'kubeadm reset' uses incorrect way of unmounting /var/lib/kubelet
directories. It queries /proc/mounts for /var/lib/kubelet mount point.
If /var/lib/kubelet directory is also mounted it makes 'kubelet reset'
to unmount it too, which is incorrect. It also makes it fail as it
can't unmount /var/lib/kubelet before unmounting mounts inside it.
Fixed by querying /var/lib/kubelet/ instead of /var/lib/kubelet.
This should exclude /var/lib/kubelet from the query results even if
it's mounted.
Fixes: kubernetes/kubeadm#1294
As localApiEndpoint is ignored by json.Unmarshaller this should be
localAPIEndpoint as defined in the json tag of the source code.
Signed-off-by: André Martins <aanm90@gmail.com>
'kubeadm init' silently ignores --node-name and --cri-socket
command line options if --config option is specified.
Implemented setting 'name' and 'criSocket' options from the command
line even if --config command line option is used.
kubeadm config migrate uses AnyConfigFileAndDefaultsToInternal, which can
unmarshal config from file only if InitConfiguration or JoinConfiguration are
present. Even with that in mind, it can only return a singlie config object,
with InitConfiguration taking precendence over JoinConfiguration. Thus, the
following cases were not handled properly, while they were perfectly valid for
kubeadm init/join:
- ClusterConfiguration only file caused kubeadm config migrate to exit with
error.
- Init + Join configurations in the same file caused Init + Cluster
configuration to be produced (ignoring JoinConfiguration). The same is valid
when the combo is Init + Cluster + Join configurations.
- Cluster + Join configuration ignores ClusterConfiguration and only
JoinConfiguration gets migrated.
To fix this, the following is done:
- Introduce MigrateOldConfigFromFile which migrates old config from a file,
while ensuring that all kubeadm originated input config kinds are taken care
of. Add comprehensive unit tests for this.
- Replace the use of AnyConfigFileAndDefaultsToInternal in
kubeadm config migrate with MigrateOldConfigFromFile.
- Remove the no longer used and error prone AnyConfigFileAndDefaultsToInternal.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
'kubeadm join' silently ignores --node-name and --cri-socket
command line options if --config option is specified.
In some cases it's much easier for users to override these parameters
from the command line instead of updating config, especially for
multi-node automatic deployments where only node name should be changed.
Implemented setting 'name' and 'criSocket' options from the command
line even if --config command line option is used.
Bump MinimumControlPlaneVersion and MinimumKubeletVersion to v1.12 and update
any related tests.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
Added hostport and host/port parts to the error messages
produced by ParseHostPort API.
This should help users to better identify parsing issues.
Fixes: kubernetes/kubeadm#1159
- make the whole config example actually pass strict verification
(i.e. make the config work with --config)
- add print init-defaults/join defaults
- other small fixes
kubeadm uses certificate rotation to replace the initial high-power
cert provided in --kubeconfig with a less powerful certificate on
the masters. This requires that we pass the contents of the client
config certData and keyData down into the cert store to populate
the initial client.
Add better comments to describe why the flow is required. Add a test
that verifies initial cert contents are written to disk. Change
the cert manager to not use MustRegister for prometheus so that
it can be tested.
Expose both a Stop() method (for cleanup) and a method to force
cert rotation, but only expose Stop() on the interface.
Verify that we choose the correct client.
Ensure that bootstrap+clientcert-rotation in the Kubelet can:
1. happen in the background so that static pods aren't blocked by bootstrap
2. collapse down to a single call path for requesting a CSR
3. reorganize the code to allow future flexibility in retrieving bootstrap creds
Fetching the first certificate and later certificates when the kubelet
is using client rotation and bootstrapping should share the same code
path. We also want to start the Kubelet static pod loop before
bootstrapping completes. Finally, we want to take an incremental step
towards improving how the bootstrap credentials are loaded from disk
(potentially allowing for a CLI call to get credentials, or a remote
plugin that better integrates with cloud providers or KSMs).
Reorganize how the kubelet client config is determined. If rotation is
off, simplify the code path. If rotation is on, load the config
from disk, and then pass that into the cert manager. The cert manager
creates a client each time it tries to request a new cert.
Preserve existing behavior where:
1. bootstrap kubeconfig is used if the current kubeconfig is invalid/expired
2. we create the kubeconfig file based on the bootstrap kubeconfig, pointing to
the location that new client certs will be placed
3. the newest client cert is used once it has been loaded
When 'kubeadm init ...' is used with an IPv6 kubeadm configuration,
kubeadm currently generates an etcd.yaml manifest that uses IP:port
combinatins where the IP is an IPv6 address, but it is not enclosed
in square brackets, e.g.:
- --advertise-client-urls=https://fd00:20::2:2379
For IPv6 advertise addresses, this should be of the form:
- --advertise-client-urls=https://[fd00:20::2]:2379
The lack of brackets around IPv6 addresses in cases like this is
causing failures to bring up IPv6-only clusters with Kubeadm as
described in kubernetes/kubeadm Issues #1212.
This format error is fixed by using net.JoinHostPort() to generate
URLs as shown above.
Fixes kubernetes/kubeadm Issue #1212
ChooseAPIServerBindAddress is silently overriding the requested bind IP
address for the API server if that address is deemed unsuitable. This is
currently done only if the IP is a loopback one (127.0.0.0/8; ::1/128).
It's best to at least issue a warning if such override occurs, so that there
are no surprised users by this.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
The reason for the bump is the new functionality of the
k8s.io/utils/exec package which allows
- to get a hold of the process' std{out,err} as `io.Reader`s
- to `Start` a process and `Wait` for it
This should help on addressing #70890 by allowing to wrap std{out,err}
of the process to be wrapped with a `io.limitedReader`.
It also updates
- k8s.io/kubernetes/pkg/probe/exec.FakeCmd
- k8s.io/kubernetes/pkg/kubelet/prober.execInContainer
- k8s.io/kubernetes/cmd/kubeadm/app/phases/kubelet.fakeCmd
to implement the changed interface.
The dependency on 'k8s.io/utils/pointer' to the new version has also
been bumped in some staging repos:
- apiserver
- kube-controller-manager
- kube-scheduler
andrewsykim