diff --git a/cmd/kops/create_cluster.go b/cmd/kops/create_cluster.go index 6a5108790d..38437b5c63 100644 --- a/cmd/kops/create_cluster.go +++ b/cmd/kops/create_cluster.go @@ -231,9 +231,9 @@ var ( --master-zones $ZONES \ --node-count 3 \ --yes - - # Generate a cluster spec to apply later. - # Run the following, then: kops create -f filename.yamlh + + # Generate a cluster spec to apply later. + # Run the following, then: kops create -f filename.yamlh kops create cluster --name=kubernetes-cluster.example.com \ --state=s3://kops-state-1234 \ --zones=eu-west-1a \ @@ -1293,6 +1293,9 @@ func RunCreateCluster(f *util.Factory, out io.Writer, c *CreateClusterOptions) e return err } fullGroup.AddInstanceGroupNodeLabel() + if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE { + fullGroup.Spec.NodeLabels["cloud.google.com/metadata-proxy-ready"] = "true" + } fullInstanceGroups = append(fullInstanceGroups, fullGroup) } diff --git a/cmd/kops/create_ig.go b/cmd/kops/create_ig.go index d73e6c9674..4a9ab179d1 100644 --- a/cmd/kops/create_ig.go +++ b/cmd/kops/create_ig.go @@ -163,6 +163,10 @@ func RunCreateInstanceGroup(f *util.Factory, cmd *cobra.Command, args []string, } ig.AddInstanceGroupNodeLabel() + if api.CloudProviderID(cluster.Spec.CloudProvider) == api.CloudProviderGCE { + fmt.Println("detected a GCE cluster; labeling nodes to receive metadata-proxy.") + ig.Spec.NodeLabels["cloud.google.com/metadata-proxy-ready"] = "true" + } if options.DryRun { diff --git a/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/addon.yaml b/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/addon.yaml deleted file mode 100644 index 47971aff6c..0000000000 --- a/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/addon.yaml +++ /dev/null 
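Review bot: `fullGroup.Spec.NodeLabels["cloud.google.com/metadata-proxy-ready"] = "true"` writes into the map straight after `fullGroup.AddInstanceGroupNodeLabel()`, which is only safe if that helper always allocates `Spec.NodeLabels`; the helper is not visible in this hunk, so either confirm it or guard the write with `if fullGroup.Spec.NodeLabels == nil { fullGroup.Spec.NodeLabels = map[string]string{} }`. The same literal and the same `api.CloudProviderID(...) == api.CloudProviderGCE` check are repeated in the create_ig.go hunk, and the bootstrapchannelbuilder comment says the DaemonSet keys on this exact label, so an exported constant (next to CloudProviderGCE, say) plus one helper on InstanceGroup would keep the three call sites in step. Note that the label is only applied when an instance group is created, so instance groups that already exist in a GCE cluster stay unlabeled and, if the DaemonSet selects on it, stay unproxied; that deserves at least a release note or a migration step. RunCreateCluster starts and ends outside the hunk.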
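Review bot: `fmt.Println("detected a GCE cluster; labeling nodes to receive metadata-proxy.")` goes to stdout, and the `if options.DryRun {` branch right after it is presumably where `kops create ig --dry-run -o yaml` renders the instance group, so a user piping that output into `kops create -f` would get a document with a stray first line. Send it to stderr or the logger, e.g. `fmt.Fprintln(os.Stderr, "detected a GCE cluster; labeling nodes to receive metadata-proxy.")`, or drop it, since the create_cluster.go hunk applies the same label without announcing it. Whether `cluster` is in scope at this point is not visible here; RunCreateInstanceGroup starts and ends outside the hunk.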
@@ -1,10 +0,0 @@ -kind: Addons -metadata: - name: metadata-concealment -spec: - addons: - - version: 0.1 - selector: - k8s-addon: metadata-concealment.addons.k8s.io - manifest: v0.1.yaml - diff --git a/upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml b/upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml new file mode 100644 index 0000000000..9e0ebe51b8 --- /dev/null +++ b/upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/addon.yaml @@ -0,0 +1,10 @@ +kind: Addons +metadata: + name: metadata-proxy +spec: + addons: + - version: 0.1.12 + selector: + k8s-addon: metadata-proxy.addons.k8s.io + manifest: v0.1.yaml + diff --git a/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/v0.1.yaml b/upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml similarity index 76% rename from upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/v0.1.yaml rename to upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml index 7267a393dc..18396f03b4 100644 --- a/upup/models/cloudup/resources/addons/metadata-concealment.addons.k8s.io/v0.1.yaml +++ b/upup/models/cloudup/resources/addons/metadata-proxy.addons.k8s.io/v0.1.12.yaml @@ -1,3 +1,5 @@ +# Borrowed from https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/metadata-proxy + apiVersion: v1 kind: ServiceAccount metadata: @@ -11,18 +13,18 @@ metadata: apiVersion: apps/v1 kind: DaemonSet metadata: - name: metadata-proxy-v0.1 + name: metadata-proxy-v0.12 namespace: kube-system labels: k8s-app: metadata-proxy kubernetes.io/cluster-service: "true" addonmanager.kubernetes.io/mode: Reconcile - version: v0.1 + version: v0.12 spec: selector: matchLabels: k8s-app: metadata-proxy - version: v0.1 + version: v0.12 updateStrategy: type: RollingUpdate template: 
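Review bot: `manifest: v0.1.yaml` in the new metadata-proxy addon.yaml does not match the manifest this commit renames to `v0.1.12.yaml`, nor the `location` the bootstrapchannelbuilder hunk builds as `key + "/" + id + ".yaml"` with `id := "v0.1.12"`; anything that resolves the addon through this file will look for a manifest that no longer exists. Change it to `manifest: v0.1.12.yaml`. The `version: 0.1.12` line is already consistent with the Go side.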
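Review bot: The added `# Borrowed from https://github.com/kubernetes/kubernetes/tree/master/cluster/addons/metadata-proxy` points at a moving branch while the file itself diverges from upstream (the later hunk adds `hostNetwork`, a privileged init container and a host mount), so a reader cannot tell which revision was copied or which lines are local. Pin the link to a tag or commit and list the local deviations in the same header, e.g. `# Borrowed from <upstream path at tag/commit> — kops additions: hostNetwork, update-ipdtables init container`.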
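Review bot: The DaemonSet is renamed to `metadata-proxy-v0.12` with `version: v0.12` in the labels and selector, while the image is `metadata-proxy:v0.1.12` and every other identifier in this commit (addon id, manifest file name, Go `version`) says `0.1.12`; `v0.12` reads as a dropped component rather than a deliberate scheme. If it is meant to track the image, use `name: metadata-proxy-v0.1.12` and `version: v0.1.12` consistently (matchLabels is immutable, so pick the final value before this ships); if `v0.12` is intentional, a one-line comment saying why would stop the next reader from "fixing" it.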
@@ -30,7 +32,7 @@ spec: labels: k8s-app: metadata-proxy kubernetes.io/cluster-service: "true" - version: v0.1 + version: v0.12 spec: priorityClassName: system-node-critical serviceAccountName: metadata-proxy @@ -41,6 +43,22 @@ spec: effect: "NoExecute" - operator: "Exists" effect: "NoSchedule" + hostNetwork: true + initContainers: + - name: update-ipdtables + securityContext: + privileged: true + image: gcr.io/google_containers/k8s-custom-iptables:1.0 + imagePullPolicy: Always + command: [ "/bin/sh", "-c", "/sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -d 169.254.169.254 -j DNAT --to-destination 127.0.0.1:988" ] + volumeMounts: + - name: host + mountPath: /host + volumes: + - name: host + hostPath: + path: / + type: Directory containers: - name: metadata-proxy image: k8s.gcr.io/metadata-proxy:v0.1.12 diff --git a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go index ab7f8a8da5..a8736723e6 100644 --- a/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go +++ b/upup/pkg/fi/cloudup/bootstrapchannelbuilder.go @@ -520,24 +520,6 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons { } } - if kops.CloudProviderID(b.cluster.Spec.CloudProvider) == kops.CloudProviderGCE { - key := "metadata-concealment.addons.k8s.io" - version := "0.1" - - { - id := "v0.1" - location := key + "/" + id + ".yaml" - - addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{ - Name: fi.String(key), - Version: fi.String(version), - Selector: map[string]string{"k8s-addon": key}, - Manifest: fi.String(location), - Id: id, - }) - } - } - if featureflag.Spotinst.Enabled() { key := "spotinst-kubernetes-cluster-controller.addons.k8s.io" 
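Review bot: The init container's `command` inserts the DNAT rule with `-I` unconditionally, so every restart of the pod on a node (eviction, DaemonSet rollout, node reboot with a persisted ruleset) prepends another identical rule to nat PREROUTING and nothing removes them; make it idempotent with a check first, `/sbin/iptables -t nat -C PREROUTING -p tcp --dport 80 -d 169.254.169.254 -j DNAT --to-destination 127.0.0.1:988 || /sbin/iptables -t nat -I PREROUTING -p tcp --dport 80 -d 169.254.169.254 -j DNAT --to-destination 127.0.0.1:988`. The container is `privileged: true` and mounts the host root (`hostPath: path: /`) at `/host`, but the command never touches `/host` — with `hostNetwork: true` the iptables binary in the image already operates on the host's tables — so the `volumes` and `volumeMounts` entries can be dropped to shrink what a compromise of this pod reaches. Because the pod is privileged, `imagePullPolicy: Always` against the mutable tag `k8s-custom-iptables:1.0` means each restart re-resolves whatever that tag points to; pinning by digest is the usual mitigation. DNAT to `127.0.0.1:988` for traffic arriving from pod network namespaces also depends on `route_localnet` being enabled on the node, which this manifest does not set — presumably the kops GCE image handles it, but worth confirming. The pod template continues outside the hunk.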
@@ -571,6 +553,26 @@ func (b *BootstrapChannelBuilder) buildAddons() *channelsapi.Addons {
 }
 }
 
+ // The metadata-proxy daemonset conceals node metadata endpoints in GCE.
+ // It will land on nodes labeled cloud.google.com/metadata-proxy-ready=true
+ if kops.CloudProviderID(b.cluster.Spec.CloudProvider) == kops.CloudProviderGCE {
+ key := "metadata-proxy.addons.k8s.io"
+ version := "0.1.12"
+
+ {
+ id := "v0.1.12"
+ location := key + "/" + id + ".yaml"
+
+ addons.Spec.Addons = append(addons.Spec.Addons, &channelsapi.AddonSpec{
+ Name: fi.String(key),
+ Version: fi.String(version),
+ Selector: map[string]string{"k8s-addon": key},
+ Manifest: fi.String(location),
+ Id: id,
+ })
+ }
+ }
+
 // The role.kubernetes.io/networking is used to label anything related to a networking addin,
 // so that if we switch networking plugins (e.g. calico -> weave or vice-versa), we'll replace the
 // old networking plugin, and there won't be old pods "floating around".
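Review bot: `version := "0.1.12"` and `id := "v0.1.12"` are two literals that must agree with each other and with the file name under upup/models, and the block this commit removes carried the same duplicated pair, so the pattern is inherited rather than new; deriving one from the other, `id := "v" + version`, leaves one place to update. The comment explains where the DaemonSet lands, but nothing in the new code retires the `metadata-concealment.addons.k8s.io` entry that was removed from the list above: if the channels applier only reconciles addons that are still listed, an upgraded GCE cluster may keep the old `metadata-proxy-v0.1` DaemonSet running beside the new one — worth confirming against the applier, and worth a sentence in the comment either way. buildAddons starts and ends outside the hunk.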