kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
21,189 Commits 31 Branches 256 Tags 544 MiB
Commit Graph

1328 Commits

Author SHA1 Message Date
John Gardiner Myers aef6fbdd29 Refactor UseKopsControllerForNodeBootstrap() 2023-07-11 09:45:45 -07:00
Kubernetes Prow Robot 65fe676967
Merge pull request #15613 from johngmyers/nodeup-sysctls 
Remove references to ClusterSpec from nodeup sysctls.go
 2023-07-10 01:23:05 -07:00
John Gardiner Myers f5fc710d6c Remove references to ClusterSpec from nodeup sysctls.go 2023-07-09 21:11:54 -07:00
John Gardiner Myers d926989600 v1alpha3: Rename GCE networking to GCP 2023-07-09 16:48:26 -07:00
John Gardiner Myers 11304807f2 Hold reference to VFSContext from simple.Clientset 2023-07-06 19:41:45 -07:00
justinsb 62e2b9690b ipv6: containerd routes support for IPv6 
If using IPv6 and a kubenet-style CNI (which is more common with
IPv6), we need to support an IPv6 route on the pod, or else Pods will
be unable to reach other Pods.

Co-authored-by: Ciprian Hacman <ciprian@hakman.dev>
 2023-07-05 22:53:16 -04:00
Ciprian Hacman 3a4e0717a7 hack/update-expected.sh 2023-06-20 08:11:21 +03:00
Ciprian Hacman 26198a22b2 Update tests for kOps v1.28 2023-06-20 08:11:21 +03:00
Ciprian Hacman 59b7653cc3 Update min versions for kOps v1.28 2023-06-20 08:11:21 +03:00
Kubernetes Prow Robot b4c5a75829
Merge pull request #15487 from jsafrane/add-selinux 
Add optional SELinux support to RHEL clusters
 2023-06-19 08:54:22 -07:00
Jan Safranek 0d03095fda Add SELinux support to containerd 
Add cluster.Spec.Containerd.SELinuxEnabled field that enables SELinux in
containerd.

With SELinux enabled, all pods that use HostPath volumes must run with
SELinux label `spc_t`, otherwise SELinux denies the pods to touch the host
filesystem.
 2023-06-19 15:20:08 +02:00
Kubernetes Prow Robot cddf5ba763
Merge pull request #15037 from johngmyers/nonmasq 
Don't set up masquerade if NonMasqueradeCIDR is /0
 2023-06-17 00:44:19 -07:00
Ciprian Hacman 2aff39dce5 hack/update-expected.sh 2023-06-16 21:17:16 +03:00
Leïla MARABESE dab001c3e9 scaleway authenticator and verifier 2023-06-14 15:15:17 +02:00
Alasdair Tran dde5dcca2f Fix Amazon ECR endpoint in China 2023-06-10 05:49:49 +00:00
Jan Safranek 51fbeb650b Remove python2 from RHEL9 
It's not available there.
 2023-06-08 15:00:20 +02:00
Jan Safranek 22ef857494 Remove libcgroup from RHEL9 
The package is not available there.
 2023-06-08 14:56:26 +02:00
justinsb ca67b1ca1e Refactor: rename IsGossip -> UsesLegacyGossip 
We want to be able to use "dns=none" (without peer-to-peer gossip)
even for clusters that have the k8s.local extension.  These were
previously called "gossip clusters", but really that is an
implementation; what actually matters to users is that they don't rely
on writing records into a DNS zone (such as Route53).
 2023-05-22 21:50:16 -04:00
Ciprian Hacman cd59ed1a56 Update CNI plugins to v1.2.0 for K8s 1.27+ 2023-05-20 22:01:35 +03:00
Kubernetes Prow Robot b90c78ef61
Merge pull request #15399 from zetaab/mountifneeded 
do not mount same dir twice
 2023-05-16 05:27:36 -07:00
Kubernetes Prow Robot 4885e78bfd
Merge pull request #15406 from justinsb/options_pattern_for_hostpathmapping 
nodeup: Use functional options pattern for HostPathMapping
 2023-05-12 08:37:02 -07:00
Kulwant Singh d6776bb780 use dl.k8s.io not gs://kubernetes-release 2023-05-11 09:01:31 -07:00
justinsb 6bdbbc4fd4 nodeup: Use functional options pattern for HostPathMapping 
This means that the object is not mutated after construction, making
it easier to do validity checks (such as whether we have mounted the
same path twice).
 2023-05-11 10:16:30 -04:00
Jesse Haka d67942fba0 do not mount same dir twice 2023-05-11 11:15:08 +03:00
Ciprian Hacman 81b4fbf8ac Add kubescheduler.config.k8s.io/v1 for K8s 1.25+ 2023-05-09 12:26:57 +03:00
Kubernetes Prow Robot e3a639cd73
Merge pull request #15373 from hakman/depup 
Update dependencies to K8s v1.27
 2023-05-08 02:27:17 -07:00
Ciprian Hacman 73fe92945c hack/update-expected.sh 2023-05-08 07:35:36 +03:00
justinsb 1faee9dd8c digitalocean: bootstrap nodes through kops-controller. 
We start with a simple node verifier.
 2023-05-07 13:17:56 -04:00
justinsb c89f434f1b Only use node challenge on hetzner 
DigitalOcean (and others) will follow shortly.

Also create a method for CloudProvider, so that we are more ambivalent
towards bootstrapping methods.
 2023-05-06 08:57:21 -04:00
Justin SB c67f895226 Perform challenge callbacks into a node 
In order to verify that the caller is running on the specified node,
we source the expected IP address from the cloud, and require that the
node set up a simple challenge/response server to answer requests.

Because the challenge server runs on a port outside of the nodePort
range, this also makes it harder for pods to impersonate their host
nodes - though we do combine this with TPM and similar functionality
where it is available.
 2023-05-06 08:03:21 -04:00
Ole Markus With 5d82e52c48 Use external ECR credential provider as of Kubernetes 1.27 2023-04-29 10:21:57 +02:00
Šimon Mišenčík 4f7f5dff4e
Increase max_map_count in sysctls.go 2023-04-13 09:14:17 +02:00
Justin SB d48d86f4a9 gce ipv6: nodeup should only run the AWS prefix assigner on AWS 
The Prefix task is specific to AWS, and is not needed on GCE.
 2023-03-31 09:36:50 -04:00
Peter Rifel 106e2f75cf
Dont try to install curl and python2 on AL2023 
```
W0317 01:46:07.374788   27111 executor.go:139] error running task "Package/python2" (6m1s remaining to succeed): error installing package "python2": exit status 1: Last metadata expiration check: 0:14:55 ago on Fri Mar 17 01:31:12 2023.
No match for argument: python2
Error: Unable to find a match: python2
W0317 01:46:07.374820   27111 executor.go:139] error running task "Package/curl" (6m1s remaining to succeed): error installing package "curl": exit status 1: Last metadata expiration check: 0:14:55 ago on Fri Mar 17 01:31:12 2023.
Error:
 Problem: problem with installed package curl-minimal-7.88.1-1.amzn2023.0.1.x86_64
  - package curl-minimal-7.88.1-1.amzn2023.0.1.x86_64 conflicts with curl provided by curl-7.87.0-2.amzn2023.0.2.x86_64
  - package curl-minimal-7.87.0-2.amzn2023.0.2.x86_64 conflicts with curl provided by curl-7.87.0-2.amzn2023.0.2.x86_64
  - package curl-minimal-7.88.0-1.amzn2023.0.1.x86_64 conflicts with curl provided by curl-7.87.0-2.amzn2023.0.2.x86_64
  - conflicting requests
  - package curl-minimal-7.88.1-1.amzn2023.0.1.x86_64 conflicts with curl provided by curl-7.88.0-1.amzn2023.0.1.x86_64
  - package curl-minimal-7.87.0-2.amzn2023.0.2.x86_64 conflicts with curl provided by curl-7.88.0-1.amzn2023.0.1.x86_64
  - package curl-minimal-7.88.0-1.amzn2023.0.1.x86_64 conflicts with curl provided by curl-7.88.0-1.amzn2023.0.1.x86_64
  - package curl-minimal-7.88.1-1.amzn2023.0.1.x86_64 conflicts with curl provided by curl-7.88.1-1.amzn2023.0.1.x86_64
  - package curl-minimal-7.87.0-2.amzn2023.0.2.x86_64 conflicts with curl provided by curl-7.88.1-1.amzn2023.0.1.x86_64
  - package curl-minimal-7.88.0-1.amzn2023.0.1.x86_64 conflicts with curl provided by curl-7.88.1-1.amzn2023.0.1.x86_64
(try to add '--allowerasing' to command line to replace conflicting packages or '--skip-broken' to skip uninstallable packages)
```
 2023-03-16 20:53:29 -05:00
Kubernetes Prow Robot b5dc9f6371
Merge pull request #15122 from Mia-Cross/scw_profiles 
scaleway: get credentials from Scaleway profile
 2023-02-24 07:43:34 -08:00
Kubernetes Prow Robot 553270a06a
Merge pull request #15134 from hakman/registry.k8s.io 
Update remaining references from k8s.gcr.io to registry.k8s.io
 2023-02-12 05:33:30 -08:00
Ciprian Hacman 56900bcbad hack/update-expected.sh 2023-02-12 13:48:44 +02:00
Ciprian Hacman e6e4324b85 Remove compatibility with k8s.gcr.io 2023-02-12 13:46:48 +02:00
Ciprian Hacman 0321150ae1
Revert "disable kops-configuration.service after successful execution" 2023-02-12 12:29:06 +02:00
justinsb 29d3a6f2f9 Refactor authenticator building 
Prefer explicit error checking to the "fallthrough" pattern.
 2023-02-11 11:04:32 -05:00
Justin SB 0b699832ec Use cloud-discovery on GCE in gossip mode 
It's a little simpler and should speed up our boot.
 2023-02-11 11:03:12 -05:00
Leïla MARABESE 9f950f4a3a scaleway profiles feature 2023-02-10 17:02:45 +01:00
Ciprian Hacman 48404f87fd hack/update-expected.sh 2023-02-06 08:12:15 +02:00
Ciprian Hacman 96115de2eb Switch contained config file path to `/etc/containerd/config.toml` 2023-02-06 08:12:15 +02:00
Evan Lezar 02adbc7335 Install nvidia-container-toolkit as top-level package 
As of the NVIDIA Container Toolkit v1.6.0 release the nvidia-container-toolkit
is the top-level package for installing the NVIDIA container stack with the
nvidia-container-runtime provided as a meta-package to support "legacy"
workflows such as this.

This change installs the nvidia-container-toolkit package directly instead.

Note that the nvidia-container-runtime binary is included in this package.

See https://github.com/NVIDIA/nvidia-container-toolkit/releases/tag/v1.6.0

Signed-off-by: Evan Lezar <evanlezar@gmail.com>
 2023-02-02 14:47:18 +01:00
Evan Lezar cf066cfa0f Use gpgkey from libnvidia-container repository 
The same gpgkey is served from both the nvidia-container-runtime and
libnvidia-container repos.

Signed-off-by: Evan Lezar <evanlezar@gmail.com>
 2023-02-02 14:47:10 +01:00
Evan Lezar 1f0b2eb0bf Use ubuntu18.04 repos for nvidia-container-toolkit 
The ubuntu20.04 and ubunut22.04 repositories are "mirrors" of the
ubuntu18.04 repository. This change ensures that the ubuntu18.04 repository
is used regardless of the Ubuntu distribution.

Signed-off-by: Evan Lezar <evanlezar@gmail.com>
 2023-02-02 14:46:52 +01:00
Jesse Haka 8f061dbc8e disable kops-configuration.service after successful execution 2023-01-31 11:37:36 +02:00
Ciprian Hacman 5e7b5ddd9a TMP 2023-01-25 16:08:54 +02:00
Ciprian Hacman 6f5eeb2e39 Always disable the reboot manager for Flatcar 2023-01-25 08:49:39 +02:00
Kubernetes Prow Robot b2bdd43dc4
Merge pull request #15024 from zetaab/fixauth 
make openstack kops-controller boostrap auth better
 2023-01-22 23:20:10 -08:00
John Gardiner Myers c7d0fd7dad Don't set up masquerade if NonMasqueradeCIDR is /0 2023-01-21 22:58:08 -08:00
Justin SB 89125664ef nodeup: don't set up masquerade if nonMasqueradeCIDR not set 
If the non-masquerade CIDR is not set, take that as an indication that
we don't want masquerade, rather than failing nodeup.

Not setting a non-masquerade CIDR means that we likely won't preserve
pod IPs for pod-to-pod traffic, but likely just means that more
NATting is done than might be needed.

Omitting the value can also be useful if we're using something like
the ip-masq-agent to manage masquerade rules for us.
 2023-01-21 23:13:31 -05:00
Jesse Haka cb4b796496 hack/update-expected.sh 2023-01-19 10:18:20 +02:00
Jesse Haka b3c134be06 make openstack kops-controller boostrap auth better 2023-01-19 10:07:11 +02:00
John Gardiner Myers 0c323445fb Move UsesKubenet to nodeup.Config 2023-01-15 23:12:00 -08:00
John Gardiner Myers 68c4ef1a93 Move networking-related tests to nodeup.Config 2023-01-15 23:12:00 -08:00
John Gardiner Myers cc49461849 Move several CNI tests to nodeup.Config 2023-01-15 23:11:58 -08:00
John Gardiner Myers f6debfd658 Move ServiceClusterIPRange to nodeup.Config 2023-01-15 17:19:18 -08:00
John Gardiner Myers 2e6e022eca Move EgressProxy to nodeup.Config 2023-01-15 17:19:18 -08:00
John Gardiner Myers da881fb320 Move NonMasqueradeCIDR to nodeup.Config 2023-01-15 17:19:18 -08:00
Kubernetes Prow Robot 1c8f9c8a35
Merge pull request #14894 from johngmyers/v1alpha3-oidc 
v1alpha3: Move most OIDC settings to authentication.oidc
 2023-01-15 08:40:31 -08:00
Jesse Haka 3dab0eb807 Use kops-controller to boostrap nodes in OpenStack 2023-01-14 13:54:14 +02:00
John Gardiner Myers 2365980281 openstack: use subnet type instead of topology 2023-01-12 19:33:10 -08:00
John Gardiner Myers 24841f79e3 hack/update-expected.sh 2023-01-11 19:27:42 -08:00
John Gardiner Myers d009928883 v1alpha3: Move most OIDC settings to authentication.oidc 2023-01-11 19:26:18 -08:00
Jesse Haka cc8871eede no dns for OpenStack 2023-01-11 20:02:02 +02:00
Leïla MARABESE 543d59758a removed SCW_DEFAULT_REGION and SCW_DEFAULT_ZONE env vars 2023-01-10 16:11:23 +01:00
Jesse Haka 4383f40af7 move openstack cloud config to k8s secrets 2023-01-06 19:56:35 +02:00
justinsb b7d9319fff EnsureTask should panic on error 
This means that we automatically check the error code.  A linter could
detect errors here (maybe), but in practice we can't recover from
errors here anyway.
 2023-01-04 08:29:20 -05:00
John Gardiner Myers 447220ef4e Use NodeupConfig for NTP-managed setting 2023-01-03 22:16:20 -08:00
John Gardiner Myers 4179fcce58 Use NodeupConfig for KubernetesVersion 2023-01-03 22:16:20 -08:00
John Gardiner Myers b5eef1c129 Use NodeupConfig for kube-proxy config 2023-01-03 12:29:07 -08:00
John Gardiner Myers fe448ef906 Use NodeupConfig for DockerConfig 2023-01-02 13:58:21 -08:00
John Gardiner Myers 125866792d Use NodeupConfig for ContainerdConfig 2023-01-02 13:42:11 -08:00
John Gardiner Myers b4f04a6d13 Simplify test setup 2023-01-02 12:50:24 -08:00
John Gardiner Myers 768299134c hack/update-expected.sh 2023-01-02 12:50:24 -08:00
John Gardiner Myers 25a897b691 Use NodeupConfig for ContainerRuntime 2023-01-02 12:50:23 -08:00
Jesse Haka 357e2a6a06 fix cloud config in normal nodes 2023-01-02 17:25:30 +02:00
John Gardiner Myers 99d36bd9f2 Extract NodeupModelContext.APIInternalName() 2023-01-01 13:48:01 -08:00
John Gardiner Myers 8aeefe23ed Use NodeupConfig for cluster name 2023-01-01 13:48:01 -08:00
John Gardiner Myers c08326e8c0 Separate out a VFSSecretStoreReader 2023-01-01 13:47:05 -08:00
John Gardiner Myers c68be498c6 Refactor NewAssetBuilder to not take a Cluster 2023-01-01 13:37:52 -08:00
justinsb 6c2edaee7e Add Context arg to vfs ReadFile 
This is an "action" method, so should take a context.
 2023-01-01 09:51:44 -05:00
John Gardiner Myers 08ba7918d0 etcd domains are now under .internal. 2022-12-29 13:24:03 -08:00
John Gardiner Myers 355f9e4bd2 Kubelet needs cloudconfig for in-tree cloudprovider 2022-12-26 11:25:24 -08:00
John Gardiner Myers d32a0fb3cc APIServer nodes need cloudconfig 2022-12-26 10:56:30 -08:00
John Gardiner Myers b3dfcea95f v1alpha3: Move AWS-specific CloudConfig settings to AWSSpec 2022-12-25 16:12:02 -08:00
Kubernetes Prow Robot e13c51968b
Merge pull request #14869 from johngmyers/upd-min-version 
Update min versions for 1.27
 2022-12-24 23:59:27 -08:00
Kubernetes Prow Robot b97662c6a3
Merge pull request #14837 from johngmyers/gce-cloudconfig 
v1alpha3: Move GCE-specific CloudConfig settings to GCESpec
 2022-12-24 22:31:26 -08:00
John Gardiner Myers 3823c13633 hack/update-expected.sh 2022-12-24 21:44:50 -08:00
John Gardiner Myers 005ec38972 Remove code for no-longer-supported k8s 1.21 2022-12-24 21:44:50 -08:00
justinsb 817c1e63b3 FindKeyset can return nil 
We had missed a case in nodeup; add a Context argument to force us to
revisit the codepaths.
 2022-12-24 16:12:21 -05:00
Ciprian Hacman aa04f56545 Update test for audit config 2022-12-24 07:23:10 +02:00
Ciprian Hacman e3dbff95d0 Add placeholder for the audit config test 2022-12-24 07:23:10 +02:00
Ciprian Hacman bb6d4d6c17 Mount the audit config dir for kube-apiserver 2022-12-24 07:23:10 +02:00
justinsb 90cbf75584 Context threading: more wiring 
We're aiming to use this for testing immediately and better
logging/tracing in future, but to make the changes manageable breaking
them into a smaller series that don't directly achieve much.
 2022-12-22 17:52:22 -05:00
John Gardiner Myers b38c55a2b9 Simplify nodeup references to CloudProvider 2022-12-20 19:44:32 -08:00
John Gardiner Myers 0e11075012 v1alpha3: Move GCE-specific CloudConfig settings to GCESpec 2022-12-20 19:44:32 -08:00
Kubernetes Prow Robot 5fb80f8e41
Merge pull request #14836 from justinsb/debian_logspam 
Fix logspam on debian
 2022-12-20 16:25:36 -08:00