There is no point to track more than 3 etcd versions at a time
where each etcd versions maps to a k8s CP version.
It's 3 instead of 2 (k8s CP / kubeadm version skew size) because
there is a period of time where the 3rd version (newest) will
be WIP at k/k master - e.g. at the time of this commit it's 1.31.
Add a unit test to block on this.
Also fixate the min etcd version to 3.5.11.
During upgrade apply we had logic to download the kubelet and
kubeproxy configs from the cluster as part of the call to:
FetchInitConfigurationFromCluster()
With the introduction of UpgradeConfiguration there was
some refactor in this area and the function no longer
had the argument skipComponentConfigs set to false.
It is set to 'true', an InitConfiguration is downloaded
but it would contain empty / defaulted component configs.
- Set the argument to 'false'
- Perform minor cleanup of STDOUT messages and comments.
that were missed in 1.30.
- Mark the phase 'init kubelet-finilize experimental-cert-rotation'
as deprecated and print a warning if its used directly. It should be
removed in 1.32.
- Add a replacement phase 'enable-client-cert-rotation'.
(!!) We should stop using the 'experimental' and 'alpha' names for
phases, clI flags and k8s object names as this complicates
the graduation and users will use the feature in production regardless.
Having a 'DEPRECATED' or 'EXPERIMENTAL' text in descriptions is
sufficient to indicate a status of a feature that should not be used
in production.
The function KubernetesReleaseVersion is being called in
a number of locations during unit tests but by default it
uses a "fetch version from URL" approach.
- Update the function to return a placeholder version
during unit tests.
- Update unit tests for this function.
- Update strings / comments in other version_tests.go
locations.
The improvement is significant:
time go test k8s.io/kubernetes/cmd/kubeadm/app/... -count=1
before:
real 2m47.733s
after:
real 0m10.234s
If users don't pass any --nodeport-addresses, suggest they should pass
`--nodeport-addresses primary`, to avoid accepting NodePort
connections on all interfaces.
If users pass a single-stack --nodeport-addresses in what looks like a
dual-stack cluster, warn them that they probably ought to be passing a
dual-stack --nodeport-addresses.
The behavior when you specify no --nodeport-addresses value in a
dual-stack cluster is terrible and we can't fix it, for
backward-compatibility reasons. Actually, the behavior when you
specify no --nodeport-addresses value in a single-stack cluster isn't
exactly awesome either...
Allow specifying `--nodeport-addresses primary` to get the
previously-nftables-backend-specific behavior of listening on only the
node's primary IP or IPs.
According to kubeadm repo ticket 1665, /etc/pki
can contain subdirectories with private keys on some distros.
Avoid mounting the entire /etc/pki and mount /etc/pki/ca-trust
and /etc/pki/tls/certs instead. These directories are mounted
as an extra locations which can be used to search
for additional system CAs.
Currently, there are some unit tests that are failing on
Windows due to various reasons:
- time.Now() is not as precise on Windows, which means that
2 consecutive calls may return the same timestamp.
- Different "File not found" error messages on Windows.
- The default Container Runtime URL scheme on Windows is npipe, not unix.
