitchExtension
- disable
name: antrea-agent
volumeMounts:
- mountPath: /etc/antrea
name: antrea-windows-config
- mountPath: /var/lib/antrea-windows
name: antrea-agent-windows
- mountPath: /var/log/antrea/
name: var-log-antrea
- args:
- -file
- $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/antrea-windows/Run-AntreaOVS-Containerd.ps1
command:
- powershell
image: antrea/antrea-windows:latest
imagePullPolicy: IfNotPresent
name: antrea-ovs
volumeMounts:
- mountPath: /var/lib/antrea-windows
name: antrea-agent-windows
- mountPath: /var/log/openvswitch
name: var-log-antrea
subPath: openvswitch
hostNetwork: true
initContainers:
- args:
- -file
- $env:CONTAINER_SANDBOX_MOUNT_POINT/var/lib/antrea-windows/Install-WindowsCNI-Containerd.ps1
command:
- powershell
image: antrea/antrea-windows:latest
imagePullPolicy: IfNotPresent
name: install-cni
volumeMounts:
- mountPath: /etc/antrea
name: antrea-windows-config
readOnly: true
- mountPath: /var/lib/antrea-windows
name: antrea-agent-windows
nodeSelector:
kubernetes.io/os: windows
priorityClassName: system-node-critical
securityContext:
windowsOptions:
hostProcess: true
runAsUserName: NT AUTHORITY\SYSTEM
serviceAccountName: antrea-agent
tolerations:
- key: CriticalAddonsOnly
operator: Exists
- effect: NoSchedule
operator: Exists
volumes:
- configMap:
name: antrea-windows-config
name: antrea-windows-config
- configMap:
defaultMode: 420
name: antrea-agent-windows
name: antrea-agent-windows
- hostPath:
path: /var/log/antrea/
type: DirectoryOrCreate
name: var-log-antrea
updateStrategy:
type: RollingUpdate