apiVersion: v1 kind: ServiceAccount metadata: name: terway namespace: kube-system --- kind: ClusterRole apiVersion: rbac.authorization.k8s.io/v1 metadata: name: terway-pod-reader namespace: kube-system rules: - apiGroups: [""] resources: ["services","pods", "nodes", "namespaces", "configmaps", "serviceaccounts"] verbs: ["get", "watch", "list", "update"] - apiGroups: [""] resources: - events verbs: - create - apiGroups: ["networking.k8s.io"] resources: - networkpolicies verbs: - get - list - watch - apiGroups: ["extensions"] resources: - networkpolicies verbs: - get - list - watch - apiGroups: [ "discovery.k8s.io" ] resources: - endpointslices verbs: - get - list - watch - apiGroups: [""] resources: - pods/status verbs: - update - apiGroups: ["crd.projectcalico.org"] resources: ["*"] verbs: ["*"] --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding metadata: name: terway-binding namespace: kube-system roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole name: terway-pod-reader subjects: - kind: ServiceAccount name: terway namespace: kube-system --- kind: ConfigMap apiVersion: v1 metadata: name: eni-config namespace: kube-system data: eni_conf: | { "version": "1", "access_key": "_ACCESS_KEY_", "access_secret": "_ACCESS_SECRET_", "vswitches": {"cn-chengdu-a":["vsw-2vc7n0egql7ftorh06dbt"]}, "service_cidr": "172.21.0.0/24", "security_group": "sg-2vcbfz8ijj5cyzrosq6v", "max_pool_size": 5, "min_pool_size": 0 } 10-terway.conf: | { "cniVersion": "0.4.0", "name": "terway", "type": "terway", "capabilities": {"bandwidth": true}, "host_stack_cidrs": ["169.254.20.10/32"] } in_cluster_loadbalance: "true" disable_network_policy: "false" --- apiVersion: apps/v1 kind: DaemonSet metadata: name: terway namespace: kube-system spec: selector: matchLabels: app: terway template: metadata: labels: app: terway annotations: priorityClassName: '' spec: hostPID: true nodeSelector: kubernetes.io/arch: amd64 tolerations: - operator: "Exists" terminationGracePeriodSeconds: 0 serviceAccountName: terway hostNetwork: true initContainers: - name: terway-init image: registry-cn-chengdu-vpc.ack.aliyuncs.com/acs/terway:v1.5.6 imagePullPolicy: IfNotPresent securityContext: privileged: true command: ['sh', '-c', 'cp /usr/bin/terway /opt/cni/bin/; chmod +x /opt/cni/bin/terway; cp /etc/eni/10-terway.conf /etc/cni/net.d/; modprobe sch_htb || true'] volumeMounts: - name: configvolume mountPath: /etc/eni - name: cni-bin mountPath: /opt/cni/bin/ - name: cni mountPath: /etc/cni/net.d/ - mountPath: /lib/modules name: lib-modules containers: - name: terway image: registry-cn-chengdu-vpc.ack.aliyuncs.com/acs/terway:v1.5.6 imagePullPolicy: IfNotPresent securityContext: privileged: true env: - name: NODE_NAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: POD_NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: configvolume mountPath: /etc/eni - mountPath: /var/run/ name: eni-run - mountPath: /opt/cni/bin/ name: cni-bin - mountPath: /lib/modules name: lib-modules - mountPath: /var/lib/cni/networks name: cni-networks - mountPath: /var/lib/cni/terway name: cni-terway - mountPath: /var/lib/kubelet/device-plugins name: device-plugin-path - name: policy image: registry-cn-chengdu-vpc.ack.aliyuncs.com/acs/terway:v1.5.6 command: ["/bin/policyinit.sh"] imagePullPolicy: IfNotPresent env: - name: NODENAME valueFrom: fieldRef: fieldPath: spec.nodeName - name: DISABLE_POLICY valueFrom: configMapKeyRef: name: eni-config key: disable_network_policy optional: true securityContext: privileged: true resources: requests: cpu: 250m livenessProbe: tcpSocket: port: 9099 host: 127.0.0.1 periodSeconds: 10 initialDelaySeconds: 10 failureThreshold: 6 volumeMounts: - mountPath: /lib/modules name: lib-modules volumes: - name: configvolume configMap: name: eni-config items: - key: eni_conf path: eni.json - key: 10-terway.conf path: 10-terway.conf - name: cni-bin hostPath: path: /opt/cni/bin type: "Directory" - name: cni hostPath: path: /etc/cni/net.d - name: eni-run hostPath: path: /var/run/ type: "Directory" - name: lib-modules hostPath: path: /lib/modules - name: cni-networks hostPath: path: /var/lib/cni/networks - name: cni-terway hostPath: path: /var/lib/cni/terway - name: device-plugin-path hostPath: path: /var/lib/kubelet/device-plugins type: "Directory" --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: felixconfigurations.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: FelixConfiguration plural: felixconfigurations singular: felixconfiguration --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: bgpconfigurations.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: BGPConfiguration plural: bgpconfigurations singular: bgpconfiguration --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: ippools.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: IPPool plural: ippools singular: ippool --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: hostendpoints.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: HostEndpoint plural: hostendpoints singular: hostendpoint --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: clusterinformations.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: ClusterInformation plural: clusterinformations singular: clusterinformation --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: globalnetworkpolicies.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: GlobalNetworkPolicy plural: globalnetworkpolicies singular: globalnetworkpolicy --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: globalnetworksets.crd.projectcalico.org spec: scope: Cluster group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: GlobalNetworkSet plural: globalnetworksets singular: globalnetworkset --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: name: networkpolicies.crd.projectcalico.org spec: scope: Namespaced group: crd.projectcalico.org versions: - name: v1 served: true storage: true schema: openAPIV3Schema: type: object properties: host: type: string port: type: string names: kind: NetworkPolicy plural: networkpolicies singular: networkpolicy