Clayton Coleman
486577df17
Restore "Make bootstrap client cert loading part of rotation"
...
This reverts the revert of commit 3464222267.
2018-11-17 13:44:58 -05:00
Clayton Coleman
3464222267
Revert "Make bootstrap client cert loading part of rotation"
...
This reverts commit 0af19875ad.
Revert "Ensure the bootstrap rotation code is tested by forcing rotation"
This reverts commit de293b2d7d.
2018-11-17 10:24:39 -05:00
Clayton Coleman
de293b2d7d
Ensure the bootstrap rotation code is tested by forcing rotation
...
Expose both a Stop() method (for cleanup) and a method to force
cert rotation, but only expose Stop() on the interface.
Verify that we choose the correct client.
2018-11-16 21:50:52 -05:00
Clayton Coleman
0af19875ad
Make bootstrap client cert loading part of rotation
...
Ensure that bootstrap+clientcert-rotation in the Kubelet can:
1. happen in the background so that static pods aren't blocked by bootstrap
2. collapse down to a single call path for requesting a CSR
3. reorganize the code to allow future flexibility in retrieving bootstrap creds
Fetching the first certificate and later certificates when the kubelet
is using client rotation and bootstrapping should share the same code
path. We also want to start the Kubelet static pod loop before
bootstrapping completes. Finally, we want to take an incremental step
towards improving how the bootstrap credentials are loaded from disk
(potentially allowing for a CLI call to get credentials, or a remote
plugin that better integrates with cloud providers or KSMs).
Reorganize how the kubelet client config is determined. If rotation is
off, simplify the code path. If rotation is on, load the config
from disk, and then pass that into the cert manager. The cert manager
creates a client each time it tries to request a new cert.
Preserve existing behavior where:
1. bootstrap kubeconfig is used if the current kubeconfig is invalid/expired
2. we create the kubeconfig file based on the bootstrap kubeconfig, pointing to
the location that new client certs will be placed
3. the newest client cert is used once it has been loaded
2018-11-16 21:50:26 -05:00
liz
440a5ad7cb
Don't allow --csr-only for CA certs or all
2018-11-16 15:22:37 -08:00
k8s-ci-robot
f4fd7b0b2b
Merge pull request #71069 from fabriziopandini/kubeadm-phases-add-all-subcommands
...
Kubeadm - add all subcommands to phases
2018-11-16 15:17:03 -08:00
k8s-ci-robot
5ec9349276
Merge pull request #70917 from dims/add-log-file-option-to-kubelet-flags
...
add log_file option to kubelet flags
2018-11-16 15:16:53 -08:00
k8s-ci-robot
fab7009997
Merge pull request #71135 from luxas/kubeadm_repo_flag
...
kubeadm: Allow customizing the image repository via flags
2018-11-16 13:20:16 -08:00
Dane LeBlanc
99887716c5
Fix kubeadm etcd manifests to use brackets around IPv6 addrs
...
When 'kubeadm init ...' is used with an IPv6 kubeadm configuration,
kubeadm currently generates an etcd.yaml manifest that uses IP:port
combinations where the IP is an IPv6 address, but it is not enclosed
in square brackets, e.g.:
- --advertise-client-urls=https://fd00:20::2:2379
For IPv6 advertise addresses, this should be of the form:
- --advertise-client-urls=https://[fd00:20::2]:2379
The lack of brackets around IPv6 addresses in cases like this is
causing failures to bring up IPv6-only clusters with Kubeadm as
described in kubernetes/kubeadm Issues #1212.
This format error is fixed by using net.JoinHostPort() to generate
URLs as shown above.
Fixes kubernetes/kubeadm Issue #1212
2018-11-16 15:12:29 -05:00
k8s-ci-robot
7ff49c99d3
Merge pull request #71126 from rosti/warn-api-bind-override
...
kubeadm: Warn on API server bind address override
2018-11-16 12:04:10 -08:00
Lucas Käldström
a666003b36
kubeadm: Allow customizing the image repository via flags
2018-11-16 23:52:56 +08:00
fabriziopandini
1308c7d2f5
kubeadm phases add all subcommands
2018-11-16 16:39:04 +01:00
k8s-ci-robot
e94a9f9321
Merge pull request #71085 from bsalamat/leader-election-fix
...
Report kube-scheduler unhealthy if leader election is wedged
2018-11-16 05:13:28 -08:00
k8s-ci-robot
a5f06fdd16
Merge pull request #71066 from fabriziopandini/kubeadm-fix-validateMixedArgs
...
Kubeadm - Fix validateMixedArgs for phases
2018-11-16 03:57:01 -08:00
k8s-ci-robot
0908af5e09
Merge pull request #71061 from yagonobre/init-todo
...
Remove todo from init phase
2018-11-16 03:56:52 -08:00
Rostislav M. Georgiev
b46fbbc4e6
kubeadm: Warn on API server bind address override
...
ChooseAPIServerBindAddress is silently overriding the requested bind IP
address for the API server if that address is deemed unsuitable. This is
currently done only if the IP is a loopback one (127.0.0.0/8; ::1/128).
It's best to at least issue a warning if such an override occurs, so that
users are not surprised by this.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
2018-11-16 13:00:52 +02:00
k8s-ci-robot
973b5d291d
Merge pull request #71053 from yagonobre/upload-config-fix
...
Fix `kubeadm upload-config kubeadm` example
2018-11-16 01:53:50 -08:00
k8s-ci-robot
dc6632ad4c
Merge pull request #71046 from liztio/certs-renew-use-api-fix
...
Certs renew use api fix
2018-11-16 01:53:40 -08:00
k8s-ci-robot
4b98060f4e
Merge pull request #70901 from neolit123/kubeadm-strict-config
...
kubeadm: enable strict config unmarshaling
2018-11-15 23:52:36 -08:00
k8s-ci-robot
8797db339d
Merge pull request #69827 from tomkukral/kadm-etcd
...
use etcd endpoints from advertise-client-urls
2018-11-15 17:25:17 -08:00
Lubomir I. Ivanov
2473bba9e5
kubeadm: update autogenerated bazel
2018-11-16 02:22:04 +02:00
Lubomir I. Ivanov
cc60625930
kubeadm: handle strict config unmarshaling
2018-11-16 02:21:31 +02:00
k8s-ci-robot
3d3cc63cc8
Merge pull request #70809 from liztio/csr
...
Generate CSRs for kubeadm
2018-11-15 15:00:02 -08:00
liz
6afb9a117b
Fix renewing certificates via the API
...
Poll for events, print CSR name, and parse PEM instead of CSR
2018-11-15 14:02:47 -08:00
k8s-ci-robot
7b4d4bc8ac
Merge pull request #70508 from dashpole/pod_resources_socket
...
Add socket-based kubelet pod resources API.
2018-11-15 13:43:44 -08:00
k8s-ci-robot
504466c4e6
Merge pull request #68267 from liggitt/node-label-update
...
Limit kubelets from updating their own labels when NodeRestriction is enabled
2018-11-15 11:11:02 -08:00
Bobby (Babak) Salamat
34b4a5bbee
Add watchdog for leader election logic getting wedged
2018-11-15 11:02:14 -08:00
liz
5fc1a9a87c
Option to generate CSRs instead of issued certificates
2018-11-15 10:47:54 -08:00
David Ashpole
630cb53f82
add kubelet grpc server for pod-resources service
2018-11-15 09:43:20 -08:00
Hannes Hörl
0d4b5c98f8
Bump k8s.io/utils to 8e7ff06
...
The reason for the bump is the new functionality of the
k8s.io/utils/exec package which allows
- to get a hold of the process' std{out,err} as `io.Reader`s
- to `Start` a process and `Wait` for it
This should help in addressing #70890 by allowing std{out,err}
of the process to be wrapped with an `io.limitedReader`.
It also updates
- k8s.io/kubernetes/pkg/probe/exec.FakeCmd
- k8s.io/kubernetes/pkg/kubelet/prober.execInContainer
- k8s.io/kubernetes/cmd/kubeadm/app/phases/kubelet.fakeCmd
to implement the changed interface.
The dependency on 'k8s.io/utils/pointer' to the new version has also
been bumped in some staging repos:
- apiserver
- kube-controller-manager
- kube-scheduler
2018-11-15 13:25:12 +00:00
k8s-ci-robot
b1a52a38e9
Merge pull request #67257 from pbarker/audit
...
dynamic audit configuration
2018-11-15 02:42:59 -08:00
fabriziopandini
807338e96a
Fix validateMixedArgs for phases
2018-11-15 11:38:18 +01:00
k8s-ci-robot
f48e18faa4
Merge pull request #70971 from cheftako/leaseCheck
...
Report KCM as unhealthy if leader election is wedged.
2018-11-15 01:30:59 -08:00
k8s-ci-robot
4fdac19603
Merge pull request #71059 from timothysc/kubeadmmsg
...
Minor update to the comment block characters for kubeadm
2018-11-14 23:20:07 -08:00
Yago Nobre
8b110e27fc
Remove todo from init phase
2018-11-15 01:43:56 -02:00
Timothy St. Clair
aea4a4e0fb
Minor update to the comment block characters for kubeadm
2018-11-14 20:31:11 -06:00
k8s-ci-robot
e3ddaaad1d
Merge pull request #71045 from neolit123/kubeadm-go-docs-1.13
...
kubeadm: fix godocs indentation for v1beta1
2018-11-14 17:25:50 -08:00
k8s-ci-robot
2965d24547
Merge pull request #71043 from chuckha/etcd-doc
...
kubeadm: document required etcd configuration
2018-11-14 17:25:40 -08:00
k8s-ci-robot
bb2fcd90f3
Merge pull request #71040 from fabriziopandini/kubeadm-phases-local-flags
...
Kubeadm phases - add local flags
2018-11-14 17:25:30 -08:00
Walter Fender
9c43ee6d6e
Report KCM as unhealthy if leader election is wedged.
...
Feedback from lavalamp and deads2k.
Changed Check() logic to be central to LeaderElector.
Further changes, especially cleaning up the test code.
2018-11-14 16:57:37 -08:00
Patrick Barker
eb89d3dddd
adds dynamic audit configuration
2018-11-14 17:54:06 -07:00
Yago Nobre
606bbc0457
Fix kubeadm upload-config kubeadm example
2018-11-14 22:28:51 -02:00
k8s-ci-robot
1240274204
Merge pull request #71037 from rdodev/reset-iptables
...
Reset helptext alignment
2018-11-14 15:39:46 -08:00
Lubomir I. Ivanov
da49adb52f
kubeadm: fix godocs indentation for v1beta1
2018-11-15 00:13:58 +02:00
Chuck Ha
02ec1e84b0
kubeadm: document required etcd configuration
...
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
2018-11-14 17:05:24 -05:00
k8s-ci-robot
0df79e4daa
Merge pull request #71008 from neolit123/kubeadm-go-docs-1.13
...
kubeadm: update notes and example config in v1beta1 godocs
2018-11-14 13:16:54 -08:00
k8s-ci-robot
1a9fd268a9
Merge pull request #71005 from mikedanese/certpubfix
...
rootcacertpublisher: trigger resync on namespace add and update
2018-11-14 11:38:07 -08:00
fabriziopandini
1b9986b219
Kubeadm phases - add local flags
2018-11-14 20:29:52 +01:00
k8s-ci-robot
ba7d3c3ba8
Merge pull request #71009 from timothysc/phaseflow
...
Fixup language on help message to denote phases
2018-11-14 09:26:20 -08:00
Lubomir I. Ivanov
98f3fb5059
kubeadm: remove leftover DynamicKubeletConfig constant
2018-11-14 17:32:45 +02:00
Ruben Orduz
d5cd412ae0
reset helptext alignment
...
Signed-off-by: Ruben Orduz <rubenoz@gmail.com>
2018-11-14 09:59:48 -05:00
k8s-ci-robot
3e6d414b55
Merge pull request #70967 from mikedanese/fixtropts
...
Fix broken defaulting and validation in TokenRequest enablement
2018-11-13 22:03:42 -08:00
Jordan Liggitt
9fb2dcad5e
Limit kubelets from updating their own labels
2018-11-13 23:48:47 -05:00
Timothy St. Clair
ef3380b42d
Fixup language on help message to denote phases
...
Signed-off-by: Timothy St. Clair <timothysc@gmail.com>
2018-11-13 20:16:15 -06:00
k8s-ci-robot
90295640ef
Merge pull request #71010 from neolit123/revert-68890-dnspolicy
...
Revert "kubeadm: Create control plane with ClusterFirstWithHostNet dns policy"
2018-11-13 18:07:33 -08:00
Mike Danese
20bad760fc
cleanup error handling in apiserver opts validation
2018-11-13 17:27:13 -08:00
Mike Danese
06935e1c90
split TokenRequest initialization out of run and into complete and validate
2018-11-13 17:27:13 -08:00
k8s-ci-robot
8d27e5683c
Merge pull request #70874 from rdodev/reset-iptables
...
iptables reset text message
2018-11-13 16:14:04 -08:00
k8s-ci-robot
48d788de6f
Merge pull request #71001 from Deepomatic/recognize_docker_1809_version
...
Recognize newer docker versions without -ce/-ee suffix: 18.09.0
2018-11-13 14:59:36 -08:00
Yann Hodique
4d9c01d747
replace golang.org/x/exp/inotify with standalone library
...
The inotify code was removed from golang.org/x/exp several years ago. Therefore
importing it from that path prevents downstream consumers from using any module
that makes use of more recent features of golang.org/x/exp.
This change is a followup to google/cadvisor#2060 which was merged with #70889
This fixes #68478
2018-11-13 14:51:40 -08:00
Lubomir I. Ivanov
24b4280e3f
Revert "kubeadm: Create control plane with ClusterFirstWithHostNet dns policy"
2018-11-14 00:18:32 +02:00
Lubomir I. Ivanov
865904d0e1
kubeadm: update notes and example config in v1beta1 godocs
2018-11-13 23:52:42 +02:00
k8s-ci-robot
bea07c0dc6
Merge pull request #70935 from neolit123/kubeadm-update-cmd-go
...
kubeadm: update the state in app/cmd.go
2018-11-13 13:45:41 -08:00
k8s-ci-robot
8b562218b7
Merge pull request #70876 from chuckha/idempotency
...
kubeadm: Adds tests to node patching
2018-11-13 13:45:31 -08:00
k8s-ci-robot
3cba75ea60
Merge pull request #70603 from chuckha/pod-infra-container-image
...
kubeadm: set pod-infra-container-image for the kubelet
2018-11-13 13:45:02 -08:00
Mike Danese
bf02f55147
rootcacertpublisher: trigger resync on namespace add and update
...
Last cleanup was a bit overzealous.
2018-11-13 11:38:45 -08:00
Mike Danese
766aab509a
dedup APIAudiences config in kube-apiserver, use GenericConfig field
2018-11-13 11:07:31 -08:00
Yago Nobre
7a9a8f5f35
kubeadm graduate addons phase
2018-11-13 16:33:59 -02:00
k8s-ci-robot
bfb95290b9
Merge pull request #70795 from yuexiao-wang/print-join-command
...
kubeadm: print the join command
2018-11-13 10:11:21 -08:00
Lubomir I. Ivanov
9a37f2d878
kubeadm: set pod-infra-container-image for the kubelet
...
The kubelet allows you to set `--pod-infra-container-image`
(also called `PodSandboxImage` in the kubelet config),
which can be a custom location to the "pause" image in the case
of Docker. Other CRIs are not supported.
Set the CLI flag for the Docker case in flags.go using
WriteKubeletDynamicEnvFile().
2018-11-13 13:10:22 -05:00
Thomas Riccardi
068cdaa56c
Recognize newer docker versions without -ce/-ee suffix
...
Since docker 18.09, the ServerVersion field format changed: the `-ce`
or `-ee` suffix disappeared:
- docker 18.06: `18.06.1-ce`
- docker 18.09: `18.09.0`
This was not expected by the docker_validator version regexp, which
assumed newer docker versions ended with `-[a-z]{2}`.
This made the validator return an error, whereas we expect it to
return only a warning (by recognizing it as a newer but not yet
supported docker version).
This commit relaxes the version regexp to also recognize `18.09.0`.
The docker validator now returns a warning, as tested.
2018-11-13 18:55:29 +01:00
Chuck Ha
db3d636f91
updates license year
...
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
2018-11-13 12:49:42 -05:00
Chuck Ha
5792eeb137
kubeadm: Adds tests to node patching
...
Signed-off-by: Chuck Ha <ha.chuck@gmail.com>
2018-11-13 12:48:54 -05:00
k8s-ci-robot
9199025b24
Merge pull request #70849 from yagonobre/rm-dynamic-kubelet
...
Remove DynamicKubeletConfig from init and join workflow
2018-11-13 08:54:34 -08:00
k8s-ci-robot
bd2cb5a72d
Merge pull request #70831 from mikedanese/securesvcacct
...
add BoundServiceAccountTokenVolume feature
2018-11-13 08:54:25 -08:00
Ruben Orduz
89a5d5cadd
iptables reset text message
...
Signed-off-by: Ruben Orduz <rubenoz@gmail.com>
2018-11-13 10:36:43 -05:00
Yago Nobre
62c9303ecf
Remove DynamicKubeletConfig from init and join workflow, also remove DynamicKubeletConfig feature gate
2018-11-13 11:56:24 -02:00
stewart-yu
43574d1be3
remove kube-controller-manager dependency on the legacyscheme, using client-go scheme
2018-11-13 19:45:59 +08:00
yuexiao-wang
5851fd556b
kubeadm: print the join command should happen after all the phases in init have finished
...
Signed-off-by: yuexiao-wang <wang.yuexiao@zte.com.cn>
2018-11-13 19:05:10 +08:00
fabriziopandini
7f1b2a62a7
fix kubeadm upgrade
2018-11-13 09:14:16 +01:00
k8s-ci-robot
bcef72bf06
Merge pull request #70877 from yagonobre/reset
...
Handler error when kubeconfig file not exist on kubeadm reset
2018-11-12 23:56:57 -08:00
k8s-ci-robot
3c5c6025bf
Merge pull request #70807 from Klaven/kubeadm_1221
...
kubeadm: Remove AuditPolicyConfiguration
2018-11-12 15:43:23 -08:00
Mike Danese
f4ff26679f
add BoundServiceAccountTokenVolume feature
...
* require TokenRequest to be enabled and configured
* bind ca.crt publisher to this feature rather than to TokenRequest
2018-11-12 13:11:47 -08:00
k8s-ci-robot
08784ad9af
Merge pull request #70842 from mikedanese/simplify
...
combine syncs in rootcacertpublisher
2018-11-12 12:01:45 -08:00
Marek
064f74b2e8
fixes kubeadm 1221 to remove AuditPolicyConfiguration
...
Added conversion test and failure.
2018-11-12 14:33:26 -05:00
Yago Nobre
5e31a6bb74
Handler error when kubeconfig file not exist on kubeadm reset
2018-11-12 10:36:35 -02:00
zhangmingld
fb73574d77
use glog.info instead glog.infof when no var
2018-11-12 17:30:37 +08:00
k8s-ci-robot
99811e2540
Merge pull request #70870 from fabriziopandini/kubeadm-config-JoinControlPlane
...
Kubeadm config refactor JoinControlPlane
2018-11-12 00:53:09 -08:00
k8s-ci-robot
5fb8229218
Merge pull request #70024 from fabriziopandini/kubeadm-addons-config
...
kubeadm - addon configuration in the kubeadm config API.
2018-11-12 00:52:59 -08:00
k8s-ci-robot
04bb2171a7
Merge pull request #70885 from neolit123/phase-mark-control-plane
...
kubeadm: graduate the mark-control-plane-phase
2018-11-11 19:07:10 -08:00
k8s-ci-robot
b99c8b994f
Merge pull request #70743 from bart0sh/PR0039-kubeadm-dont-prepull-etcd-if-not-required
...
kubeadm: prepull Etcd image only if required
2018-11-11 19:07:00 -08:00
Lubomir I. Ivanov
c46e949799
kubeadm: update the state in app/cmd.go
...
- BETA->GA
- master->control-plane
- exclude @ mentions as only members can use them
2018-11-12 04:04:56 +02:00
Mike Danese
206f5892a7
combine syncs in rootcacertpublisher
...
and some misc simplifications.
2018-11-11 11:29:32 -08:00
stewart-yu
529dbd27ac
auto-generated file
2018-11-11 17:19:38 +08:00
stewart-yu
a77652e9ab
kube-scheduler: output flags in logical sections
2018-11-11 17:19:38 +08:00
Davanum Srinivas
cf142a2d21
add log_file option to kubelet flags
...
Change-Id: I5e75902739e2f869244d1b8b229be2580aca8149
2018-11-10 22:22:01 -05:00
RA489
daae2a86ea
kubeadm: graduate mark-control-plane phase
...
Co-authored-by: Lubomir I. Ivanov <lubomirivanov@vmware.com>
2018-11-11 04:56:55 +02:00
fabriziopandini
fa161370f0
autogenerated
2018-11-10 17:37:00 +01:00
fabriziopandini
d484c8c087
kubeadm refactor joinControlPlane config
2018-11-10 17:36:49 +01:00
fabriziopandini
446d80693c
autogenerated
2018-11-10 17:27:51 +01:00