Commit Graph

935 Commits

Author SHA1 Message Date
Kubernetes Submit Queue
5f82f129df Merge pull request #46203 from simt2/fluentd-elasticsearch-rbac
Automatic merge from submit-queue (batch tested with PRs 46151, 47602, 47507, 46203, 47471)

Add RBAC support to fluentd-elasticsearch cluster addon

**What this PR does / why we need it**:
Adds rbac support to the fluentd-elasticsearch addon

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #46023 

**Special notes for your reviewer**:

**Release note**:

```release-note
Add RBAC support to fluentd-elasticsearch cluster addon
```
2017-06-23 05:08:28 -07:00
Kubernetes Submit Queue
509c4351df Merge pull request #47507 from yiqinguo/yiqinguo_es_addargs
Automatic merge from submit-queue (batch tested with PRs 46151, 47602, 47507, 46203, 47471)

es discovery support args apiserver-host and kubeconfig

Now discovery elasticsearch through kubernetes client,but now does not support specifying the apiserver-host or kubeconfig create client.
2017-06-23 05:08:26 -07:00
Kubernetes Submit Queue
0cbd0ca189 Merge pull request #47915 from crassirostris/fix-event-exporter-noise
Automatic merge from submit-queue

Bump event-exporter version to reduce warnings noise

Fixes https://github.com/kubernetes/kubernetes/issues/47914
2017-06-23 03:45:20 -07:00
Kubernetes Submit Queue
9e71b122f5 Merge pull request #47922 from dnardo/ip-masq-agent
Automatic merge from submit-queue

Remove limits from ip-masq-agent for now and disable ip-masq-agent in GCE

ip-masq-agent when issuing an iptables-save will read any configured iptables on the node.  This means that the ip-masq-agent's memory requirements would grow with the number of iptables (i.e. services) on the node.



**What this PR does / why we need it**:

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #
#47865
**Special notes for your reviewer**:

**Release note**:

```release-note
```
2017-06-22 20:41:26 -07:00
Daniel Nardo
630fb9657a Remove limits from ip-masq-agent for now.
ip-masq-agent when issuing an iptables-save will read
any configured iptables on the node.  This means that
the ip-masq-agent's memory requirements would grow
with the number of iptables (i.e. services) on the node.

Disable ip-masq-agent in GCE
2017-06-22 17:01:22 -07:00
Kubernetes Submit Queue
e8fb4abcb7 Merge pull request #47519 from mikalv/fix_broken_cmd_in_registry_docs
Automatic merge from submit-queue

Fix broken command in registry addon document

**What this PR does / why we need it**:

Fix a command example in registry addon document so it matches the example yaml above.
2017-06-22 16:43:55 -07:00
Kubernetes Submit Queue
045a6dca07 Merge pull request #47906 from gmarek/fluentd
Automatic merge from submit-queue

Decrese fluentd cpu request

Fix #47905

cc @piosz - this should fix your tests.
cc @dchen1107
2017-06-22 12:27:13 -07:00
Mik Vyatskov
3932622303 Bump event-exporter version to reduce warnings noise 2017-06-22 19:49:23 +02:00
Kubernetes Submit Queue
de4c381219 Merge pull request #47877 from ixdy/update-1.7-images
Automatic merge from submit-queue

Update addons with upstream CVE fixes

**What this PR does / why we need it**: refreshes the kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for the following vulnerabilities:
* CVE-2016-4448
* CVE-2016-9841
* CVE-2016-9843
* CVE-2017-1000366
* CVE-2017-2616
* CVE-2017-9526

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #47386 (yay!)

**Special notes for your reviewer**:

**Release note**:

```release-note
Update kube-dns, metadata-proxy, and fluentd-gcp, event-exporter, prometheus-to-sd, and ip-masq-agent addons with new base images containing fixes for CVE-2016-4448, CVE-2016-9841, CVE-2016-9843,  CVE-2017-1000366, CVE-2017-2616, and CVE-2017-9526.
```
/assign @bowei @MrHohn @Q-Lee @crassirostris @dnardo 
/cc @dchen1107 @timstclair
2017-06-22 09:31:51 -07:00
gmarek
8427d5a274 Decrease fluentd cpu request 2017-06-22 18:30:21 +02:00
Daniel Nardo
d0c252f673 Bump the memory request/limit for ip-masq-daemon. 2017-06-21 19:05:03 -07:00
Jeff Grafton
edd92fc3c5 Update metadata-proxy to 0.1.2 2017-06-21 15:13:52 -07:00
Jeff Grafton
405f38c43f Update kube-dns images to 1.14.3 2017-06-21 15:13:48 -07:00
Jeff Grafton
f19bd0561f Update ip-masq-agent to v2.0.2 2017-06-21 14:08:13 -07:00
Jeff Grafton
4c7c865ff6 Update fluentd-gcp to 2.0.7 2017-06-21 14:08:12 -07:00
Jeff Grafton
b43bb842ad Update event-exporter to v0.1.0-r2 and prometheus-to-sd to v0.1.2-r2 2017-06-21 14:08:09 -07:00
Daniel Nardo
fc279e069e Add ip-masq-agent readiness label by default. Since we are
setting the non-masq-cidr in the kubelet to 0.0.0.0/0 we
need to ensure the ip-masq-agent runs.

Add node label pre-req back to ip-masq-agent.

Make gce test consistent with gce default scripts.
2017-06-20 16:19:50 -07:00
Mike Danese
a58ad9f470 Revert "Require a label to indicate ip-masq-agent readiness. " 2017-06-20 10:51:06 +01:00
Dawn Chen
d066dd79d9 Merge pull request #47764 from dnardo/ip-masq-agent
Require a label to indicate ip-masq-agent readiness.
2017-06-19 20:00:42 -07:00
yiqinguo
b0c57c081e es discovery support args apiserver-host and kubeconfig 2017-06-20 09:15:23 +08:00
Daniel Nardo
2aa1277261 Require a label to indicate ip-masq-agent readiness. This prevents
a daemonset running on nodes where the master is 1.7 and has this
enabled by default, however, the nodes are still < 1.7.
2017-06-19 17:41:17 -07:00
Kubernetes Submit Queue
1e76d9e1d5 Merge pull request #47356 from dashpole/master_critical_pods
Automatic merge from submit-queue (batch tested with PRs 47669, 40284, 47356, 47458, 47701)

Mark Static pods on the Master as critical

fixes #47277.

A known issue with static pods is that they do not interact well with evictions.  If a static pod is evicted or oom killed, then it will never be recreated.  To mitigate this, we do not evict static pods that are critical.  In addition, non-critical pods are candidates for preemption if a critical pod is scheduled to the node.  If there are not enough allocatable resources on the node, this causes the static pod to be preempted.

This PR marks all static pods in the kube-system namspace as critical.

cc @vishh @dchen1107
2017-06-19 15:25:01 -07:00
Casey Davenport
2ba0f1c211 Set Typha replica count to 0 when Calico is not enabled 2017-06-19 11:08:17 -07:00
Jacob Simpson
334de1cbe1 Auto approve kubelet certificate signing requests. 2017-06-16 08:47:12 -07:00
simt2
4bc0da349d Add rbac support to fluentd-elasticsearch 2017-06-16 08:44:24 +02:00
Jeff Grafton
641f8c1f29 Revert "Update fluentd-gcp to 2.0.6"
This reverts commit 0bcc271b28.
2017-06-15 11:46:17 -07:00
Jeff Grafton
0bcc271b28 Update fluentd-gcp to 2.0.6 2017-06-14 13:32:03 -07:00
Jeff Grafton
702617815d Update metadata-proxy to 0.1.1 2017-06-14 13:31:47 -07:00
Jeff Grafton
d5bd3c488a Update cluster-proportional-autoscaler-amd64 to 1.1.2-r2 2017-06-14 12:42:23 -07:00
Mikal
a636896499 Fix broken command in registry addon document 2017-06-14 15:50:33 +02:00
Kubernetes Submit Queue
38fa5dc33a Merge pull request #47402 from crassirostris/fix-fluentd-metrics-port
Automatic merge from submit-queue (batch tested with PRs 47302, 47389, 47402, 47468, 47459)

Change port on which fluentd exposes its metrics

Fix https://github.com/kubernetes/kubernetes/issues/47397

/cc @Q-Lee @nicksardo

```release-note
Stackdriver Logging deployment exposes metrics on node port 31337 when enabled.
```
2017-06-13 23:37:50 -07:00
Kubernetes Submit Queue
d8983699e0 Merge pull request #47389 from ixdy/kube-addon-manager-update
Automatic merge from submit-queue (batch tested with PRs 47302, 47389, 47402, 47468, 47459)

Update to kube-addon-manager:v6.4-beta.2: kubectl v1.6.4 and refreshed base images

**What this PR does / why we need it**: refreshes base images for kube-addon-manager with fixes for CVE-2016-9841 and CVE-2016-9843.

x-ref https://github.com/kubernetes/kubernetes/issues/47386

**Special notes for your reviewer**: the updated images are not yet pushed, so tests will fail until that's done.

**Release note**:

```release-note
```

/assign @MrHohn
2017-06-13 23:37:43 -07:00
Mik Vyatskov
1cc2235c17 Change port on which fluentd exposes its metrics 2017-06-13 08:15:34 +02:00
Jeff Grafton
eddf98d2c8 Update to kube-addon-manager:v6.4-beta.2: new kubectl and base images 2017-06-12 19:28:23 -07:00
Kubernetes Submit Queue
b01e8d9809 Merge pull request #47188 from caseydavenport/calico-typha
Automatic merge from submit-queue (batch tested with PRs 47000, 47188, 47094, 47323, 47124)

Add Calico typha agent

**What this PR does / why we need it**:

- Adds the Calico typha agent with autoscaling to the GCE scripts. 
- Adds logic to adjust Calico resource requests based on cluster size.

Fixes https://github.com/kubernetes/kubernetes/issues/47269

**Special notes for your reviewer**:

CC @dnardo 

**Release note**:
```release-note
NONE
```
2017-06-12 18:19:45 -07:00
David Ashpole
e223eb93b5 make all static system pods critical 2017-06-12 15:22:04 -07:00
Casey Davenport
948c6c8027 Change how Typha CPU / replias are determined. 2017-06-12 13:13:16 -07:00
Kubernetes Submit Queue
695d438508 Merge pull request #46539 from crassirostris/fluentd-gcp-make-privileged
Automatic merge from submit-queue

Make fluentd-gcp run with host network

Fluentd-gcp should have access to instance's platform-dependent service account in order to work.

/cc @piosz
2017-06-12 10:13:21 -07:00
Casey Davenport
83ec0d87ff Make calico/node resource requests dynamic based on cluster size 2017-06-11 16:11:57 -07:00
Casey Davenport
88d3245671 Add the Calico Typha agent 2017-06-11 16:11:57 -07:00
Casey Davenport
8ef6b06d39 Use ip-masq-agent for MASQUERADE when using Calico policy 2017-06-11 16:11:56 -07:00
Kubernetes Submit Queue
c0a3d26746 Merge pull request #46750 from cjcullen/grabbag
Automatic merge from submit-queue

Remove e2e-rbac-bindings.

Replace todo-grabbag binding w/ more specific heapster roles/bindings.
Move kubelet binding.

**What this PR does / why we need it**:
The "e2e-rbac-bindings" held 2 leftovers from the 1.6 RBAC rollout process:
 - One is the "kubelet-binding" which grants the "system:node" role to kubelet. This is needed until we enable the node authorizer. I moved this to the folder w/ some other kubelet related bindings.
 - The other is the "todo-remove-grabbag-cluster-admin" binding, which grants the cluster-admin role to the default service account in the kube-system namespace. This appears to only be required for heapster. Heapster will instead use a "heapster" service account, bound to a "system:heapster" role on the cluster (no write perms), and a "system:pod-nanny" role in the kube-system namespace.

**Which issue this PR fixes**: Addresses part of #39990

**Release Note**: 
```release-note
New and upgraded 1.7 GCE/GKE clusters no longer have an RBAC ClusterRoleBinding that grants the `cluster-admin` ClusterRole to the `default` service account in the `kube-system` namespace.
If this permission is still desired, run the following command to explicitly grant it, either before or after upgrading to 1.7:
    kubectl create clusterrolebinding kube-system-default --serviceaccount=kube-system:default --clusterrole=cluster-admin
```
2017-06-09 13:06:30 -07:00
Kubernetes Submit Queue
9c1b2aa9b5 Merge pull request #46743 from Random-Liu/bump-up-npd
Automatic merge from submit-queue

Bump up npd version to v0.4.0

Fixes #47070.

Bump up npd version to [v0.4.0](https://github.com/kubernetes/node-problem-detector/releases/tag/v0.4.0).

```release-note
Bump up Node Problem Detector version to v0.4.0, which added support of parsing log from /dev/kmsg and ABRT.
```

/cc @dchen1107 @ajitak
2017-06-08 08:24:18 -07:00
Random-Liu
1d3979190c Bump up npd version to v0.4.0 2017-06-06 16:30:02 -07:00
Kubernetes Submit Queue
6ed4bc7b97 Merge pull request #46828 from cblecker/links-update
Automatic merge from submit-queue (batch tested with PRs 46718, 46828, 46988)

Update docs/ links to point to main site

**What this PR does / why we need it**:
This updates various links to either point to kubernetes.io or to the kubernetes/community repo instead of the legacy docs/ tree in k/k
Pre-requisite for #46813

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note
NONE
```

@kubernetes/sig-docs-maintainers @chenopis @ahmetb @thockin
2017-06-06 11:43:18 -07:00
CJ Cullen
eba50dfeb6 Replace todo-grabbag binding w/ more specific heapster roles/bindings.
Move kubelet binding to the rbac folder.
2017-06-06 09:03:09 -07:00
Kubernetes Submit Queue
a03bb6fc5f Merge pull request #46787 from crassirostris/fluentd-gcp-update
Automatic merge from submit-queue

Update the fluentd-gcp image

Rolled back fluentd version to 0.12 to avoid performance problems and unnecessary noise in logs: https://github.com/kubernetes/contrib/pull/2625

Fixes https://github.com/kubernetes/kubernetes/issues/46990
2017-06-06 01:53:40 -07:00
Kubernetes Submit Queue
8df56da448 Merge pull request #46700 from crassirostris/add-event-exporter-deployment
Automatic merge from submit-queue

Add event exporter deployment to the fluentd-gcp addon

Introduce event exporter deployment to the fluentd-gcp addon so that by default if logging to Stackdriver is enabled, events will be available there also.

In this release, event exporter is a non-critical pod in BestEffort QoS class to avoid preempting actual workload in tightly loaded clusters. It will become critical in one of the future releases.


```release-note
Stackdriver cluster logging now deploys a new component to export Kubernetes events.
```
2017-06-06 00:00:49 -07:00
Christoph Blecker
1bdc7a29ae
Update docs/ URLs to point to proper locations 2017-06-05 22:13:54 -07:00
Kubernetes Submit Queue
5d158281c8 Merge pull request #46805 from MrHohn/dns-autoscaler-1.1.2
Automatic merge from submit-queue (batch tested with PRs 46681, 46786, 46264, 46680, 46805)

Bump cluster-proportional-autoscaler to 1.1.2

From https://github.com/kubernetes-incubator/cluster-proportional-autoscaler/pull/33.

/assign @bowei 

**Release note**:

```release-note
NONE
```
2017-06-03 21:16:48 -07:00