diff --git a/doc/source/configuration/kubelet.rst b/doc/source/configuration/kubelet.rst index 13d3c3e8..eadf0a8f 100644 --- a/doc/source/configuration/kubelet.rst +++ b/doc/source/configuration/kubelet.rst @@ -2,9 +2,12 @@ Kubelet ======= Configuration for the Kubernetes worker daemon (the Kubelet). This document -contains two keys: ``arguments`` and ``images``. The ``arguments`` are -appended directly to the ``kubelet`` command line, along with arguments that -are controlled by Promenade more directly. +contains three keys: ``arguments``, ``images``, and ``config_file_overrides``. +The ``arguments`` are appended directly to the ``kubelet`` command line, +along with arguments that are controlled by Promenade more directly. +The ``config_file_overrides`` are appended directly to the static kubelet +configuration file and only consists of a subset of kubelet arguments. +More information regarding the format for this key can be found here_. The only image that is configurable is for the ``pause`` container. @@ -27,9 +30,12 @@ Here is a sample document: arguments: - --cni-bin-dir=/opt/cni/bin - --cni-conf-dir=/etc/cni/net.d - - --eviction-max-pod-grace-period=-1 - --network-plugin=cni - - --node-status-update-frequency=5s - --v=5 images: pause: gcr.io/google_containers/pause-amd64:3.0 + config_file_overrides: + evictionMaxPodGracePeriod: -1 + nodeStatusUpdateFrequency: "5s" + +.. _here: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file diff --git a/examples/basic/Kubelet.yaml b/examples/basic/Kubelet.yaml index 69c5fa75..b977ab49 100644 --- a/examples/basic/Kubelet.yaml +++ b/examples/basic/Kubelet.yaml 
@@ -11,14 +11,16 @@ data: arguments: - --cni-bin-dir=/opt/cni/bin - --cni-conf-dir=/etc/cni/net.d - - --eviction-max-pod-grace-period=-1 - --network-plugin=cni - - --node-status-update-frequency=5s - - --serialize-image-pulls=false - - --anonymous-auth=false - - --feature-gates=PodShareProcessNamespace=true - --v=3 - - --cgroup-root=/kube_whitelist images: pause: gcr.io/google_containers/pause-amd64:3.0 + config_file_overrides: + cgroupRoot: "/kube_whitelist" + evictionMaxPodGracePeriod: -1 + featureGates: + PodShareProcessNamespace: true + TaintBasedEvictions: false + nodeStatusUpdateFrequency: "5s" + serializeImagePulls: false ... diff --git a/examples/complete/Kubelet.yaml b/examples/complete/Kubelet.yaml index 41b84ce4..0f1c6f6c 100644 --- a/examples/complete/Kubelet.yaml +++ b/examples/complete/Kubelet.yaml @@ -11,11 +11,12 @@ data: arguments: - --cni-bin-dir=/opt/cni/bin - --cni-conf-dir=/etc/cni/net.d - - --eviction-max-pod-grace-period=-1 - --network-plugin=cni - - --node-status-update-frequency=5s - - --serialize-image-pulls=false - --v=5 images: pause: gcr.io/google_containers/pause-amd64:3.0 + config_file_overrides: + evictionMaxPodGracePeriod: -1 + nodeStatusUpdateFrequency: "5s" + serializeImagePulls: false ... diff --git a/examples/gate/Kubelet.yaml b/examples/gate/Kubelet.yaml index 60074cd3..4abc373d 100644 --- a/examples/gate/Kubelet.yaml +++ b/examples/gate/Kubelet.yaml @@ -11,13 +11,15 @@ data: arguments: - --cni-bin-dir=/opt/cni/bin - --cni-conf-dir=/etc/cni/net.d - - --eviction-max-pod-grace-period=-1 - --network-plugin=cni - - --node-status-update-frequency=5s - - --serialize-image-pulls=false - - --anonymous-auth=false - - --feature-gates=PodShareProcessNamespace=true - --v=3 images: pause: gcr.io/google_containers/pause-amd64:3.0 + config_file_overrides: + evictionMaxPodGracePeriod: -1 + featureGates: + PodShareProcessNamespace: true + TaintBasedEvictions: false + nodeStatusUpdateFrequency: "5s" + serializeImagePulls: false ... 
diff --git a/promenade/schemas/Kubelet.yaml b/promenade/schemas/Kubelet.yaml index 990167f8..b7a2a6fa 100644 --- a/promenade/schemas/Kubelet.yaml +++ b/promenade/schemas/Kubelet.yaml @@ -26,6 +26,8 @@ data: type: array items: type: string + config_file_overrides: + type: object required: - images additionalProperties: false diff --git a/promenade/templates/roles/common/etc/kubernetes/kubelet/config.yaml b/promenade/templates/roles/common/etc/kubernetes/kubelet/config.yaml new file mode 100644 index 00000000..1394db2b --- /dev/null +++ b/promenade/templates/roles/common/etc/kubernetes/kubelet/config.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: kubelet.config.k8s.io/v1beta1 +kind: KubeletConfiguration +authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: "/etc/kubernetes/pki/kubelet-client-ca.pem" +authorization: + mode: AlwaysAllow +clusterDNS: +- {{ config['KubernetesNetwork:dns.service_ip'] }} +clusterDomain: {{ config['KubernetesNetwork:dns.cluster_domain'] }} +staticPodPath: "/etc/kubernetes/manifests" +tlsCertFile: "/etc/kubernetes/pki/kubelet.pem" +tlsPrivateKeyFile: "/etc/kubernetes/pki/kubelet-key.pem" +{%- if config['Kubelet:config_file_overrides'] is defined %} +{{ config.get_path('Kubelet:config_file_overrides') | toyaml }} +{%- endif %} diff --git a/promenade/templates/roles/common/etc/systemd/system/kubelet.service b/promenade/templates/roles/common/etc/systemd/system/kubelet.service index a7d2dd98..fe624345 100644 --- a/promenade/templates/roles/common/etc/systemd/system/kubelet.service +++ b/promenade/templates/roles/common/etc/systemd/system/kubelet.service 
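Review bot: The new `config_file_overrides` property in promenade/schemas/Kubelet.yaml is declared only as `type: object`, so neither the key names nor the value types are validated. Because the template appends these keys after the fixed ones, an override named `authentication`, `authorization` or `tlsCertFile` would give the rendered file a duplicate top-level key. How the kubelet resolves that is not visible here and likely depends on its decoder. Consider rejecting the keys Promenade sets itself in the schema, or merging the overrides into the fixed mapping before rendering, and documenting which keys are reserved.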
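Review bot: In the new kubelet/config.yaml, `authentication.webhook.enabled: true` is combined with `authorization.mode: AlwaysAllow`, so every caller that authenticates is authorized for the whole kubelet API. The flags removed from kubelet.service carried only `--client-ca-file`, so unless a site already passed the webhook flag through `arguments`, this change newly lets bearer tokens accepted by the API server reach the kubelet with no authorization check. I would set `authorization:` / `  mode: Webhook` and confirm that the API server's kubelet client identity has RBAC access to the node subresources. If AlwaysAllow must stay, leave webhook authentication off. Either way, a comment above the `authorization` key should state which choice was made and why.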
@@ -5,16 +5,10 @@ After=network-online.target [Service] ExecStart=/opt/kubernetes/bin/kubelet \ - --anonymous-auth=false \ - --client-ca-file=/etc/kubernetes/pki/kubelet-client-ca.pem \ - --cluster-dns={{ config['KubernetesNetwork:dns.service_ip'] }} \ - --cluster-domain={{ config['KubernetesNetwork:dns.cluster_domain'] }} \ + --config=/etc/kubernetes/kubelet/config.yaml \ --hostname-override={{ config.get_first('Genesis:hostname', 'KubernetesNode:hostname') }} \ --kubeconfig=/etc/kubernetes/kubeconfig \ --node-ip={{ config.get_first('Genesis:ip', 'KubernetesNode:ip') }} \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --tls-cert-file=/etc/kubernetes/pki/kubelet.pem \ - --tls-private-key-file=/etc/kubernetes/pki/kubelet-key.pem \ {%- if config['Genesis:labels.static'] is defined %} --node-labels={{ config['Genesis:labels.static'] | join(',') }} \ {%- elif config['KubernetesNode:labels.static'] is defined %} diff --git a/tests/unit/api/test_validatedesign.py b/tests/unit/api/test_validatedesign.py index b20856d3..d4a6ab0c 100644 --- a/tests/unit/api/test_validatedesign.py +++ b/tests/unit/api/test_validatedesign.py @@ -201,12 +201,15 @@ VALID_DOCS = [ 'data': { 'arguments': [ '--cni-bin-dir=/opt/cni/bin', '--cni-conf-dir=/etc/cni/net.d', - '--eviction-max-pod-grace-period=-1', '--network-plugin=cni', - '--node-status-update-frequency=5s', - '--serialize-image-pulls=false', '--v=5' + '--network-plugin=cni', '--v=5' ], 'images': { 'pause': 'gcr.io/google_containers/pause-amd64:3.0' + }, + 'config_file_overrides': { + 'evictionMaxPodGracePeriod': -1, + 'nodeStatusUpdateFrequency': '5s', + 'serializeImagePulls': 'false' } }, 'metadata': { diff --git a/tests/unit/builder_data/simple/Kubelet.yaml b/tests/unit/builder_data/simple/Kubelet.yaml index 41b84ce4..0f1c6f6c 100644 --- a/tests/unit/builder_data/simple/Kubelet.yaml +++ b/tests/unit/builder_data/simple/Kubelet.yaml 
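Review bot: With `--config=/etc/kubernetes/kubelet/config.yaml` in ExecStart, any flag still on the command line overrides the matching key in the file, and the site's `arguments` list is still appended to this command. Existing site documents that keep `--anonymous-auth=...` or `--authorization-mode=...` in `arguments` would therefore silently win over the file's `authentication` and `authorization` settings. I would add a comment above ExecStart such as `# Command-line flags override config.yaml; keep authn/authz settings in the config file only`, and mention the precedence in the kubelet configuration docs. The ExecStart command continues beyond this hunk, so the rest of the flag list is not visible here.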
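Review bot: In the VALID_DOCS entry, `'serializeImagePulls': 'false'` is a string, while every YAML fixture in this commit uses the boolean `false`. The document still validates only because the schema accepts any object for `config_file_overrides`. Rendered through `toyaml`, this value would probably come out as a quoted string, which the kubelet is unlikely to accept for a boolean field. Use `'serializeImagePulls': False` so the test data matches a configuration that would actually load. The VALID_DOCS list starts and ends outside this hunk.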
@@ -11,11 +11,12 @@ data: arguments: - --cni-bin-dir=/opt/cni/bin - --cni-conf-dir=/etc/cni/net.d - - --eviction-max-pod-grace-period=-1 - --network-plugin=cni - - --node-status-update-frequency=5s - - --serialize-image-pulls=false - --v=5 images: pause: gcr.io/google_containers/pause-amd64:3.0 + config_file_overrides: + evictionMaxPodGracePeriod: -1 + nodeStatusUpdateFrequency: "5s" + serializeImagePulls: false ... diff --git a/tools/gate/config-templates/site-config.yaml b/tools/gate/config-templates/site-config.yaml index d220143e..7855af69 100644 --- a/tools/gate/config-templates/site-config.yaml +++ b/tools/gate/config-templates/site-config.yaml @@ -120,11 +120,12 @@ data: arguments: - --cni-bin-dir=/opt/cni/bin - --cni-conf-dir=/etc/cni/net.d - - --eviction-max-pod-grace-period=-1 - --network-plugin=cni - - --node-status-update-frequency=5s - - --serialize-image-pulls=false - --v=5 images: pause: gcr.io/google_containers/pause-amd64:3.0 + config_file_overrides: + evictionMaxPodGracePeriod: -1 + nodeStatusUpdateFrequency: "5s" + serializeImagePulls: false ...