1aa6797b74
When the KUBE_LIST_FROM_CACHE_INCONSISTENCY_DETECTOR environment variable was set then clients (client-go, dynamic-client) perform a data consistency check for requests that have a high chance of being served from the watch-cache. The consistency check is meant to be enforced only in the CI, not in production. The check ensures that data retrieved by a list api call from the watch-cache is exactly the same as data received by the list api call from etcd. Note that this function will panic when data inconsistency is detected. This is intentional because we want to catch it in the CI. Note that the new env var is set in the same places the ENABLE_CACHE_MUTATION_DETECTOR is set.
80 lines
2.2 KiB
Plaintext
80 lines
2.2 KiB
Plaintext
# Please keep kube-proxy configuration in-sync with:
|
|
# cluster/addons/kube-proxy/kube-proxy-ds.yaml
|
|
apiVersion: v1
|
|
kind: Pod
|
|
metadata:
|
|
name: kube-proxy
|
|
namespace: kube-system
|
|
labels:
|
|
tier: node
|
|
component: kube-proxy
|
|
spec:
|
|
priorityClassName: system-node-critical
|
|
priority: 2000001000
|
|
hostNetwork: true
|
|
tolerations:
|
|
- operator: "Exists"
|
|
effect: "NoExecute"
|
|
- operator: "Exists"
|
|
effect: "NoSchedule"
|
|
containers:
|
|
- name: kube-proxy
|
|
image: {{pillar['kube_docker_registry']}}/kube-proxy-{{pillar['host_arch']}}:{{pillar['kube-proxy_docker_tag']}}
|
|
resources:
|
|
requests:
|
|
cpu: {{ cpurequest }}
|
|
memory: {{ memoryrequest }}
|
|
command:
|
|
- /bin/sh
|
|
- -c
|
|
- exec kube-proxy {{api_servers_with_port}} {{kubeconfig}} {{cluster_cidr}} --oom-score-adj=-998 {{params}} 1>>/var/log/kube-proxy.log 2>&1
|
|
{{container_env}}
|
|
{{kube_cache_mutation_detector_env_name}}
|
|
{{kube_cache_mutation_detector_env_value}}
|
|
{{kube_watchlist_inconsistency_detector_env_name}}
|
|
{{kube_watchlist_inconsistency_detector_env_value}}
|
|
{{kube_list_from_cache_inconsistency_detector_env_name}}
|
|
{{kube_list_from_cache_inconsistency_detector_env_value}}
|
|
securityContext:
|
|
privileged: true
|
|
volumeMounts:
|
|
- mountPath: /etc/ssl/certs
|
|
name: etc-ssl-certs
|
|
readOnly: true
|
|
- mountPath: /usr/share/ca-certificates
|
|
name: usr-ca-certs
|
|
readOnly: true
|
|
- mountPath: /var/log
|
|
name: varlog
|
|
readOnly: false
|
|
- mountPath: /var/lib/kube-proxy/kubeconfig
|
|
name: kubeconfig
|
|
readOnly: false
|
|
- mountPath: /run/xtables.lock
|
|
name: iptableslock
|
|
readOnly: false
|
|
- mountPath: /lib/modules
|
|
name: lib-modules
|
|
readOnly: true
|
|
volumes:
|
|
- hostPath:
|
|
path: /usr/share/ca-certificates
|
|
name: usr-ca-certs
|
|
- hostPath:
|
|
path: /etc/ssl/certs
|
|
name: etc-ssl-certs
|
|
- hostPath:
|
|
path: /var/lib/kube-proxy/kubeconfig
|
|
type: FileOrCreate
|
|
name: kubeconfig
|
|
- hostPath:
|
|
path: /var/log
|
|
name: varlog
|
|
- hostPath:
|
|
path: /run/xtables.lock
|
|
type: FileOrCreate
|
|
name: iptableslock
|
|
- name: lib-modules
|
|
hostPath:
|
|
path: /lib/modules
|