diff --git a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go index c107fae10e..7e667805e2 100644 --- a/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go +++ b/cmd/kubeadm/app/apis/kubeadm/fuzzer/fuzzer.go @@ -66,7 +66,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { obj.KubeletConfiguration = kubeadm.KubeletConfiguration{ BaseConfig: &kubeletconfigv1alpha1.KubeletConfiguration{ PodManifestPath: "foo", - AllowPrivileged: utilpointer.BoolPtr(true), ClusterDNS: []string{"foo"}, ClusterDomain: "foo", Authorization: kubeletconfigv1alpha1.KubeletAuthorization{Mode: "foo"}, diff --git a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go index ea28af88e5..772a9612ee 100644 --- a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go +++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go @@ -185,9 +185,6 @@ func SetDefaults_KubeletConfiguration(obj *MasterConfiguration) { if obj.KubeletConfiguration.BaseConfig.PodManifestPath == "" { obj.KubeletConfiguration.BaseConfig.PodManifestPath = DefaultManifestsDir } - if obj.KubeletConfiguration.BaseConfig.AllowPrivileged == nil { - obj.KubeletConfiguration.BaseConfig.AllowPrivileged = utilpointer.BoolPtr(true) - } if obj.KubeletConfiguration.BaseConfig.ClusterDNS == nil { dnsIP, err := constants.GetDNSIP(obj.Networking.ServiceSubnet) if err != nil { diff --git a/cmd/kubelet/app/options/options.go b/cmd/kubelet/app/options/options.go index a5ee14dc28..250da221f3 100644 --- a/cmd/kubelet/app/options/options.go +++ b/cmd/kubelet/app/options/options.go @@ -37,6 +37,7 @@ import ( "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/v1alpha1" kubeletconfigvalidation "k8s.io/kubernetes/pkg/kubelet/apis/kubeletconfig/validation" "k8s.io/kubernetes/pkg/kubelet/config" + kubetypes "k8s.io/kubernetes/pkg/kubelet/types" utiltaints "k8s.io/kubernetes/pkg/util/taints" ) 
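Review bot: Dropping the kubeadm default of `AllowPrivileged = utilpointer.BoolPtr(true)` in SetDefaults_KubeletConfiguration silently changes what a kubeadm-provisioned kubelet allows: the replacement flag added later in this diff documents "Defaults to false", and nothing here adds `--allow-privileged=true` to the kubelet invocation kubeadm writes. Unless that happens in a change not shown, privileged pods that kubeadm-managed clusters depend on (presumably CNI or proxy workloads — verify) are rejected after upgrade, so the kubelet unit/drop-in should be updated in the same change or the behaviour change called out in a release note. Also check that `utilpointer` is still referenced elsewhere in defaults.go; the diff shows no import hunk for that file, and an unused import will not compile. SetDefaults_KubeletConfiguration starts and ends outside the hunk.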
@@ -187,6 +188,19 @@ type KubeletFlags struct { KeepTerminatedPodVolumes bool // enable gathering custom metrics. EnableCustomMetrics bool + // allowPrivileged enables containers to request privileged mode. + // Defaults to false. + AllowPrivileged bool + // hostNetworkSources is a comma-separated list of sources from which the + // Kubelet allows pods to use of host network. Defaults to "*". Valid + // options are "file", "http", "api", and "*" (all sources). + HostNetworkSources []string + // hostPIDSources is a comma-separated list of sources from which the + // Kubelet allows pods to use the host pid namespace. Defaults to "*". + HostPIDSources []string + // hostIPCSources is a comma-separated list of sources from which the + // Kubelet allows pods to use the host ipc namespace. Defaults to "*". + HostIPCSources []string } // NewKubeletFlags will create a new KubeletFlags with default values @@ -221,6 +235,9 @@ func NewKubeletFlags() *KubeletFlags { VolumePluginDir: "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/", RegisterNode: true, SeccompProfileRoot: filepath.Join(v1alpha1.DefaultRootDir, "seccomp"), + HostNetworkSources: []string{kubetypes.AllSource}, + HostPIDSources: []string{kubetypes.AllSource}, + HostIPCSources: []string{kubetypes.AllSource}, } } 
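Review bot: The new `HostNetworkSources`/`HostPIDSources`/`HostIPCSources` defaults in NewKubeletFlags are `kubetypes.AllSource`, i.e. every pod source may request host namespaces, while the config-file fields that used to carry these values are deleted by this same change. An operator who had tightened `hostNetworkSources`/`hostPIDSources`/`hostIPCSources` in a KubeletConfiguration file will therefore fall back to "*" after upgrade unless the config decoder rejects unknown fields (not visible here) or they notice and add the deprecated flags, and `allowPrivileged: true` in a file flips the other way, to false. Both silent transitions deserve a release note and ideally a startup warning when the old keys are present. The field comments should also state that these settings are flag-only now, e.g. `// AllowPrivileged enables containers to request privileged mode. Flag-only; no longer part of KubeletConfiguration. Defaults to false.` KubeletFlags starts outside the hunk.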
@@ -366,6 +383,18 @@ func (f *KubeletFlags) AddFlags(fs *pflag.FlagSet) {
 // TODO(#54161:v1.11.0): Remove --enable-custom-metrics flag, it is deprecated.
 fs.BoolVar(&f.EnableCustomMetrics, "enable-custom-metrics", f.EnableCustomMetrics, "Support for gathering custom metrics.")
 fs.MarkDeprecated("enable-custom-metrics", "will be removed in a future version")
+ // TODO(#58010:v1.12.0): Remove --allow-privileged, it is deprecated
+ fs.BoolVar(&f.AllowPrivileged, "allow-privileged", f.AllowPrivileged, "If true, allow containers to request privileged mode.")
+ fs.MarkDeprecated("allow-privileged", "will be removed in a future version")
+ // TODO(#58010:v1.12.0): Remove --host-network-sources, it is deprecated
+ fs.StringSliceVar(&f.HostNetworkSources, "host-network-sources", f.HostNetworkSources, "Comma-separated list of sources from which the Kubelet allows pods to use of host network.")
+ fs.MarkDeprecated("host-network-sources", "will be removed in a future version")
+ // TODO(#58010:v1.12.0): Remove --host-pid-sources, it is deprecated
+ fs.StringSliceVar(&f.HostPIDSources, "host-pid-sources", f.HostPIDSources, "Comma-separated list of sources from which the Kubelet allows pods to use the host pid namespace.")
+ fs.MarkDeprecated("host-pid-sources", "will be removed in a future version")
+ // TODO(#58010:v1.12.0): Remove --host-ipc-sources, it is deprecated
+ fs.StringSliceVar(&f.HostIPCSources, "host-ipc-sources", f.HostIPCSources, "Comma-separated list of sources from which the Kubelet allows pods to use the host ipc namespace.")
+ fs.MarkDeprecated("host-ipc-sources", "will be removed in a future version")
 }
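Review bot: The help strings for `--host-network-sources`, `--host-pid-sources` and `--host-ipc-sources` never say which values are accepted, although the struct comment on HostNetworkSources lists them ("file", "http", "api", "*") and RunKubelet rejects anything else through GetValidatedSources. Since MarkDeprecated hides the flags from `--help` anyway, the usage text should at least be self-contained, e.g. `"Comma-separated list of sources from which the Kubelet allows pods to use host network. Valid values are \"file\", \"http\", \"api\" and \"*\" (all sources)."`, which also fixes the "to use of host network" wording carried over from the old flag. The deprecation message "will be removed in a future version" names no replacement; if a cluster-level admission control is meant to take over the privileged/host-namespace policy, say so in the message so operators do not drop the flag without a substitute in place. AddFlags starts outside the hunk.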
@@ -414,10 +443,6 @@ func AddKubeletConfigFlags(fs *pflag.FlagSet, c *kubeletconfig.KubeletConfigurat
 "are generated for the public address and saved to the directory passed to --cert-dir.")
 fs.StringVar(&c.TLSPrivateKeyFile, "tls-private-key-file", c.TLSPrivateKeyFile, "File containing x509 private key matching --tls-cert-file.")
- fs.BoolVar(&c.AllowPrivileged, "allow-privileged", c.AllowPrivileged, "If true, allow containers to request privileged mode.")
- fs.StringSliceVar(&c.HostNetworkSources, "host-network-sources", c.HostNetworkSources, "Comma-separated list of sources from which the Kubelet allows pods to use of host network.")
- fs.StringSliceVar(&c.HostPIDSources, "host-pid-sources", c.HostPIDSources, "Comma-separated list of sources from which the Kubelet allows pods to use the host pid namespace.")
- fs.StringSliceVar(&c.HostIPCSources, "host-ipc-sources", c.HostIPCSources, "Comma-separated list of sources from which the Kubelet allows pods to use the host ipc namespace.")
 fs.Int32Var(&c.RegistryPullQPS, "registry-qps", c.RegistryPullQPS, "If > 0, limit registry pull QPS to this value. If 0, unlimited.")
 fs.Int32Var(&c.RegistryBurst, "registry-burst", c.RegistryBurst, "Maximum size of a bursty pulls, temporarily allows pulls to burst to this number, while still not exceeding registry-qps. Only used if --registry-qps > 0")
 fs.Int32Var(&c.EventRecordQPS, "event-qps", c.EventRecordQPS, "If > 0, limit event creations per second to this value. If 0, unlimited.")
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
index 3d63ad272a..a3eb633f98 100644
--- a/cmd/kubelet/app/server.go
+++ b/cmd/kubelet/app/server.go
@@ -662,17 +662,17 @@ func RunKubelet(kubeFlags *options.KubeletFlags, kubeCfg *kubeletconfiginternal.
 // prefer this to be done as part of an independent validation step on the
 // KubeletConfiguration. But as far as I can tell, we don't have an explicit
 // place for validation of the KubeletConfiguration yet.
- hostNetworkSources, err := kubetypes.GetValidatedSources(kubeCfg.HostNetworkSources)
+ hostNetworkSources, err := kubetypes.GetValidatedSources(kubeFlags.HostNetworkSources)
 if err != nil {
 return err
 }
- hostPIDSources, err := kubetypes.GetValidatedSources(kubeCfg.HostPIDSources)
+ hostPIDSources, err := kubetypes.GetValidatedSources(kubeFlags.HostPIDSources)
 if err != nil {
 return err
 }
- hostIPCSources, err := kubetypes.GetValidatedSources(kubeCfg.HostIPCSources)
+ hostIPCSources, err := kubetypes.GetValidatedSources(kubeFlags.HostIPCSources)
 if err != nil {
 return err
 }
@@ -682,7 +682,7 @@ func RunKubelet(kubeFlags *options.KubeletFlags, kubeCfg *kubeletconfiginternal.
 HostPIDSources: hostPIDSources,
 HostIPCSources: hostIPCSources,
 }
- capabilities.Setup(kubeCfg.AllowPrivileged, privilegedSources, 0)
+ capabilities.Setup(kubeFlags.AllowPrivileged, privilegedSources, 0)
 credentialprovider.SetPreferredDockercfgPath(kubeFlags.RootDirectory)
 glog.V(2).Infof("Using root directory: %v", kubeFlags.RootDirectory)
diff --git a/pkg/kubelet/apis/kubeletconfig/fuzzer/fuzzer.go b/pkg/kubelet/apis/kubeletconfig/fuzzer/fuzzer.go
index 8fb0ca7ca5..ef1ff42506 100644
--- a/pkg/kubelet/apis/kubeletconfig/fuzzer/fuzzer.go
+++ b/pkg/kubelet/apis/kubeletconfig/fuzzer/fuzzer.go
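Review bot: The comment above the `GetValidatedSources` calls still says this validation belongs "on the KubeletConfiguration", but after this hunk the three source lists are read from `kubeFlags`, so the note now points at the wrong type and the wrong place to move the check. Update it to `// prefer this to be done as part of an independent validation step on the` / `// KubeletFlags. But as far as I can tell, we don't have an explicit` / `// place for validation of the KubeletFlags yet.`, or drop the "no place for validation" sentence entirely if kubelet flags already have a validation function (not visible in this diff). RunKubelet starts before the first hunk and continues after the second.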
@@ -56,9 +56,6 @@ func Funcs(codecs runtimeserializer.CodecFactory) []interface{} { obj.FileCheckFrequency = metav1.Duration{Duration: 20 * time.Second} obj.HealthzBindAddress = "127.0.0.1" obj.HealthzPort = 10248 - obj.HostNetworkSources = []string{kubetypes.AllSource} - obj.HostPIDSources = []string{kubetypes.AllSource} - obj.HostIPCSources = []string{kubetypes.AllSource} obj.HTTPCheckFrequency = metav1.Duration{Duration: 20 * time.Second} obj.ImageMinimumGCAge = metav1.Duration{Duration: 2 * time.Minute} obj.ImageGCHighThresholdPercent = 85 diff --git a/pkg/kubelet/apis/kubeletconfig/helpers_test.go b/pkg/kubelet/apis/kubeletconfig/helpers_test.go index 5bf10e67a3..59c3b5d05b 100644 --- a/pkg/kubelet/apis/kubeletconfig/helpers_test.go +++ b/pkg/kubelet/apis/kubeletconfig/helpers_test.go @@ -138,7 +138,6 @@ var ( // KubeletConfiguration fields that do not contain file paths. kubeletConfigurationNonPathFieldPaths = sets.NewString( "Address", - "AllowPrivileged", "Authentication.Anonymous.Enabled", "Authentication.Webhook.CacheTTL.Duration", "Authentication.Webhook.Enabled", @@ -176,9 +175,6 @@ var ( "HairpinMode", "HealthzBindAddress", "HealthzPort", - "HostIPCSources[*]", - "HostNetworkSources[*]", - "HostPIDSources[*]", "IPTablesDropBit", "IPTablesMasqueradeBit", "ImageGCHighThresholdPercent", diff --git a/pkg/kubelet/apis/kubeletconfig/types.go b/pkg/kubelet/apis/kubeletconfig/types.go index f4392f6ed6..aee0077d47 100644 --- a/pkg/kubelet/apis/kubeletconfig/types.go +++ b/pkg/kubelet/apis/kubeletconfig/types.go 
@@ -89,19 +89,6 @@ type KubeletConfiguration struct { Authentication KubeletAuthentication // authorization specifies how requests to the Kubelet's server are authorized Authorization KubeletAuthorization - // allowPrivileged enables containers to request privileged mode. - // Defaults to false. - AllowPrivileged bool - // hostNetworkSources is a comma-separated list of sources from which the - // Kubelet allows pods to use of host network. Defaults to "*". Valid - // options are "file", "http", "api", and "*" (all sources). - HostNetworkSources []string - // hostPIDSources is a comma-separated list of sources from which the - // Kubelet allows pods to use the host pid namespace. Defaults to "*". - HostPIDSources []string - // hostIPCSources is a comma-separated list of sources from which the - // Kubelet allows pods to use the host ipc namespace. Defaults to "*". - HostIPCSources []string // registryPullQPS is the limit of registry pulls per second. If 0, // unlimited. Set to 0 for no limit. Defaults to 5.0. RegistryPullQPS int32 diff --git a/pkg/kubelet/apis/kubeletconfig/v1alpha1/defaults.go b/pkg/kubelet/apis/kubeletconfig/v1alpha1/defaults.go index 030892ea90..fe46fb6d8a 100644 --- a/pkg/kubelet/apis/kubeletconfig/v1alpha1/defaults.go +++ b/pkg/kubelet/apis/kubeletconfig/v1alpha1/defaults.go @@ -108,15 +108,6 @@ func SetDefaults_KubeletConfiguration(obj *KubeletConfiguration) { if obj.HealthzPort == nil { obj.HealthzPort = utilpointer.Int32Ptr(10248) } - if obj.HostNetworkSources == nil { - obj.HostNetworkSources = []string{kubetypes.AllSource} - } - if obj.HostPIDSources == nil { - obj.HostPIDSources = []string{kubetypes.AllSource} - } - if obj.HostIPCSources == nil { - obj.HostIPCSources = []string{kubetypes.AllSource} - } if obj.HTTPCheckFrequency == zeroDuration { obj.HTTPCheckFrequency = metav1.Duration{Duration: 20 * time.Second} } 
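Review bot: Removing the three `kubetypes.AllSource` defaults from v1alpha1 SetDefaults_KubeletConfiguration may leave the `kubetypes` import in that file unused, and the diff shows no import hunk for v1alpha1/defaults.go; if `AllSource` was its only reference the package no longer compiles, so either remove the import in this change or confirm another use remains. The same question applies to `kubetypes` in pkg/kubelet/apis/kubeletconfig/fuzzer/fuzzer.go earlier in this diff, whose only visible references are the three lines deleted there. SetDefaults_KubeletConfiguration starts and ends outside the hunk.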
diff --git a/pkg/kubelet/apis/kubeletconfig/v1alpha1/types.go b/pkg/kubelet/apis/kubeletconfig/v1alpha1/types.go index bc49f3361a..8d4ffe4a61 100644 --- a/pkg/kubelet/apis/kubeletconfig/v1alpha1/types.go +++ b/pkg/kubelet/apis/kubeletconfig/v1alpha1/types.go @@ -89,19 +89,6 @@ type KubeletConfiguration struct { Authentication KubeletAuthentication `json:"authentication"` // authorization specifies how requests to the Kubelet's server are authorized Authorization KubeletAuthorization `json:"authorization"` - // allowPrivileged enables containers to request privileged mode. - // Defaults to false. - AllowPrivileged *bool `json:"allowPrivileged"` - // hostNetworkSources is a comma-separated list of sources from which the - // Kubelet allows pods to use of host network. Defaults to "*". Valid - // options are "file", "http", "api", and "*" (all sources). - HostNetworkSources []string `json:"hostNetworkSources"` - // hostPIDSources is a comma-separated list of sources from which the - // Kubelet allows pods to use the host pid namespace. Defaults to "*". - HostPIDSources []string `json:"hostPIDSources"` - // hostIPCSources is a comma-separated list of sources from which the - // Kubelet allows pods to use the host ipc namespace. Defaults to "*". - HostIPCSources []string `json:"hostIPCSources"` // registryPullQPS is the limit of registry pulls per second. If 0, // unlimited. Set to 0 for no limit. Defaults to 5.0. RegistryPullQPS *int32 `json:"registryPullQPS"` diff --git a/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.conversion.go b/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.conversion.go index b8d27ea68e..9368d7c0a2 100644 --- a/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.conversion.go +++ b/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.conversion.go 
@@ -164,12 +164,6 @@ func autoConvert_v1alpha1_KubeletConfiguration_To_kubeletconfig_KubeletConfigura if err := Convert_v1alpha1_KubeletAuthorization_To_kubeletconfig_KubeletAuthorization(&in.Authorization, &out.Authorization, s); err != nil { return err } - if err := v1.Convert_Pointer_bool_To_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil { - return err - } - out.HostNetworkSources = *(*[]string)(unsafe.Pointer(&in.HostNetworkSources)) - out.HostPIDSources = *(*[]string)(unsafe.Pointer(&in.HostPIDSources)) - out.HostIPCSources = *(*[]string)(unsafe.Pointer(&in.HostIPCSources)) if err := v1.Convert_Pointer_int32_To_int32(&in.RegistryPullQPS, &out.RegistryPullQPS, s); err != nil { return err } @@ -291,12 +285,6 @@ func autoConvert_kubeletconfig_KubeletConfiguration_To_v1alpha1_KubeletConfigura if err := Convert_kubeletconfig_KubeletAuthorization_To_v1alpha1_KubeletAuthorization(&in.Authorization, &out.Authorization, s); err != nil { return err } - if err := v1.Convert_bool_To_Pointer_bool(&in.AllowPrivileged, &out.AllowPrivileged, s); err != nil { - return err - } - out.HostNetworkSources = *(*[]string)(unsafe.Pointer(&in.HostNetworkSources)) - out.HostPIDSources = *(*[]string)(unsafe.Pointer(&in.HostPIDSources)) - out.HostIPCSources = *(*[]string)(unsafe.Pointer(&in.HostIPCSources)) if err := v1.Convert_int32_To_Pointer_int32(&in.RegistryPullQPS, &out.RegistryPullQPS, s); err != nil { return err } diff --git a/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.deepcopy.go b/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.deepcopy.go index 6165a73880..700a997a93 100644 --- a/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.deepcopy.go +++ b/pkg/kubelet/apis/kubeletconfig/v1alpha1/zz_generated.deepcopy.go 
@@ -134,30 +134,6 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) { } in.Authentication.DeepCopyInto(&out.Authentication) out.Authorization = in.Authorization - if in.AllowPrivileged != nil { - in, out := &in.AllowPrivileged, &out.AllowPrivileged - if *in == nil { - *out = nil - } else { - *out = new(bool) - **out = **in - } - } - if in.HostNetworkSources != nil { - in, out := &in.HostNetworkSources, &out.HostNetworkSources - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.HostPIDSources != nil { - in, out := &in.HostPIDSources, &out.HostPIDSources - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.HostIPCSources != nil { - in, out := &in.HostIPCSources, &out.HostIPCSources - *out = make([]string, len(*in)) - copy(*out, *in) - } if in.RegistryPullQPS != nil { in, out := &in.RegistryPullQPS, &out.RegistryPullQPS if *in == nil { diff --git a/pkg/kubelet/apis/kubeletconfig/zz_generated.deepcopy.go b/pkg/kubelet/apis/kubeletconfig/zz_generated.deepcopy.go index 8a6b1a2a51..eb788f3b4c 100644 --- a/pkg/kubelet/apis/kubeletconfig/zz_generated.deepcopy.go +++ b/pkg/kubelet/apis/kubeletconfig/zz_generated.deepcopy.go @@ -107,21 +107,6 @@ func (in *KubeletConfiguration) DeepCopyInto(out *KubeletConfiguration) { } out.Authentication = in.Authentication out.Authorization = in.Authorization - if in.HostNetworkSources != nil { - in, out := &in.HostNetworkSources, &out.HostNetworkSources - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.HostPIDSources != nil { - in, out := &in.HostPIDSources, &out.HostPIDSources - *out = make([]string, len(*in)) - copy(*out, *in) - } - if in.HostIPCSources != nil { - in, out := &in.HostIPCSources, &out.HostIPCSources - *out = make([]string, len(*in)) - copy(*out, *in) - } if in.ClusterDNS != nil { in, out := &in.ClusterDNS, &out.ClusterDNS *out = make([]string, len(*in)) 
diff --git a/test/e2e_node/services/kubelet.go b/test/e2e_node/services/kubelet.go index aa803859a3..59b147cb63 100644 --- a/test/e2e_node/services/kubelet.go +++ b/test/e2e_node/services/kubelet.go @@ -157,9 +157,6 @@ func (e *E2EServices) startKubelet() (*server, error) { kc.VolumeStatsAggPeriod = metav1.Duration{Duration: 10 * time.Second} // Aggregate volumes frequently so tests don't need to wait as long kubeletConfigFlags = append(kubeletConfigFlags, "volume-stats-agg-period") - kc.AllowPrivileged = true - kubeletConfigFlags = append(kubeletConfigFlags, "allow-privileged") - kc.SerializeImagePulls = false kubeletConfigFlags = append(kubeletConfigFlags, "serialize-image-pulls") @@ -264,6 +261,7 @@ func (e *E2EServices) startKubelet() (*server, error) { "--root-dir", KubeletRootDirectory, "--docker-disable-shared-pid=false", "--v", LOG_VERBOSITY_LEVEL, "--logtostderr", + "--allow-privileged", "true", ) // Apply test framework feature gates by default. This could also be overridden
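Review bot: `"--allow-privileged", "true"` is passed as two separate arguments, but the flag is registered with `fs.BoolVar` in this same diff, and pflag-style bool flags do not consume a following argument: `--allow-privileged` on its own sets the value to true and the literal `true` is left over as a positional argument, which the kubelet may reject at startup. Use the `=` form already used for the other bool in this list, `"--allow-privileged=true",`, matching `"--docker-disable-shared-pid=false"` two lines above. The removed `kc.AllowPrivileged = true` was what enabled privileged pods for the node e2e suite, so if the flag does not take effect every privileged-container test here fails rather than the suite silently running unprivileged. startKubelet starts outside the hunk.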