7265908e7f
Automatic merge from submit-queue
Cleanup fluentd-gcp image, rebase on debian-base
**Why we need this PR**:
There are several problems with our current fluentd-gcp image:
- It pulls in lots of unused packages, which expose unnecessary risk and create noise in CVE scans (and scare customers). The most notable example is the fluent-ui, which pulls in rails.
- `curl | sh ` is not a good practice for a Dockerfile. First, the script is not checked in the same source control branch, so builds are not reproducible. Second, the actions it is taking are opaque. Third, in this case, using non-standard packages means they're harder to manage with CVE scans & upstream fixes.
**What is changed by this PR?**
- Rather than relying on td-agent (which includes fluent-ui), use standard upstream packages. This is largely based off the [official fluentd debian-based image](https://github.com/fluent/fluentd-docker-image/blob/master/v0.12/debian/Dockerfile).
- Rebases the image on debian-base (depends on https://github.com/kubernetes/kubernetes/pull/41915). We would like to move towards a single full-distro base image we can maintain. This change should be relatively minor.
As a result of these changes, the image size is reduced from 360.6 MB to 185.8 MB (nearly half). Many packages were removed, and the full diff (focus on the unversioned files) is listed here:
|
||
|---|---|---|
| .. | ||
| addon-manager | ||
| calico-policy-controller | ||
| cluster-loadbalancing | ||
| cluster-monitoring | ||
| dashboard | ||
| dns | ||
| dns-horizontal-autoscaler | ||
| e2e-rbac-bindings | ||
| etcd-empty-dir-cleanup | ||
| fluentd-elasticsearch | ||
| fluentd-gcp | ||
| node-problem-detector | ||
| podsecuritypolicies | ||
| python-image | ||
| rbac | ||
| registry | ||
| storage-class | ||
| BUILD | ||
| README.md | ||
README.md
Cluster add-ons
Overview
Cluster add-ons are resources like Services and Deployments (with pods) that are shipped with the Kubernetes binaries and are considered an inherent part of the Kubernetes clusters.
There are currently two classes of add-ons:
- Add-ons that will be reconciled.
- Add-ons that will be created if they don't exist.
More details could be found in addon-manager/README.md.
Cooperating Horizontal / Vertical Auto-Scaling with "reconcile class addons"
"Reconcile" class addons will be periodically reconciled to the original state given
by the initial config. In order to make Horizontal / Vertical Auto-scaling functional,
the related fields in config should be left unset. More specifically, leave replicas
in ReplicationController / Deployment / ReplicaSet unset for Horizontal Scaling,
leave resources for container unset for Vertical Scaling. The periodic reconcile
won't clobbered these fields, hence they could be managed by Horizontal / Vertical
Auto-scaler.
Add-on naming
The suggested naming for most of the resources is <basename> (with no version number).
Though resources like Pod, ReplicationController and DaemonSet are exceptional.
It would be hard to update Pod because many fields in Pod are immutable. For
ReplicationController and DaemonSet, in-place update may not trigger the underlying
pods to be re-created. You probably need to change their names during update to trigger
a complete deletion and creation.