Commit Graph

1298 Commits

Author SHA1 Message Date
Julie Qi
2a4a1c1d00 disable aufs module 2021-07-21 23:25:19 -07:00
Matthew Cary
60d446fe3d Drop end of sunrpc port range to avoid port conflicts.
Change-Id: I1561fe447f50d9ac835094b3cceba62ea74dfd81
2021-07-13 18:38:40 +00:00
Cong Liu
6c87c22277 Add structured logging for more steps 2021-07-09 15:35:44 -07:00
Kubernetes Prow Robot
5e3bed6399
Merge pull request #101433 from SergeyKanzhelev/patch-1
Make the service account error more apparent
2021-07-05 03:23:13 -07:00
Marian Lobur
5d80d6e7c3 Make cpu request of kube proxy configurable by env variable. 2021-07-02 16:00:56 +02:00
Piotr Tabor
de442ef860 Retry hostname->IP: [Errno -2] Name or service not known
During cluster configuration, the hostname is getting resolved to IP,
as etcd requires IP address as listening address.

Due to connectivity flakes or delayed network inititalization, sometimes
the IP fails to be resolved to a name with following error:
```
[Errno -2] Name or service not known
```
that leads to attempt to run etcd with empty flag.

The PR adds a proper retry (up to 5 minutes) in case the connectivity
problems happens.

I considered alternatives like: `getent hosts foo`, but unfortunetelly thay
can return IPv6 that etcd is not ready for (yet).
2021-07-01 12:20:07 +02:00
Sergey Kanzhelev
210c610d66 make sure to split NPD hashes by architecture when upgrading to 0.8.9 2021-07-01 08:12:35 +00:00
pacoxu
ffdf3f5007 update node-problem-detector npd to v0.8.8
Signed-off-by: pacoxu <paco.xu@daocloud.io>
Co-Authored-By: vteratipally <vteratipally@users.noreply.github.com>
2021-06-29 09:35:32 +08:00
pacoxu
f05f30943d kube-apiserver in gce: use --api-audiences as --service-account-api-audiences is deprecated
Signed-off-by: pacoxu <paco.xu@daocloud.io>
2021-06-22 11:09:46 +08:00
Vinayak Goyal
774d228637 remove the path if it exists before writing pki data.
if setfacl is called before chmod g+r at anypoint during the lifetime of
the cluster then the default group does not have read permissions on the
file. so we explicitly grant the default group read permissions. See
https://gist.github.com/mmdriley/85ca34f711acbec4b1b94902add488e5 for a
repro.
2021-06-18 11:03:37 -07:00
Joseph Anttila Hall
9d514b2de4 Konnectivity: tune flags for larger clusters (5k nodes). 2021-06-10 14:05:44 -07:00
Kubernetes Prow Robot
9d27400fe2
Merge pull request #102040 from njuptlzf/fix_conversion
Fix auditing failed of request: encoding failed
2021-06-05 19:58:38 -07:00
njuptlzf
7b0fbb7292 add audit log test cases for cross-group subresource 2021-06-06 09:52:05 +08:00
Kubernetes Prow Robot
74af3b712d
Merge pull request #102297 from deads2k/ssh-tunnels
remove --ssh- options, deprecated 13 releases, that only work on GCE
2021-06-05 10:40:50 -07:00
Marek Siarkowicz
4ebc0c94a4 Remove legacy metrics client from podautoscaler 2021-06-04 23:06:32 +02:00
David Eads
ae603a38bc remove -ssh-user from cluster scripts for GCE 2021-06-03 17:53:09 -04:00
Kubernetes Prow Robot
bc8acbc43e
Merge pull request #102328 from lentzi90/update-cni-plugins
Update CNI plugins v0.9.1
2021-05-28 10:16:46 -07:00
Kubernetes Prow Robot
d541872f9a
Merge pull request #102239 from Haleygo/clean-up-AlgorithmProvider-flag-and-pkg
clean up algorithmprovider pkg and remove scheduler deprecated algorithm-provider flag
2021-05-27 00:54:23 -07:00
Lennart Jern
507710b50f
Update CNI plugins v0.9.1
ref: https://github.com/containernetworking/plugins/releases/tag/v0.9.1
Signed-off-by: Lennart Jern <lennart.jern@est.tech>
2021-05-26 11:02:04 +03:00
Haleygo
2769e99dba remove scheduler deprecated algorithm-provider flag and clean up algorithmprovider pkg 2021-05-26 13:19:44 +08:00
Kubernetes Prow Robot
06d44d2f42
Merge pull request #101168 from mikedanese/warning
add a warning about the filter table
2021-05-24 21:48:40 -07:00
Kubernetes Prow Robot
77937b1e8e
Merge pull request #101628 from bobbypage/addon-termination-handler
Remove node termination handler addon
2021-05-24 11:31:39 -07:00
Kubernetes Prow Robot
e8cf412e5e
Merge pull request #101881 from vinayakankugoyal/konnectivity
Update konnectivity network proxy server to run as non-root, by defau…
2021-05-13 23:16:04 -07:00
Sergey Kanzhelev
72fe1b722c Make the service account error more apparent 2021-05-14 04:39:24 +00:00
Vinayak Goyal
b951b9349f Update konnectivity network proxy server to run as non-root, by default in kube-up. 2021-05-13 12:35:34 -07:00
Avritt Rohwer
0a5a697882 Fix bug in retry-forever usage.
- Push retry-forever wrapping to curl invocations.
- Collect curl retry flags into a single variable.
- Remove 'sudo: false' in master.yaml, is unnecessary and breaks older
  cloud-init versions.
- Change log-error status reason to be more accurate.
- Fix the some 'python' invocations to 'python3'.
2021-05-12 09:22:20 -07:00
Kubernetes Prow Robot
ca0c04e4d3
Merge pull request #101164 from vinayakankugoyal/apiservernonroot
Run control-plane as non root in kube-up.
2021-05-06 17:33:14 -07:00
Kubernetes Prow Robot
1f3fd1cb80
Merge pull request #101751 from vinayakankugoyal/sshproxy
Recursive chown the /etc/srv/sshproxy if kube-apiserver is running as…
2021-05-06 15:15:51 -07:00
Kubernetes Prow Robot
8955f55fcf
Merge pull request #101678 from vinayakankugoyal/goodbye-basicauth
Remove remnants of basic auth from cluster bootstrap.
2021-05-06 14:14:14 -07:00
Vinayak Goyal
6aa495ddc6 Revert - Recursive chown the /etc/srv/sshproxy if kube-apiserver is running as non root. This way if a key already exists we will be able to read it. 2021-05-06 14:02:53 -07:00
Vinayak Goyal
487583bd0a Recursive chown the /etc/srv/sshproxy if kube-apiserver is running as non root. This way if a key already exists we will be able to read it. 2021-05-05 15:23:04 -07:00
Vinayak Goyal
406ceae991 Recursive chown the /etc/srv/sshproxy if kube-apiserver is running as non root. This way if a key already exists we will be able to read it. 2021-05-05 14:49:59 -07:00
David Porter
dac06aefb0 Revert "Revert "cluster: Use python3 everywhere""
This reverts commit 7038338e0f.
2021-05-03 21:43:15 -07:00
Kubernetes Prow Robot
c5b900b69c
Merge pull request #97399 from davidxia/comment-typo
Fix typo in comment
2021-05-01 04:57:59 -07:00
Vinayak Goyal
b87762966d Remove remnants of basic auth from cluster bootstrap. 2021-04-30 11:23:14 -07:00
David Porter
e02ff0687e Remove node termination handler addon 2021-04-29 14:42:23 -07:00
Paco Xu
7038338e0f
Revert "cluster: Use python3 everywhere" 2021-04-26 11:21:44 +08:00
David Porter
3f87f4f278 Use python3 everywhere 2021-04-23 14:33:58 -07:00
Kubernetes Prow Robot
ae35c6f10c
Merge pull request #101255 from basantsa1989/stack-type
Adding stack-type to gce cloud config (to be used for dual stack in legacy-cloud-providers gce code)
2021-04-22 15:55:28 -07:00
Kubernetes Prow Robot
6aa683e9cf
Merge pull request #100639 from zshihang/proxy
dnat to 169.254.169.252 for metadata server traffic
2021-04-21 11:15:51 -07:00
Ikko Ashimine
f69a2b40da
Fix typo in gci/README.md
becase -> because
2021-04-21 21:35:05 +09:00
Kubernetes Prow Robot
41505f7109
Merge pull request #101176 from jkh52/master
kube-master-installation: improve systemd cross-unit robustness.
2021-04-20 00:42:45 -07:00
Kubernetes Prow Robot
46b0ad1327
Merge pull request #101207 from vinayakankugoyal/sshproxy
If kube-apiserver is running as non-root then set the permissions of …
2021-04-19 17:24:33 -07:00
Joseph Anttila Hall
05bcc72dc2 kube-master-installation: reboot on failure.
Also some minor reliability tweaks.
2021-04-19 17:16:21 -07:00
Vinayak Goyal
94e34da471 If kube-apiserver is running as non-root then set the permissions of /etc/srv/sshproxy accordingly. 2021-04-19 13:16:06 -07:00
Basant Amarkhed
e15d811652 Adding stack-type to cloud config (to be used for dual stack in legacy-cloud-providers code) 2021-04-19 19:06:55 +00:00
Shihang Zhang
297ad30610 dnat to 169.254.169.252 for metadata server traffic 2021-04-19 10:47:51 -07:00
Kubernetes Prow Robot
28c877dcb6
Merge pull request #101043 from benhxy/tls-2
Use GKE specific configuration for kubeconfig file generation
2021-04-16 11:54:51 -07:00
Kubernetes Prow Robot
7ecd93ea1e
Merge pull request #100764 from benhxy/tls
Use GKE specific configuration for kube-apiserver SNI cert
2021-04-15 19:52:22 -07:00
Mike Danese
ba3fc65072 add a warning about the filter table 2021-04-15 16:22:28 -07:00
Kubernetes Prow Robot
24350a922e
Merge pull request #101086 from enj/enj/i/auth_owners_gen
Prune stale entries from OWNERS files
2021-04-15 08:27:50 -07:00
Maciej Borsz
493adbada9 Do not grep for curl --help for --retry-connrefused 2021-04-14 08:32:21 +02:00
Kubernetes Prow Robot
f1c037889d
Merge pull request #100770 from avrittrohwer/configure-script-logging
Add configure script logging instrumentation
2021-04-13 18:06:42 -07:00
Monis Khan
91241eac9b
Prune stale entries from OWNERS files
Signed-off-by: Monis Khan <mok@vmware.com>
2021-04-13 20:54:50 -04:00
Kubernetes Prow Robot
318db993c8
Merge pull request #101020 from cindy52/bugfix/etcd
Change file owner of /mnt/disks/master-pd/var/etcd  instead of /var/etcd
2021-04-13 12:09:47 -07:00
Avritt Rohwer
d4495183c9 Add configure script logging instrumentation.
- Add log functions to facilitate debug logging.
- Wrap commands called in main with debug logging.
- Configure a systemd service to forward the logs to the serial port.
- Add a 'retry-forever' function to harden download steps.
- Add default value support to 'get-metadata-value' function.
- Fix some spellcheck lints.
2021-04-13 09:30:49 -07:00
Ben Hu
e3270e532c GKE specific kubeconfig 2021-04-12 22:47:39 +00:00
Ben Hu
ccb742c43c Resolve comments. Remove kubeconfig changes. 2021-04-12 22:39:53 +00:00
Cindy Guo
03f60f4b60 chown on /mnt/disks/master-pd/var/etcd instead of /var/etcd 2021-04-12 08:21:01 +00:00
Kubernetes Prow Robot
a96000311f
Merge pull request #100956 from saschagrunert/cri-tools
Update cri-tools to v1.21.0
2021-04-12 00:35:59 -07:00
Kubernetes Prow Robot
99301e672b
Merge pull request #100436 from vinayakankugoyal/apiservernonroot
Fix kube-apiserver manifest.
2021-04-10 20:29:35 -07:00
Antonio Ojea
93f4727aab gce configure containerd default_runtime_name
move config to v2
2021-04-11 00:48:22 +02:00
Kubernetes Prow Robot
5b038e6cff
Merge pull request #100635 from cindy52/etcd/rootless
Run the etcd as non-root
2021-04-09 05:19:37 -07:00
Sascha Grunert
33e0e035ea
Update cri-tools to v1.21.0
This updates crictl to the latest available release.

Signed-off-by: Sascha Grunert <sgrunert@redhat.com>
2021-04-09 11:05:13 +02:00
Kubernetes Prow Robot
96db2323a4
Merge pull request #100041 from vteratipally/update_npd_version
bump npd version to latest v0.8.7
2021-04-08 17:10:55 -07:00
Cindy Guo
9f058079d2 run etcd as nonroot
Co-authored-by: Vinayak Goyal <vinayakankugoyal@gmail.com>
2021-04-08 20:51:45 +00:00
Ben Hu
a2d094797d Use GKE specific configuration in startup scripts in GKE deployment. 2021-04-02 00:10:53 +00:00
Vinayak Goyal
4b3271a542 Fix kube-apiserver manifest. 2021-03-21 16:24:56 -07:00
Maciej Szulik
a3a26171d1
Run GCE unit tests as non-root 2021-03-18 12:14:24 +01:00
varsha teratipally
90983f66e4 Moving docker options to daemon.json
As per the new docker guidelines about customizing the options
like adding registry-mirrors, moving the options to daemon.json
2021-03-10 19:14:48 +00:00
Varsha Teratipally
82434ec818 bump npd version to latest v0.8.7 2021-03-09 22:48:27 +00:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Vinayak Goyal
c63ff05e6d Run kube-apiserver as non-root. 2021-02-22 20:48:16 -08:00
Kubernetes Prow Robot
874877fa44
Merge pull request #99216 from ruiwen-zhao/remove_modprobe
Remove modprobe configs from configure-helper
2021-02-22 17:24:32 -08:00
Cong Liu
03709c0ece Add arm64 support for GCE node configuration
Fix typo

Add TODO
2021-02-19 14:22:26 -08:00
ruiwen-zhao
c053b232ba Remove modprobe configs from configure-helper 2021-02-18 22:57:44 +00:00
Benjamin Elder
299c561b10 portably configure tempdir in configure-helper.sh
fixes a `make test` failure on macOS
2021-02-12 01:15:14 -08:00
Joakim Roubert
3dd3211c81 Fix shellcheck failures in cluster/gce/gci/configure.sh
Signed-off-by: Joakim Roubert <joakimr@axis.com>
2021-02-10 19:23:31 +01:00
Kubernetes Prow Robot
b87ae556b3
Merge pull request #95865 from joakimr-axis/joakimr-axis_master-helper.sh
Fix shellcheck issues in cluster/gce/gci/master-helper.sh
2021-02-09 17:43:00 -08:00
Matthew Cary
9a7dcd36c1 Disallow local loopback for volume hosts
Change-Id: Ic356c3f859057153cfad97327f1938792a1a512c
2021-01-26 17:12:51 -08:00
Kubernetes Prow Robot
1a67280508
Merge pull request #98037 from vinayakankugoyal/kube-controller-manager-crp
Update configure-helper.sh to early exit from start-kube-controller-m…
2021-01-25 12:38:59 -08:00
Vinayak Goyal
31807032e0 Update configure-helper.sh to early exit from start-kube-controller-manager if kube-controller-manager is deployed through CRP. 2021-01-20 16:22:46 -08:00
Kubernetes Prow Robot
1bfa1d4619
Merge pull request #98055 from qingsenLi/20210114
fix typo and decs in apiserver_etcd_test.go
2021-01-19 18:49:58 -08:00
Kubernetes Prow Robot
176c4c7916
Merge pull request #96823 from hasheddan/cleanup-cos-doc
Cleanup GCI / COS README.md
2021-01-19 17:07:59 -08:00
Kubernetes Prow Robot
9da11e294f
Merge pull request #97868 from mtaufen/pki-tmpfs
Mount /var/lib/kubelet/pki on tmpfs
2021-01-14 10:47:04 -08:00
10177505
deb509a068 fix typo and decs 2021-01-14 16:55:45 +08:00
rajibmitra
69aae7aa6c Update cri-tools to v1.20.0
Signed-off-by: rajibmitra <rajib.jolite@gmail.com>
2021-01-12 19:02:51 +05:30
Michael Taufen
9f9e235b9d Mount /var/lib/kubelet/pki on tmpfs
This helps avoid some rare instances of corrupt cert files
that cause Kubelet to crash-loop after node reboots, e.g.
if Kubelet opens the file during the shutdown but is unable
to write it.
2021-01-08 18:04:35 -08:00
Kubernetes Prow Robot
8b5aeeedb4
Merge pull request #97742 from benhxy/apiserver-cipher
Configure --tls-cipher-suites on kube-apiserver
2021-01-08 13:44:29 -08:00
Jian Zeng
8c1971e17c chore(gce): pass auth flags to KCM and KS
Pass flags `--authentication-kubeconfig` and
`--authorization-kubeconfig` to controller-manager and scheduler,
so that we could grab metrics from their secure ports in tests.
2021-01-06 12:56:39 +08:00
Ben Hu
624b214481 Configure --tls-cipher-suites on kube-apiserver. 2021-01-06 00:31:39 +00:00
Sergey Kanzhelev
d78db9f161 configure docker on containerd nodes so it wouldn't reserver 172.17 subnet 2020-12-23 18:49:57 +00:00
David Xia
0756e54dfc
Fix typo in comment 2020-12-21 20:02:20 -05:00
Ben Hu
9581c40887 Revert "Use host IP instead of localhost for control plane component kubeconfig files."
This reverts commit 49afcfa5f2.
2020-12-11 22:36:39 +00:00
Maciej Borsz
7f09d59215 Migrate etcd's livenessProbe to etcdctl endpoint health.
Change-Id: Ie19c844050c75e3d1c4b431d09ba0ac851c5317b
2020-12-11 12:43:02 +01:00
Kubernetes Prow Robot
ee8983705a
Merge pull request #96679 from stmcginnis/appspot-cleanup
Remove stale analytics links from docs
2020-12-10 23:17:22 -08:00
Kubernetes Prow Robot
cad9a8277d
Merge pull request #97127 from liggitt/revert-etcd-host-ip
Revert "iAdd host IP to etcd listen client URLs."
2020-12-08 22:01:52 -08:00
Kubernetes Prow Robot
d2e7abb153
Merge pull request #96839 from vinayakankugoyal/crp
Update configure-helper.sh to early exit from start-kube-scheduler if…
2020-12-08 20:03:51 -08:00
Kubernetes Prow Robot
56d7f138de
Merge pull request #96622 from vinayakankugoyal/groupfix
If the file already exists we need to grant group read permissions ex…
2020-12-08 17:29:59 -08:00
Jordan Liggitt
8820dc4522 Revert "iAdd host IP to etcd listen client URLs."
This reverts commit 8b4e164a78.
2020-12-08 11:37:13 -05:00