AliyunContainerService-terway
/
terway-multiip.yml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: terway
  namespace: kube-system

---

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: terway-pod-reader
  namespace: kube-system
rules:
- apiGroups: [""]
  resources: ["pods", "nodes", "namespaces", "configmaps", "serviceaccounts"]
  verbs: ["get", "watch", "list", "update"]
- apiGroups: ["networking.k8s.io"]
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups: ["extensions"]
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups: [""]
  resources:
  - pods/status
  verbs:
  - update
- apiGroups: ["crd.projectcalico.org"]
  resources: ["*"]
  verbs: ["*"]

---

apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRoleBinding
metadata:
  name: terway-binding
  namespace: kube-system
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: terway-pod-reader
subjects:
- kind: ServiceAccount
  name: terway
  namespace: kube-system

---

kind: ConfigMap
apiVersion: v1
metadata:
  name: eni-config
  namespace: kube-system
data:
  eni_conf: |
    {
      "version": "1",
      "access_key": "ak",
      "access_secret": "ak",
      "security_group": "sg-xxx",
      "service_cidr": "10.96.0.0/12",
      "vswitches": {
        "cn-hongkong-b": ["vsw-xxx"]
      },
      "max_pool_size": 5,
      "min_pool_size": 0
    }
  10-terway.conf: |
    {
      "cniVersion": "0.3.0",
      "name": "terway",
      "type": "terway",
      "eniip_virtual_type": "Veth"
    }
  # eniip_virtual_type: virtual type for eni multi ip "Veth" || "IPVlan"

---

apiVersion: extensions/v1beta1
kind: DaemonSet
metadata:
  name: terway
  namespace: kube-system
spec:
  template:
    metadata:
      labels:
        app: terway
      annotations:
        scheduler.alpha.kubernetes.io/critical-pod: ''
    spec:
      hostPID: true
      nodeSelector:
        beta.kubernetes.io/arch: amd64
      tolerations:
      - operator: "Exists"
      terminationGracePeriodSeconds: 0
      serviceAccountName: terway
      hostNetwork: true
      initContainers:
      - name: terway-init
        image: registry.aliyuncs.com/acs/terway:v1.0.10.44-gc77da45-aliyun
        imagePullPolicy: Always
        securityContext:
          privileged: true
        command:
        - 'sh'
        - '-c'
        - 'cp /usr/bin/terway /opt/cni/bin/;
                  chmod +x /opt/cni/bin/terway;
                  cp /etc/eni/10-terway.conf /etc/cni/net.d/;
                  modprobe sch_htb || true;
                  chroot /host sh -c "systemctl disable eni.service; rm -f /etc/udev/rules.d/75-persistent-net-generator.rules /lib/udev/rules.d/60-net.rules /lib/udev/rules.d/61-eni.rules /lib/udev/write_net_rules && udevadm control --reload-rules && udevadm trigger; true"'
        volumeMounts:
        - name: configvolume
          mountPath: /etc/eni
        - name: cni-bin
          mountPath: /opt/cni/bin/
        - name: cni
          mountPath: /etc/cni/net.d/
        - mountPath: /lib/modules
          name: lib-modules
        - mountPath: /host
          name: host-root
      containers:
      - name: terway
        image: registry.aliyuncs.com/acs/terway:v1.0.10.44-gc77da45-aliyun
        imagePullPolicy: Always
        command: ['/usr/bin/terwayd', '-log-level', 'debug', '-daemon-mode', 'ENIMultiIP']
        securityContext:
          privileged: true
        env:
        - name: NODE_NAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        volumeMounts:
        - name: configvolume
          mountPath: /etc/eni
        - mountPath: /var/run/
          name: eni-run
        - mountPath: /opt/cni/bin/
          name: cni-bin
        - mountPath: /lib/modules
          name: lib-modules
        - mountPath: /var/lib/cni/networks
          name: cni-networks
        - mountPath: /var/lib/cni/terway
          name: cni-terway
        - mountPath: /var/lib/kubelet/device-plugins
          name: device-plugin-path
      - name: policy
        image: registry.aliyuncs.com/acs/terway:v1.0.10.44-gc77da45-aliyun
        imagePullPolicy: Always
        command: ["/bin/policyinit.sh"]
        env:
        - name: NODENAME
          valueFrom:
            fieldRef:
              fieldPath: spec.nodeName
        securityContext:
          privileged: true
        resources:
          requests:
            cpu: 250m
        livenessProbe:
          tcpSocket:
            port: 9099
            host: localhost
          periodSeconds: 10
          initialDelaySeconds: 10
          failureThreshold: 6
        readinessProbe:
          tcpSocket:
            port: 9099
            host: localhost
          periodSeconds: 10
        volumeMounts:
        - mountPath: /lib/modules
          name: lib-modules
      volumes:
      - name: configvolume
        configMap:
          name: eni-config
          items:
          - key: eni_conf
            path: eni.json
          - key: 10-terway.conf
            path: 10-terway.conf
      - name: cni-bin
        hostPath:
          path: /opt/cni/bin
          type: "Directory"
      - name: cni
        hostPath:
          path: /etc/cni/net.d
      - name: eni-run
        hostPath:
          path: /var/run/
          type: "Directory"
      - name: lib-modules
        hostPath:
          path: /lib/modules
      - name: cni-networks
        hostPath:
          path: /var/lib/cni/networks
      - name: cni-terway
        hostPath:
          path: /var/lib/cni/terway
      - name: device-plugin-path
        hostPath:
          path: /var/lib/kubelet/device-plugins
          type: "Directory"
      - name: host-root
        hostPath:
          path: /
          type: "Directory"


---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: felixconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: FelixConfiguration
    plural: felixconfigurations
    singular: felixconfiguration

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: bgpconfigurations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: BGPConfiguration
    plural: bgpconfigurations
    singular: bgpconfiguration

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ippools.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: IPPool
    plural: ippools
    singular: ippool

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: hostendpoints.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: HostEndpoint
    plural: hostendpoints
    singular: hostendpoint

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: clusterinformations.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: ClusterInformation
    plural: clusterinformations
    singular: clusterinformation

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkPolicy
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: globalnetworksets.crd.projectcalico.org
spec:
  scope: Cluster
  group: crd.projectcalico.org
  version: v1
  names:
    kind: GlobalNetworkSet
    plural: globalnetworksets
    singular: globalnetworkset

---

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: networkpolicies.crd.projectcalico.org
spec:
  scope: Namespaced
  group: crd.projectcalico.org
  version: v1
  names:
    kind: NetworkPolicy
    plural: networkpolicies
    singular: networkpolicy