Automatic merge from submit-queue
Configure docker on CoreOS/ContainerOS
While the installation of docker should be skipped, docker should still be
configured to allow overriding the docker config using kops.
Fixes https://github.com/kubernetes/kops/issues/3057
//cc @aledbf
Automatic merge from submit-queue
Add `kops create secret dockerconfig` feature
This adds a well-known secret name `dockerconfig` which will automatically
be used if present to create `/root/.docker/config.json` on all nodes. This will
allow private registries to be used for kops hooks as well as any k8s images
without the need to define `imagePullSecrets` in every namespace.
closes https://github.com/kubernetes/kops/issues/2505
This adds a well-known secret name `nodedockercfg` which will automatically
be used if present to create /root/.docker/config.json on all nodes. This will
allow private registries to be used for kops hooks as well as any k8s images
without the need to define `imagePullSecrets` in every namespace.
closes https://github.com/kubernetes/kops/issues/2505
- fixed any of the vetting / formatting issues that I came across on the update
- removed the commented out lines from the componentconfig as it makes it increasingly difficult to find what is supported, what is not, and the difference between them.
- added SerializeImagePulls, RegisterSchedulable to kubelet (by default they are ignored)
- added FeatureGates to the kube-proxy
Out of interest, can someone point me to where these multi-versioned componentconfigs are being used?
At present a number of secrets are downloaded to the /src/kubernetes directory regardless of role (master, node). This limits
the node role to only download the ca.crt. The rest are for master nodes only.
- removes basic_auth.csv, ca.key, known_tokens.csv, server.cert and server.key leaving only the ca.crt
fixes #2606
Most of the changes are similar to the currently supported CNI networking
providers. Kube-router also supports an IPVS-based service proxy which can
be used as a replacement for kube-proxy. So the manifest for kube-router
included with this patch enables kube-router to provide pod-to-pod
networking, IPVS based service proxy and ingress pod firewall.
Fixed an oops I created in #2494 where log rotation does not function
as expected.
The kube-apiserver first has to rename the existing audit log prior to a new one
being created. Renaming is not possible when the audit file is mounted
directly as the host path. kube-apiserver will return a 'Device or
resource busy' error when it tries to do so. So instead, we mount the
directory of the path instead of the file itself. Also remove the
creation of an empty audit log file as that is no longer necessary for
Docker to mount a directory.
"If an audit log file already exists, Kubernetes appends new audit logs
to that file. Otherwise, Kubernetes creates an audit log file at the
location you specified in audit-log-path. If the audit log file exceeds
the size you specify in audit-log-maxsize, Kubernetes will rename the
current log file by appending the current timestamp on the file name
(before the file extension) and create a new audit log file. Kubernetes
may delete old log files when creating a new log file; you can configure
how many files are retained and how old they can be by specifying the
audit-log-maxbackup and audit-log-maxage options."
Source: https://kubernetes.io/docs/tasks/debug-application-cluster/audit/
Tested this on Kubernetes 1.6 and with an audit log path specified to
be:
/var/log/kube-apiserver-audit.log
The kube-apiserver container has this mounted:
/dev/xvda1 on /var/log type ext4 (rw,relatime,data=ordered)
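The rotation behaviour quoted above (rename on exceeding maxsize, timestamp inserted before the extension, oldest backups pruned down to maxbackup) is what makes the host mount point matter: the rename is a same-directory operation, so it only succeeds when the directory, not the file, is what is bind-mounted. The following is an added Python model of that policy written for this page; it is not kops or kube-apiserver code. The backup timestamp format `name-YYYY-MM-DDTHH-MM-SS.mmm.ext` and the constructed audit events are assumptions for the demonstration, and the `maxage` option is left out.

```python
"""Model of the kube-apiserver audit log rotation policy described above.

Added example for this page, not project code. The backup name format and the
sample audit events are assumptions made for the demonstration.
"""
import os
import re
import tempfile
import time

# Assumed backup naming: <stem>-<YYYY-MM-DDTHH-MM-SS.mmm><ext>
BACKUP_RE = re.compile(
    r"^(?P<stem>.+)-(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}-\d{2}-\d{2}\.\d+)(?P<ext>\.[^.]*)?$"
)


def backup_name(path, ts):
    """Insert the timestamp before the file extension, as the quoted text describes."""
    stem, ext = os.path.splitext(path)
    return f"{stem}-{ts}{ext}"


def list_backups(path):
    """Return rotated backups of `path` in its directory, oldest first.

    The timestamp format sorts lexicographically, so plain sorting gives age order.
    """
    directory = os.path.dirname(path) or "."
    base_stem, base_ext = os.path.splitext(os.path.basename(path))
    found = []
    for name in os.listdir(directory):
        m = BACKUP_RE.match(name)
        if m and m.group("stem") == base_stem and (m.group("ext") or "") == base_ext:
            found.append(os.path.join(directory, name))
    return sorted(found)


def rotate_if_needed(path, maxsize, maxbackup, ts=None):
    """Rename the active log to a backup once it exceeds maxsize.

    Returns the backup path, or None when no rotation happened. The rename is
    a same-directory operation: this is exactly the step that fails with
    'Device or resource busy' if the file itself is the bind mount, which is
    why the commit above mounts the containing directory instead.
    """
    if not os.path.exists(path) or os.path.getsize(path) <= maxsize:
        return None
    if ts is None:
        ts = time.strftime("%Y-%m-%dT%H-%M-%S") + ".000"
    backup = backup_name(path, ts)
    os.rename(path, backup)
    open(path, "a").close()  # fresh, empty active log
    backups = list_backups(path)
    for old in backups[: max(0, len(backups) - maxbackup)]:
        os.remove(old)  # prune beyond maxbackup, oldest first
    return backup


def append_event(path, line, maxsize, maxbackup, ts=None):
    """Rotate if required, then append one audit event line. Returns the backup path or None."""
    rotated = rotate_if_needed(path, maxsize, maxbackup, ts)
    with open(path, "a") as f:
        f.write(line + "\n")
    return rotated


def demo():
    """Run seven constructed events through a 100-byte maxsize with maxbackup=2.

    Returns (backup basenames created in order, final sorted directory listing).
    """
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "kube-apiserver-audit.log")
    rotations = []
    for i in range(7):
        # Constructed sample audit event; every line is the same length (59 bytes + newline).
        event = '{"kind":"Event","verb":"get","user":"system:admin","seq":%d}' % i
        # Fixed timestamps so the result is deterministic.
        backup = append_event(path, event, maxsize=100, maxbackup=2,
                              ts=f"2017-08-01T00-00-0{i}.000")
        if backup:
            rotations.append(os.path.basename(backup))
    return rotations, sorted(os.listdir(tmp))


if __name__ == "__main__":
    print(demo())
```

Each event is 60 bytes, so the log passes 100 bytes on every second append and is rotated before the third, fifth and seventh events; with maxbackup=2 the first backup is pruned once the third is created, leaving two timestamped backups beside the active `kube-apiserver-audit.log`. A log shipper tailing from the host needs to be tolerant of this rename (tail by inode or re-open on rotation), otherwise it follows the backup rather than the new active file.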
This commit exposes kube-apiserver's audit log to the host as a host
mapping.
PR #1872 gave the ability to users to define a custom log path for the
apiserver to write its audit logs to. Prior to this commit, the log file
would stay within the container's filesystem, and getting access to it from
outside the container was a nuisance.
This change allows a logging aggregator, like fluentd, to be able
to read and tail this log from outside the kube-apiserver container.