* Give kube-proxy a blanket toleration
* Replace scheduler.alpha.kubernetes.io/critical-pod annotation with
priorityClassName: system-node-critical
Change-Id: I810333913c09531eefa1ded014fe090d4cca7f7d
Flags in kube-proxy other than --config, --write-config-to,
and --cleanup are deprecated.
Added configmap to remove deprecated warning
Change-Id: I325e3a459b1079c6d1902bf06a43e00021231716
The existing liveness and readiness probes for kube-proxy are in need of
adjustment. The current implementation is exec-based, which can be a
resource concern, and is tied heavily to iptables, so is incompatible
with ipvs.
This change removes the exec-based liveness and readiness probes from
the kube-proxy daemonset, and replaces them with HTTP probes of the
healthz endpoint, following the direction that kubernetes seems to be
taking.[0][1]
The values.yaml interface to enable and disable the probes and set various
parameters is also modified to use the helm-toolkit standard snippet.[2]
Notably, the settings previously configurable under livenessProbe.config
are now under pod.probes.proxy.proxy.liveness.params.
0: https://github.com/kubernetes/kubernetes/issues/81630
1: https://github.com/kubernetes/kubernetes/pull/75323
2: https://opendev.org/openstack/openstack-helm-infra/src/branch/master/helm-toolkit/templates/snippets/_kubernetes_probes.tpl
Change-Id: I99ccbc2270a1f8a204417aa410868d04788dc60f
This updates the proxy chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem flag to false
Change-Id: I4e6d2836aa9d548118937b6b176e06fbc4a8c7ee
During bootstrap process kubernetes node is not ready due to missed CNI.
It will be installed later but for a few daemonsets it's critical.
They can't start pods and looping in a while.
Workaround is here: add tolerations.
Change-Id: Ib3c361949ea4e452d599aa7a3a2b7827541b7bac
Daemonset update strategy defaults to OnDelete in v1beta1, whereas
it defaults to RollingUpdate in v1, which seems prefereable.
This also adds helm-toolkit based labels at the controller level
to match standard usage such as for example by armada as wait labels.
This change has been tested using the promenade resiliency gate.
Change-Id: I9fd1bc4caedc0a6717b779e5333640ca8dc78b7e
This avoids leaving zombies in cases where the processes don't reap
children.
Also fixes a certificate issue with the resiliency gate.
Change-Id: I8a795557b0d60338c40b360c947b81a20fd48877
This PS adds the ability to attach a release uuid to pods and rc
objects as desired. This can be used, for example, to force an
artificial manifest change in CICD scenarios, for upgradability
testing purposes.
Change-Id: I8d0ffac306258f940c63799e86e7e26b5c2c5add
This brings the proxy chart into alignment with the upstream Daemonset
yaml.
* Add missing mounts
* Set NODE_NAME explicitly
Change-Id: I0fb0406a02735b4714df3c8082b313d200cd7721
In K8S version 1.10, the proxy can sometimes get stuck believing that
some services do not have any endpoints. This seems to be triggered by
network instability, though the proxy doesn't seem to recover on its
own, while bouncing the pod fixes the issue.
This change adds a naive means of detecting and recoverying from this
(`iptables-save | grep 'has no endpoints'` in the liveness probe) that
may occasionally have false positives. As such, the liveness probe is
configured very conservatively to avoid triggering CrashLoopBackoff in
the event of a false positive.
Finally, there is a whitelist feature to help avoid false positives for
services that are known to legitimately have empty endpoints during the
course of normal operation (e.g. Patroni might manage such an endpoint
list).
Change-Id: I29a770fab70b1fb79db59ef5408f40b2af1c01f9
This change includes several interconnected features:
* Migration to Deckhand-based configuration. This is integrated here,
because new configuration data were needed, so it would have been
wasted effort to either implement it in the old format or to update
the old configuration data to Dechkand format.
* Failing faster with stronger validation. Migration to Deckhand
configuration was a good opportunity to add schema validation, which
is a requirement in the near term anyway. Additionally, rendering
all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
different commands. Combined with Deckhand substitution, this creates
a much clearer distinction between Promenade configuration and
deployable secrets.
* Migration of components to charts. This is a key step that will
enable support for dynamic node management. Additionally, this paves
the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive. Many of the templates
require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.
Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c