If the cluster's VPC includes DHCP options, the local-hostname includes
the DHCP zone instead of the private DNS name from AWS (which is what
k8s uses regardless of flags). This patch simply makes the
hostnameOverride implementation match by using the AWS api to get the
private DNS name
Related to #7172
Without this patch the timeout is 5m and the interval is 10m --
hard-coded with no mechanism to change, even though the config struct
already had a timeout option (which was completely unused)
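The wait loop the message above describes, as an added example that is not kops's own code: the config struct's timeout (and an interval) are honoured instead of the hard-coded values, and a configuration whose interval is longer than its timeout is rejected, because with the old 5m/10m pair the condition is only ever checked once before the deadline passes. Type and function names (WaitConfig, WaitFor, ErrTimeout) are assumptions for this illustration.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"time"
)

// WaitConfig stands in for a config struct with a Timeout field that was
// present but never read (hypothetical names, not kops's own types).
// A zero value means "use the default".
type WaitConfig struct {
	Timeout  time.Duration
	Interval time.Duration
}

// The values that were previously hard-coded.
const (
	defaultTimeout  = 5 * time.Minute
	defaultInterval = 10 * time.Minute
)

// ErrTimeout is returned when the condition never held within the timeout.
var ErrTimeout = errors.New("timed out waiting for condition")

// effective applies the defaults and rejects an interval longer than the
// timeout: with the old 5m/10m pair the condition is checked exactly once and
// the loop then sleeps past its own deadline.
func (c WaitConfig) effective() (timeout, interval time.Duration, err error) {
	timeout, interval = c.Timeout, c.Interval
	if timeout <= 0 {
		timeout = defaultTimeout
	}
	if interval <= 0 {
		interval = defaultInterval
	}
	if interval > timeout {
		return 0, 0, fmt.Errorf("poll interval %s exceeds timeout %s: condition would only be checked once", interval, timeout)
	}
	return timeout, interval, nil
}

// WaitFor calls check immediately and then every interval until it returns
// true, an error, or the timeout expires. The attempt count is returned so the
// caller can log how long it waited.
func WaitFor(ctx context.Context, cfg WaitConfig, check func() (bool, error)) (int, error) {
	timeout, interval, err := cfg.effective()
	if err != nil {
		return 0, err
	}
	ctx, cancel := context.WithTimeout(ctx, timeout)
	defer cancel()

	attempts := 0
	for {
		attempts++
		ok, err := check()
		if err != nil {
			return attempts, err
		}
		if ok {
			return attempts, nil
		}
		select {
		case <-ctx.Done():
			return attempts, ErrTimeout
		case <-time.After(interval):
		}
	}
}

func main() {
	calls := 0
	attempts, err := WaitFor(context.Background(),
		WaitConfig{Timeout: time.Second, Interval: 10 * time.Millisecond},
		func() (bool, error) { calls++; return calls >= 3, nil })
	fmt.Println("attempts:", attempts, "err:", err)
}
```

Callers that leave both fields zero get the legacy pair and an error from effective(), which is the point: the broken combination is surfaced at startup rather than silently waiting once and giving up.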
klog can now support logging both to a file and to streams, so we get the output both in docker & logfiles.
A few gotchas:
* The output previously was all on stdout, now it is on stderr. That is more correct
* If something writes to stdout or stderr outside of klog, it will no longer end up in the logfile.
* There's some oddities still to be ironed out about the flag syntax https://github.com/kubernetes/klog/issues/60
For the master pods (apiserver, controller manager, scheduler) this is
unlikely to ever matter (the masters aren't expected to run out of
resources and need to evict things) but evictions of kube-proxy from worker
nodes are easy to trigger in clusters with PodPriority enabled. Since these
are static pods the configuration is also somewhat difficult to change.
We don't call klog.InitFlags yet, because that will cause a flag
redefinition error until we get everyone to stop using glog. That
will happen when we update to k8s 1.13.
In 1.12 (kops & kubernetes):
* We default etcd-manager on
* We default to etcd3
* We default to full TLS for etcd (client and peer)
* We stop allowing external access to etcd
Otherwise we end up with a circular dependency where we don't run the
node-authorizer until /var/lib/kubelet has been bind-mounted, but it
can't be bind-mounted until it exists.
This bind-mounting happens on Google's ContainerOS, which is why it
isn't always seen.
Starting from Docker 18.09.0, the Docker distribution has been split in
3 packages: the Docker daemon, the Docker CLI, and containerd. This
adds a twist to how to upgrade Docker from the base image as the daemon
and CLI packages must be installed at the same time, otherwise dpkg/rpm
will refuse to upgrade (the new CLI is incompatible with the old package
and the daemon can't be installed without first installing the CLI and
the new containerd, so the upgrade MUST happen in a single transaction).
This code change thus adds the possibility to specify additional packages
to install in the same dpkg/yum transaction, such as the Docker CLI and
containerd in nodeup, and the ability to apply the multi-package upgrade
atomically with dpkg/rpm.
We also use this new mechanism for the SELinux policy on RHEL/CentOS.
Docker 17.x with rhel-family fails to detect overlay2 correctly, and
needs us to pass overlay2.override_kernel_check=true for docker to
correctly detect overlay2 support.
- removed all the systemd unit creation and use the volume mount code from kubelet (SafeFormatAndMount)
- added some documentation to highlight the feature and show how it might be used in both ebs and ephemeral storage
- updated the api specs and machinery
- adding the dependencies on the services when the volume mounts are enabled (should probably false this if they don't affect the docker filesystem)
On CoreOS Container Linux, `dateext` is set, which causes log rotation
based on maxsize to not run, when a previous rotation already happened
on the same calendar day.
(cherry picked from commit 585d0a0da42be1eae87fa879b0084d29d77ac605)
https://github.com/lyft/cni-ipvlan-vpc-k8s
This cni solution is slightly different in that it doesn't require running a daemonset
It requires:
* a config file in /etc/cni/net.d
* the binaries in /opt/cni/bin
* adding the --node-ip param to the kubelet
This code is modeled after the AmazonVPC cni bits.
I've left the setup of the required subnets as an exercise to the reader.
We still need the reflect helpers, but we allow for clients to
register their own pretty-printers, which avoids the package
dependency for our pretty-printer. We register our pretty printers in
an init function in the relevant package (in this case,
upup/pkg/fi/printers.go)
Fix #5551
Ubuntu 18.04 doesn't have a package for docker 17.03, but we can still
support it by using the tar.gz package.
This could be a nice fallback for other operating systems in future,
and it might prove to be more reliable than the OS packages.
But start with supporting ubuntu 18.04 with older docker versions!
- switching to using code rather than a template for the systemd unit creation as requested in review
- as part of the review, changing the name of the ca from tls-ca to tls-client-ca
- changing the api from DisableAddressCheck to EnableAddressCheck and defaulting to true if not set
- fixing up the test for node-authorizer and shifting the parsing of the certificates as suggested in reviews to a method
Kubernetes doesn't officially support bionic.
Docker has only released 18.03.1 for Bionic.
Kubernetes also doesn't officially support 18.03.1
Use at your own risk.
Only clear the flag if there is a docker config file, so that we can
continue to set the storage flag on older COS images. We could be
smarter about checking if the storage driver is actually set in the
docker config, but for now we just start by logging it.
Cilium was using the same code as Calico to retrieve etcd certs, new
builder is not Calico-specific.
Calico name of certs is retained to ensure backward compatibility
Signed-off-by: Maciej Kwiek <maciej@covalent.io>
a) The current implementation uses a static kubelet which doesn't conform to the Node authorization mode (i.e. system:nodes:<nodename>)
b) At present the kubeconfig is static and reused across all the masters and nodes
The PR firstly introduces the ability for users to use bootstrap tokens and secondly, when enabled, ensures the kubelets for the masters have unique usernames. Note, this PR does not attempt to address the distribution of the bootstrap tokens themselves, that's for cluster admins. One solution for this would be a daemonset on the masters running on hostNetwork and reuse dns-controller to annotate the pods and give us the DNS
Notes:
- the master nodes do not use bootstrap tokens, instead given they have access to the ca anyhow, we generate certificates for each.
- when bootstrap token is not enabled the behaviour will stay the same; i.e. a kubelet configuration brought down from the store.
- when bootstrap tokens are enabled, the Nodes sit in a timeout loop waiting for the configuration to appear (by third party).
- given the nodeup docker and manifests builders are executed before the kubelet builder, the assumption here is a unit file kicks off a custom container to bootstrap the rest.
- the current firewalls between the master and nodes are fairly open so no need to open ports between the two
- much of the work was ported from @justinsb PR [here](https://github.com/kubernetes/kops/pull/4134/)
- we add very presumptuous server and client certificates for use with an authorizer (node-bootstrap-internal.dns_zone)
I do have an additional PR which performs the entire thing. The process being a node_authorizer which runs on the master nodes via a daemonset, the service implements a series of authorizers (i.e. alwaysallow, aws, gce etc). For aws, the process is similar to how vault authorizes nodes [here](https://www.vaultproject.io/docs/auth/aws.html). Nodeup then calls out to the node_authorizer on bootstrap and provisions the kubelet.
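The per-master certificate the notes above describe (each master gets its own kubelet identity instead of a shared kubeconfig), as an added example that is not code from the kops PR: an in-memory CA issues a client certificate with CN=system:node:<nodename> and O=system:nodes, which is the subject shape the Node authorization mode keys on, and a verifier extracts the node name only when the chain, the client-auth usage and that subject shape all check out. The CA, the node names and the function names are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// NodeCA is an in-memory stand-in for the cluster CA the masters already hold.
type NodeCA struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// NewNodeCA generates a throwaway self-signed CA.
func NewNodeCA() (*NodeCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "kubernetes-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &NodeCA{Cert: cert, Key: key}, nil
}

// IssueKubeletCert issues a per-node client certificate with the identity the
// Node authorizer expects: CN=system:node:<nodeName>, O=system:nodes.
func (ca *NodeCA) IssueKubeletCert(nodeName string, serial int64) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: "system:node:" + nodeName, Organization: []string{"system:nodes"}},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Cert, &key.PublicKey, ca.Key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// NodeNameFromCert verifies cert as a client certificate chaining to caCert and
// returns the node it identifies. Certificates outside the system:nodes group
// or without a system:node:<name> CN are rejected: the Node authorizer would
// not treat them as that node either.
func NodeNameFromCert(cert, caCert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", err
	}
	inNodes := false
	for _, o := range cert.Subject.Organization {
		inNodes = inNodes || o == "system:nodes"
	}
	if !inNodes {
		return "", errors.New("certificate is not in the system:nodes group")
	}
	name := strings.TrimPrefix(cert.Subject.CommonName, "system:node:")
	if name == "" || name == cert.Subject.CommonName {
		return "", fmt.Errorf("common name %q is not of the form system:node:<name>", cert.Subject.CommonName)
	}
	return name, nil
}

func main() {
	ca, err := NewNodeCA()
	if err != nil {
		panic(err)
	}
	// Constructed master names; each gets its own certificate and serial.
	for i, master := range []string{"ip-10-0-1-10.ec2.internal", "ip-10-0-2-10.ec2.internal"} {
		cert, _, err := ca.IssueKubeletCert(master, int64(i+2))
		if err != nil {
			panic(err)
		}
		fmt.Println(NodeNameFromCert(cert, ca.Cert))
	}
}
```

The node name in the CN is what the Node authorizer compares against the objects a kubelet asks for, so the value put there must be the name the kubelet registers with (on AWS, the private DNS name discussed at the top of this page), not an arbitrary label.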
We also have to stop passing the flag on ContainerOS, because it's set
in /etc/docker/default.json and it's now an error to pass the flag.
That in turn means we move those options to code, which are the last of
those legacy config options. (We still have a few tasks declaratively
defined though)
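The "smarter" check mentioned above (only drop --storage-driver when the docker config file actually sets storage-driver, rather than whenever a config file exists), together with the ContainerOS case where passing the flag on top of the file is an error, as an added example that is not kops's own code. dockerd refuses to start when the same option appears both on its command line and in its config file, so the function emits the flag only when no file fixes the driver, and returns the file's value so the caller can log a mismatch. Function names and the sample config are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
)

// DockerConfigPath is where dockerd reads its JSON config on most distros; the
// message above mentions /etc/docker/default.json on ContainerOS.
const DockerConfigPath = "/etc/docker/daemon.json"

// LoadDockerConfig returns the config file contents, or nil with no error
// when there is no config file at all.
func LoadDockerConfig(path string) ([]byte, error) {
	b, err := os.ReadFile(path)
	if errors.Is(err, os.ErrNotExist) {
		return nil, nil
	}
	return b, err
}

// StorageDriverFlags decides whether to pass --storage-driver=<desired> to
// dockerd. The flag is emitted only when no config file sets "storage-driver";
// the value found in the file (if any) is returned so a mismatch can be logged
// instead of silently ending up with a different driver.
func StorageDriverFlags(configJSON []byte, desired string) (flags []string, configured string, err error) {
	if desired == "" {
		return nil, "", nil
	}
	if configJSON == nil {
		return []string{"--storage-driver=" + desired}, "", nil
	}
	var cfg map[string]json.RawMessage
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return nil, "", fmt.Errorf("parsing docker config: %w", err)
	}
	raw, set := cfg["storage-driver"]
	if !set {
		// A config file exists but leaves the driver alone (e.g. it only sets
		// log options), so the flag is still safe to pass.
		return []string{"--storage-driver=" + desired}, "", nil
	}
	if err := json.Unmarshal(raw, &configured); err != nil {
		return nil, "", fmt.Errorf("storage-driver in docker config is not a string: %w", err)
	}
	// Set in the file: passing the flag as well would make dockerd refuse to start.
	return nil, configured, nil
}

func main() {
	// Constructed sample of a ContainerOS-style config that already fixes the driver.
	sample := []byte(`{"storage-driver": "overlay2", "live-restore": true}`)
	flags, configured, err := StorageDriverFlags(sample, "overlay2")
	fmt.Println(flags, configured, err)
}
```

Reading the file through LoadDockerConfig keeps the "no file at all" case (nil) distinct from an empty or unparsable file, which is the distinction the earlier, cruder check collapsed.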
A previous PR https://github.com/kubernetes/kops/pull/5221/ introduced the --enable-admission-plugins for >= 1.10.0 as recommended; it does however cause an issue if you already have AdmissionControl specified in the Spec, as both flags get rendered
Previously the hook system would only allow extensions of ".service"
and ".timer". Any other name would have ".service" appended.
Now the hook system allows any suffix listed at
https://www.freedesktop.org/software/systemd/man/systemd.unit.html.
If no suffix is found, ".service" is still added to preserve backwards-
compatibility.
Note that backwards-compatibility may still break for users relying on
the previous behavior in odd ways. For example, a hook with name
"my-hook.slice" would previously have been installed as
"my-hook.slice.service", but it will now be installed as "my-hook.slice",
since ".slice" is a valid systemd unit file extension.
When "useRawManifest" is set to true in the hook spec, the contents of
the "manifest" field are used unmodified as a systemd unit. The
"before" and "requires" fields are ignored, kops will not construct
the "[Unit]" section of the systemd unit file, and kops will not add a
"[Service]" header.
This gives operators access to the full suite of options available in
the "[Unit]" section, and also allows creation of unit files which
don't contain a "[Service]" section (for example, .swap units; see
https://www.freedesktop.org/software/systemd/man/systemd.swap.html).
Because this functionality is gated behind a new option, backwards
compatibility is preserved for hooks currently being created using the
old style.
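The naming and rendering rules from the two hook messages above (keep any systemd.unit(5) suffix, append ".service" otherwise, and emit the manifest verbatim when useRawManifest is set), as an added example that is not kops's own hook code: HookSpec is a subset of the real spec's fields, the [Unit] section built here carries only Before= and Requires=, and the two sample hooks (a oneshot service and a raw .swap unit) are constructed for this illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// HookSpec carries the hook fields referred to above (a subset of the kops
// hook spec; an illustration, not the project's own type).
type HookSpec struct {
	Name           string
	Manifest       string
	UseRawManifest bool
	Before         []string
	Requires       []string
}

// systemdUnitSuffixes are the unit types listed in systemd.unit(5).
var systemdUnitSuffixes = []string{
	".service", ".socket", ".device", ".mount", ".automount", ".swap",
	".target", ".path", ".timer", ".slice", ".scope",
}

// UnitFileName keeps a recognised suffix and appends ".service" otherwise, so
// "my-hook" and "my-hook.backup" become .service units while "my-hook.slice"
// is now installed as a slice rather than as "my-hook.slice.service".
func UnitFileName(name string) string {
	for _, s := range systemdUnitSuffixes {
		if strings.HasSuffix(name, s) {
			return name
		}
	}
	return name + ".service"
}

// RenderUnit returns the file name and contents for a hook. With UseRawManifest
// the manifest is the whole unit file and Before/Requires are ignored;
// otherwise a [Unit] section is built from them and the manifest goes under a
// [Service] header.
func RenderUnit(h HookSpec) (filename, contents string, err error) {
	if strings.TrimSpace(h.Name) == "" {
		return "", "", fmt.Errorf("hook name is required")
	}
	filename = UnitFileName(h.Name)
	if h.UseRawManifest {
		return filename, h.Manifest, nil
	}
	var b strings.Builder
	b.WriteString("[Unit]\n")
	if len(h.Before) > 0 {
		fmt.Fprintf(&b, "Before=%s\n", strings.Join(h.Before, " "))
	}
	if len(h.Requires) > 0 {
		fmt.Fprintf(&b, "Requires=%s\n", strings.Join(h.Requires, " "))
	}
	b.WriteString("\n[Service]\n")
	b.WriteString(strings.TrimRight(h.Manifest, "\n") + "\n")
	return filename, b.String(), nil
}

func main() {
	// Constructed hooks: an old-style oneshot service and a raw .swap unit
	// (the swap unit name is the systemd escaping of /dev/nvme1n1).
	hooks := []HookSpec{
		{
			Name:     "disable-thp",
			Before:   []string{"kubelet.service"},
			Manifest: "Type=oneshot\nExecStart=/bin/sh -c 'echo never > /sys/kernel/mm/transparent_hugepage/enabled'",
		},
		{
			Name:           "dev-nvme1n1.swap",
			UseRawManifest: true,
			Manifest:       "[Unit]\nDescription=Swap on the second NVMe disk\n\n[Swap]\nWhat=/dev/nvme1n1\n\n[Install]\nWantedBy=swap.target\n",
		},
	}
	for _, h := range hooks {
		name, contents, err := RenderUnit(h)
		if err != nil {
			panic(err)
		}
		fmt.Printf("--- /etc/systemd/system/%s\n%s", name, contents)
	}
}
```

Because the raw path hands the manifest through untouched, anything an operator puts there runs with the privileges of the unit it defines; review raw hook manifests in cluster specs with the same care as any other root-level boot script.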