* Using Fedora 21 as the base box
* Discover the active network interfaces in the box to avoid hardcoding
them in configuration.
* Use the master IP for the certificate.
gunk when installing the google-fluentd agent.
Also let it log things by not redirecting to a file within the container
and only using -q (warning logs only) rather than -qq (error logs only).
This registry can be accessed through proxies that run on each node
listening on port 5000. We send the proxy images to the nodes directly
to avoid requests that hit the network during cluster launch. For now,
we continue to pull the registry itself over the network, especially
given its large size (we should be able to dramatically shrink the
image). On GCE we create a PD and use that for storage, otherwise we
use an emptyDir. The registry is not enabled outside of GCE. All
communication is currently plain HTTP. In order to use SSL, we will
need to be able to request a certificate/key from the apiserver signed
by the apiserver's CA cert.
separated from the apiserver running locally on the master node so that it
can be optionally enabled or disabled as needed.
Also, fix the healthchecking configuration for the master components, which
was previously only working by coincidence:
If a kubelet doesn't register with a master, it never bothers to figure out
what its local address is. In which case it ends up constructing a URL like
http://:8080/healthz for the http probe. This happens to work on the master
because all of the pods are using host networking and explicitly binding to
127.0.0.1. Once the kubelet is registered with the master and it determines
the local node address, it tries to healthcheck on an address where the pod
isn't listening and the kubelet periodically restarts each master component
when the liveness probe fails.
Currently make-ca-cert.sh uses (equiv of)
mktemp -d --tmpdir kube.XXXXX
but --tmpdir is not a valid option on OS X. Switch to
mktemp -d -t kube.XXXXX
Which is valid, but subtly different between OS X and Linux. The
directory you get back will be different on each.
Linux: ${tmpdir}/kube.y5Bsu/
OS X: ${tmpdir}/kube.XXXXX.VQ81oOui/
Instead of hard coding kube-cert and /srv/kubernetes allow these to be
overwritten by environment variables. / is immutable on some systems
and so /srv is not a possible location to store data.
The AWS API requires a signature on method calls, including the
timestamp to prevent replay attacks. A time drift of up to 5 minutes
between client and server is tolerated.
However, if the client clock drifts by >5 minutes, the server will start
to reject API calls (with the cryptic "AWS was not able to validate the
provided access credentials").
To prevent this happening, we install ntp on all nodes.
Fix#11371
Jerzy Szczepkowski