Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
and will be removed in v1.24.
Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
Add a hash of the dynamic-config configmap to the annotations of the apiserver-webhook pod metadata, so that a chart upgrade will trigger a pod restart if the configmap contents change
Change-Id: I9c01b71b128e2bc6a5a07e5aa7ba826a4ffa237e
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file
This change ensures that the flags are set, and that the required keys
are in the right places.
Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
Defines a "labels" variable and adds it to the deployment itself. In
addition, reuses said labels variable to replace other parts of the
deployment in which this was repeated. This will clean up the chart
a bit and enable Armada itself to properly wait for certain percentages
of the deployment replicas to be ready prior to proceeding. Prior to
this change, there wasn't a way to select the apiserver-webhook
deployment via labels.
Change-Id: If1ddb4feb8cde414e76a412431222f8f608f3b18
The kube-apiserver command line is constructed from a command_prefix
array, and in the case of the apiserver chart, an arguments array, both
defined in values.yaml. If an option needs to be added to the command
line, the entire array needs to be redefined in a values.yaml override,
which is sometimes inconvenient.
There is an existing interface in the apiserver and apiserver-webhook
charts to allow kube-apiserver arguments to be appended, but only when
they are associated with a config file that is dynamically included in a
configmap. The typical usage is similar to:
conf:
ignored_key_name:
file: filename.yaml
content: ...
command_options:
- --some-file=/etc/kubernetes/apiserver/filename.yaml
This change removes the requirement to include a file in the configmap,
allowing arbitrary command options to be appended. For example, in the
apiserver chart, this is now possible:
conf:
ignored_key_name:
command_options:
- --service-account-issuer=apiserver
Change-Id: I86283ecedd701c0f061da7b706d6ed54498f27a3
The existing apiserver chart supports volume overrides for the anchor
daemonset, but not for the apiserver static pod itself. The feature to
allow volume overrides in the apiserver-webhook chart was never fully
implemented.
This changes allows volume overrides via values.yaml for both charts,
and provides a more complete audit example that includes mounting the
audit log destination as a host path volume.
Change-Id: I27ccf77671a190e8cb6b66d8a9b13c2cde6c9a45
There are several kubernetes bugs [0,1,2] involving connection problems
that seem related to the Go net/http2 library, where the stream state
and connection state can get out of sync. This can manifest as a kubelet
issue, where the node status gets stuck in a NotReady state, but can
also happen elsewhere.
In newer versions of the Go libraries some issues are fixed [3,4], but
the fixes are not present in k8s 1.18.
This change disables http2 in kube-apiserver and webhook-apiserver. This
should be sufficient to avoid the majority of the issues, as disabling
on one side of the connection is enough, and apiserver is generally
either the client or the server.
0: https://github.com/kubernetes/kubernetes/issues/87615
1: https://github.com/kubernetes/kubernetes/issues/80313
2: https://github.com/kubernetes/client-go/issues/374
3: https://github.com/golang/go/issues/40423
4: https://github.com/golang/go/issues/40201
Change-Id: Id693a7201acffccbc4b3db8f4e4b96290fd50288
This updates the promenade chart to include the pod
security context on the pod template.
This also adds the container security context to set
readOnlyRootFilesystem
Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
The patch introduces network policy configuration similar
to openstack-helm services. It allows users to configure
policies depending on the environment.
* Network policies are disabled by default.
* When enabled default policies allow all ingress and
egress traffic (i.e. policy set to {}), this may be
changed in future patch-sets.
Change-Id: I3c6457f4abc9accf39cd9320208899200a43f828
- support a similar dynamic config patter in the apiserver-webhook
chart as the base apiserver chart
- Update the example values.yaml in apiserver to fully reflect
configuration of the aggregation API
Change-Id: I85da2512934071fb9d9465ee4b957e18a8e394ad
a. Adding the same encryption configuration to webhook-apiserver
as is used for kubernetes-apiserver, so it can access secrets
stored in etcd by kubernetes-apiserver.
b. Adding an additional ingress annotation to allow for TLS
access to the Keystone backend.
c. Adding an apt-get clean to Dockerfile as this seems to be
needed to get image building working properly.
This patchset has passed the Promenade resiliency gate.
Change-Id: I7b15779b688458ec0faf2b23700d0c1bc2ede7e6
This PS adds pod anti-affinity to apiserver-webhook pods,
so that the scheduler can constrain pods against labels on other pods
running on the node. The default soft rule is in place so that if the
scheduler can’t satisfy the requirement, the pod will still
be scheduled.
Change-Id: I8c118410b822d4fed44693b8a0308c8eff103978
- Updates to the webhook-enabled apiserver chart to properly
support certificate trust and allow for fragmented CAs for
better security.
Change-Id: I56dee9d1ca4e0807d89ce6b0f3ab3fb5d4ea8c67
This commit create an apisever pods with kubernetes keystone webhook
as a side for. The sole purpose of this pods is authentication and
authorization.
Change-Id: I74472576d7dc0da6ac66d7e0a8e1db5fad156952