upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check
Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
Address changes and deprecations in Kubernetes v1.21=>v1.23
controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257
kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim
https: //github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https: //kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https: //github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
and will be removed in v1.24.
Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file
This change ensures that the flags are set, and that the required keys
are in the right places.
Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
The existing apiserver chart supports volume overrides for the anchor
daemonset, but not for the apiserver static pod itself. The feature to
allow volume overrides in the apiserver-webhook chart was never fully
implemented.
This changes allows volume overrides via values.yaml for both charts,
and provides a more complete audit example that includes mounting the
audit log destination as a host path volume.
Change-Id: I27ccf77671a190e8cb6b66d8a9b13c2cde6c9a45
Replace all usages of the hyperkube image with standalone container
images for apiserver, controller, scheduler, and proxy.
Change-Id: I44392c7900a72edd35bc5afa1c50bec8e04f927f
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.
Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
There are several kubernetes bugs [0,1,2] involving connection problems
that seem related to the Go net/http2 library, where the stream state
and connection state can get out of sync. This can manifest as a kubelet
issue, where the node status gets stuck in a NotReady state, but can
also happen elsewhere.
In newer versions of the Go libraries some issues are fixed [3,4], but
the fixes are not present in k8s 1.18.
This change disables http2 in kube-apiserver and webhook-apiserver. This
should be sufficient to avoid the majority of the issues, as disabling
on one side of the connection is enough, and apiserver is generally
either the client or the server.
0: https://github.com/kubernetes/kubernetes/issues/87615
1: https://github.com/kubernetes/kubernetes/issues/80313
2: https://github.com/kubernetes/client-go/issues/374
3: https://github.com/golang/go/issues/40423
4: https://github.com/golang/go/issues/40201
Change-Id: Id693a7201acffccbc4b3db8f4e4b96290fd50288
The /hyperkube prefix isn't required and causes problems when using
non-hyperkube images elsewhere.
Change-Id: Ie9281b07e3be0eedbe86be726f907f68461e23b2
This ps makes following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
- Updated all references to k8s images to 1.18.6
- Updated command options and api object and versions based on
k8s 1.18 release notes:
https://kubernetes.io/docs/setup/release/notes/
- Uplifted uwsgi to 2.0.19.1 to align with other airship
components, and to bring in fixes and improvements.
- Added build-essentials and python3-dev packages to pass the zull
gate, which was looking for a c compiler.
Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
This updates the promenade chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem
Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled default policies allow all ingress and
egress traffic (i.e. policy set to {}), this may be
changed in future patch-sets.
Change-Id: I3c6457f4abc9accf39cd9320208899200a43f828
This PS includes changes to support k8s 1.16, these
changes would work with existing kubernetes version
as well. A seperate change would be done to uplift
kubernetes to 1.16.
Hyperkube short aliases are removed in k8s 1.15
https://github.com/kubernetes/kubernetes/pull/76953
- Rename binaries of kubernetes components in promenade and
corresponding anchor helm charts
- Kubelet flag --allow-priveleged is deprecated in k8s 1.15 and
removed in 1.16. Remove the flag from kubelet template. This
fix will be backward compatible as long as psp are defined.
Change-Id: I751dd7c0281b0c00ac8f283c1df379e932fe4658
- support a similar dynamic config patter in the apiserver-webhook
chart as the base apiserver chart
- Update the example values.yaml in apiserver to fully reflect
configuration of the aggregation API
Change-Id: I85da2512934071fb9d9465ee4b957e18a8e394ad
a. Adding the same encryption configuration to webhook-apiserver
as is used for kubernetes-apiserver, so it can access secrets
stored in etcd by kubernetes-apiserver.
b. Adding an additional ingress annotation to allow for TLS
access to the Keystone backend.
c. Adding an apt-get clean to Dockerfile as this seems to be
needed to get image building working properly.
This patchset has passed the Promenade resiliency gate.
Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
This PS adds pod anti-affinity to apiserver-webhook pods,
so that the scheduler can constrain pods against labels on other pods
running on the node. The default soft rule is in place so that if the
scheduler can’t satisfy the requirement, the pod will still
be scheduled.
Change-Id: I8c118410b822d4fed44693b8a0308c8eff103978
This change updates the following components in the Promenade charts,
docs, and example bootstrap configuration:
Kubernetes 1.10.11 -> 1.11.6
CoreDNS 1.1.2 -> 1.1.3 (per k8s 1.11 recommendations)
Etcd 3.2.14 -> 3.2.18 (per k8s 1.11 recommendations)
Tiller 2.10.0 -> 2.12.1 (per Helm k8s support)
This change has been tested by the Promenade resiliency gate.
Change-Id: Ia70de212dd2d50c6638578b92c750a4d5c791229
- Updates to the webhook-enabled apiserver chart to properly
support certificate trust and allow for fragmented CAs for
better security.
Change-Id: I56dee9d1ca4e0807d89ce6b0f3ab3fb5d4ea8c67
This commit create an apisever pods with kubernetes keystone webhook
as a side for. The sole purpose of this pods is authentication and
authorization.
Change-Id: I74472576d7dc0da6ac66d7e0a8e1db5fad156952