Commit Graph

446 Commits (c8278053cbff2488067845eba1269fa9ecbb9b18)

Author SHA1 Message Date
Brian Downs 88f95ec409
Send systemd notifications for both server and agent (#3430)
* update agent to sent systemd notify after everything starts
2021-06-15 04:20:26 -07:00
Manuel Buil 243fd14cf1 Change Replace with ReplaceAll function
strings has a specific function to replace all matches. We should use that one instead of strings.Replace(string, old, new string, -1)

Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-06-07 09:52:26 +02:00
Manuel Buil 5153088286
Merge pull request #3385 from manuelbuil/wireguard-fix
Move wireguard's privatekey to flannel config directory
2021-06-02 09:44:27 +02:00
Manuel Buil 1576030d6b Add a path for wireguard's privatekey
Signed-off-by: Manuel Buil <mbuil@suse.com>
2021-06-01 21:54:17 +02:00
Jamie Phillips 7345ac35ae
Initial windows support for agent (#3375)
Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>
2021-06-01 12:29:46 -07:00
Brad Davidson 7e175e8ad4 Handle conntrack-related sysctls in supervisor agent setup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-18 13:40:44 -07:00
Brad Davidson 079620ded0 Fix passthrough of SystemDefaultRegistry from server config
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-13 02:18:09 -07:00
Brad Davidson e10524a6b1 Add executor.Bootstrap hook for pre-execution setup
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-11 18:46:15 -07:00
Brad Davidson 02a5bee62f
Add system-default-registry support and remove shared code (#3285)
* Move registries.yaml handling out to rancher/wharfie
* Add system-default-registry support
* Add CLI support for kubelet image credential providers

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-10 15:58:41 -07:00
Hussein Galal f410fc7d1e
Invoke cluster reset function when only reset flag is passed (#3276)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-05-05 17:40:04 +02:00
Hussein Galal 2db3bf7a89
Export CriConnection function (#3225)
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-04-29 22:11:19 +02:00
Brad Davidson 2705431d96
Add support for dual-stack Pod/Service CIDRs and node IP addresses (#3212)
* Add support for dual-stack cluster/service CIDRs and node addresses

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-21 15:56:20 -07:00
Brad Davidson e8381db778 Update Kubernetes to v1.21.0
* Update Kubernetes to v1.21.0
* Update to golang v1.16.2
* Update dependent modules to track with upstream
* Switch to upstream flannel
* Track changes to upstream cloud-controller-manager and FeatureGates

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-14 14:51:42 -07:00
Xiao Deshi cfe7e0c734 remove duplicated func GetAddresses
refactor tunnel.go and controller.go, remove duplicated lines.

Signed-off-by: Xiao Deshi <xiaods@gmail.com>
2021-03-31 14:23:05 -07:00
Akihiro Suda cb73461a5b AkihiroSuda/containerd-fuse-overlayfs -> containerd/fuse-overlayfs-snapshotter
The repo has been moved.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 10:34:34 -07:00
Akihiro Suda 6e8284e3d4 rootless: enable resource limitation (requires cgroup v2, systemd)
Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".

This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.

To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.

Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Jacob Blain Christen 618b0f98bf
registry mirror repository rewrites (#3064)
Support repository regex rewrite rules when fetching image content.

Example configuration:
```yaml
# /etc/rancher/k3s/registries.yaml
mirrors:
  "docker.io":
    endpoint:
    - "https://registry-1.docker.io/v2"
    rewrite:
      "^library/alpine$": "my-org/alpine"
```

This will instruct k3s containerd to fetch content for `alpine` images
from `docker.io/my-org/alpine` instead of the default
`docker.io/library/alpine` locations.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2021-03-15 16:17:27 -07:00
Brad Davidson 8ace8975d2 Don't start up multiple apiserver load balancers
get() is called in a loop until client configuration is successfully
retrieved. Each iteration will try to configure the apiserver proxy,
which will in turn create a new load balancer. Skip creating a new
load balancer if we already have one.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson c0d129003b Handle loadbalancer port in TIME_WAIT
If the port wanted by the client load balancer is in TIME_WAIT, startup
will fail. Set SO_REUSEPORT so that it can be listened on again
immediately.

The configurable Listen call wants a context, so plumb that through as
well.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-08 17:05:25 -08:00
Brad Davidson 7cdfaad6ce
Always use static ports for client load-balancers (#3026)
* Always use static ports for the load-balancers

This fixes an issue where RKE2 kube-proxy daemonset pods were failing to
communicate with the apiserver when RKE2 was restarted because the
load-balancer used a different port every time it started up.

This also changes the apiserver load-balancer port to be 1 below the
supervisor port instead of 1 above it. This makes the apiserver port
consistent at 6443 across servers and agents on RKE2.

Additional fixes below were required to successfully test and use this change
on etcd-only nodes.

* Actually add lb-server-port flag to CLI
* Fix nil pointer when starting server with --disable-etcd but no --server
* Don't try to use full URI as initial load-balancer endpoint
* Fix etcd load-balancer pool updates
* Update dynamiclistener to fix cert updates on etcd-only nodes
* Handle recursive initial server URL in load balancer
* Don't run the deploy controller on etcd-only nodes
2021-03-06 02:29:57 -08:00
Brian Downs 4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902)
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00
Brad Davidson 4fb073e799 Log clearer error on startup if NPC cannot be started
Servers should always be upgraded before agents, but generally this
isn't required because things are compatible between versions. In this
case we're OK with failing closed if the user upgrades out of order, but
we should give a clearer message about what steps are required to fix
the issue.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-03-01 14:23:59 -08:00
Brad Davidson f970e49b7d Wait for apiserver to become healthy before starting agent controllers
It is possible that the apiserver may serve read requests but not allow
writes yet, in which case flannel will crash on startup when trying to
configure the subnet manager.

Fix this by waiting for the apiserver to become fully ready before
starting flannel and the network policy controller.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-26 19:28:53 -08:00
Brad Davidson 88dd601941 Limit zstd decoder memory
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Brad Davidson ec661c67d7 Add support for retagging images on load from tarball
Adds support for retagging images to appear to have been sourced from
one or more additional registries as they are imported from the tarball.
This is intended to support RKE2 use cases with system-default-registry
where the images need to appear to have been pulled from a registry
other than docker.io.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Hussein Galal 5749f66aa3
Add disable flags for control components (#2900)
* Add disable flags to control components

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to disable flags

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add comments to functions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix joining problem

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix ticker

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix role labels

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-02-12 17:35:57 +02:00
Brad Davidson 65c78cc397 Replace options.KubeRouterConfig with config.Node and remove metrics/waitgroup stuff
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson 07256cf7ab Add ServiceIPRange and ServiceNodePortRange to agent config
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson 95a1a86847 Spell check upstream code
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson 29483d0651 Initial update of netpol and utils from upstream
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Brad Davidson 8011697175 Only container-runtime-endpoint wants RuntimeSocket path as URI
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-01-22 18:56:30 -08:00
Waqar Ahmed 3ea696815b Do not validate snapshotter argument if docker is enabled
Problem:
While using ZFS on debian and K3s with docker, I am unable to get k3s working as the snapshotter value is being validated and the validation fails.

Solution:
We should not validate snapshotter value if we are using docker as it's a no-op in that case.

Signed-off-by: Waqar Ahmed <waqarahmedjoyia@live.com>
2021-01-20 12:25:28 -08:00
Erik Wilson c71060f288
Merge pull request #2744 from erikwilson/rke2-node-password-bootstrap
Bootstrap node password with local file
2021-01-11 09:51:30 -07:00
Erik Wilson 09eb44ba53 Bootstrap node password with local file
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
2020-12-23 15:08:06 -07:00
JenTing Hsiao 57041f0239
Add codespell CI test and fix codespell error (#2740)
* Add codespell CI test
* Fix codespell error
2020-12-22 12:35:58 -08:00
Erik Wilson 0ae7f2d5ae
Merge pull request #2407 from erikwilson/node-passwd-cleanup
Use secrets for node-passwd entries
2020-12-08 16:25:13 -07:00
Akihiro Suda eb72d509ce pkg/agent/config: validate containerd snapshotter value
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-12-01 11:00:00 -08:00
Akihiro Suda 0b45e32486 Support cgroup v2
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2020-11-30 22:57:37 -08:00
Brad Davidson b873d3a03b Explicitly set agent paths within --data-dir
Removing the cfg.DataDir mutation in 3e4fd7b did not break anything, but
did change some paths in unwanted ways. Rather than mutating the
user-supplied command-line flags, explicitly specify the agent
subdirectory as needed.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-11 09:26:41 -08:00
Brad Davidson 3e4fd7b41f Respect --data-dir path for crictl.yaml
Related to rancher/rke2#474

Note that anyone who customizes the data-dir path will have to set
CRI_CONFIG_FILE to the correct path when using the wrapped binaries
(crictl, etc). This is better than dropping files in the incorrect
location.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson 5b318d093f Fix containerd sock path warning
Resolves warning 1 from #2471

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson d1424626ac Disable containerd experimental snapshot labels
Related to #2455 and containerd/containerd#4684

These were not meant to be enabled by default, break images with many
layers, and will be disabled by default on the next containerd release.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Erik Wilson 992ca52c31
Enable go test in ci 2020-11-05 09:48:53 -07:00
Chris Kim 96fc4c4b21 Add iptable_nat to modprobe list
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-10-27 14:22:14 -04:00
Erik Wilson e26e333b7e
Add network policy controller CacheSyncOrTimeout 2020-10-07 12:35:44 -07:00
Erik Wilson 045cd49ab5
Add event handlers to network policy controller 2020-10-07 12:10:27 -07:00
Brad Davidson 45dd4afe50 Simplify token parsing
Improves readability, reduces round-trips to the join server to validate certs.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-27 03:26:24 -07:00
Brian Downs ba70c41cce
Initial Logging Output Update (#2246)
This attempts to update logging statements to make them consistent
through out the code base. It also adds additional context to messages
where possible, simplifies messages, and updates level where necessary.
2020-09-21 09:56:03 -07:00
Brad Davidson 8c6d3567fe Rename k3s-controller based on the build-time program name
Since we're replacing the k3s rolebindings.yaml in rke2, we should allow
renaming this so that we can use the white-labeled name downstream.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-16 10:53:07 -07:00
Erik Wilson a08e998bc5 Import containerd images with all platforms
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-14 20:44:58 -07:00
Brian Downs bb8e5374ea conform to repo conventions
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 18:48:30 -07:00
Brian Downs 00831f9bc8 use version.Program
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-03 08:51:17 -07:00
Brian Downs 301fb73952 add node ip to the request header for cert gen
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-09-02 19:15:09 -07:00
Brad Davidson a3e9d31e6c
Merge pull request #2097 from iwilltry42/registry-insecure-skip-verify
Feature: add insecure_skip_verify field to registry config template
2020-09-01 15:58:26 -07:00
Erik Wilson 447097a597
Merge pull request #2098 from erikwilson/k8s-1.19
Update to k8s 1.19
2020-08-28 18:22:15 -07:00
Erik Wilson 720197b9b1
Fix linting issues 2020-08-28 17:18:29 -07:00
Brian Downs 866dc94cea
Galal hussein etcd backup restore (#2154)
* Add etcd snapshot and restore

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix error logs

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* goimports

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix flag describtion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add disable snapshot and retention

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use creation time for snapshot retention

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* unexport method, update var name

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* adjust snapshot flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var name, string concat

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* revert previous change, create constants

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* type assertion error checking

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* simplify logic, remove unneeded function

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add comment

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update disable snapshots flag and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* move function

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update defaultSnapshotIntervalMinutes to 12 like rke

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update directory perms

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update etc-snapshot-dir usage

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update interval to 12 hours

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* fix usage typo

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update deps target to work, add build/data target for creation, and generate

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* remove dead make targets

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* error handling, cluster reset functionality

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* error handling, cluster reset functionality

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* remove intermediate dapper file

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Co-authored-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-08-28 16:57:40 -07:00
Frederick F. Kautz IV cdce2b7e9a
Add support for compressed images when pre-loading images (#2165)
* Add support for compressed images when pre-loading images

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>

* attempting to fix vendor source being dirty

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>

* fixing file extension for .tar.lz4

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>
2020-08-28 12:27:01 -07:00
Jacob Blain Christen e2089bea18
cli: add --selinux flag to agent/server sub-cmds (#2111)
* cli: add --selinux flag to agent/server sub-cmds

Introduces --selinux flag to affirmatively enable SELinux in containerd.
Deprecates --disable-selinux flag which now defaults to true which
auto-detection of SELinux configuration for containerd is no longer
supported.  Specifying both --selinux and --disable-selinux will result
in an error message encouraging you to pick a side.

* Update pkg/agent/containerd/containerd.go

update log warning message about enabled selinux host but disabled runtime

Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-08-11 16:17:32 -07:00
Thorsten Klein cf8c101b70
registry template: add insecure_skip_verify field
Signed-off-by: Thorsten Klein <iwilltry42@gmail.com>
2020-08-06 08:02:08 +02:00
Jacob Blain Christen 371bee82f9 containerd: bump to v1.3.6
Remove $NOTIFY_SOCKET, if present, from env when invoking containerd to
prevent gratuitous notifications sent to systemd.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-07-27 14:41:52 -07:00
Brian Downs 5a81fdbdc5 update cis flag implementation to propogate the rest of the way through to kubelet
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-20 16:31:56 -07:00
Jason e3f8789114
Add containerd snapshotter flag (#1991)
* Add containerd snapshotter flag

Signed-off-by: Jason-ZW <zhenyang@rancher.com>

* Fix CamelCase nit and option description

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Jason-ZW <zhenyang@rancher.com>

Co-authored-by: Brad Davidson <brad@oatmail.org>
2020-07-18 01:16:23 +02:00
Erik Wilson 0d6a2bfb0b
Merge pull request #1974 from mschneider82/patch-1
fixed panic in network_policy_controller
2020-07-01 09:48:00 -07:00
Erik Wilson 42f0b95ac5
Merge pull request #1800 from niusmallnan/dev
Add retry backoff for starting network-policy controller
2020-07-01 09:47:21 -07:00
niusmallnan d713683614 Add retry backoff for starting network-policy controller
Signed-off-by: niusmallnan <niusmallnan@gmail.com>
2020-06-30 09:25:09 +08:00
Matthias Schneider 56a083c812 fixed panic in network_policy_controller
I have rebooted a newly created k3s etcd cluster and this panic was triggered:

    ```
    k3s[948]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x45f2945]
    k3s[948]: goroutine 1 [running]:
    k3s[948]: github.com/rancher/k3s/pkg/agent/netpol.NewNetworkPolicyController(0xc00159e180, 0x61b4a60, 0xc006294000, 0xdf8475800, 0xc011d9a360, 0xc, 0x0, 0xc00bf545b8, 0x2b2edbc)
    k3s[948]:         /home/x/git/k3s/pkg/agent/netpol/network_policy_controller.go:1698 +0x275
    ```

Signed-off-by: Matthias Schneider <ms@wck.biz>
2020-06-29 20:49:24 +02:00
Brian Downs 58aae57e12 set environment variable and create config for crictl
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-06-24 14:26:44 -07:00
Brian Downs 63dbf806df create symlink from docker sock to where crictl in k3s is looking for the sock to use
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-06-23 18:42:45 -07:00
Darren Shepherd 7e59c0801e Make program name a variable to be changed at compile time 2020-06-06 16:39:41 -07:00
Darren Shepherd e5fe184a44
Merge pull request #1757 from ibuildthecloud/separate-port
Add supervisor port
2020-05-06 21:32:45 -07:00
Darren Shepherd f38082673d
Merge pull request #1753 from ibuildthecloud/prepull
Support prepulling images on start
2020-05-05 22:11:52 -07:00
Darren Shepherd 2f5ee914f9 Add supervisor port
In k3s today the kubernetes API and the /v1-k3s API are combined into
one http server.  In rke2 we are running unmodified, non-embedded Kubernetes
and as such it is preferred to run k8s and the /v1-k3s API on different
ports.  The /v1-k3s API port is called the SupervisorPort in the code.

To support this separation of ports a new shim was added on the client in
then pkg/agent/proxy package that will launch two load balancers instead
of just one load balancer.  One load balancer for 6443 and the other
for 9345 (which is the supervisor port).
2020-05-05 15:54:51 -07:00
Darren Shepherd 61ba9171ce Only echo Waiting for kubelet every 30 seconds
Don't print a message every second while we are waiting for the
kubelet to report Ready.
2020-05-05 15:23:18 -07:00
Darren Shepherd 6932d03bb4 Support prepulling images on start
In the agent/images folder if a .txt file is found it is assumed to
be a line separated list of image names to pull on start.
2020-05-05 14:45:39 -07:00
Darren Shepherd 70ddc799bd
Merge pull request #1691 from ibuildthecloud/staticpod
Suppport static pods at ${datadir}/agent/staticpods
2020-05-05 14:35:45 -07:00
Darren Shepherd 8c7fbe3dde Suppport static pods at ${datadir}/agent/pod-manifests 2020-05-05 12:43:47 -07:00
Erik Wilson c941e1d0bb
Merge pull request #1695 from ibuildthecloud/kubeproxy
Add ability to disable kubeproxy
2020-05-04 20:26:22 -07:00
Erik Wilson 21266bab7e
Merge pull request #1692 from ibuildthecloud/err
Check for error on mkdir
2020-05-04 20:16:20 -07:00
Erik Wilson ed8cd9250b
Merge pull request #1690 from ibuildthecloud/flannel
Only need to resolve the path of host-local if Flannel is enabled
2020-05-04 20:15:59 -07:00
Erik Wilson 47bb0939e6
Merge pull request #1611 from Dirbaio/master
Correctly quote auth strings in containerd config. For #1610
2020-05-04 19:27:17 -07:00
Darren Shepherd 5715e1ba0d Add ability to disable kubeproxy 2020-04-27 11:24:00 -07:00
Darren Shepherd 7920fa48c9 Only need to resolve the path of host-local if Flannel is enabled 2020-04-27 11:17:41 -07:00
Darren Shepherd c25f1ab1b6 Check for error on mkdir 2020-04-27 11:14:21 -07:00
Knic Knic 44b8af097c fix usage of path instead of filepath 2020-04-25 00:29:18 -07:00
Darren Shepherd a8d96112d9 Updates for k8s v1.18 support 2020-04-18 23:59:08 -07:00
Dario Nieuwenhuis cd0b58e920 Correctly quote auth strings in containerd config. Fixes #1610 2020-04-03 02:42:01 +02:00
Erik Wilson 8725798578
Merge pull request #1464 from erikwilson/selinux-update
Simplify SELinux detection and add --disable-selinux flag
2020-02-28 15:42:45 -07:00
Erik Wilson a3cb9ee1f6 Simplify SELinux detection and add --disable-selinux flag 2020-02-28 10:10:55 -07:00
Erik Wilson 0aeea78060
Merge pull request #1444 from KnicKnic/k3s_build_windows
K3s build windows (no agents)
2020-02-27 11:46:21 -07:00
Darren Shepherd 4d32fe9959 Support SELinux 2020-02-24 16:03:09 -07:00
Knic Knic c2db115ec3 fix formatting 2020-02-23 00:48:26 -08:00
Knic Knic 2346ccc63f get build on windows and get api_server to work 2020-02-22 23:17:59 -08:00
Erik Wilson fe45eb008a
Merge pull request #1416 from erikwilson/device-plugins-path
Use default kubelet device-plugins path
2020-02-14 14:19:51 -07:00
galal-hussein d49ef31767 Inject node config on startup 2020-02-14 21:17:13 +02:00
Erik Wilson b15c4473cd Use default kubelet device-plugins path 2020-02-14 10:18:07 -07:00
Erik Wilson 4cacffd7e6
Merge pull request #1298 from erikwilson/warn-npc-fail
Warn if NPC can't start rather than fatal error
2020-01-20 15:36:56 -07:00
Erik Wilson 5b98d10e4b Warn if NPC can't start rather than fatal error
If the ip_set kernel module is not available we should warn
that the network policy controller can not start rather than
cause a fatal error.

Also adds module probing and config checks for ip_set.
2020-01-14 14:30:12 -07:00
Erik Wilson 7675f9f85c Clean up host-gw variable names 2020-01-08 17:43:07 -07:00
Segator c23f12765e hostgw flannel support 2020-01-08 17:43:07 -07:00
Segator 6736e24673 support hostgw 2020-01-08 17:43:07 -07:00
Erik Wilson 5c37454762
Merge pull request #1198 from narqo/tunel-addr-join-host-port
Respect IPv6 when building proxy address
2019-12-19 15:20:12 -07:00
Erik Wilson 9b2538c2c4 Set wireguard persistent-keepalive on wg set peer 2019-12-19 14:54:48 -07:00
Erik Wilson 3376f31fc2 Revert "Merge pull request #1190 from erikwilson/wireguard-keepalive"
This reverts commit e712cdf7e8, reversing
changes made to d5929bc8c8.

Wireguard docs fail to describe that persistent-keepalive is only valid
when peer is set.
2019-12-19 14:41:38 -07:00
Vladimir Varankin 0c5299c951 pkg/agent/tunnel: respect ipv6 when building proxy addresses 2019-12-19 12:08:07 +01:00
Erik Wilson 6875b11dd2 Fix identity_token -> identitytoken for containerd toml 2019-12-17 21:14:05 -07:00
Erik Wilson 97383868bd
Merge pull request #1186 from erikwilson/upgrade-k8s-1.17.0
Upgrade k8s  to v1.17.0
2019-12-16 09:40:38 -07:00
Erik Wilson e712cdf7e8
Merge pull request #1190 from erikwilson/wireguard-keepalive
Set Wireguard keepalive to 25 seconds
2019-12-16 09:40:11 -07:00
Erik Wilson 76281bf731 Update k3s for k8s 1.17.0 2019-12-15 23:28:19 -07:00
Erik Wilson 814c302d7c
Merge pull request #955 from btashton/servicelb-sysctl
Enable ip forwarding on both all and default net config
2019-12-12 17:31:02 -07:00
Erik Wilson 7b62811f98 Set Wireguard keepalive to 25 seconds 2019-12-12 10:40:41 -07:00
Erik Wilson d4959d53af
Merge pull request #1182 from erikwilson/docker-pause-image
Allow --pause-image to set docker sandbox image also
2019-12-11 10:36:07 -07:00
Brennan Ashton a952d5c32a Default device net config enables ip forwarding
The Linux kernel is inconsistent about how devconf is configured for new
network namespaces between ipv4 and ipv6. The behavior can also be
controlled via net.core.devconf_inherit_init_net in Linux 5.1+ so make
sure to enable forwarding on all and default for both ipv6 and ipv4.

This issue first came up testing on a yocto kernel that had this patch:
 ipv4: net namespace does not inherit network configurations

[0] https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html#devconf-inherit-init-net
[1] https://lkml.org/lkml/2014/7/29/119

Signed-off-by: Brennan Ashton <brennana@jfrog.com>
2019-12-10 16:29:59 -08:00
Erik Wilson 2de93d70cf Allow --pause-image to set docker sandbox image also 2019-12-10 16:16:26 -07:00
Jacob Blain Christen 063efb25bb Mutable --node-label values for server/agent sub-commands.
Values passed in via the server/agent `--node-label` flag are treated as mutable. They are passed through to the kubelet just as before but after the kubelet comes up they are applied again. This allows for passing labels a k3s start-time that may be necessary for scheduling but may change from boot to boot, e.g. `k3os.io/version` after an upgrade.

Tested locallon on my amd64 workstation with the docker container.

Addresses #1119.
2019-12-09 16:40:15 -07:00
yuzhiquan 24869ddf21 remove []byte trans, handle func error 2019-11-28 19:26:45 +08:00
yuzhiquan 7cc0110081 fix typo 2019-11-28 19:24:19 +08:00
Guangbo Chen 8ff4c3c256 Update base pause image to rancher repo 2019-11-25 16:09:05 +08:00
Darren Shepherd ff34c5c5cf Download cert/key to agent with single HTTP request
Since generated cert/keys are stored locally, each server has a different
copy.  In a HA setup we need to ensure we download the cert and key from
the same server so we combined HTTP requests to do that.
2019-11-15 21:51:51 -07:00
Erik Wilson 55c05ac500 Refactor node password location 2019-11-12 15:30:34 -07:00
Erik Wilson 2bbc356f65
Merge pull request #1008 from erikwilson/ip6-system-setup
Improve ip6 system setup & utilities
2019-11-04 14:24:55 -07:00
Erik Wilson afa9422ad9 Improve ip6 system setup & utilities 2019-11-04 11:35:14 -07:00
Darren Shepherd ba240d0611 Refactor tokens, bootstrap, and cli args 2019-10-30 19:06:49 -07:00
Erik Wilson f648a64ee3
Merge pull request #923 from AkihiroSuda/fix-rootless-kubelet-flags
rootless: add kubelet flags automatically
2019-10-25 01:40:06 -07:00
Akihiro Suda aafccdbccb rootless: add kubelet flags automatically
Fix https://github.com/rancher/k3s/issues/784

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-25 17:10:14 +09:00
Erik Wilson aed163b338 Remove trailing whitespace trimming from containerd template 2019-10-23 08:02:07 -07:00
Erik Wilson 2ff2baba49
Merge pull request #913 from erikwilson/kube-router-network-policy
Add network policy support
2019-10-18 16:14:18 -07:00
Erik Wilson da3a7c6bbc Add network policy controller 2019-10-18 16:11:42 -07:00
Erik Wilson 1df72d14b8 Cleanup containerd config template spacing 2019-10-18 12:34:27 -07:00
Erik Wilson 90df4a1921 Use containerd-shim-run-v2 2019-10-18 12:34:27 -07:00
Erik Wilson 12307a4a69 Fallback to /etc/strongswan for config
Needed for docker image
2019-10-17 22:38:48 -07:00
Darren Shepherd 30c14a4db6
Merge pull request #901 from erikwilson/default-kubelet-dir
Use default kubelet directory
2019-10-17 16:49:11 -07:00
galal-hussein d2c1f66496 Add k3s cloud provider 2019-10-16 21:13:15 +02:00
Erik Wilson c72ef62d2c Use default kubelet directory 2019-10-15 10:47:03 -07:00
galal-hussein 5ccc880ddb Add private registry to containerd 2019-10-08 01:54:53 +02:00
Erik Wilson 0af32bba75 Use newest flannel API 2019-09-27 18:33:05 -07:00
Erik Wilson 999e40d6d3 Add strongswan utilities for ipsec 2019-09-27 18:26:39 -07:00
Erik Wilson 959acf9c92 Add --flannel-backend flag 2019-09-27 18:26:39 -07:00
Erik Wilson 359a77939c Enable hairpin mode 2019-09-27 18:26:39 -07:00
Erik Wilson 36fa425d45 Enable extension and ipsec flannel backends 2019-09-27 18:26:39 -07:00
Erik Wilson 3cd807a657 Add --flannel-conf flag 2019-09-27 18:26:39 -07:00
Darren Shepherd b24f214a50 Update to new cri-api import 2019-08-28 20:53:36 -07:00
Erik Wilson a76ca2e887 Remove hostname requirement in `/etc/hosts` 2019-08-21 22:56:20 -07:00
Erik Wilson 98254a3412 Change load balancer logging to debug 2019-08-08 10:48:11 -07:00
Erik Wilson a17e336993 Use go tcpproxy 2019-07-30 09:53:15 -07:00
Erik Wilson 1833b65fcd
Merge pull request #647 from yamt/remove-proxy-port
Remove agent proxy config which is no longer used
2019-07-23 15:51:51 -07:00
Erik Wilson 8ce509ee6b Cleanup tunnel logs 2019-07-18 05:00:07 -07:00
Erik Wilson 23b0797578 Add context to tunnel connect 2019-07-17 18:15:15 -07:00
Erik Wilson b93b4732eb Start endpoint tunnel watch before waiting 2019-07-17 17:13:40 -07:00
YAMAMOTO Takashi dc4ebd4c67 Remove agent proxy config which is no longer used 2019-07-17 18:05:16 +09:00
Erik Wilson e77dc568bb Cleanup tunnel 2019-07-14 00:29:21 -07:00
Erik Wilson 7e6664b684 Add resource version to tunnel endpoint watch 2019-07-12 15:38:49 -07:00
Erik Wilson 034a863696 Cleanup remotedialer tunnel logs 2019-07-12 15:38:49 -07:00
Erik Wilson e0212144e8 Tunnel agent to all servers
Watch the kubernetes endpoints to create a tunnel to all servers.
2019-07-03 13:11:54 -07:00
Erik Wilson 29865fd9c9 Remove agent proxy 2019-06-25 15:04:04 -07:00
Erik Wilson 2c9444399b Refactor certs 2019-06-25 15:04:04 -07:00
Darren Shepherd c0702b0492 Port to wrangler 2019-05-26 22:28:50 -07:00
Darren Shepherd 4b4dd1b59b
Merge pull request #454 from galal-hussein/node_labels_taints
Expose node labels and taints and add node roles
2019-05-25 00:39:55 +02:00
Wenxuan Zhao f0f57c1e44
Allow using built-in modules
Signed-off-by: Wenxuan Zhao <viz@linux.com>
2019-05-09 12:23:33 -07:00
galal-hussein 930093dfe9 Expose node labels and taints and add node roles 2019-05-08 01:47:07 +02:00
haokang.ke 52f845ec84 Make pause image configurable (#345) 2019-05-03 10:36:12 -07:00
galal-hussein 5d8d9e610b Add timeout to hostname check 2019-05-03 14:41:08 +02:00
Darren Shepherd 4ec051d032
Merge pull request #422 from galal-hussein/use_cni_with_docker
Add cni plugin to kubelet if docker is used
2019-05-02 10:45:34 -07:00
galal-hussein 7e1699cda0 Check if hostname is resolvable before running agent 2019-05-01 22:54:05 +02:00
galal-hussein 191ac9371a Add cni plugin to kubelet if docker is used 2019-04-30 22:12:02 +02:00
Darren Shepherd 2950e81c23
Merge pull request #371 from warmchang/nf_conntrack
🔧 modprobe nf_conntrack
2019-04-26 16:01:13 -07:00
Darren Shepherd 9db91d7de3
Merge pull request #369 from erikwilson/node-dns
Node DNS & cert registration
2019-04-26 16:00:31 -07:00
Erik Wilson c9941895d6 Bind kubelet to all interfaces and use webhook auth 2019-04-26 15:02:30 -07:00
William Zhang 22bd3a3ce7 🔧 nf_conntrack module
Signed-off-by: William Zhang <zhang.wanmin@zte.com.cn>
2019-04-26 08:55:48 +08:00
galal-hussein bdf8a355e1 Add containerd config go template 2019-04-25 22:17:34 +02:00
Erik Wilson f584197bba Save password as text file 2019-04-25 10:53:21 -07:00
Erik Wilson e64c0298f2 Add cert per-node password authentication 2019-04-23 11:02:35 -07:00
Erik Wilson 1b2db423de Add node name to node cert generation 2019-04-19 18:20:34 +00:00
Darren Shepherd 0e3711b8b7
Merge pull request #339 from km4rcus/cluster-domain-option
Add --cluster-domain option
2019-04-15 10:06:07 -07:00
Stuart Wallace 2268e028a2 Add ability to override flannel interface 2019-04-12 21:06:43 +01:00
Marco Mancini b445bad171 Add --cluster-domain option 2019-04-12 08:06:35 +02:00
Darren Shepherd 046a817818 Add rootless support 2019-04-09 10:38:04 -07:00
galal-hussein 7794528aa1 Add extra flags for server and agent components 2019-04-09 08:20:38 +02:00
Erik Wilson a4df9f4ab1 Kubelet resolv.conf DNS update
Allow the kubelet resolv-conf flag to be set, or automatically
discovered from /etc/resolv.conf & /run/systemd/resolve/resolv.conf if
no loopback devices are present, or create our own which points to
nameserver 8.8.8.8
2019-03-26 23:13:54 +00:00
Erik Wilson 1d61576e54 Fix linting issues 2019-03-25 16:04:29 -07:00
Darren Shepherd 6e28ede2f8 Fix containerd debug log env var 2019-03-07 11:20:58 -07:00
Darren Shepherd fe9a5b1601 Remove spurious error on start 2019-03-07 10:25:21 -07:00
Fernandez Ludovic e59bd5d489 refactor: creates loadImages function. 2019-03-07 01:45:52 +01:00
Adam Liddell b430513abf Enforce lower case hostname for node, references #160 2019-03-05 18:34:24 +00:00
Darren Shepherd 4475456a83
Update pkg/agent/config/config.go
Co-Authored-By: juliens <julien.salleyron@gmail.com>
2019-03-04 23:23:17 +01:00
Julien Salleyron 164b89bce4 fix review. 2019-03-04 21:46:37 +01:00
Julien Salleyron 1895eec684 Preload images 2019-03-04 21:34:24 +01:00
Darren Shepherd ef4e34b289 Remove dead code 2019-03-04 10:10:17 -07:00
Darren Shepherd 70e6ca4ab8 Support external CRI implementations 2019-03-04 10:08:12 -07:00
Sean Duffy 10f1553564 fix 'fannel' typo. 2019-02-28 10:30:45 -07:00
Darren Shepherd cb5e425457 Set /proc/sys/net/ipv4/ip_forward on agent start 2019-02-23 22:43:59 -07:00
Darren Shepherd 04c5567346 Validate that memory cgroup exists 2019-02-07 21:45:31 -07:00
Darren Shepherd 529aa431d1 Adjust debug logging and write containerd logs to a file 2019-02-07 21:45:31 -07:00
Darren Shepherd 3f2a951564 Ensure that br_netfilter module is loaded 2019-01-25 22:09:46 -07:00
Darren Shepherd 287e0f44c9 Prepare for initial release 2019-01-22 14:20:29 -07:00
Darren Shepherd 62c62cc7b4 Continued refactoring 2019-01-11 21:52:30 -07:00