Kernel 5.11 added support for rootless overlayfs, but still incompatible
with SELinux, so we should always use fuse-overlayfs.
Related: moby/moby issue 42333
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
- bump the runc version to v1.0.0-rc94
- build runc from its own source tree instead of from ./vendor/
- side-steps incompatibility with upstream kubelet container manager
Signed-off-by: Jacob Blain Christen <dweomer5@gmail.com>
* Move registries.yaml handling out to rancher/wharfie
* Add system-default-registry support
* Add CLI support for kubelet image credential providers
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Problem:
Only the client CA is passed to the kube-controller-manager and
therefore CSRs with the signer name "kubernetes.io/kubelet-serving" are
signed with the client CA. Serving certificates must be signed with the
server CA otherwise e.g. "kubectl logs" fails with the error message
"x509: certificate signed by unknown authority".
Solution:
Instead of providing only one CA via the kube-controller-manager
parameter "--cluster-signing-cert-file", the corresponding CA for every
signer is set with the parameters
"--cluster-signing-kube-apiserver-client-cert-file",
"--cluster-signing-kubelet-client-cert-file",
"--cluster-signing-kubelet-serving-cert-file", and
"--cluster-signing-legacy-unknown-cert-file".
Signed-off-by: Siegfried Weber <mail@siegfriedweber.net>
Add `.github/workflows/cgroup2.yaml` for running Fedora on Vagrant on
GitHub Actions to test cgroup2 environment.
Only very basic smoke tests are executed, as Vagrant is too slow to run
the entire sonobuoy.
Relevant:
- kubernetes-sigs/kind PR 2017
- https://github.com/rootless-containers/usernetes/blob/v20210201.0/.github/workflows/main.yaml
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
The kube-apiserver cert should have the same SANs in the same order,
excluding the extra user-configured SANs since this will only be used
in-cluster.
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
If key ends in "+" the value of the key is appended to previous
values found. If values are string instead of a slice they are
automatically converted to a slice of one string.
Signed-off-by: Darren Shepherd <darren@rancher.com>