Commit graph

265 commits

Author SHA1 Message Date
Chad Swenson
e78562830f Retry kube container removal during upgrade
As we have seen with other containers, sometimes container removal fails on the first attempt due to some Docker bugs. Retrying typically corrects the issue.
2017-12-12 12:06:41 -06:00
Spencer Smith
c4458c9d9a
Merge pull request #1997 from mrbobbytables/feature-keepalived-cloud-provider
Add minimal keepalived-cloud-provider support
2017-12-06 23:28:27 -05:00
Chad Swenson
b8788421d5 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled).

Rework of #1937 with kubeadm support

Also, fixed an issue in `kubeadm-migrate-certs` where the old apiserver cert was copied as the kubeadm key
2017-12-05 09:13:45 -06:00
Steven Hardy
d39a88d63f Allow setting --bind-address for apiserver hyperkube (#1985)
* Allow setting --bind-address for apiserver hyperkube

This is required if you wish to configure a loadbalancer (e.g haproxy)
running on the master nodes without choosing a different port for the
vip from that used by the API - in this case you need the API to bind to
a specific interface, then haproxy can bind the same port on the VIP:

root@overcloud-controller-0 ~]# netstat -taupen | grep 6443
tcp        0      0 192.168.24.6:6443       0.0.0.0:*               LISTEN      0          680613     134504/haproxy
tcp        0      0 192.168.24.16:6443      0.0.0.0:*               LISTEN      0          653329     131423/hyperkube
tcp        0      0 192.168.24.16:6443      192.168.24.16:58404     ESTABLISHED 0          652991     131423/hyperkube
tcp        0      0 192.168.24.16:58404     192.168.24.16:6443      ESTABLISHED 0          652986     131423/hyperkube

This can be achieved e.g via:

kube_apiserver_bind_address: 192.168.24.16

* Address code review feedback

* Update kube-apiserver.manifest.j2
2017-11-29 15:24:02 +00:00
Spencer Smith
43600ffcf8
Merge pull request #1972 from chadswen/master-static-pod-flush
Additional flush for static pod master upgrade
2017-11-28 11:36:38 -05:00
Bogdan Dobrelya
8aafe64397
Defaults for apiserver_loadbalancer_domain_name (#1993)
* Defaults for apiserver_loadbalancer_domain_name

When loadbalancer_apiserver is defined, use the
apiserver_loadbalancer_domain_name with a given default value.

Fix unconsistencies for checking if apiserver_loadbalancer_domain_name
is defined AND using it with a default value provided at once.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>

* Define defaults for LB modes in common defaults

Adjust the defaults for apiserver_loadbalancer_domain_name and
loadbalancer_apiserver_localhost to come from a single source, which is
kubespray-defaults. Removes some confusion and simplefies the code.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-11-23 16:15:48 +00:00
Bob Killen
2140303fcc
add minimal keepalived-cloud-provider support 2017-11-23 08:43:36 -05:00
Matthew Mosesohn
f9b68a5d17
Revert "Support for disabling apiserver insecure port" (#1974) 2017-11-14 13:41:28 +00:00
Chad Swenson
1f99710b21 Additional flush for static pod master upgrade
Thought this wasn't required at first but I forgot there's no auto flush at the end of these tasks since the `kubernetes/master` role is not the end of the play.
2017-11-13 18:11:57 -06:00
Spencer Smith
09d85631dc
Merge pull request #1944 from chadswen/reload-master-pods
Master component and kubelet container upgrade fixes
2017-11-08 22:23:12 -05:00
Chad Swenson
e9f795c5ce Master component and kubelet container upgrade fixes
* Fixes an issue where apiserver and friends (controller manager, scheduler) were prevented from restarting after manifests/secrets are changed. This occurred when a replaced kubelet doesn't reconcile new master manifests, which caused old master component versions to linger during deployment. In my case this was causing upgrades from k8s 1.6/1.7 -> k8s 1.8 to fail
* Improves transitions from kubelet container to host kubelet by preventing issues where kubelet container reappeared during the deployment
2017-11-08 01:40:33 -06:00
Chad Swenson
0c7e1889e4 Support for disabling apiserver insecure port
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to:

1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS)
2. Add apiserver client cert/key to the "Wait for apiserver up" checks
3. Update apiserver liveness probe to use HTTPS ports
4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately)
5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well.

Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check.

Options:

1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not.
2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port)
3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest)

Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
2017-11-06 14:01:10 -06:00
Spencer Smith
19962f6b6a fix indentation for master template (#1906) 2017-10-31 06:43:54 +00:00
Matthew Mosesohn
564de07963 fix indentation for network policy option 2017-10-27 14:56:22 +01:00
Brad Beam
ba0a03a8ba Merge pull request #1880 from mattymo/node_auth_fixes2
Move cluster roles and system namespace to new role
2017-10-26 10:02:24 -05:00
Matthew Mosesohn
b0f04d925a Update network policy setting for Kubernetes 1.8 (#1879)
It is now enabled by default in 1.8 with the api changed
to networking.k8s.io/v1 instead of extensions/v1beta1.
2017-10-26 15:35:26 +01:00
Matthew Mosesohn
ec53b8b66a Move cluster roles and system namespace to new role
This should be done after kubeconfig is set for admin and
before network plugins are up.
2017-10-26 14:36:05 +01:00
Matthew Mosesohn
86fb669fd3 Idempotency fixes (#1838) 2017-10-25 21:19:40 +01:00
Chiang Fong Lee
5dc56df64e Fix ordering of kube-apiserver admission control plug-ins (#1841) 2017-10-24 17:28:07 +01:00
Matthew Mosesohn
0b4fcc83bd Fix up warnings and deprecations (#1848) 2017-10-20 08:25:57 +01:00
Matthew Mosesohn
fc9a65be2b Refactor downloads to use download role directly (#1824)
* Refactor downloads to use download role directly

Also disable fact delegation so download delegate works acros OSes.

* clean up bools and ansible_os_family conditionals
2017-10-19 09:17:11 +01:00
Jan Jungnickel
49dff97d9c Relabel controler-manager to kube-controller-manager (#1830)
Fixes #1129
2017-10-18 17:29:18 +01:00
Matthew Mosesohn
16462292e1 Properly skip extra SANs when not specified for kubeadm (#1831) 2017-10-18 12:04:13 +01:00
Rémi de Passmoilesel
356515222a Add possibility to insert more ip adresses in certificates (#1678)
* Add possibility to insert more ip adresses in certificates

* Add newline at end of files

* Move supp ip parameters to k8s-cluster group file

* Add supplementary addresses in kubeadm master role

* Improve openssl indexes
2017-10-17 11:06:07 +01:00
Matthew Mosesohn
d487b2f927 Security best practice fixes (#1783)
* Disable basic and token auth by default

* Add recommended security params

* allow basic auth to fail in tests

* Enable TLS authentication for kubelet
2017-10-15 20:41:17 +01:00
Matthew Mosesohn
7e4668859b Change file used to check kubeadm upgrade method (#1784)
* Change file used to check kubeadm upgrade method

Test for ca.crt instead of admin.conf because admin.conf
is created during normal deployment.

* more fixes for upgrade
2017-10-15 10:33:22 +01:00
Matthew Mosesohn
ef47a73382 Add new addon Istio (#1744)
* add istio addon

* add addons to a ci job
2017-10-13 15:42:54 +01:00
Matthew Mosesohn
ee83e874a8 Clear admin kubeconfig when rotating certs (#1772)
* Clear admin kubeconfig when rotating certs

* Update main.yml
2017-10-12 09:55:46 +01:00
Matthew Mosesohn
f14f04c5ea Upgrade to kubernetes v1.8.0 (#1730)
* Upgrade to kubernetes v1.8.0

hyperkube no longer contains rsync, so now use cp

* Enable node authorization mode

* change kube-proxy cert group name
2017-10-05 10:51:21 +01:00
Aivars Sterns
9c86da1403 Normalize tags in all places to prepare for tag fixing in future (#1739) 2017-10-05 08:43:04 +01:00
Matthew Mosesohn
a56738324a Move set_facts to kubespray-defaults defaults
These facts can be generated in defaults with a performance
boost.

Also cleaned up duplicate etcd var names.
2017-10-04 14:02:47 +01:00
Matthew Mosesohn
e42cb43ca5 add bootstrap for debian (#1726) 2017-10-03 08:30:45 +01:00
Julian Poschmann
8e1210f96e Fix cluster-network w/ prefix > 25 not possible with CNI (#1713) 2017-10-01 10:43:00 +01:00
Matthew Mosesohn
3ff5f40bdb fix graceful upgrade (#1704)
Fix system namespace creation
Only rotate tokens when necessary
2017-09-27 14:49:20 +01:00
Matthew Mosesohn
689ded0413 Enable kubeadm upgrades to any version (#1709) 2017-09-27 14:48:18 +01:00
Matthew Mosesohn
327ed157ef Verify valid settings before deploy (#1705)
Also fix yaml lint issues

Fixes #1703
2017-09-27 14:47:47 +01:00
tanshanshan
477afa8711 when and run_once are reduplicative (#1694) 2017-09-26 14:48:05 +01:00
Matthew Mosesohn
bd272e0b3c Upgrade to kubeadm (#1667)
* Enable upgrade to kubeadm

* fix kubedns upgrade

* try upgrade route

* use init/upgrade strategy for kubeadm and ignore kubedns svc

* Use bin_dir for kubeadm

* delete more secrets

* fix waiting for terminating pods

* Manually enforce kube-proxy for kubeadm deploy

* remove proxy. update to kubeadm 1.8.0rc1
2017-09-26 10:38:58 +01:00
Matthew Mosesohn
a1cde03b20 Correct master manifest cleanup logic (#1693)
Fixes #1666
2017-09-25 12:19:04 +01:00
Matthew Mosesohn
188bae142b Fix wait for hosts in CI (#1679)
Also fix usage of failed_when and handling exit code.
2017-09-20 14:30:09 +01:00
Matthew Mosesohn
8e731337ba Enable HA deploy of kubeadm (#1658)
* Enable HA deploy of kubeadm

* raise delay to 60s for starting gce hosts
2017-09-15 22:28:15 +01:00
Matthew Mosesohn
b294db5aed fix apply for netchecker upgrade (#1659)
* fix apply for netchecker upgrade and graceful upgrade

* Speed up daemonset upgrades. Make check wait for ds upgrades.
2017-09-15 13:19:37 +01:00
Matthew Mosesohn
6744726089 kubeadm support (#1631)
* kubeadm support

* move k8s master to a subtask
* disable k8s secrets when using kubeadm
* fix etcd cert serial var
* move simple auth users to master role
* make a kubeadm-specific env file for kubelet
* add non-ha CI job

* change ci boolean vars to json format

* fixup

* Update create-gce.yml

* Update create-gce.yml

* Update create-gce.yml
2017-09-13 19:00:51 +01:00
Matthew Mosesohn
75b13caf0b Fix kube-apiserver status checks when changing insecure bind addr (#1633) 2017-09-09 23:41:48 +03:00
Matthew Mosesohn
5d99fa0940 Purge old upgrade hooks and unused tasks (#1641) 2017-09-09 23:41:20 +03:00
Brad Beam
8ae77e955e Adding in certificate serial numbers to manifests (#1392) 2017-09-01 09:02:23 +03:00
Brad Beam
7a98ad50b4 Fixing CA certificate locations for k8s components 2017-08-30 15:30:40 -05:00
Chad Swenson
a39e78d42d Initial version of Flannel using CNI (#1486)
* Updates Controller Manager/Kubelet with Flannel's required configuration for CNI
* Removes old Flannel installation
* Install CNI enabled Flannel DaemonSet/ConfigMap/CNI bins and config (with portmap plugin) on host
* Uses RBAC if enabled
* Fixed an issue that could occur if br_netfilter is not a module and net.bridge.bridge-nf-call-iptables sysctl was not set
2017-08-25 10:07:50 +03:00
Hassan Zamani
01ce09f343 Add feature_gates var for customizing Kubernetes feature gates (#1520) 2017-08-24 23:18:38 +03:00
Brad Beam
8b151d12b9 Adding yamllinter to ci steps (#1556)
* Adding yaml linter to ci check

* Minor linting fixes from yamllint

* Changing CI to install python pkgs from requirements.txt

- adding in a secondary requirements.txt for tests
- moving yamllint to tests requirements
2017-08-24 12:09:52 +03:00
Miad Abrin
3c710219a1 Fix Some Typos in kubernetes master role (#1547)
* Fix Typo etc3 -> etcd3

* Fix typo in post-upgrade of master. stop -> start
2017-08-20 13:54:28 +03:00
Brad Beam
383d582b47 Merge pull request #1382 from jwfang/rbac
basic rbac support
2017-08-07 08:01:51 -05:00
Anton
e0960f6288 FIX: Unneded (extra) cycles in some tasks (#1393) 2017-07-27 20:46:21 +03:00
jwfang
092bf07cbf basic rbac support 2017-07-17 19:29:59 +08:00
Gregory Storme
266ca9318d Use the kube_apiserver_insecure_port variable instead of static 8080 2017-06-12 09:20:59 +02:00
Spencer Smith
8203383c03 rename almost all mentions of kargo 2017-06-16 13:25:46 -04:00
Spencer Smith
01c0ab4f06 check if cloud_provider is defined 2017-05-31 08:24:24 -04:00
Spencer Smith
7e2aafcc76 add direct path for cert in AWS with RHEL family 2017-05-26 17:32:50 -04:00
Matthew Mosesohn
2d6bc9536c Merge pull request #1246 from holser/disable_dns_for_kube_services
Change DNS policy for kubernetes components
2017-04-20 16:12:52 +03:00
Sergii Golovatiuk
d8aa2d0a9e Change DNS policy for kubernetes components
According to code apiserver, scheduler, controller-manager, proxy don't
use resolution of objects they created. It's not harmful to change
policy to have external resolver.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-20 11:22:57 +02:00
Hans Kristian Flaatten
d68cfeed6e
Move namespace file to template directory 2017-04-19 13:37:02 +02:00
Spencer Smith
c3c9e955e5 Merge pull request #1232 from rsmitty/custom-flags
add ability for custom flags
2017-04-17 14:01:32 -04:00
Spencer Smith
72d5db92a8 remove stray spaces in templating 2017-04-17 12:24:24 -04:00
Spencer Smith
3f302c8d47 ensure spacing on string of flags 2017-04-17 12:13:39 -04:00
Spencer Smith
f9d4a1c1d8 update to safeguard against accidentally passing string instead of list 2017-04-17 11:09:34 -04:00
gbolo
49be805001
allow admission control plug-ins to be easily customized 2017-04-16 22:03:45 -04:00
Spencer Smith
94596388f7 add ability for custom flags 2017-04-14 17:33:04 -04:00
Sergii Golovatiuk
2670eefcd4 Refactoring resolv.conf
- Renaming templates for netchecker
- Add dnsPolicy: ClusterFirstWithHostNet to kube-proxy

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-05 09:28:01 +02:00
Matthew Mosesohn
f8cf6b4f7c Merge pull request #1186 from holser/resolv_conf
Set ClusterFirstWithHostNet for Pods with hostnetwork: true
2017-04-04 20:49:55 +03:00
Sergii Golovatiuk
1cfe0beac0 Set ClusterFirstWithHostNet for Pods with hostnetwork: true
In kubernetes 1.6 ClusterFirstWithHostNet was added as an option. In
accordance to it kubelet will generate resolv.conf based on own
resolv.conf. However, this doesn't create 'options', thus the proper
solution requires some investigation.

This patch sets the same resolv.conf for kubelet as host

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-04-04 16:34:13 +02:00
Matthew Mosesohn
80828a7c77 use etcd2 when upgrading unless forced 2017-04-03 15:07:42 +03:00
Matthew Mosesohn
d42e4f2344 Update .gitlab-ci.yml 2017-03-30 12:19:15 +04:00
Matthew Mosesohn
48beef25fa delete master containers forcefully 2017-03-27 19:08:22 +03:00
Matthew Mosesohn
a3f568fc64 restart scheduler and controller-manager too 2017-03-27 13:51:35 +03:00
Matthew Mosesohn
57ee304260 ensure post-upgrade purge ones only once 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
0794a866a7 switch debian8-canal-ha to ubuntu 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
49e4d344da move network plugins out of grouped upgrades 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
6e505c0c3f Fix delegate tasks for kubectl and etcdctl 2017-03-27 13:28:37 +03:00
Matthew Mosesohn
e9a294fd9c Significantly reduce memory requirements
Canal runs more pods and upgrades need a bit of extra
room to load new pods in and get the old ones out.
2017-03-27 13:28:37 +03:00
Matthew Mosesohn
44d851d5bb Only cordon Ready nodes 2017-03-27 13:28:37 +03:00
Vladimir Rutsky
c4e57477fb replace non-breakable space with regular space
Non-brekable space is 0xc2 0xa0 byte sequence in UTF-8.

To find one:

    $ git grep -I -P '\xc2\xa0'

To replace with regular space:

    $ git grep -l -I -P '\xc2\xa0' | xargs sed -i 's/\xc2\xa0/ /g'

This commit doesn't include changes that will overlap with commit f1c59a91a1.
2017-03-23 00:25:01 +03:00
Aleksandr Didenko
3a39904011 Move calico-policy-controller into separate role
By default Calico CNI does not create any network access policies
or profiles if 'policy' is enabled in CNI config. And without any
policies/profiles network access to/from PODs is blocked.

K8s related policies are created by calico-policy-controller in
such case. So we need to start it as soon as possible, before any
real workloads.

This patch also fixes kube-api port in calico-policy-controller
yaml template.

Closes #1132
2017-03-17 11:21:52 +01:00
Matthew Mosesohn
8195957461 Merge branch 'master' into idempotency2 2017-03-16 09:29:43 +03:00
Matthew Mosesohn
a422ad0d50 More idempotency fixes
Fixed sync_tokens fact
Fixed sync_certs for k8s tokens fact
Disabled register docker images changability
Fixed CNI dir permission
Fix idempotency for etcd pre upgrade checks
2017-03-15 19:06:39 +03:00
Matthew Mosesohn
4354162067 Merge pull request #1080 from VincentS/Granular_Auth_Control
Granular authentication Control
2017-03-15 13:12:51 +03:00
Vincent Schwarzer
026da060f2 Granular authentication Control
It is now possible to deactivate selected authentication methods
(basic auth, token auth) inside the cluster by adding
removing the required arguments to the Kube API Server and generating
the secrets accordingly.

The x509 authentification is currently not optional because disabling it
would affect the kubectl clients deployed on the master nodes.
2017-03-14 16:57:35 +01:00
Matthew Mosesohn
804e9a09c0 Migrate k8s data to etcd3 api store
Default backend is now etcd3 (was etcd2).
The migration process consists of the following steps:
* check if migration is necessary
* stop etcd on first etcd server
* run migration script
* start etcd on first etcd server
* stop kube-apiserver until configuration is updated
* update kube-apiserver
* purge old etcdv2 data
2017-03-14 17:50:20 +03:00
Vincent Schwarzer
b075960e3b Added Support for OpenID Connect Authentication
To use OpenID Connect Authentication beside deploying an OpenID Connect
Identity Provider it is necesarry to pass additional arguments to the Kube API Server.
These required arguments were added to the kube apiserver manifest.
2017-03-06 12:40:35 +01:00
Antoine Legrand
85596c2610 Merge pull request #1045 from bradbeam/vsphere
Adding vsphere cloud provider support
2017-03-06 12:34:05 +01:00
Sergii Golovatiuk
295103adc0 Allow to specify etcd backend for kube-api
Kubernetes project is about to set etcdv3 as default storage engine in
1.6. This patch allows to specify particular backend for
kube-apiserver. User may force the option to etcdv3 for new environment.
At the same time if the environment uses v2 it will continue uses it
until user decides to upgrade to v3.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-28 17:13:22 +01:00
Brad Beam
dbf13290f5 Updating vsphere cloud provider support 2017-02-27 15:08:04 -06:00
Jan Jungnickel
df476b0088 Initial support for vsphere as cloud provider 2017-02-27 12:51:41 -06:00
Andrew Greenwood
ca9ea097df Cleanup legacy syntax, spacing, files all to yml
Migrate older inline= syntax to pure yml syntax for module args as to be consistant with most of the rest of the tasks
Cleanup some spacing in various files
Rename some files named yaml to yml for consistancy
2017-02-17 16:22:34 -05:00
Sergii Golovatiuk
c07d60bc90 Kubernetes Reliability Improvements
- Exclude kubelet CPU/RAM (kube-reserved) from cgroup. It decreases a
  chance of overcommitment
- Add a possibility to modify Kubelet node-status-update-frequency
- Add a posibility to configure node-monitor-grace-period,
  node-monitor-period, pod-eviction-timeout for Kubernetes controller
  manager
- Add Kubernetes Relaibility Documentation with recomendations for
  various scenarios.

Signed-off-by: Sergii Golovatiuk <sgolovatiuk@mirantis.com>
2017-02-09 23:54:08 +01:00
Matthew Mosesohn
fd30131dc2 Revert "Drop linux capabilities and rework users/groups" 2017-02-06 15:58:54 +03:00
Bogdan Dobrelya
cb2e5ac776 Drop linux capabilities and rework users/groups
* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-20 08:50:42 +01:00
Matthew Mosesohn
b2a27ed089 Fix bash completion installation 2017-01-17 20:36:58 +03:00
Matthew Mosesohn
80703010bd Use only one certificate for all apiservers
https://github.com/kubernetes/kubernetes/issues/25063
2017-01-13 14:03:20 +03:00
Matthew Mosesohn
3f274115b0 Generate individual certificates for k8s hosts 2017-01-11 12:58:07 +03:00
Bogdan Dobrelya
58062be2a3 Drop non systemd OS types support
Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-02 12:14:03 +01:00