easzlab · gjmzj · Jul 24, 2019 · Jul 23, 2019
diff --git a/docs/setup/network-plugin/kube-ovn.md b/docs/setup/network-plugin/kube-ovn.md
@@ -14,6 +14,9 @@ kube-ovn 提供了针对企业应用场景下容器网络实用功能，并为
 - 3.动态QoS;
 - 4.分布式和集中式网关;
 - 5.内嵌 LoadBalancer;
+- 6.Pod IP对外直接暴露
+- 7.流量镜像
+- 8.IPv6
 
 ### kubeasz 集成安装 kube-ovn
 
@@ -31,8 +34,10 @@ roles/kube-ovn
 ├── tasks
 │   └── main.yml		# 安装执行文件
 └── templates
+    ├── crd.yaml.j2	        # crd 模板
     ├── kube-ovn.yaml.j2	# kube-ovn yaml 模板
-    └── ovn.yaml.j2		# ovn yaml 模板
+    └── ovn.yaml.j2		    # ovn yaml 模板
+
 ```
 
 安装成功后，可以验证所有 k8s 集群功能正常，查看集群的 pod 网络如下：
@@ -63,7 +68,7 @@ kube-system   metrics-server-6c898b5b8b-zvct2         1/1     Running   0
 
 ### 测试 namespace 子网分配
 
-新建一个 namespace 测试分配一个新的 pod 子网
+新建一个 subnet 并绑定 namespace 测试分配一个新的 pod 子网
 
 ```
 # 创建一个 namespace: test-ns
@@ -72,14 +77,28 @@ apiVersion: v1
 kind: Namespace
 metadata:
   annotations:
-    ovn.kubernetes.io/cidr: 10.17.0.0/24
-    ovn.kubernetes.io/gateway: 10.17.0.1
-    ovn.kubernetes.io/logical_switch: test-ns-subnet
-    ovn.kubernetes.io/exclude_ips: "10.17.0.1..10.17.0.10"
   name: test-ns
 EOF
 $ kubectl apply -f test-ns.yaml
 
+# 创建一个 subnet: test-subnet 并绑定 namespace test-ns
+$ cat > test-subnet.yaml << EOF
+apiVersion: kubeovn.io/v1
+kind: Subnet
+metadata:
+  name: test-subnet
+spec:
+  protocol: IPv4
+  default: false
+  namespaces:
+  - test-ns
+  cidrBlock: 10.17.0.0/24
+  gateway: 10.17.0.1
+  excludeIps:
+  - 10.17.0.1..10.17.0.10
+EOF
+$ kubectl apply -f test-subnet.yaml
+
 # 在 test-ns 中创建 nginx 部署
 $ kubectl run -n test-ns nginx --image=nginx --replicas=2 --port=80 --expose
 

diff --git a/roles/kube-ovn/defaults/main.yml b/roles/kube-ovn/defaults/main.yml
@@ -2,4 +2,4 @@
 OVN_DB_NODE: "{{ groups['kube-master'][0] }}"
 
 # 离线镜像tar包
-kube_ovn_offline: "kube_ovn_0.4.0.tar"
+kube_ovn_offline: "kube_ovn_0.6.0.tar"
diff --git a/roles/kube-ovn/tasks/main.yml b/roles/kube-ovn/tasks/main.yml
@@ -5,6 +5,9 @@
   - /opt/kube/images
   - /opt/kube/kube-ovn
 
+- name: 配置 crd.yaml 文件
+  template: src=crd.yaml.j2 dest=/opt/kube/kube-ovn/crd.yaml
+
 - name: 配置 kube-ovn.yaml 文件
   template: src=kube-ovn.yaml.j2 dest=/opt/kube/kube-ovn/kube-ovn.yaml
 
@@ -51,6 +54,7 @@
 # 只需单节点执行一次
 - name: 运行 kube-ovn网络
   shell: "{{ bin_dir }}/kubectl label node {{ OVN_DB_NODE }} kube-ovn/role=master --overwrite && \
+    {{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/crd.yaml && sleep 5 && \
 	{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/ovn.yaml && sleep 5 && \
 	{{ bin_dir }}/kubectl apply -f /opt/kube/kube-ovn/kube-ovn.yaml"
   run_once: true

diff --git a/roles/kube-ovn/templates/crd.yaml.j2 b/roles/kube-ovn/templates/crd.yaml.j2
@@ -0,0 +1,52 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: ips.kubeovn.io
+spec:
+  group: kubeovn.io
+  version: v1
+  scope: Cluster
+  names:
+    plural: ips
+    singular: ip
+    kind: IP
+    shortNames:
+      - ip
+---
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: subnets.kubeovn.io
+spec:
+  group: kubeovn.io
+  version: v1
+  scope: Cluster
+  names:
+    plural: subnets
+    singular: subnet
+    kind: Subnet
+    shortNames:
+      - subnet
+  additionalPrinterColumns:
+    - name: Protocol
+      type: string
+      JSONPath: .spec.protocol
+    - name: CIDR
+      type: string
+      JSONPath: .spec.cidrBlock
+    - name: Private
+      type: boolean
+      JSONPath: .spec.private
+    - name: NAT
+      type: boolean
+      JSONPath: .spec.natOutgoing
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          required: ["cidrBlock","gateway"]
+          properties:
+            cidrBlock:
+              type: "string"
+            gateway:
+              type: "string"
diff --git a/roles/kube-ovn/templates/kube-ovn.yaml.j2 b/roles/kube-ovn/templates/kube-ovn.yaml.j2
@@ -8,7 +8,7 @@ metadata:
     kubernetes.io/description: |
       kube-ovn controller
 spec:
-  replicas: 2
+  replicas: 1
   selector:
     matchLabels:
       app: kube-ovn-controller
@@ -38,12 +38,13 @@ spec:
       hostNetwork: true
       containers:
         - name: kube-ovn-controller
-          image: "index.alauda.cn/alaudak8s/kube-ovn-controller:v0.4.0"
+          image: "index.alauda.cn/alaudak8s/kube-ovn-controller:v0.6.0"
           imagePullPolicy: IfNotPresent
           command:
           - /kube-ovn/start-controller.sh
           args:
           - --default-cidr=10.16.0.0/16
+          - --default-gateway=10.16.0.1
           - --node-switch-cidr=100.64.0.0/16
           env:
             - name: POD_NAME
@@ -54,6 +55,30 @@ spec:
               valueFrom:
                 fieldRef:
                   fieldPath: metadata.namespace
+            - name: KUBE_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          readinessProbe:
+            exec:
+              command:
+                - nc
+                - -z
+                - -w3
+                - 127.0.0.1
+                - "10660"
+            periodSeconds: 3
+          livenessProbe:
+            exec:
+              command:
+                - nc
+                - -z
+                - -w3
+                - 127.0.0.1
+                - "10660"
+            initialDelaySeconds: 30
+            periodSeconds: 7
+            failureThreshold: 5
       nodeSelector:
         beta.kubernetes.io/os: "linux"
 
@@ -87,7 +112,7 @@ spec:
       hostPID: true
       initContainers:
       - name: install-cni
-        image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.4.0"
+        image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.6.0"
         imagePullPolicy: IfNotPresent
         command: ["/kube-ovn/install-cni.sh"]
         volumeMounts:
@@ -97,8 +122,13 @@ spec:
             name: cni-bin
       containers:
       - name: cni-server
-        image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.4.0"
+        image: "index.alauda.cn/alaudak8s/kube-ovn-cni:v0.6.0"
         imagePullPolicy: IfNotPresent
+        command:
+          - sh
+          - /kube-ovn/start-cniserver.sh
+        args:
+          - --enable-mirror=false
         securityContext:
           runAsUser: 0
           privileged: true
@@ -114,6 +144,26 @@ spec:
         volumeMounts:
           - mountPath: /run/openvswitch
             name: host-run-ovs
+        readinessProbe:
+          exec:
+            command:
+              - nc
+              - -z
+              - -w3
+              - 127.0.0.1
+              - "10665"
+          periodSeconds: 3
+        livenessProbe:
+          exec:
+            command:
+              - nc
+              - -z
+              - -w3
+              - 127.0.0.1
+              - "10665"
+          initialDelaySeconds: 30
+          periodSeconds: 7
+          failureThreshold: 5
       nodeSelector:
         beta.kubernetes.io/os: "linux"
       volumes:

diff --git a/roles/kube-ovn/templates/ovn.yaml.j2 b/roles/kube-ovn/templates/ovn.yaml.j2
@@ -23,24 +23,36 @@ kind: ClusterRole
 metadata:
   annotations:
     rbac.authorization.k8s.io/system-only: "true"
-  name: system:ovn-reader
+  name: system:ovn
 rules:
+  - apiGroups:
+      - "kubeovn.io"
+    resources:
+      - subnets
+      - ips
+    verbs:
+      - "*"
   - apiGroups:
       - ""
-      - extensions
     resources:
       - pods
       - namespaces
-      - networkpolicies
       - nodes
+      - configmaps
     verbs:
+      - create
       - get
       - list
       - watch
+      - patch
+      - update
   - apiGroups:
+      - ""
       - networking.k8s.io
     resources:
       - networkpolicies
+      - services
+      - endpoints
     verbs:
       - get
       - list
@@ -58,37 +70,9 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: ovn-cluster-reader
-roleRef:
-  name: cluster-reader
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: ovn
-    namespace: kube-ovn
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: ovn-reader
-roleRef:
-  name: system:ovn-reader
-  kind: ClusterRole
-  apiGroup: rbac.authorization.k8s.io
-subjects:
-  - kind: ServiceAccount
-    name: ovn
-    namespace: kube-ovn
-
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cluster-admin-0
+  name: ovn
 roleRef:
-  name: cluster-admin
+  name: system:ovn
   kind: ClusterRole
   apiGroup: rbac.authorization.k8s.io
 subjects:
@@ -170,7 +154,7 @@ spec:
       hostNetwork: true
       containers:
         - name: ovn-central
-          image: "index.alauda.cn/alaudak8s/kube-ovn-db:v0.4.0"
+          image: "index.alauda.cn/alaudak8s/kube-ovn-db:v0.6.0"
           imagePullPolicy: IfNotPresent
           env:
             - name: POD_IP
@@ -257,7 +241,7 @@ spec:
       hostPID: true
       containers:
         - name: openvswitch
-          image: "index.alauda.cn/alaudak8s/kube-ovn-node:v0.4.0"
+          image: "index.alauda.cn/alaudak8s/kube-ovn-node:v0.6.0"
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsUser: 0