Jamie Phillips
7345ac35ae
Initial windows support for agent ( #3375 )
...
Signed-off-by: Jamie Phillips <jamie.phillips@suse.com>
2021-06-01 12:29:46 -07:00
Brad Davidson
7e175e8ad4
Handle conntrack-related sysctls in supervisor agent setup
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-18 13:40:44 -07:00
Brad Davidson
e10524a6b1
Add executor.Bootstrap hook for pre-execution setup
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-11 18:46:15 -07:00
Brad Davidson
02a5bee62f
Add system-default-registry support and remove shared code ( #3285 )
...
* Move registries.yaml handling out to rancher/wharfie
* Add system-default-registry support
* Add CLI support for kubelet image credential providers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-05-10 15:58:41 -07:00
Siegfried Weber
e77fd18270
Sign CSRs for kubelet-serving with the server CA
...
Problem:
Only the client CA is passed to the kube-controller-manager and
therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are
signed with the client CA. Serving certificates must be signed with the
server CA otherwise e.g. "kubectl logs" fails with the error message
"x509: certificate signed by unknown authority".
Solution:
Instead of providing only one CA via the kube-controller-manager
parameter "--cluster-signing-cert-file", the corresponding CA for every
signer is set with the parameters
"--cluster-signing-kube-apiserver-client-cert-file",
"--cluster-signing-kubelet-client-cert-file",
"--cluster-signing-kubelet-serving-cert-file", and
"--cluster-signing-legacy-unknown-cert-file".
Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>
2021-05-05 15:59:57 -07:00
Brad Davidson
3cb4ca4b35
Use same SANs on ServingKubeAPICert as dynamiclistener
...
The kube-apiserver cert should have the same SANs in the same order,
excluding the extra user-configured SANs since this will only be used
in-cluster.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-28 09:58:19 -07:00
Brad Davidson
2705431d96
Add support for dual-stack Pod/Service CIDRs and node IP addresses ( #3212 )
...
* Add support for dual-stack cluster/service CIDRs and node addresses
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-21 15:56:20 -07:00
Brad Davidson
601c4984f5
Fix service-account-issuer
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-14 14:51:42 -07:00
Brad Davidson
e8381db778
Update Kubernetes to v1.21.0
...
* Update Kubernetes to v1.21.0
* Update to golang v1.16.2
* Update dependent modules to track with upstream
* Switch to upstream flannel
* Track changes to upstream cloud-controller-manager and FeatureGates
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-04-14 14:51:42 -07:00
Akihiro Suda
6e8284e3d4
rootless: enable resource limitation (requires cgroup v2, systemd)
...
Now rootless mode can be used with cgroup v2 resource limitations.
A pod is executed in a cgroup like "/user.slice/user-1001.slice/user@1001.service/k3s-rootless.service/kubepods/podd0eb6921-c81a-4214-b36c-d3b9bb212fac/63b5a253a1fd4627da16bfce9bec58d72144cf30fe833e0ca9a6d60ebf837475".
This is accomplished by running `kubelet` in a cgroup namespace, and enabling `cgroupfs` driver for the cgroup hierarchy delegated by systemd.
To enable cgroup v2 resource limitation, `k3s server --rootless` needs to be launched as `systemctl --user` service.
Please see the comment lines in `k3s-rootless.service` for the usage.
Running `k3s server --rootless` via a terminal is not supported.
When it really needs to be launched via a terminal, `systemd-run --user -p Delegate --tty` needs to be prepended to create a systemd scope.
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-24 00:37:30 -07:00
Brian Downs
4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends ( #2902 )
...
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
2021-03-03 11:14:12 -07:00
Brad Davidson
ec661c67d7
Add support for retagging images on load from tarball
...
Adds support for retagging images to appear to have been sourced from
one or more additional registries as they are imported from the tarball.
This is intended to support RKE2 use cases with system-default-registry
where the images need to appear to have been pulled from a registry
other than docker.io.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-17 11:48:03 -08:00
Hussein Galal
5749f66aa3
Add disable flags for control components ( #2900 )
...
* Add disable flags to control components
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* golint
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* fixes to disable flags
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add comments to functions
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Fix joining problem
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* golint
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* fix ticker
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* fix role labels
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2021-02-12 17:35:57 +02:00
Brad Davidson
e06119729b
Improve handling of comounted cpu,cpuacct controllers ( #2911 )
...
* Improve handling of comounted cpu,cpuacct controllers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-09 16:12:58 -08:00
Brad Davidson
07256cf7ab
Add ServiceIPRange and ServiceNodePortRange to agent config
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-02-03 10:41:51 -08:00
Akihiro Suda
f3c41b7650
fix cgroup2 support
...
Fix issue 900
cgroup2 support was introduced in PR 2584, but got broken in f3de60ff31
It was failing with "F1210 19:13:37.305388 4955 server.go:181] cannot set feature gate SupportPodPidsLimit to false, feature is locked to true"
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-01-25 22:45:07 -08:00
Brad Davidson
8011697175
Only container-runtime-endpoint wants RuntimeSocket path as URI
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2021-01-22 18:56:30 -08:00
Yuriy
06fda7accf
Add functionality to bind custom IP address for Etcd metrics endpoint ( #2750 )
...
* Add functionality to bind custom IP address for Etcd metrics endpoint
Signed-off-by: yuriydzobak <yurii.dzobak@lotusflare.com>
2021-01-22 17:40:48 -08:00
Brian Downs
13229019f8
Add ability to perform an etcd on-demand snapshot via cli ( #2819 )
...
* add ability to perform an etcd on-demand snapshot via cli
2021-01-21 14:09:15 -07:00
Chris Kim
61ef2ce95e
use version.Program
...
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-09 12:34:13 -08:00
Chris Kim
48925fcb88
Simplify checkCgroups function call
...
Co-authored-by: Brian Downs <brian.downs@gmail.com>
2020-12-09 11:59:54 -08:00
Chris Kim
a3f87a81bd
Independently set kubelet-cgroups and runtime-cgroups, and detect if we are running under a systemd scope
...
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-09 11:39:33 -08:00
Brad Davidson
c5aad1b5ed
Disable the ServiceAccountIssuerDiscovery feature-gate.
...
We're not setting ``--service-account-issuer` to a https URL, which causes an
error message at startup when the feature gate is enabled. From the
docs on that flag:
> If this option is not a valid URI per the OpenID Discovery 1.0 spec, the
> ServiceAccountIssuerDiscovery feature will remain disabled, even if the
> feature gate is set to true. It is highly recommended that this value
> comply with the OpenID spec:
> https://openid.net/specs/openid-connect-discovery-1_0.html . In practice,
> this means that service-account-issuer must be an https URL. It is also
> highly recommended that this URL be capable of serving OpenID discovery
> documents at {service-account-issuer}/.well-known/openid-configuration.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 22:51:34 -08:00
Brad Davidson
c6950d2cb0
Update Kubernetes to v1.20.0-k3s1
...
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-12-08 22:51:34 -08:00
Chris Kim
3d1e40eaa3
Handle the case when systemd lives under `/init.scope`
...
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-08 10:26:54 -08:00
Chris Kim
e71e11fed0
Merge pull request #2642 from Oats87/issues/k3s/2548-cgroup
...
Set a cgroup if containerized
2020-12-08 10:05:21 -08:00
Chris Kim
f3de60ff31
When there is a defined cgroup for PID 1, assume we are containerized and set a root
...
Signed-off-by: Chris Kim <oats87g@gmail.com>
2020-12-07 13:15:15 -08:00
Hussein Galal
fadc5a8057
Add tombstone file to etcd and catch errc etcd channel ( #2592 )
...
* Add tombstone file to embedded etcd
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* go mod update
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* more fixes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* more changes
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* gofmt and goimports
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* go mod update
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* go lint
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* go lint
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* go mod tidy
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-12-07 22:30:44 +02:00
Jacob Blain Christen
36230daa86
[migration k3s-io] update kine dependency ( #2568 )
...
rancher/kine ➡️ k3s-io/kine
Part of https://github.com/rancher/k3s/issues/2189
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-11-30 16:45:22 -07:00
Brad Davidson
58b5b21f0d
Don't pass cloud-provider flag to controller-manager
...
As per documentation, the cloud-provider flag should not be passed to
controller-manager when using cloud-controller. However, the legacy
cloud-related controllers still need to be explicitly disabled to
prevent errors from being logged.
Fixing this also prevents controller-manager from creating the
cloud-controller-manager service account that needed extra RBAC.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-09 13:55:09 -08:00
Brad Davidson
f50e3140f9
Disable configure-cloud-routes and external service/route programming support when using k3s stub cloud controller
...
Resolves warning 3 from #2471
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Brad Davidson
31575e407a
Add Cluster ID support to k3s stub cloud controller
...
Resolves warning 2 from #2471 .
As per https://github.com/kubernetes/cloud-provider/issues/12 the
ClusterID requirement was never really followed through on, so the
flag is probably going to be removed in the future.
One side-effect of this is that the core k8s cloud-controller-manager
also wants to watch nodes, and needs RBAC to do so.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-11-05 15:51:10 -08:00
Menna Elmasry
523ccaf3f2
Merge pull request #2448 from MonzElmasry/new_b
...
Make etcd use node private ip
2020-10-29 00:23:56 +02:00
MonzElmasry
e8436cc76b
Make etcd use node private ip
...
Signed-off-by: MonzElmasry <menna.elmasry@rancher.com>
2020-10-28 23:45:24 +02:00
Brad Davidson
de18528412
Make etcd voting members responsible for managing learners ( #2399 )
...
* Set etcd timeouts using values from k8s instead of etcdctl
Fix for one of the warnings from #2303
* Use etcd zap logger instead of deprecated capsnlog
Fix for one of the warnings from #2303
* Remove member self-promotion code paths
* Add learner promotion tracking code
* Fix RaftAppliedIndex progress check
* Remove ErrGRPCKeyNotFound check
This is not used by v3 API - it just returns a response with 0 KVs.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-10-27 11:06:26 -07:00
Brad Davidson
8c6d3567fe
Rename k3s-controller based on the build-time program name
...
Since we're replacing the k3s rolebindings.yaml in rke2, we should allow
renaming this so that we can use the white-labeled name downstream.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-09-16 10:53:07 -07:00
Erik Wilson
447097a597
Merge pull request #2098 from erikwilson/k8s-1.19
...
Update to k8s 1.19
2020-08-28 18:22:15 -07:00
Erik Wilson
c5dc09159f
Move basic authentication to k3s
2020-08-28 17:18:34 -07:00
Erik Wilson
837a943234
Update for k8s 1.19
2020-08-28 17:18:34 -07:00
Brian Downs
866dc94cea
Galal hussein etcd backup restore ( #2154 )
...
* Add etcd snapshot and restore
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* fix error logs
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* goimports
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* fix flag describtion
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* Add disable snapshot and retention
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* use creation time for snapshot retention
Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
* unexport method, update var name
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* adjust snapshot flags
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update var name, string concat
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* revert previous change, create constants
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* updates
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* type assertion error checking
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* pr remediation
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* pr remediation
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* pr remediation
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* pr remediation
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* pr remediation
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* updates
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* updates
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* simplify logic, remove unneeded function
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update flags
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update flags
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* add comment
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* exit on restore completion, update flag names, move retention check
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* exit on restore completion, update flag names, move retention check
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* exit on restore completion, update flag names, move retention check
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update disable snapshots flag and field names
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* move function
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update field names
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update var and field names
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update var and field names
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update defaultSnapshotIntervalMinutes to 12 like rke
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update directory perms
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update etc-snapshot-dir usage
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update interval to 12 hours
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* fix usage typo
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* add cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* add cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* add cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* wire in cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* wire in cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* wire in cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* wire in cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* wire in cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* wire in cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* wire in cron
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update deps target to work, add build/data target for creation, and generate
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* remove dead make targets
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* error handling, cluster reset functionality
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* error handling, cluster reset functionality
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* update
Signed-off-by: Brian Downs <brian.downs@gmail.com>
* remove intermediate dapper file
Signed-off-by: Brian Downs <brian.downs@gmail.com>
Co-authored-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
2020-08-28 16:57:40 -07:00
Brad Davidson
b1d017f892
Update dynamiclistener
...
Second round of fixes for #1621
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
2020-08-18 10:38:47 -07:00
Jacob Blain Christen
e2089bea18
cli: add --selinux flag to agent/server sub-cmds ( #2111 )
...
* cli: add --selinux flag to agent/server sub-cmds
Introduces --selinux flag to affirmatively enable SELinux in containerd.
Deprecates --disable-selinux flag which now defaults to true which
auto-detection of SELinux configuration for containerd is no longer
supported. Specifying both --selinux and --disable-selinux will result
in an error message encouraging you to pick a side.
* Update pkg/agent/containerd/containerd.go
update log warning message about enabled selinux host but disabled runtime
Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
2020-08-11 16:17:32 -07:00
Euan Kemp
4808c4e7d5
Listen insecurely on localhost only
...
Before this change, k3s configured the scheduler and controller's
insecure ports to listen on 0.0.0.0. Those ports include pprof, which
provides a DoS vector at the very least.
These ports are only enabled for componentstatus checks in the first
place, and componentstatus is hardcoded to only do the check on
localhost anyway (see
https://github.com/kubernetes/kubernetes/blob/v1.18.2/pkg/registry/core/rest/storage_core.go#L341-L344 ),
so there shouldn't be any downside to switching them to listen only on
localhost.
2020-08-05 10:28:11 -07:00
Brian Downs
5a81fdbdc5
update cis flag implementation to propogate the rest of the way through to kubelet
...
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-20 16:31:56 -07:00
Jason
e3f8789114
Add containerd snapshotter flag ( #1991 )
...
* Add containerd snapshotter flag
Signed-off-by: Jason-ZW <zhenyang@rancher.com>
* Fix CamelCase nit and option description
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Jason-ZW <zhenyang@rancher.com>
Co-authored-by: Brad Davidson <brad@oatmail.org>
2020-07-18 01:16:23 +02:00
Brian Downs
ebac755da1
add profiling flag with default value of false
...
Signed-off-by: Brian Downs <brian.downs@gmail.com>
2020-07-10 13:08:04 -07:00
Brandon Davidson
538842ffdc
Merge pull request #1768 from brandond/fix_1764
...
Configure default signer implementation to use ClientCA instead of ServerCA
2020-07-07 16:52:14 -07:00
Brian Downs
7f4f237575
added profile = false args to api, controllerManager, and scheduler ( #1891 )
2020-06-12 21:09:41 +02:00
galal-hussein
c580a8b528
Add heartbeat interval and election timeout
2020-06-06 16:39:42 -07:00
Darren Shepherd
6b5b69378f
Add embedded etcd support
...
This is replaces dqlite with etcd. The each same UX of dqlite is
followed so there is no change to the CLI args for this.
2020-06-06 16:39:41 -07:00
Darren Shepherd
39571424dd
Generate etcd certificates
2020-06-06 16:39:41 -07:00
Darren Shepherd
a18d387390
Refactor clustered DB framework
2020-06-06 16:39:41 -07:00
Darren Shepherd
7e59c0801e
Make program name a variable to be changed at compile time
2020-06-06 16:39:41 -07:00
Chuck Schweizer
ca9c9c2e1e
Adding support for TLS MinVersion and CipherSuites
...
This will watch for the following kube-apiserver-arg variables and apply
them to the k3s kube-apiserver https listener.
--kube-apiserver-arg=tls-cipher-suites=XXXXXXX
--kube-apiserver-arg=tls-min-version=XXXXXXX
2020-05-07 09:27:09 -05:00
Darren Shepherd
cb4b34763e
Merge pull request #1759 from ibuildthecloud/background
...
Start kube-apiserver in the background
2020-05-06 21:50:48 -07:00
Darren Shepherd
e5fe184a44
Merge pull request #1757 from ibuildthecloud/separate-port
...
Add supervisor port
2020-05-06 21:32:45 -07:00
Darren Shepherd
072396f774
Start kube-apiserver in the background
...
In rke2 everything is a static pod so this causes a chicken and egg situation
in which we need the kubelet running before the kube-apiserver can be
launched. By starting the apiserver in the background this allows us to
do this odd bootstrapping.
2020-05-06 21:17:23 -07:00
Brad Davidson
71561ecda2
Use ClientCA for the signer controller
2020-05-06 16:51:35 -07:00
Darren Shepherd
2f5ee914f9
Add supervisor port
...
In k3s today the kubernetes API and the /v1-k3s API are combined into
one http server. In rke2 we are running unmodified, non-embedded Kubernetes
and as such it is preferred to run k8s and the /v1-k3s API on different
ports. The /v1-k3s API port is called the SupervisorPort in the code.
To support this separation of ports a new shim was added on the client in
then pkg/agent/proxy package that will launch two load balancers instead
of just one load balancer. One load balancer for 6443 and the other
for 9345 (which is the supervisor port).
2020-05-05 15:54:51 -07:00
Darren Shepherd
afd6f6d7e7
Encapsulate execution logic
...
This moves all the calls to cobra root commands to one package
so that we can change the behavior of running components as embedded
or external.
2020-05-05 15:34:32 -07:00
Darren Shepherd
70ddc799bd
Merge pull request #1691 from ibuildthecloud/staticpod
...
Suppport static pods at ${datadir}/agent/staticpods
2020-05-05 14:35:45 -07:00
Darren Shepherd
8c7fbe3dde
Suppport static pods at ${datadir}/agent/pod-manifests
2020-05-05 12:43:47 -07:00
Erik Wilson
c941e1d0bb
Merge pull request #1695 from ibuildthecloud/kubeproxy
...
Add ability to disable kubeproxy
2020-05-04 20:26:22 -07:00
Darren Shepherd
3c8e0b4157
No longer use basic auth for default admin account
2020-04-28 16:01:33 -07:00
Darren Shepherd
5715e1ba0d
Add ability to disable kubeproxy
2020-04-27 11:24:00 -07:00
Knic Knic
44b8af097c
fix usage of path instead of filepath
2020-04-25 00:29:18 -07:00
Erik Wilson
a3cb9ee1f6
Simplify SELinux detection and add --disable-selinux flag
2020-02-28 10:10:55 -07:00
Erik Wilson
0374c4f63d
Add --disable flag
2020-01-30 16:45:01 -07:00
Erik Wilson
3592d0bdd9
Merge pull request #1344 from ibuildthecloud/dialer-fallback
...
If tunnel session does not exist fallback to default dialer
2020-01-27 13:59:45 -07:00
Erik Wilson
1a2690d7be
Merge pull request #1192 from galal-hussein/add_encryption_config
...
Add secret encryption config
2020-01-27 13:59:09 -07:00
Darren Shepherd
3396a7b099
If tunnel session does not exist fallback to default dialer
2020-01-22 11:04:41 -07:00
Erik Wilson
1b23c891dd
Merge pull request #1304 from erikwilson/fixup-cadvisor
...
Run kubelet with containerd flag
2020-01-20 15:37:22 -07:00
Erik Wilson
fa03a0df3c
Run kubelet with containerd flag
...
The containerd flag was accidentally added to kubelet and is
deprecated, but needed for cadvisor to properly connect with
the k3s containerd socket, so adding for now.
2020-01-16 10:25:57 -07:00
Erik Wilson
7675f9f85c
Clean up host-gw variable names
2020-01-08 17:43:07 -07:00
Segator
6736e24673
support hostgw
2020-01-08 17:43:07 -07:00
galal-hussein
388cd9c4e8
Add secret encryption configuration
2019-12-23 13:16:27 +02:00
Darren Shepherd
4acaa0740d
Small dqlite fixes
2019-12-16 11:45:01 -07:00
Erik Wilson
76281bf731
Update k3s for k8s 1.17.0
2019-12-15 23:28:19 -07:00
Erik Wilson
2de93d70cf
Allow --pause-image to set docker sandbox image also
2019-12-10 16:16:26 -07:00
galal-hussein
99b8222e8d
Change storage to datastore
2019-11-15 21:52:07 -07:00
Darren Shepherd
77703b90ff
Don't ever change 10252/10251 ports
...
Kubernetes componentstatus check is hardcoded to 10252 and 10251
so we should never change these ports. If you do componentstatus
will return error.
2019-11-13 18:20:57 -07:00
Erik Wilson
55c05ac500
Refactor node password location
2019-11-12 15:30:34 -07:00
Darren Shepherd
0ae20eb7a3
Support both http and db based bootstrap
2019-11-12 01:12:24 +00:00
Darren Shepherd
29b270dce6
Wait for apiserver to be health, not just running
2019-11-12 01:09:33 +00:00
Darren Shepherd
91cacb3a14
Fix server join issues
2019-11-08 21:35:58 +00:00
Erik Wilson
01f6e0e64e
Add context to server daemon functions that wait
2019-11-05 11:06:07 -07:00
larmog
7aa3d08385
Wait for api-server to report version after starting
2019-11-05 11:05:22 -07:00
Darren Shepherd
ba240d0611
Refactor tokens, bootstrap, and cli args
2019-10-30 19:06:49 -07:00
Akihiro Suda
aafccdbccb
rootless: add kubelet flags automatically
...
Fix https://github.com/rancher/k3s/issues/784
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2019-10-25 17:10:14 +09:00
Erik Wilson
da3a7c6bbc
Add network policy controller
2019-10-18 16:11:42 -07:00
galal-hussein
d2c1f66496
Add k3s cloud provider
2019-10-16 21:13:15 +02:00
Erik Wilson
c12d2a1aea
Merge pull request #867 from galal-hussein/private_reg
...
Add private registry support to containerd
2019-10-10 14:35:37 -07:00
galal-hussein
436ff4ef63
fix cert rotation function
2019-10-10 03:35:32 +02:00
galal-hussein
5ccc880ddb
Add private registry to containerd
2019-10-08 01:54:53 +02:00
Erik Wilson
cac41db0e1
Merge pull request #816 from galal-hussein/default_local_storage
...
Add default storage class
2019-10-01 14:09:24 -07:00
galal-hussein
2dc5ba5bae
Add certificate rotation
2019-09-30 18:34:58 +02:00
galal-hussein
56e0e5ad7e
Add default local storage provisioner
2019-09-30 18:17:33 +02:00
Erik Wilson
999e40d6d3
Add strongswan utilities for ipsec
2019-09-27 18:26:39 -07:00
Erik Wilson
959acf9c92
Add --flannel-backend flag
2019-09-27 18:26:39 -07:00
Erik Wilson
3cd807a657
Add --flannel-conf flag
2019-09-27 18:26:39 -07:00
Darren Shepherd
36ca606073
Merge pull request #793 from yamt/noderestriction
...
Add back NodeRestriction
2019-09-07 12:07:01 -07:00
YAMAMOTO Takashi
9cf80eacd9
Add back NodeRestriction
...
It has been removed as a part of #764 for no obvious reasons.
Fix #791
2019-09-05 15:47:46 +09:00
Erik Wilson
197985c673
Add --kubelet-certificate-authority flag
2019-09-02 10:49:23 -07:00
Darren Shepherd
f57dd13774
Default kube-apiserver to httpsport + 1
2019-08-28 20:53:38 -07:00
Darren Shepherd
9c8b95be9d
Drop unneeded prometheus imports
2019-08-28 20:53:37 -07:00
Darren Shepherd
a51a2eaaad
Add anonymous-auth=false and remove NodeRestriction
2019-08-28 20:53:37 -07:00
Erik Wilson
5679cfafaf
Merge pull request #707 from ibuildthecloud/pr683
...
Integrate Kine
2019-08-26 09:25:37 -07:00
Darren Shepherd
2cb6f52339
Disable storing bootstrap information by default
2019-08-24 22:27:24 -07:00
Erik Wilson
e6067314c9
Localhost -> 127.0.0.1
2019-08-22 11:56:00 -07:00
galal-hussein
1ae0c540d7
Refactor bootstrap, move kine startup code to kine, integrate kine
2019-08-22 09:14:43 -07:00
YAMAMOTO Takashi
fc8eddae29
Appease kubelet warnings on docker for mac
...
On my environment, the name=systemd entry in /proc/self/cgroup
looks like:
13:name=systemd:/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499
Kubelet periodically complains like:
E0802 06:42:52.667123 1 summary_sys_containers.go:47] Failed to get system container stats for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": failed to get cgroup stats for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": failed to get container info for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": unknown container "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy"
2019-08-02 16:22:51 +09:00
YAMAMOTO Takashi
d78701acb1
Fix bootstrap with non-tls etcd
2019-07-31 16:14:13 +09:00
YAMAMOTO Takashi
35d972fd72
Sort args to make log outputs a bit more deterministic
2019-07-24 13:16:41 +09:00
Erik Wilson
1833b65fcd
Merge pull request #647 from yamt/remove-proxy-port
...
Remove agent proxy config which is no longer used
2019-07-23 15:51:51 -07:00
Erik Wilson
2d32337334
Merge pull request #650 from erikwilson/update-bootstrap
...
Bootstrap node key files & fix permissions
2019-07-17 14:22:05 -07:00
Erik Wilson
2f4d2838ea
Bootstrap node key files & fix permissions
2019-07-17 13:57:33 -07:00
YAMAMOTO Takashi
dc4ebd4c67
Remove agent proxy config which is no longer used
2019-07-17 18:05:16 +09:00
YAMAMOTO Takashi
f6a04ea995
Add a few comments in bootstrap.go
2019-07-17 16:25:34 +09:00
Erik Wilson
fdc1427317
Add more logs for bootstrap
2019-07-14 00:49:08 -07:00
Erik Wilson
e79fda96d2
Enforce explicit read or write for bootstrap
2019-07-12 16:18:53 -07:00
Erik Wilson
ad11ba583f
Use watch-cache for kvsql
2019-07-07 14:43:43 -07:00
Erik Wilson
11a4c71f28
Use watch-cache for etcd3 backend
2019-07-01 14:09:25 -07:00
Erik Wilson
24b73403c7
Cleanup bootstrap
2019-06-30 12:39:54 -07:00
Erik Wilson
8d979d675e
Add tls support for etcd cert storage backend
2019-06-30 08:28:42 -07:00
galal-hussein
37582b6fac
Add cert storage backend flag
2019-06-28 20:47:21 +02:00
galal-hussein
28d9d83be2
Add k3s HA bootstrap
2019-06-27 21:00:43 +02:00
Erik Wilson
7090a7d551
Move node password to separate file
2019-06-25 15:04:04 -07:00
Erik Wilson
93f6690f26
Graceful upgrade token to server CA
2019-06-25 15:04:04 -07:00
Erik Wilson
2c9444399b
Refactor certs
2019-06-25 15:04:04 -07:00
galal-hussein
17d8708ca5
Add storage backend flags
2019-06-12 00:48:47 +02:00
Erik Wilson
199f673676
Merge pull request #479 from galal-hussein/add_storage_backend_options
...
Add MySQL and Postgress support
2019-05-28 16:57:38 -07:00
Darren Shepherd
c0702b0492
Port to wrangler
2019-05-26 22:28:50 -07:00
galal-hussein
e9cd8adbf6
Add Storage endpoint option
2019-05-16 01:05:24 +02:00
galal-hussein
930093dfe9
Expose node labels and taints and add node roles
2019-05-08 01:47:07 +02:00
haokang.ke
52f845ec84
Make pause image configurable ( #345 )
2019-05-03 10:36:12 -07:00
Erik Wilson
d5ce19caae
Force upgrade of token node cert
2019-05-02 16:22:42 -07:00
galal-hussein
191ac9371a
Add cni plugin to kubelet if docker is used
2019-04-30 22:12:02 +02:00
Darren Shepherd
9db91d7de3
Merge pull request #369 from erikwilson/node-dns
...
Node DNS & cert registration
2019-04-26 16:00:31 -07:00
Darren Shepherd
50f405ddfd
Merge pull request #376 from galal-hussein/fix_kubeletarg
...
Fix extra argument with multiple =
2019-04-26 15:57:16 -07:00
Erik Wilson
c9941895d6
Bind kubelet to all interfaces and use webhook auth
2019-04-26 15:02:30 -07:00
galal-hussein
72d2edc0cb
Fix extra argument with multiple =
2019-04-25 22:49:03 +02:00
galal-hussein
bdf8a355e1
Add containerd config go template
2019-04-25 22:17:34 +02:00
Erik Wilson
1b2db423de
Add node name to node cert generation
2019-04-19 18:20:34 +00:00
Darren Shepherd
be24f837bb
Merge pull request #349 from erikwilson/missing-cgroup-pids-fix
...
Check for cgroup pids support
2019-04-15 15:52:07 -07:00
Erik Wilson
4bba04023d
Check for cgroup pids support
...
If cgroup pids are not supported add a feature-gates flag
SupportPodPidsLimit=false for kubelet.
2019-04-15 22:26:50 +00:00
Darren Shepherd
0e3711b8b7
Merge pull request #339 from km4rcus/cluster-domain-option
...
Add --cluster-domain option
2019-04-15 10:06:07 -07:00
Stuart Wallace
2268e028a2
Add ability to override flannel interface
2019-04-12 21:06:43 +01:00
Marco Mancini
b445bad171
Add --cluster-domain option
2019-04-12 08:06:35 +02:00
Erik Wilson
c48739206a
Enable aggregation layer
...
Configure kube-apiserver, kubelets, and kube-proxy for use with
aggregation layer in order for metrics-server deployment to function
correctly.
2019-04-11 22:43:31 +00:00
Darren Shepherd
046a817818
Add rootless support
2019-04-09 10:38:04 -07:00
galal-hussein
7794528aa1
Add extra flags for server and agent components
2019-04-09 08:20:38 +02:00
Darren Shepherd
a11ac8cc40
Pull in parallel for CRI
2019-04-08 22:50:59 -07:00
Darren Shepherd
3c7e103085
Updates for k8s 1.14
2019-04-08 22:50:59 -07:00
galal-hussein
e8c5b2498c
Change address to bind-address for scheduler and api
2019-03-31 14:55:56 +02:00
Erik Wilson
a4df9f4ab1
Kubelet resolv.conf DNS update
...
Allow the kubelet resolv-conf flag to be set, or automatically
discovered from /etc/resolv.conf & /run/systemd/resolve/resolv.conf if
no loopback devices are present, or create our own which points to
nameserver 8.8.8.8
2019-03-26 23:13:54 +00:00
Julien Salleyron
164b89bce4
fix review.
2019-03-04 21:46:37 +01:00
Darren Shepherd
70e6ca4ab8
Support external CRI implementations
2019-03-04 10:08:12 -07:00
Thorsten Schifferdecker
2c398c5d5f
Update server.go
...
fallback to the old --address part and enable the non-tls port to make healthz happy
2019-03-04 10:07:30 -07:00
Thorsten Schifferdecker
35cfc717d3
fix missing ","
2019-03-04 10:07:30 -07:00
Thorsten Schifferdecker
ee2fffb0ca
make the controller-manager and scheduler usable for the
...
componentstatus.
Fixes #126
Signed-off-by: Thorsten Schifferdecker <schifferdecker@b1-systems.de>
2019-03-04 10:07:30 -07:00
Darren Shepherd
fdb51c9f53
Cleanup docker cgroup errors in kubelet
2019-03-04 10:06:59 -07:00
Darren Shepherd
828ce5a24a
Disable watch caching, not needed for sqlite
2019-02-22 19:58:42 -07:00
Darren Shepherd
5e1ce4aa42
Cache self-signed loopback cert on startup
2019-02-07 21:45:31 -07:00
Darren Shepherd
af96c908da
Disable proxy hostname checks
2019-02-07 21:45:31 -07:00
Darren Shepherd
529aa431d1
Adjust debug logging and write containerd logs to a file
2019-02-07 21:45:31 -07:00
Darren Shepherd
287e0f44c9
Prepare for initial release
2019-01-22 14:20:29 -07:00
Darren Shepherd
62c62cc7b4
Continued refactoring
2019-01-11 21:52:30 -07:00
Darren Shepherd
9bb7c27c62
Initial Commit
2019-01-01 01:23:01 -07:00