- Move from the old github.com/golang/glog to k8s.io/klog
- klog as explicit InitFlags() so we add them as necessary
- we update the other repositories that we vendor that made a similar
change from glog to klog
* github.com/kubernetes/repo-infra
* k8s.io/gengo/
* k8s.io/kube-openapi/
* github.com/google/cadvisor
- Entirely remove all references to glog
- Fix some tests by explicit InitFlags in their init() methods
Change-Id: I92db545ff36fcec83afe98f550c9e630098b3135
Up until now UnifiedControlPlaneImage existed as a string value as part of the
ClusterConfiguration. This provided an override for the Kubernetes core
component images with a single custom image. It is mostly used to override the
control plane images with the hyperkube image. This saves both bandwith and
disk space on the control plane nodes.
Unfortunately, this specified an entire image string (complete with its prefix,
image name and tag). This disables upgrades of setups that use hyperkube.
Therefore, to enable upgrades on hyperkube setups and to make configuration
more convenient, the UnifiedControlPlaneImage option is replaced with a boolean
option, called UseHyperKubeImage. If set to true, this option replaces the
image name of any Kubernetes core components with hyperkube, thus allowing for
upgrades and respecting the image repository and version, specified in the
ClusterConfiguration.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
Create CSR using the mentioned function which also encodes the
type CertificateRequestBlockType.
Without that 'certs renew' is failing with:
'PEM block type must be CERTIFICATE REQUEST'
When node lease feature is enabled, kubelet reports node status to api server
only if there is some change or it didn't report over last report interval.
Added new alpha command to pivot to self hosted
Removed slelfhosting upgrade ability
Added warning message to self hosted pivot
added certs in secrets flag to new selfhosting comand
Until now the control plane timeout was fixed to 4 minutes and users did not
have the ability to change it. This commit allows that timeout to be configured
via the new `timeoutForControlPlane` option in the API server config (itself a
member of the ClusterConfiguration).
The default timeout is still 4 minutes.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
Fixes lint errors in kubeapiserver/admission, kubeapiserver/authorizer,
kubeapiserver/authenticator. Also enables lint testing of these
directories.
Fixed go format.
Fixed changes from config.
Writable was added to HostPathMount in v1alpha1 in order to control if an extra
volume is mounted in read only or writable mode.
Usually, in Kubernetes, this option is referred to as ReadOnly, instead of
Writable and is defaulted to `false`. However, at the time, all extra volumes
to pods were defaulted to read-only. Therefore, to avoid changes to existing
v1alpha1 configs, this option had to be added with reversed meaning.
Hence, it's called `writable`.
Now, with the migration towards v1beta1, we can safely change this to ReadOnly
and get it in sync with the reset of Kubernetes.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
In v1alpha3's, control plane component config options were nested directly into
the ClusterConfiguration structure. This is cluttering the config structure and
makes it hard to maintain. Therefore the control plane config options must be
separated into different substructures in order to graduate the format to beta.
This change does the following:
- Introduces a new structure called ControlPlaneComponent, that contains fields
common to all control plane component types. These are currently extra args
and extra volumes.
- Introduce a new structure called APIServer that contains
ControlPlaneComponent and APIServerCertSANs field (from ClusterConfiguration)
- Replace all API Server, Scheduler and Controller Manager options in
ClusterConfiguration with APIServer, ControllerManager and Scheduler fields
of APIServer and ControlPlaneComponent types.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
Remove custom flags that were previously available per
sub-phase. Rely on the config passed to 'kubeadm init' for that.
Remove redundant functions in manifests.go.
Move the audit policy settings to the control plane phase (under
API server).
Remove the test based on these points:
- it's apparently flaky by more than one reports and it's hard to debug.
- it's not a CLI unit test.
- it's testing API objects using a fake API server which is a bad hack...
- existing e2e tests already provide coverage for all
the `expectedError: false` cases.
In the past the discovery configuration expected, that we can support multiple
API server endpoints. In practice, we always end up with a single API server
endpoint, because, even in HA setups, we use a load balancer scheme for API
servers.
Therefore, to reduce complexity and improve readability of the config, the
multiple API server endpoints support is removed from the bootstrap token
discovery join method and configuration.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
The service account authenticator isn't the only authenticator that
should respect API audience. The authentication config structure should
reflect that.
Order of Volumes and VolumeMounts in the pod objects created by
kubeadm is undefined as they're represended as maps in the
controlPlaneHostPathMounts struct.
This influences 'kubeadm upgrade' logic in a way that even when
manifest of the component is not changed kubeadm tries to upgrade
it because most of the time current and new pods are not equal
due to the different order of Volumes and VolumeMounts.
For example 'kubeadm apply diff' almost always shows difference
in Volumes and VolumeMounts because of this:
volumeMounts:
+ - mountPath: /etc/kubernetes/pki
+ name: k8s-certs
+ readOnly: true
- mountPath: /etc/ssl/certs
name: ca-certs
+ readOnly: true
+ - mountPath: /etc/pki
+ name: etc-pki
+ readOnly: true
+ - mountPath: /usr/share/ca-certificates
+ name: usr-share-ca-certificates
readOnly: true
- mountPath: /etc/ca-certificates
name: etc-ca-certificates
readOnly: true
- - mountPath: /etc/pki
- name: etc-pki
- readOnly: true
- - mountPath: /etc/kubernetes/pki
- name: k8s-certs
- readOnly: true
- - mountPath: /usr/share/ca-certificates
- name: usr-share-ca-certificates
- readOnly: true
Sorting Volumes and VolumeMounts should fix this issue and help
to avoid unnecessary upgrades.
In order to improve the UX of kubeadm, it was decided to introduce the
following subcommands:
- `kubeadm config print` - this is currently only a placeholder for subcommands
that deal printing of some kind of configuration.
- `kubeadm config print init-defaults` - prints the default combination of
InitConfiguration and ClusterConfiguration. Selected component configs can be
printed too if the `--component-configs` command line switch is used.
- `kubeadm config print join-defaults` - prints the default JoinConfiguration.
This command also supports the use of `--component-configs`.
- `kubeadm config print-defaults` is deprecated in favor of
`kubeadm config print init/join-defaults`.
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
When doing upgrades kubeadm generates new manifest and
waits until kubelet restarts correspondent pod.
However, kubelet won't restart pod if there are no changes
in the manifest. That makes kubeadm stuck waiting for
restarted pod.
Skipping upgrade if new component manifest is the same as
current manifest should solve this.
Fixes: kubernetes/kubeadm#1054
This change splits out discovery fields from JoinConfiguration by performing
the following changes:
- Introduce a BootstrapTokenDiscovery structure, that houses configuration
options needed for bootstrap token based discovery.
- Introduce a FileDiscovery structure, that houses configuration options
(currently only a single option) needed for KubeConfig based discovery.
- Introduce a Discovery structure, that houses common options (such as
discovery timeout and TLS bootstrap token) as well as pointer to an instance
of either BootstrapTokenDiscovery or FileDiscovery structures.
- Replace the old discovery related JoinConfiguration members with a single
Discovery member.
This change is required in order to cleanup the code of unnecessary logic and
make the serialized JoinConfiguration more structured (and therefore, more
intuitive).
Signed-off-by: Rostislav M. Georgiev <rostislavg@vmware.com>
It makes more sense to use advertised etcd endpoints instead of using
listened client URLS.
I'm solving this use case: Listen on localhost and public IP but I don't
want to add multiple endpoints to kube-apiservers because it's targeting
same etcd server.
Without this patch SetKubernetesVersion does not set
a version in all locations where it's called, because
the passed config to it always has a default version
stable-1.
This always triggers the != "" check and the function
returns without setting a version.
Validate against DefaultKubernetesVersion and "" instead.
This fixes all cases where fetching a version from the internet
is not needed at all - e.g. "kubeadm token create".
Also make SetKubernetesVersion default to version.Get().String()
and add unit tests for the function.