github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #50063 from dixudx/manifests_use_hostpath_type 

Automatic merge from submit-queue (batch tested with PRs 51038, 50063, 51257, 47171, 51143)

update related manifest files to use hostpath type

**What this PR does / why we need it**:
Per [discussion in #46597](https://github.com/kubernetes/kubernetes/pull/46597#pullrequestreview-53568947)

Dependes on #46597

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

Fixes: https://github.com/kubernetes/kubeadm/issues/298

**Special notes for your reviewer**:
/cc @euank @thockin @tallclair @Random-Liu 

**Release note**:

```release-note
None
```
pull/6/head
Kubernetes Submit Queue 2017-08-25 12:31:02 -07:00 committed by GitHub
parent c02afa6e39 01e4b960d8
commit 16a438b56e
24 changed files with 182 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cluster/addons/node-problem-detector/npd.yaml
View File

@ -76,6 +76,7 @@ spec:
- name: localtime - name: localtime
hostPath: hostPath:
path: /etc/localtime path: /etc/localtime
type: "FileOrCreate"
serviceAccountName: node-problem-detector serviceAccountName: node-problem-detector
tolerations: tolerations:
- operator: "Exists" - operator: "Exists"

10
cluster/gce/container-linux/configure-helper.sh
View File

@ -834,7 +834,7 @@ function compute-master-manifest-variables {
CLOUD_CONFIG_MOUNT="" CLOUD_CONFIG_MOUNT=""
if [[ -f /etc/gce.conf ]]; then if [[ -f /etc/gce.conf ]]; then
CLOUD_CONFIG_OPT="--cloud-config=/etc/gce.conf" CLOUD_CONFIG_OPT="--cloud-config=/etc/gce.conf"
CLOUD_CONFIG_VOLUME="{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"/etc/gce.conf\"}}," CLOUD_CONFIG_VOLUME="{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"/etc/gce.conf\", \"type\": \"FileOrCreate\"}},"
CLOUD_CONFIG_MOUNT="{\"name\": \"cloudconfigmount\",\"mountPath\": \"/etc/gce.conf\", \"readOnly\": true}," CLOUD_CONFIG_MOUNT="{\"name\": \"cloudconfigmount\",\"mountPath\": \"/etc/gce.conf\", \"readOnly\": true},"
fi fi
DOCKER_REGISTRY="gcr.io/google_containers" DOCKER_REGISTRY="gcr.io/google_containers"
@ -939,10 +939,10 @@ function start-kube-apiserver {
params+=" --admission-control-config-file=/etc/admission_controller.config" params+=" --admission-control-config-file=/etc/admission_controller.config"
# Mount the file to configure admission controllers if ImagePolicyWebhook is set. # Mount the file to configure admission controllers if ImagePolicyWebhook is set.
admission_controller_config_mount="{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"/etc/admission_controller.config\", \"readOnly\": false}," admission_controller_config_mount="{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"/etc/admission_controller.config\", \"readOnly\": false},"
admission_controller_config_volume="{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"/etc/admission_controller.config\"}}," admission_controller_config_volume="{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"/etc/admission_controller.config\", \"type\": \"FileOrCreate\"}},"
# Mount the file to configure the ImagePolicyWebhook's webhook. # Mount the file to configure the ImagePolicyWebhook's webhook.
image_policy_webhook_config_mount="{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false}," image_policy_webhook_config_mount="{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false},"
image_policy_webhook_config_volume="{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\"}}," image_policy_webhook_config_volume="{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\", \"type\": \"FileOrCreate\"}},"
fi fi
fi fi
@ -969,7 +969,7 @@ function start-kube-apiserver {
if [[ -n "${GCP_AUTHN_URL:-}" ]]; then if [[ -n "${GCP_AUTHN_URL:-}" ]]; then
params+=" --authentication-token-webhook-config-file=/etc/gcp_authn.config" params+=" --authentication-token-webhook-config-file=/etc/gcp_authn.config"
webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false}," webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false},"
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}}," webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\", \"type\": \"FileOrCreate\"}},"
fi fi
local authorization_mode="RBAC" local authorization_mode="RBAC"
@ -1000,7 +1000,7 @@ function start-kube-apiserver {
authorization_mode+=",Webhook" authorization_mode+=",Webhook"
params+=" --authorization-webhook-config-file=/etc/gcp_authz.config" params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false}," webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}}," webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\", \"type\": \"FileOrCreate\"}},"
fi fi
params+=" --authorization-mode=${authorization_mode}" params+=" --authorization-mode=${authorization_mode}"

14
cluster/gce/gci/configure-helper.sh
View File

@ -1160,7 +1160,7 @@ function compute-master-manifest-variables {
CLOUD_CONFIG_MOUNT="" CLOUD_CONFIG_MOUNT=""
if [[ -f /etc/gce.conf ]]; then if [[ -f /etc/gce.conf ]]; then
CLOUD_CONFIG_OPT="--cloud-config=/etc/gce.conf" CLOUD_CONFIG_OPT="--cloud-config=/etc/gce.conf"
CLOUD_CONFIG_VOLUME="{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"/etc/gce.conf\"}}," CLOUD_CONFIG_VOLUME="{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"/etc/gce.conf\", \"type\": \"FileOrCreate\"}},"
CLOUD_CONFIG_MOUNT="{\"name\": \"cloudconfigmount\",\"mountPath\": \"/etc/gce.conf\", \"readOnly\": true}," CLOUD_CONFIG_MOUNT="{\"name\": \"cloudconfigmount\",\"mountPath\": \"/etc/gce.conf\", \"readOnly\": true},"
fi fi
DOCKER_REGISTRY="gcr.io/google_containers" DOCKER_REGISTRY="gcr.io/google_containers"
@ -1288,7 +1288,7 @@ function start-kube-apiserver {
# Create the audit policy file, and mount it into the apiserver pod. # Create the audit policy file, and mount it into the apiserver pod.
create-master-audit-policy "${audit_policy_file}" create-master-audit-policy "${audit_policy_file}"
audit_policy_config_mount="{\"name\": \"auditpolicyconfigmount\",\"mountPath\": \"${audit_policy_file}\", \"readOnly\": true}," audit_policy_config_mount="{\"name\": \"auditpolicyconfigmount\",\"mountPath\": \"${audit_policy_file}\", \"readOnly\": true},"
audit_policy_config_volume="{\"name\": \"auditpolicyconfigmount\",\"hostPath\": {\"path\": \"${audit_policy_file}\"}}," audit_policy_config_volume="{\"name\": \"auditpolicyconfigmount\",\"hostPath\": {\"path\": \"${audit_policy_file}\", \"type\": \"FileOrCreate\"}},"
if [[ "${ADVANCED_AUDIT_BACKEND:-log}" == *"log"* ]]; then if [[ "${ADVANCED_AUDIT_BACKEND:-log}" == *"log"* ]]; then
# The advanced audit log backend config matches the basic audit log config. # The advanced audit log backend config matches the basic audit log config.
@ -1310,7 +1310,7 @@ function start-kube-apiserver {
params+=" --audit-webhook-config-file=${audit_webhook_config_file}" params+=" --audit-webhook-config-file=${audit_webhook_config_file}"
create-master-audit-webhook-config "${audit_webhook_config_file}" create-master-audit-webhook-config "${audit_webhook_config_file}"
audit_webhook_config_mount="{\"name\": \"auditwebhookconfigmount\",\"mountPath\": \"${audit_webhook_config_file}\", \"readOnly\": true}," audit_webhook_config_mount="{\"name\": \"auditwebhookconfigmount\",\"mountPath\": \"${audit_webhook_config_file}\", \"readOnly\": true},"
audit_webhook_config_volume="{\"name\": \"auditwebhookconfigmount\",\"hostPath\": {\"path\": \"${audit_webhook_config_file}\"}}," audit_webhook_config_volume="{\"name\": \"auditwebhookconfigmount\",\"hostPath\": {\"path\": \"${audit_webhook_config_file}\", \"type\": \"FileOrCreate\"}},"
fi fi
fi fi
@ -1328,10 +1328,10 @@ function start-kube-apiserver {
params+=" --admission-control-config-file=/etc/admission_controller.config" params+=" --admission-control-config-file=/etc/admission_controller.config"
# Mount the file to configure admission controllers if ImagePolicyWebhook is set. # Mount the file to configure admission controllers if ImagePolicyWebhook is set.
admission_controller_config_mount="{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"/etc/admission_controller.config\", \"readOnly\": false}," admission_controller_config_mount="{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"/etc/admission_controller.config\", \"readOnly\": false},"
admission_controller_config_volume="{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"/etc/admission_controller.config\"}}," admission_controller_config_volume="{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"/etc/admission_controller.config\", \"type\": \"FileOrCreate\"}},"
# Mount the file to configure the ImagePolicyWebhook's webhook. # Mount the file to configure the ImagePolicyWebhook's webhook.
image_policy_webhook_config_mount="{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false}," image_policy_webhook_config_mount="{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false},"
image_policy_webhook_config_volume="{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\"}}," image_policy_webhook_config_volume="{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\", \"type\": \"FileOrCreate\"}},"
fi fi
fi fi
@ -1358,7 +1358,7 @@ function start-kube-apiserver {
if [[ -n "${GCP_AUTHN_URL:-}" ]]; then if [[ -n "${GCP_AUTHN_URL:-}" ]]; then
params+=" --authentication-token-webhook-config-file=/etc/gcp_authn.config" params+=" --authentication-token-webhook-config-file=/etc/gcp_authn.config"
webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false}," webhook_authn_config_mount="{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"/etc/gcp_authn.config\", \"readOnly\": false},"
webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\"}}," webhook_authn_config_volume="{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authn.config\", \"type\": \"FileOrCreate\"}},"
fi fi
@ -1390,7 +1390,7 @@ function start-kube-apiserver {
authorization_mode+=",Webhook" authorization_mode+=",Webhook"
params+=" --authorization-webhook-config-file=/etc/gcp_authz.config" params+=" --authorization-webhook-config-file=/etc/gcp_authz.config"
webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false}," webhook_config_mount="{\"name\": \"webhookconfigmount\",\"mountPath\": \"/etc/gcp_authz.config\", \"readOnly\": false},"
webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\"}}," webhook_config_volume="{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_authz.config\", \"type\": \"FileOrCreate\"}},"
fi fi
params+=" --authorization-mode=${authorization_mode}" params+=" --authorization-mode=${authorization_mode}"

5
cluster/saltbase/salt/cluster-autoscaler/cluster-autoscaler.manifest
View File

@ -5,7 +5,7 @@
{% if grains.cloud == 'gce' and grains.cloud_config is defined -%} {% if grains.cloud == 'gce' and grains.cloud_config is defined -%}
{% set cloud_config = "--cloud-config=" + grains.cloud_config -%} {% set cloud_config = "--cloud-config=" + grains.cloud_config -%}
{% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%} {% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%}
{% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\"}}," -%} {% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\", \"type\": \"FileOrCreate\"}}," -%}
{% endif -%} {% endif -%}
{% set params = pillar['autoscaler_mig_config'] + " " + cloud_config + " " + pillar.get('autoscaler_expander_config', '') -%} {% set params = pillar['autoscaler_mig_config'] + " " + cloud_config + " " + pillar.get('autoscaler_expander_config', '') -%}
@ -95,7 +95,8 @@
{ {
"name": "logfile", "name": "logfile",
"hostPath": { "hostPath": {
"path": "/var/log/cluster-autoscaler.log" "path": "/var/log/cluster-autoscaler.log",
"type": "FileOrCreate"
} }
} }
], ],

2
cluster/saltbase/salt/e2e-image-puller/e2e-image-puller.manifest
View File

@ -50,9 +50,11 @@ spec:
volumes: volumes:
- hostPath: - hostPath:
path: /var/run/docker.sock path: /var/run/docker.sock
type: Socket
name: socket name: socket
- hostPath: - hostPath:
path: /usr/bin/docker path: /usr/bin/docker
type: File
name: docker name: docker
# This pod is really fire-and-forget. # This pod is really fire-and-forget.
restartPolicy: OnFailure restartPolicy: OnFailure

3
cluster/saltbase/salt/etcd/etcd.manifest
View File

@ -103,7 +103,8 @@
}, },
{ "name": "varlogetcd", { "name": "varlogetcd",
"hostPath": { "hostPath": {
"path": "/var/log/etcd{{ suffix }}.log"} "path": "/var/log/etcd{{ suffix }}.log",
"type": "FileOrCreate"}
}, },
{ "name": "etc", { "name": "etc",
"hostPath": { "hostPath": {

20
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
View File

@ -25,7 +25,7 @@
{% if grains.cloud in [ 'aws', 'gce' ] and grains.cloud_config is defined -%} {% if grains.cloud in [ 'aws', 'gce' ] and grains.cloud_config is defined -%}
{% set cloud_config = "--cloud-config=" + grains.cloud_config -%} {% set cloud_config = "--cloud-config=" + grains.cloud_config -%}
{% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%} {% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%}
{% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\"}}," -%} {% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\", \"type\": \"FileOrCreate\"}}," -%}
{% endif -%} {% endif -%}
{% if grains.cloud in ['openstack'] -%} {% if grains.cloud in ['openstack'] -%}
@ -119,7 +119,7 @@
{% if grains.webhook_authentication_config is defined -%} {% if grains.webhook_authentication_config is defined -%}
{% set webhook_authentication_config = " --authentication-token-webhook-config-file=" + grains.webhook_authentication_config -%} {% set webhook_authentication_config = " --authentication-token-webhook-config-file=" + grains.webhook_authentication_config -%}
{% set webhook_authn_config_mount = "{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"" + grains.webhook_authentication_config + "\", \"readOnly\": false}," -%} {% set webhook_authn_config_mount = "{\"name\": \"webhookauthnconfigmount\",\"mountPath\": \"" + grains.webhook_authentication_config + "\", \"readOnly\": false}," -%}
{% set webhook_authn_config_volume = "{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authentication_config + "\"}}," -%} {% set webhook_authn_config_volume = "{\"name\": \"webhookauthnconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authentication_config + "\", \"type\": \"FileOrCreate\"}}," -%}
{% endif -%} {% endif -%}
{% set webhook_authorization_config = "" -%} {% set webhook_authorization_config = "" -%}
@ -128,7 +128,7 @@
{% if grains.webhook_authorization_config is defined -%} {% if grains.webhook_authorization_config is defined -%}
{% set webhook_authorization_config = " --authorization-webhook-config-file=" + grains.webhook_authorization_config -%} {% set webhook_authorization_config = " --authorization-webhook-config-file=" + grains.webhook_authorization_config -%}
{% set webhook_config_mount = "{\"name\": \"webhookconfigmount\",\"mountPath\": \"" + grains.webhook_authorization_config + "\", \"readOnly\": false}," -%} {% set webhook_config_mount = "{\"name\": \"webhookconfigmount\",\"mountPath\": \"" + grains.webhook_authorization_config + "\", \"readOnly\": false}," -%}
{% set webhook_config_volume = "{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authorization_config + "\"}}," -%} {% set webhook_config_volume = "{\"name\": \"webhookconfigmount\",\"hostPath\": {\"path\": \"" + grains.webhook_authorization_config + "\", \"type\": \"FileOrCreate\"}}," -%}
{% set authz_mode = authz_mode + ",Webhook" -%} {% set authz_mode = authz_mode + ",Webhook" -%}
{% endif -%} {% endif -%}
@ -140,9 +140,9 @@
{% if grains.image_review_config is defined -%} {% if grains.image_review_config is defined -%}
{% set image_review_config = " --admission-control-config-file=" + grains.image_review_config -%} {% set image_review_config = " --admission-control-config-file=" + grains.image_review_config -%}
{% set admission_controller_config_mount = "{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"" + grains.image_review_config + "\", \"readOnly\": false}," -%} {% set admission_controller_config_mount = "{\"name\": \"admissioncontrollerconfigmount\",\"mountPath\": \"" + grains.image_review_config + "\", \"readOnly\": false}," -%}
{% set admission_controller_config_volume = "{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"" + grains.image_review_config + "\"}}," -%} {% set admission_controller_config_volume = "{\"name\": \"admissioncontrollerconfigmount\",\"hostPath\": {\"path\": \"" + grains.image_review_config + "\", \"type\": \"FileOrCreate\"}}," -%}
{% set image_policy_webhook_config_mount = "{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false}," -%} {% set image_policy_webhook_config_mount = "{\"name\": \"imagepolicywebhookconfigmount\",\"mountPath\": \"/etc/gcp_image_review.config\", \"readOnly\": false}," -%}
{% set image_policy_webhook_config_volume = "{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\"}}," -%} {% set image_policy_webhook_config_volume = "{\"name\": \"imagepolicywebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/gcp_image_review.config\", \"type\": \"FileOrCreate\"}}," -%}
{% endif -%} {% endif -%}
{% set admission_control = "" -%} {% set admission_control = "" -%}
@ -185,14 +185,14 @@
{% elif pillar['enable_apiserver_advanced_audit'] is defined and pillar['enable_apiserver_advanced_audit'] in ['true'] -%} {% elif pillar['enable_apiserver_advanced_audit'] is defined and pillar['enable_apiserver_advanced_audit'] in ['true'] -%}
{% set audit_log = "--audit-policy-file=/etc/audit_policy.config" -%} {% set audit_log = "--audit-policy-file=/etc/audit_policy.config" -%}
{% set audit_policy_config_mount = "{\"name\": \"auditpolicyconfigmount\",\"mountPath\": \"/etc/audit_policy.config\", \"readOnly\": true}," -%} {% set audit_policy_config_mount = "{\"name\": \"auditpolicyconfigmount\",\"mountPath\": \"/etc/audit_policy.config\", \"readOnly\": true}," -%}
{% set audit_policy_config_volume = "{\"name\": \"auditpolicyconfigmount\",\"hostPath\": {\"path\": \"/etc/audit_policy.config\"}}," -%} {% set audit_policy_config_volume = "{\"name\": \"auditpolicyconfigmount\",\"hostPath\": {\"path\": \"/etc/audit_policy.config\", \"type\": \"FileOrCreate\"}}," -%}
{% if pillar['advanced_audit_backend'] is defined and 'log' in pillar['advanced_audit_backend'] -%} {% if pillar['advanced_audit_backend'] is defined and 'log' in pillar['advanced_audit_backend'] -%}
{% set audit_log = audit_log + " --audit-log-path=/var/log/kube-apiserver-audit.log --audit-log-maxage=0 --audit-log-maxbackup=0 --audit-log-maxsize=2000000000" -%} {% set audit_log = audit_log + " --audit-log-path=/var/log/kube-apiserver-audit.log --audit-log-maxage=0 --audit-log-maxbackup=0 --audit-log-maxsize=2000000000" -%}
{% endif %} {% endif %}
{% if pillar['advanced_audit_backend'] is defined and 'webhook' in pillar['advanced_audit_backend'] -%} {% if pillar['advanced_audit_backend'] is defined and 'webhook' in pillar['advanced_audit_backend'] -%}
{% set audit_log = audit_log + " --audit-webhook-mode=batch" -%} {% set audit_log = audit_log + " --audit-webhook-mode=batch" -%}
{% set audit_webhook_config_mount = "{\"name\": \"auditwebhookconfigmount\",\"mountPath\": \"/etc/audit_webhook.config\", \"readOnly\": true}," -%} {% set audit_webhook_config_mount = "{\"name\": \"auditwebhookconfigmount\",\"mountPath\": \"/etc/audit_webhook.config\", \"readOnly\": true}," -%}
{% set audit_webhook_config_volume = "{\"name\": \"auditwebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/audit_webhook.config\"}}," -%} {% set audit_webhook_config_volume = "{\"name\": \"auditwebhookconfigmount\",\"hostPath\": {\"path\": \"/etc/audit_webhook.config\", \"type\": \"FileOrCreate\"}}," -%}
{% endif %} {% endif %}
{% endif -%} {% endif -%}
@ -308,11 +308,13 @@
}, },
{ "name": "logfile", { "name": "logfile",
"hostPath": { "hostPath": {
"path": "/var/log/kube-apiserver.log"} "path": "/var/log/kube-apiserver.log",
"type": "FileOrCreate"}
}, },
{ "name": "auditlogfile", { "name": "auditlogfile",
"hostPath": { "hostPath": {
"path": "/var/log/kube-apiserver-audit.log"} "path": "/var/log/kube-apiserver-audit.log",
"type": "FileOrCreate"}
}, },
{ "name": "etcssl", { "name": "etcssl",
"hostPath": { "hostPath": {

5
cluster/saltbase/salt/kube-controller-manager/kube-controller-manager.manifest
View File

@ -49,7 +49,7 @@
{% if grains.cloud in [ 'aws', 'gce' ] and grains.cloud_config is defined -%} {% if grains.cloud in [ 'aws', 'gce' ] and grains.cloud_config is defined -%}
{% set cloud_config = "--cloud-config=" + grains.cloud_config -%} {% set cloud_config = "--cloud-config=" + grains.cloud_config -%}
{% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%} {% set cloud_config_mount = "{\"name\": \"cloudconfigmount\",\"mountPath\": \"" + grains.cloud_config + "\", \"readOnly\": true}," -%}
{% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\"}}," -%} {% set cloud_config_volume = "{\"name\": \"cloudconfigmount\",\"hostPath\": {\"path\": \"" + grains.cloud_config + "\", \"type\": \"FileOrCreate\"}}," -%}
{% endif -%} {% endif -%}
{% if grains.cloud in ['openstack'] -%} {% if grains.cloud in ['openstack'] -%}
@ -164,7 +164,8 @@
}, },
{ "name": "logfile", { "name": "logfile",
"hostPath": { "hostPath": {
"path": "/var/log/kube-controller-manager.log"} "path": "/var/log/kube-controller-manager.log",
"type": "FileOrCreate"}
}, },
{ "name": "etcssl", { "name": "etcssl",
"hostPath": { "hostPath": {

2
cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
View File

@ -102,6 +102,7 @@ spec:
name: etc-ssl-certs name: etc-ssl-certs
- hostPath: - hostPath:
path: /var/lib/kube-proxy/kubeconfig path: /var/lib/kube-proxy/kubeconfig
type: FileOrCreate
name: kubeconfig name: kubeconfig
- hostPath: - hostPath:
path: /var/log path: /var/log
@ -111,4 +112,5 @@ spec:
name: run name: run
- hostPath: - hostPath:
path: /run/xtables.lock path: /run/xtables.lock
type: FileOrCreate
name: iptableslock name: iptableslock

2
cluster/saltbase/salt/kube-scheduler/kube-scheduler.manifest
View File

@ -83,7 +83,7 @@
}, },
{ {
"name": "logfile", "name": "logfile",
"hostPath": {"path": "/var/log/kube-scheduler.log"} "hostPath": {"path": "/var/log/kube-scheduler.log", "type": "FileOrCreate"}
} }
] ]
}} }}

2
cluster/saltbase/salt/l7-gcp/glbc.manifest
View File

@ -48,7 +48,9 @@ spec:
volumes: volumes:
- hostPath: - hostPath:
path: /etc/gce.conf path: /etc/gce.conf
type: FileOrCreate
name: cloudconfig name: cloudconfig
- hostPath: - hostPath:
path: /var/log/glbc.log path: /var/log/glbc.log
type: FileOrCreate
name: logfile name: logfile

1
cluster/saltbase/salt/rescheduler/rescheduler.manifest
View File

@ -32,4 +32,5 @@ spec:
volumes: volumes:
- hostPath: - hostPath:
path: /var/log/rescheduler.log path: /var/log/rescheduler.log
type: FileOrCreate
name: logfile name: logfile

2
cmd/kubeadm/app/phases/addons/proxy/manifests.go
View File

@ -81,7 +81,6 @@ spec:
volumeMounts: volumeMounts:
- mountPath: /var/lib/kube-proxy - mountPath: /var/lib/kube-proxy
name: kube-proxy name: kube-proxy
# TODO: Make this a file hostpath mount
- mountPath: /run/xtables.lock - mountPath: /run/xtables.lock
name: xtables-lock name: xtables-lock
readOnly: false readOnly: false
@ -100,5 +99,6 @@ spec:
- name: xtables-lock - name: xtables-lock
hostPath: hostPath:
path: /run/xtables.lock path: /run/xtables.lock
type: FileOrCreate
` `
) )

25
cmd/kubeadm/app/phases/controlplane/volumes.go
View File

@ -42,14 +42,16 @@ var caCertsPkiVolumePath = "/etc/pki"
// getHostPathVolumesForTheControlPlane gets the required hostPath volumes and mounts for the control plane // getHostPathVolumesForTheControlPlane gets the required hostPath volumes and mounts for the control plane
func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.MasterConfiguration) controlPlaneHostPathMounts { func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.MasterConfiguration) controlPlaneHostPathMounts {
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
hostPathFileOrCreate := v1.HostPathFileOrCreate
mounts := newControlPlaneHostPathMounts() mounts := newControlPlaneHostPathMounts()
// HostPath volumes for the API Server // HostPath volumes for the API Server
// Read-only mount for the certificates directory // Read-only mount for the certificates directory
// TODO: Always mount the K8s Certificates directory to a static path inside of the container // TODO: Always mount the K8s Certificates directory to a static path inside of the container
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true) mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true, &hostPathDirectoryOrCreate)
// Read-only mount for the ca certs (/etc/ssl/certs) directory // Read-only mount for the ca certs (/etc/ssl/certs) directory
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true) mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true, &hostPathDirectoryOrCreate)
// If external etcd is specified, mount the directories needed for accessing the CA/serving certs and the private key // If external etcd is specified, mount the directories needed for accessing the CA/serving certs and the private key
if len(cfg.Etcd.Endpoints) != 0 { if len(cfg.Etcd.Endpoints) != 0 {
@ -60,23 +62,23 @@ func getHostPathVolumesForTheControlPlane(cfg *kubeadmapi.MasterConfiguration) c
// HostPath volumes for the controller manager // HostPath volumes for the controller manager
// Read-only mount for the certificates directory // Read-only mount for the certificates directory
// TODO: Always mount the K8s Certificates directory to a static path inside of the container // TODO: Always mount the K8s Certificates directory to a static path inside of the container
mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true) mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, kubeadmconstants.KubeCertificatesVolumeName, cfg.CertificatesDir, cfg.CertificatesDir, true, &hostPathDirectoryOrCreate)
// Read-only mount for the ca certs (/etc/ssl/certs) directory // Read-only mount for the ca certs (/etc/ssl/certs) directory
mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true) mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, caCertsVolumeName, caCertsVolumePath, caCertsVolumePath, true, &hostPathDirectoryOrCreate)
// Read-only mount for the controller manager kubeconfig file // Read-only mount for the controller manager kubeconfig file
controllerManagerKubeConfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName) controllerManagerKubeConfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.ControllerManagerKubeConfigFileName)
mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, kubeadmconstants.KubeConfigVolumeName, controllerManagerKubeConfigFile, controllerManagerKubeConfigFile, true) mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, kubeadmconstants.KubeConfigVolumeName, controllerManagerKubeConfigFile, controllerManagerKubeConfigFile, true, &hostPathFileOrCreate)
// HostPath volumes for the scheduler // HostPath volumes for the scheduler
// Read-only mount for the scheduler kubeconfig file // Read-only mount for the scheduler kubeconfig file
schedulerKubeConfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName) schedulerKubeConfigFile := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.SchedulerKubeConfigFileName)
mounts.NewHostPathMount(kubeadmconstants.KubeScheduler, kubeadmconstants.KubeConfigVolumeName, schedulerKubeConfigFile, schedulerKubeConfigFile, true) mounts.NewHostPathMount(kubeadmconstants.KubeScheduler, kubeadmconstants.KubeConfigVolumeName, schedulerKubeConfigFile, schedulerKubeConfigFile, true, &hostPathFileOrCreate)
// On some systems were we host-mount /etc/ssl/certs, it is also required to mount /etc/pki. This is needed // On some systems were we host-mount /etc/ssl/certs, it is also required to mount /etc/pki. This is needed
// due to symlinks pointing from files in /etc/ssl/certs into /etc/pki/ // due to symlinks pointing from files in /etc/ssl/certs into /etc/pki/
if isPkiVolumeMountNeeded() { if isPkiVolumeMountNeeded() {
mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsPkiVolumeName, caCertsPkiVolumePath, caCertsPkiVolumePath, true) mounts.NewHostPathMount(kubeadmconstants.KubeAPIServer, caCertsPkiVolumeName, caCertsPkiVolumePath, caCertsPkiVolumePath, true, &hostPathDirectoryOrCreate)
mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, caCertsPkiVolumeName, caCertsPkiVolumePath, caCertsPkiVolumePath, true) mounts.NewHostPathMount(kubeadmconstants.KubeControllerManager, caCertsPkiVolumeName, caCertsPkiVolumePath, caCertsPkiVolumePath, true, &hostPathDirectoryOrCreate)
} }
return mounts return mounts
@ -95,8 +97,8 @@ func newControlPlaneHostPathMounts() controlPlaneHostPathMounts {
} }
} }
func (c *controlPlaneHostPathMounts) NewHostPathMount(component, mountName, hostPath, containerPath string, readOnly bool) { func (c *controlPlaneHostPathMounts) NewHostPathMount(component, mountName, hostPath, containerPath string, readOnly bool, hostPathType *v1.HostPathType) {
c.volumes[component] = append(c.volumes[component], staticpodutil.NewVolume(mountName, hostPath)) c.volumes[component] = append(c.volumes[component], staticpodutil.NewVolume(mountName, hostPath, hostPathType))
c.volumeMounts[component] = append(c.volumeMounts[component], staticpodutil.NewVolumeMount(mountName, containerPath, readOnly)) c.volumeMounts[component] = append(c.volumeMounts[component], staticpodutil.NewVolumeMount(mountName, containerPath, readOnly))
} }
@ -143,9 +145,10 @@ func getEtcdCertVolumes(etcdCfg kubeadmapi.Etcd) ([]v1.Volume, []v1.VolumeMount)
volumes := []v1.Volume{} volumes := []v1.Volume{}
volumeMounts := []v1.VolumeMount{} volumeMounts := []v1.VolumeMount{}
pathType := v1.HostPathDirectoryOrCreate
for i, certDir := range certDirs.List() { for i, certDir := range certDirs.List() {
name := fmt.Sprintf("etcd-certs-%d", i) name := fmt.Sprintf("etcd-certs-%d", i)
volumes = append(volumes, staticpodutil.NewVolume(name, certDir)) volumes = append(volumes, staticpodutil.NewVolume(name, certDir, &pathType))
volumeMounts = append(volumeMounts, staticpodutil.NewVolumeMount(name, certDir, true)) volumeMounts = append(volumeMounts, staticpodutil.NewVolumeMount(name, certDir, true))
} }
return volumes, volumeMounts return volumes, volumeMounts

113
cmd/kubeadm/app/phases/controlplane/volumes_test.go
View File

@ -29,6 +29,7 @@ import (
) )
func TestGetEtcdCertVolumes(t *testing.T) { func TestGetEtcdCertVolumes(t *testing.T) {
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
var tests = []struct { var tests = []struct {
ca, cert, key string ca, cert, key string
vol []v1.Volume vol []v1.Volume
@ -67,7 +68,10 @@ func TestGetEtcdCertVolumes(t *testing.T) {
{ {
Name: "etcd-certs-0", Name: "etcd-certs-0",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/var/lib/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/var/lib/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
}, },
@ -88,13 +92,19 @@ func TestGetEtcdCertVolumes(t *testing.T) {
{ {
Name: "etcd-certs-0", Name: "etcd-certs-0",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "etcd-certs-1", Name: "etcd-certs-1",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/var/lib/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/var/lib/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
}, },
@ -120,19 +130,28 @@ func TestGetEtcdCertVolumes(t *testing.T) {
{ {
Name: "etcd-certs-0", Name: "etcd-certs-0",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "etcd-certs-1", Name: "etcd-certs-1",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/var/lib/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/var/lib/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "etcd-certs-2", Name: "etcd-certs-2",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/var/lib/certs/private"}, HostPath: &v1.HostPathVolumeSource{
Path: "/var/lib/certs/private",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
}, },
@ -163,7 +182,10 @@ func TestGetEtcdCertVolumes(t *testing.T) {
{ {
Name: "etcd-certs-0", Name: "etcd-certs-0",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
}, },
@ -184,7 +206,10 @@ func TestGetEtcdCertVolumes(t *testing.T) {
{ {
Name: "etcd-certs-0", Name: "etcd-certs-0",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
}, },
@ -222,6 +247,8 @@ func TestGetEtcdCertVolumes(t *testing.T) {
} }
func TestGetHostPathVolumesForTheControlPlane(t *testing.T) { func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
hostPathFileOrCreate := v1.HostPathFileOrCreate
var tests = []struct { var tests = []struct {
cfg *kubeadmapi.MasterConfiguration cfg *kubeadmapi.MasterConfiguration
vol map[string][]v1.Volume vol map[string][]v1.Volume
@ -238,13 +265,19 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
{ {
Name: "k8s-certs", Name: "k8s-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: testCertsDir}, HostPath: &v1.HostPathVolumeSource{
Path: testCertsDir,
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "ca-certs", Name: "ca-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/ssl/certs"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
}, },
@ -252,19 +285,28 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
{ {
Name: "k8s-certs", Name: "k8s-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: testCertsDir}, HostPath: &v1.HostPathVolumeSource{
Path: testCertsDir,
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "ca-certs", Name: "ca-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/ssl/certs"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "kubeconfig", Name: "kubeconfig",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/kubernetes/controller-manager.conf"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/controller-manager.conf",
Type: &hostPathFileOrCreate,
},
}, },
}, },
}, },
@ -272,7 +314,10 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
{ {
Name: "kubeconfig", Name: "kubeconfig",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/kubernetes/scheduler.conf"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/scheduler.conf",
Type: &hostPathFileOrCreate,
},
}, },
}, },
}, },
@ -332,25 +377,37 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
{ {
Name: "k8s-certs", Name: "k8s-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: testCertsDir}, HostPath: &v1.HostPathVolumeSource{
Path: testCertsDir,
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "ca-certs", Name: "ca-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/ssl/certs"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "etcd-certs-0", Name: "etcd-certs-0",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "etcd-certs-1", Name: "etcd-certs-1",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/var/lib/certs/etcd"}, HostPath: &v1.HostPathVolumeSource{
Path: "/var/lib/certs/etcd",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
}, },
@ -358,19 +415,28 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
{ {
Name: "k8s-certs", Name: "k8s-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: testCertsDir}, HostPath: &v1.HostPathVolumeSource{
Path: testCertsDir,
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "ca-certs", Name: "ca-certs",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/ssl/certs"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
{ {
Name: "kubeconfig", Name: "kubeconfig",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/kubernetes/controller-manager.conf"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/controller-manager.conf",
Type: &hostPathFileOrCreate,
},
}, },
}, },
}, },
@ -378,7 +444,10 @@ func TestGetHostPathVolumesForTheControlPlane(t *testing.T) {
{ {
Name: "kubeconfig", Name: "kubeconfig",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/kubernetes/scheduler.conf"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/scheduler.conf",
Type: &hostPathFileOrCreate,
},
}, },
}, },
}, },

3
cmd/kubeadm/app/phases/etcd/local.go
View File

@ -49,6 +49,7 @@ func CreateLocalEtcdStaticPodManifestFile(manifestDir string, cfg *kubeadmapi.Ma
// GetEtcdPodSpec returns the etcd static Pod actualized to the context of the current MasterConfiguration // GetEtcdPodSpec returns the etcd static Pod actualized to the context of the current MasterConfiguration
// NB. GetEtcdPodSpec methods holds the information about how kubeadm creates etcd static pod mainfests. // NB. GetEtcdPodSpec methods holds the information about how kubeadm creates etcd static pod mainfests.
func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod { func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod {
pathType := v1.HostPathDirectoryOrCreate
return staticpodutil.ComponentPod(v1.Container{ return staticpodutil.ComponentPod(v1.Container{
Name: kubeadmconstants.Etcd, Name: kubeadmconstants.Etcd,
Command: getEtcdCommand(cfg), Command: getEtcdCommand(cfg),
@ -56,7 +57,7 @@ func GetEtcdPodSpec(cfg *kubeadmapi.MasterConfiguration) v1.Pod {
// Mount the etcd datadir path read-write so etcd can store data in a more persistent manner // Mount the etcd datadir path read-write so etcd can store data in a more persistent manner
VolumeMounts: []v1.VolumeMount{staticpodutil.NewVolumeMount(etcdVolumeName, cfg.Etcd.DataDir, false)}, VolumeMounts: []v1.VolumeMount{staticpodutil.NewVolumeMount(etcdVolumeName, cfg.Etcd.DataDir, false)},
LivenessProbe: staticpodutil.ComponentProbe(2379, "/health", v1.URISchemeHTTP), LivenessProbe: staticpodutil.ComponentProbe(2379, "/health", v1.URISchemeHTTP),
}, []v1.Volume{staticpodutil.NewVolume(etcdVolumeName, cfg.Etcd.DataDir)}) }, []v1.Volume{staticpodutil.NewVolume(etcdVolumeName, cfg.Etcd.DataDir, &pathType)})
} }
// getEtcdCommand builds the right etcd command from the given config object // getEtcdCommand builds the right etcd command from the given config object

12
cmd/kubeadm/app/phases/selfhosting/podspec_mutation_test.go
View File

@ -186,6 +186,7 @@ func TestSetRightDNSPolicyOnPodSpec(t *testing.T) {
} }
func TestSetSelfHostedVolumesForAPIServer(t *testing.T) { func TestSetSelfHostedVolumesForAPIServer(t *testing.T) {
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
var tests = []struct { var tests = []struct {
podSpec *v1.PodSpec podSpec *v1.PodSpec
expected v1.PodSpec expected v1.PodSpec
@ -215,6 +216,7 @@ func TestSetSelfHostedVolumesForAPIServer(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs", Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
}, },
}, },
}, },
@ -223,6 +225,7 @@ func TestSetSelfHostedVolumesForAPIServer(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/pki", Path: "/etc/kubernetes/pki",
Type: &hostPathDirectoryOrCreate,
}, },
}, },
}, },
@ -252,6 +255,7 @@ func TestSetSelfHostedVolumesForAPIServer(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs", Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
}, },
}, },
}, },
@ -276,6 +280,8 @@ func TestSetSelfHostedVolumesForAPIServer(t *testing.T) {
} }
func TestSetSelfHostedVolumesForControllerManager(t *testing.T) { func TestSetSelfHostedVolumesForControllerManager(t *testing.T) {
hostPathFileOrCreate := v1.HostPathFileOrCreate
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
var tests = []struct { var tests = []struct {
podSpec *v1.PodSpec podSpec *v1.PodSpec
expected v1.PodSpec expected v1.PodSpec
@ -310,6 +316,7 @@ func TestSetSelfHostedVolumesForControllerManager(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs", Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
}, },
}, },
}, },
@ -318,6 +325,7 @@ func TestSetSelfHostedVolumesForControllerManager(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/pki", Path: "/etc/kubernetes/pki",
Type: &hostPathDirectoryOrCreate,
}, },
}, },
}, },
@ -326,6 +334,7 @@ func TestSetSelfHostedVolumesForControllerManager(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/controller-manager.conf", Path: "/etc/kubernetes/controller-manager.conf",
Type: &hostPathFileOrCreate,
}, },
}, },
}, },
@ -360,6 +369,7 @@ func TestSetSelfHostedVolumesForControllerManager(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/ssl/certs", Path: "/etc/ssl/certs",
Type: &hostPathDirectoryOrCreate,
}, },
}, },
}, },
@ -388,6 +398,7 @@ func TestSetSelfHostedVolumesForControllerManager(t *testing.T) {
} }
func TestSetSelfHostedVolumesForScheduler(t *testing.T) { func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
hostPathFileOrCreate := v1.HostPathFileOrCreate
var tests = []struct { var tests = []struct {
podSpec *v1.PodSpec podSpec *v1.PodSpec
expected v1.PodSpec expected v1.PodSpec
@ -414,6 +425,7 @@ func TestSetSelfHostedVolumesForScheduler(t *testing.T) {
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{ HostPath: &v1.HostPathVolumeSource{
Path: "/etc/kubernetes/scheduler.conf", Path: "/etc/kubernetes/scheduler.conf",
Type: &hostPathFileOrCreate,
}, },
}, },
}, },

4
cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
View File

@ -249,6 +249,7 @@ spec:
name: ca-certs name: ca-certs
- hostPath: - hostPath:
path: /etc/kubernetes/controller-manager.conf path: /etc/kubernetes/controller-manager.conf
type: FileOrCreate
name: kubeconfig name: kubeconfig
- hostPath: - hostPath:
path: /etc/pki path: /etc/pki
@ -324,6 +325,7 @@ spec:
name: ca-certs name: ca-certs
- hostPath: - hostPath:
path: /etc/kubernetes/controller-manager.conf path: /etc/kubernetes/controller-manager.conf
type: FileOrCreate
name: kubeconfig name: kubeconfig
- hostPath: - hostPath:
path: /etc/pki path: /etc/pki
@ -374,6 +376,7 @@ spec:
volumes: volumes:
- hostPath: - hostPath:
path: /etc/kubernetes/scheduler.conf path: /etc/kubernetes/scheduler.conf
type: FileOrCreate
name: kubeconfig name: kubeconfig
status: {} status: {}
` `
@ -425,6 +428,7 @@ spec:
volumes: volumes:
- hostPath: - hostPath:
path: /etc/kubernetes/scheduler.conf path: /etc/kubernetes/scheduler.conf
type: FileOrCreate
name: kubeconfig name: kubeconfig
updateStrategy: {} updateStrategy: {}
status: status:

7
cmd/kubeadm/app/util/staticpod/utils.go
View File

@ -82,11 +82,14 @@ func ComponentProbe(port int, path string, scheme v1.URIScheme) *v1.Probe {
} }
// NewVolume creates a v1.Volume with a hostPath mount to the specified location // NewVolume creates a v1.Volume with a hostPath mount to the specified location
func NewVolume(name, path string) v1.Volume { func NewVolume(name, path string, pathType *v1.HostPathType) v1.Volume {
return v1.Volume{ return v1.Volume{
Name: name, Name: name,
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: path}, HostPath: &v1.HostPathVolumeSource{
Path: path,
Type: pathType,
},
}, },
} }
} }

10
cmd/kubeadm/app/util/staticpod/utils_test.go
View File

@ -123,10 +123,12 @@ func TestComponentPod(t *testing.T) {
} }
func TestNewVolume(t *testing.T) { func TestNewVolume(t *testing.T) {
hostPathDirectoryOrCreate := v1.HostPathDirectoryOrCreate
var tests = []struct { var tests = []struct {
name string name string
path string path string
expected v1.Volume expected v1.Volume
pathType *v1.HostPathType
}{ }{
{ {
name: "foo", name: "foo",
@ -134,14 +136,18 @@ func TestNewVolume(t *testing.T) {
expected: v1.Volume{ expected: v1.Volume{
Name: "foo", Name: "foo",
VolumeSource: v1.VolumeSource{ VolumeSource: v1.VolumeSource{
HostPath: &v1.HostPathVolumeSource{Path: "/etc/foo"}, HostPath: &v1.HostPathVolumeSource{
Path: "/etc/foo",
Type: &hostPathDirectoryOrCreate,
},
}, },
}, },
pathType: &hostPathDirectoryOrCreate,
}, },
} }
for _, rt := range tests { for _, rt := range tests {
actual := NewVolume(rt.name, rt.path) actual := NewVolume(rt.name, rt.path, rt.pathType)
if !reflect.DeepEqual(actual, rt.expected) { if !reflect.DeepEqual(actual, rt.expected) {
t.Errorf( t.Errorf(
"failed newVolume:\n\texpected: %v\n\t actual: %v", "failed newVolume:\n\texpected: %v\n\t actual: %v",

1
examples/newrelic/newrelic-daemonset.yaml
View File

@ -52,6 +52,7 @@ spec:
- name: run - name: run
hostPath: hostPath:
path: /var/run/docker.sock path: /var/run/docker.sock
type: Socket
- name: sys - name: sys
hostPath: hostPath:
path: /sys path: /sys

3
examples/oms/omsagent-daemonset.yaml
View File

@ -27,4 +27,5 @@ spec:
volumes: volumes:
- name: docker-sock - name: docker-sock
hostPath: hostPath:
path: /var/run/docker.sock path: /var/run/docker.sock
type: Socket

1
examples/sysdig-cloud/sysdig-daemonset.yaml
View File

@ -16,6 +16,7 @@ spec:
- name: docker-sock - name: docker-sock
hostPath: hostPath:
path: /var/run/docker.sock path: /var/run/docker.sock
type: Socket
- name: dev-vol - name: dev-vol
hostPath: hostPath:
path: /dev path: /dev

1
examples/sysdig-cloud/sysdig-rc.yaml
View File

@ -14,6 +14,7 @@ spec:
- name: docker-sock - name: docker-sock
hostPath: hostPath:
path: /var/run/docker.sock path: /var/run/docker.sock
type: Socket
- name: dev-vol - name: dev-vol
hostPath: hostPath:
path: /dev path: /dev