Update calico versions & flannel install sidecar

Signed-off-by: Abhinav Dahiya <[email protected]>

Author: Abhinav Dahiya

cmd/bootkube/render.go

@@ -56,7 +56,6 @@ var (
 	}
 
 	imageVersions = asset.DefaultImages
-	cniRelease    = asset.DefaultCNIRelease
 )
 
 func init() {
@@ -245,7 +244,6 @@ func flagsToAssetConfig() (c *asset.Config, err error) {
 		SelfHostedEtcd:      renderOpts.selfHostedEtcd,
 		CalicoNetworkPolicy: renderOpts.calicoNetworkPolicy,
 		Images:              imageVersions,
-		CNIRelease:          cniRelease,
 	}, nil
 }
 

e2e/network_test.go

@@ -70,40 +70,47 @@ func TestNetwork(t *testing.T) {
 	}
 
 	t.Run("DefaultDeny", HelperDefaultDeny)
-
-	resetNetworkPolicy := func() {
-		n, err := client.CoreV1().Namespaces().Get(namespace, metav1.GetOptions{})
-		if err != nil {
-			t.Fatalf("unable to retrieve namespace %v", err)
-		}
-
-		n.ObjectMeta.Annotations = map[string]string{}
-		n.ObjectMeta.Annotations["net.beta.kubernetes.io/network-policy"] = defaultAllowNetworkPolicy
-		_, err = client.CoreV1().Namespaces().Update(n)
-		if err != nil {
-			t.Fatalf("unable to reset namespace network policy%v", err)
-		}
-	}
-	defer resetNetworkPolicy()
-
 	t.Run("NetworkPolicy", HelperPolicy)
 }
 
 func HelperDefaultDeny(t *testing.T) {
 	//
 	// 3. set DefaultDeny policy
-	var n *v1.Namespace
-	n, err := client.CoreV1().Namespaces().Get(namespace, metav1.GetOptions{})
+	npi, _, err := api.Codecs.UniversalDecoder().Decode(defaultDenyNetworkPolicy, nil, &v1beta1.NetworkPolicy{})
 	if err != nil {
-		t.Fatalf("unable to retrieve namespace %v", err)
+		t.Fatalf("unable to decode network policy manifest: %v", err)
 	}
 
-	n.ObjectMeta.Annotations = map[string]string{}
-	n.ObjectMeta.Annotations["net.beta.kubernetes.io/network-policy"] = defaultDenyNetworkPolicy
-	_, err = client.CoreV1().Namespaces().Update(n)
-	if err != nil {
-		t.Fatalf("unable to set namespace network policy defaultdeny%v", err)
+	np, ok := npi.(*v1beta1.NetworkPolicy)
+	if !ok {
+		t.Fatalf("expected manifest to decode into *api.networkpolicy, got %T", npi)
+	}
+
+	httpRestClient := client.ExtensionsV1beta1().RESTClient()
+	uri := fmt.Sprintf("/apis/%s/%s/namespaces/%s/%s",
+		strings.ToLower("extensions"),
+		strings.ToLower("v1beta1"),
+		strings.ToLower(namespace),
+		strings.ToLower("NetworkPolicies"))
+
+	result := httpRestClient.Post().RequestURI(uri).Body(np).Do()
+	if result.Error() != nil {
+		t.Fatal(result.Error())
 	}
+	defer func() {
+		uri = fmt.Sprintf("/apis/%s/%s/namespaces/%s/%s/%s",
+			strings.ToLower("extensions"),
+			strings.ToLower("v1beta1"),
+			strings.ToLower(namespace),
+			strings.ToLower("NetworkPolicies"),
+			strings.ToLower(np.ObjectMeta.Name))
+
+		result = httpRestClient.Delete().RequestURI(uri).Do()
+		if result.Error() != nil {
+			t.Fatal(result.Error())
+		}
+
+	}()
 
 	//
 	// 4. create a wget pod that fails to hit nginx service
@@ -276,8 +283,13 @@ spec:
       targetPort: 80
 `)
 
-var defaultDenyNetworkPolicy = `{"ingress":{"isolation":"DefaultDeny"}}`
-var defaultAllowNetworkPolicy = `{"ingress":{"isolation":""}}`
+var defaultDenyNetworkPolicy = []byte(`kind: NetworkPolicy                                                      
+apiVersion: extensions/v1beta1
+metadata:
+  name: default-deny
+spec:
+  podSelector:
+`)
 
 var netPolicy = []byte(`kind: NetworkPolicy                                                      
 apiVersion: extensions/v1beta1

pkg/asset/asset.go

@@ -105,15 +105,14 @@ type Config struct {
 	CloudProvider          string
 	BootstrapSecretsSubdir string
 	Images                 ImageVersions
-	CNIRelease             string
 }
 
 // ImageVersions holds all the images (and their versions) that are rendered into the templates.
 type ImageVersions struct {
-	Alpine          string
 	Etcd            string
 	EtcdOperator    string
 	Flannel         string
+	FlannelCNI      string
 	Calico          string
 	CalicoCNI       string
 	Hyperkube       string

pkg/asset/images.go

@@ -5,15 +5,13 @@ var DefaultImages = ImageVersions{
 	Etcd:            "quay.io/coreos/etcd:v3.1.8",
 	EtcdOperator:    "quay.io/coreos/etcd-operator:v0.3.2",
 	Flannel:         "quay.io/coreos/flannel:v0.7.1-amd64",
-	Calico:          "quay.io/calico/node:v1.2.1",
-	CalicoCNI:       "quay.io/calico/cni:v1.8.3",
+	FlannelCNI:      "quay.io/coreos/flannel-cni:0.1.0",
+	Calico:          "quay.io/calico/node:v1.3.0",
+	CalicoCNI:       "quay.io/calico/cni:v1.9.1-4-g23fcd5f",
 	Hyperkube:       "quay.io/coreos/hyperkube:v1.6.4_coreos.0",
 	Kenc:            "quay.io/coreos/kenc:8f6e2e885f790030fbbb0496ea2a2d8830e58b8f",
 	KubeDNS:         "gcr.io/google_containers/k8s-dns-kube-dns-amd64:1.14.1",
 	KubeDNSMasq:     "gcr.io/google_containers/k8s-dns-dnsmasq-nanny-amd64:1.14.1",
 	KubeDNSSidecar:  "gcr.io/google_containers/k8s-dns-sidecar-amd64:1.14.1",
 	PodCheckpointer: "quay.io/coreos/pod-checkpointer:4e7a7dab10bc4d895b66c21656291c6e0b017248",
 }
-
-// DefaultCNIRelease is the default version of cni release
-var DefaultCNIRelease = "0799f5732f2a11b329d9e3d51b9c8f2e3759f2ff"

pkg/asset/internal/templates.go

@@ -1091,38 +1091,19 @@ spec:
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
       - name: install-cni
-        image: {{ .Images.Alpine }}
-        command: 
-          - '/bin/sh'
-          - '-c'
-          - >
-            set -e -x;
-            ARCH=${ARCH:-amd64};
-            CNI_RELEASE=${CNI_RELEASE:-{{ .CNIRelease }}};
-            TMP=/etc/cni/net.d/.tmp-flannel-cfg;
-            cp /etc/kube-flannel/cni-conf.json ${TMP};
-            mv ${TMP} /etc/cni/net.d/10-flannel.conf;
-
-            apk add --update ca-certificates openssl && update-ca-certificates;
-            OPT_CNI=/opt/cni;
-            mkdir -p ${OPT_CNI};
-            wget -qO- https://storage.googleapis.com/kubernetes-release/network-plugins/cni-${ARCH}-${CNI_RELEASE}.tar.gz | tar -xz -C ${OPT_CNI};
-
-            if [ -w "/host/opt/cni/bin/" ]; then
-              cp /opt/cni/bin/* /host/opt/cni/bin/;
-              echo "Wrote CNI binaries to /host/opt/cni/bin/";
-            fi;
-
-            while :; do sleep 3600; done;
+        image: {{ .Images.FlannelCNI }}
+        command: ["/install-cni.sh"]
+        env:
+        - name: CNI_NETWORK_CONFIG
+          valueFrom:
+            configMapKeyRef:
+              name: kube-flannel-cfg
+              key: cni-conf.json
         volumeMounts:
         - name: cni
-          mountPath: /etc/cni/net.d
-        - name: flannel-cfg
-          mountPath: /etc/kube-flannel/
+          mountPath: /host/etc/cni/net.d
         - name: host-cni-bin
           mountPath: /host/opt/cni/bin/
-        - name: ssl-certs
-          mountPath: /etc/ssl/certs
       hostNetwork: true
       tolerations:
       - key: node-role.kubernetes.io/master
@@ -1141,9 +1122,6 @@ spec:
         - name: host-cni-bin
           hostPath:
             path: /opt/cni/bin
-        - name: ssl-certs
-          hostPath:
-            path: /etc/ssl/certs
   updateStrategy:
     rollingUpdate:
       maxUnavailable: 1
@@ -1160,7 +1138,7 @@ data:
   cni_network_config: |-
     {
         "name": "k8s-pod-network",
-        "cniVersion": "0.1.0",
+        "cniVersion": "0.3.0",
         "type": "calico",
         "log_level": "debug",
         "datastore_type": "kubernetes",
@@ -1260,6 +1238,8 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: spec.nodeName
+            - name: SKIP_CNI_BINARIES
+              value: bridge,cnitool,dhcp,flannel,host-local,ipvlan,loopback,macvlan,noop,portmap,ptp,tuning
           volumeMounts:
             - mountPath: /host/opt/cni/bin
               name: cni-bin-dir
@@ -1278,14 +1258,18 @@ spec:
         - name: cni-net-dir
           hostPath:
             path: /etc/kubernetes/cni/net.d
-  `)
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 1
+    type: RollingUpdate
+`)
 
 var KubeCalicoServiceAccountTemplate = []byte(`apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: kube-calico
   namespace: kube-system
-  `)
+`)
 
 var KubeCalicoRoleTemplate = []byte(`apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -1354,7 +1338,14 @@ rules:
       - list
       - update
       - watch
-  `)
+  - apiGroups: ["alpha.projectcalico.org"]
+    resources:
+      - systemnetworkpolicies
+    verbs:
+      - get
+      - list
+      - watch
+`)
 
 var KubeCalicoRoleBindingTemplate = []byte(`apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding