Commit graph

36 commits

Author SHA1 Message Date
Matthew Mosesohn
fd30131dc2 Revert "Drop linux capabilities and rework users/groups" 2017-02-06 15:58:54 +03:00
Bogdan Dobrelya
cb2e5ac776 Drop linux capabilities and rework users/groups
* Drop linux capabilities for unprivileged containerized
  worlkoads Kargo configures for deployments.
* Configure required securityContext/user/group/groups for kube
  components' static manifests, etcd, calico-rr and k8s apps,
  like dnsmasq daemonset.
* Rework cloud-init (etcd) users creation for CoreOS.
* Fix nologin paths, adjust defaults for addusers role and ensure
  supplementary groups membership added for users.
* Add netplug user for network plugins (yet unused by privileged
  networking containers though).
* Grant the kube and netplug users read access for etcd certs via
  the etcd certs group.
* Grant group read access to kube certs via the kube cert group.
* Remove priveleged mode for calico-rr and run it under its uid/gid
  and supplementary etcd_cert group.
* Adjust docs.
* Align cpu/memory limits and dropped caps with added rkt support
  for control plane.

Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
2017-01-20 08:50:42 +01:00
Matthew Mosesohn
80703010bd Use only one certificate for all apiservers
https://github.com/kubernetes/kubernetes/issues/25063
2017-01-13 14:03:20 +03:00
Matthew Mosesohn
3f274115b0 Generate individual certificates for k8s hosts 2017-01-11 12:58:07 +03:00
Bogdan Dobrelya
a56d9de502 Systemd units, limits, and bin path fixes
* Add restart for weave service unit
* Reuse docker_bin_dir everythere
* Limit systemd managed docker containers by CPU/RAM. Do not configure native
  systemd limits due to the lack of consensus in the kernel community
  requires out-of-tree kernel patches.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-28 15:49:42 +01:00
Matthew Mosesohn
ad796d188d Individual etcd ssl certs
Includes hooks for triggering calico, kubelet, and kube-apiserver restarts
if etcd certs changed.
2016-12-22 13:31:11 +03:00
Antoine Legrand
26e3142c95 Merge branch 'master' into standalone_kubelet 2016-12-13 17:26:21 +01:00
Alexander Block
444b1dafdc Pass --anonymous-auth to apiserver
Fixes #732
2016-12-13 17:06:53 +01:00
Bogdan Dobrelya
c75f394707 Address standalone kubelet config case
Also place in global vars and do not repeat the kube_*_config_dir
and kube_namespace vars for better code maintainability and UX.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-12-13 16:35:53 +01:00
Sebastian Melchior
bb55f68f95 add basic azure support for kargo 2016-11-29 10:20:28 +01:00
Bogdan Dobrelya
2d18e19263 Tune dnsmasq/kubedns limits, replicas, logging
* Add dns_replicas, dns_memory/cpu_limit/requests vars for
dns related apps.
* When kube_log_level=4, log dnsmasq queries as well.
* Add log level control for skydns (part of kubedns app).
* Add limits/requests vars for dnsmasq (part of kubedns app) and
  dnsmasq daemon set.
* Drop string defaults for kube_log_level as it is int and
  is defined in the global vars as well.
* Add docs

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-25 12:49:17 +01:00
Bogdan Dobrelya
dff78f616e Allow pre-downloaded images to be used effectively
According to http://kubernetes.io/docs/user-guide/images/ :
By default, the kubelet will try to pull each image from the
specified registry. However, if the imagePullPolicy property
of the container is set to IfNotPresent or Never, then a local\
image is used (preferentially or exclusively, respectively).

Use IfNotPresent value to allow images prepared by the download
role dependencies to be effectively used by kubelet without pull
errors resulting apps to stay blocked in PullBackOff/Error state
even when there are images on the localhost exist.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-22 16:16:04 +01:00
Bogdan Dobrelya
1bd1825ecb Add missing liveness probe for apiserver static pod
Fix unreliable waiting for the apiserver to become ready.
Remove logfile mount to align with the rest of static pods
and because containers shall write logs to stdout only.

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-21 13:15:51 +01:00
Maciej Filipiak
cc2f26b8e9 Add service-node-port-range parameter for kube-apiserver 2016-11-18 14:09:38 +01:00
Bogdan Dobrelya
88577b9889 Merge pull request #593 from bogdando/label_apps
Label k8s apps, adjust collect info commands
2016-11-10 18:09:05 +01:00
Bogdan Dobrelya
cf7c60029b Label k8s apps, adjust collect/upload info steps
- Drop debugs from collect-info playbook
- Drop sudo from collect-info step and add target dir var (required for travis jobs)
- Label all k8s apps, including static manifests
- Add logs for K8s apps to be collected as well
- Fix upload to GCS as a public-read tarball

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-11-10 16:05:50 +01:00
Matthew Mosesohn
a32cd85eb7 Add etcd TLS support 2016-11-09 18:38:28 +03:00
Matthew Mosesohn
95b460ae94 Remove etcd-proxy from all nodes and use etcd multiaccess 2016-11-09 13:31:12 +03:00
Spencer Smith
8f20d90f88 update admission controllers for > 1.4 2016-11-04 12:54:35 -04:00
Artem Roma
3919d666c1 Add possibility to enable network policy via Calico network controller
The requirements for network policy feature are described here [1]. In
order to enable it, appropriate configuration must be provided to the CNI
plug in and Calico policy controller must be set up. Beside that
corresponding extensions needed to be enabled in k8s API.

Now to turn on the feature user can define `enable_network_policy`
customization variable for Ansible.

[1] http://kubernetes.io/docs/user-guide/networkpolicies/
2016-10-10 17:22:12 +03:00
Matthew Mosesohn
f4e6fdc193 Enable quorum read for apiserver
This reduces the likelihood of apiserver status updates
timing out due to etcd write conflicts.
2016-10-04 18:31:42 +03:00
Matthew Mosesohn
c50c6672f3 Remove SecurityContextDeny API plugin
This is no longer recommended for use since K8s 1.2:
http://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-plug-ins-to-use
2016-08-29 14:20:28 +03:00
Spencer Smith
60f263b629 updated to no longer handle gce as cloud-provider. provided aws setup doc 2016-08-24 09:48:32 -04:00
Spencer Smith
f35e5e864f pass cloud provider flag in all cases, not just openstack 2016-08-23 13:57:32 -04:00
Bogdan Dobrelya
731d32afda Add HA/LB endpoints for kube-apiserver
* Add HA docs for API server.
* Add auto-evaluated internal endpoints and clarify the loadbalancer_apiserver
vars and usecases.
* Use facts for kube_apiserver to not repeat code and enable LB endpoints use.
* Use /healthz check for the wait-for apiserver.
* Use the single endpoint for kubelet instead of the list of apiservers
* Specify kube_apiserver_count to for HA layout

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
2016-07-25 17:25:45 +02:00
Matthew Mosesohn
d0a1e15ef3 Deploy kubelet and kube-apiserver as containers
kubelet via docker
kube-apiserver as a static pod

Fixed etcd service start to be more tolerant of slow start.

Workaround for kube_version to stay in download role, but not
download an files by creating a new "nothing" download entry.
2016-07-22 16:42:34 +03:00
Bogdan Dobrelya
32cd6e99b2 Add etcd proxy support
* Enforce a etcd-proxy role to a k8s-cluster group members. This
provides an HA layout for all of the k8s cluster internal clients.
* Proxies to be run on each node in the group as a separate etcd
instances with a readwrite proxy mode and listen the given endpoint,
which is either the access_ip:2379 or the localhost:2379.
* A notion for the 'kube_etcd_multiaccess' is: ignore endpoints and
loadbalancers and use the etcd members IPs as a comma-separated
list. Otherwise, clients shall use the local endpoint provided by a
etcd-proxy instances on each etcd node. A Netwroking plugins always
use that access mode.
* Fix apiserver's etcd servers args to use the etcd_access_endpoint.
* Fix networking plugins flannel/calico to use the etcd_endpoint.
* Fix name env var for non masters to be set as well.
* Fix etcd_client_url was not used anywhere and other etcd_* facts
evaluation was duplicated in a few places.
* Define proxy modes only in the env file, if not a master. Del
an automatic proxy mode decisions for etcd nodes in init/unit scripts.
* Use Wants= instead of Requires= as "This is the recommended way to
hook start-up of one unit to the start-up of another unit"
* Make apiserver/calico Wants= etcd-proxy to keep it always up

Signed-off-by: Bogdan Dobrelya <bdobrelia@mirantis.com>
Co-authored-by: Matthew Mosesohn <mmosesohn@mirantis.com>
2016-07-19 14:09:40 +02:00
Paul Czarkowski
c226b4e5cb fixes issue #258
Kubernetes API server has an option:

```
--advertise-address=<nil>: The IP address on which to advertise the apiserver to members of the cluster. This address must be reachable by the rest of the cluster. If blank, the --bind-address will be used. If --bind-address is unspecified, the host's default interface will be used.
```

kargo does not set --bind-address, thus it binds to eth0, in vagrant and similar
environments this causes issues because nodes cannot talk to eachother over eth0.

This sets `--advertise-address` to `ip` if its set, otherwise the default behavior
of is persisted by using `ansible_default_ipv4.address`.
2016-05-22 13:48:16 -05:00
teuto.net Netzdienste GmbH
8cbdf73eba Changed path to hosts ssl certs from /usr/share/ca-certificates to /etc/ssl/certs/ which fixes https problems in kube-controller-manager and kube-apiserver (#189) caused by the lack of certificates on debian and redhat based systems. 2016-04-01 09:34:28 +02:00
Greg Althaus
bedcca922c Add variables and defaults for multiple types of ip addresses.
Each node can have 3 IPs.
1. ansible_default_ip4 - whatever ansible things is the first IPv4 address
   usually with the default gw.
2. ip - An address to use on the local node to bind listeners and do local
   communication.  For example, Vagrant boxes have a first address that is the
   NAT bridge and is common for all nodes.  The second address/interface should
   be used.
3. access_ip - An address to use for node-to-node access.  This is assumed to
   be used by other nodes to access the node and may not be actually assigned
   on the node.  For example, AWS public ip that is not assigned to node.

This updates the places addresses are used to use either ip or access_ip and walk
up the list to find an address.
2016-01-27 16:05:39 -06:00
Smaine Kahlouch
e7e03bae9f calico talks to apiserver with https 2015-12-18 22:22:52 +01:00
ant31
f21f660cc5 Use kube_apiserver_port 2015-12-15 16:27:12 +01:00
Smaine Kahlouch
2fc8b46996 etcd can run on a distinct cluster 2015-12-14 10:39:13 +01:00
Smaine Kahlouch
5efc09710b Renaming hyperkube image vars 2015-12-14 09:54:58 +01:00
Smaine Kahlouch
1568cbe8e9 optionnal api runtime extensions 2015-12-12 19:37:08 +01:00
Smaine Kahlouch
f49620517e running kubernetes master processes as pods 2015-12-12 19:37:08 +01:00