Commit Graph

61 Commits

Author SHA1 Message Date
SPEARS, DUSTIN (ds443n) 7f15516372 Update k8s to v1.29.2
Change-Id: I8d8d38e62fd13884afb0d0c4d027d81879cbe313
2024-03-07 16:41:50 -05:00
SPEARS, DUSTIN (ds443n) 89d9d907b7 Upgrade kubernetes to v1.29.0
Change-Id: I2d62dac82d6b9d738c3aa71e541e89eddeb5ae87
2024-01-08 13:39:28 -05:00
SPEARS, DUSTIN (ds443n) 903b1363db Update k8s to v1.28.4
Change-Id: I300aa19f78206712b08d246cabbe5043b8abf509
2023-11-30 13:42:20 -05:00
Sergiy Markin 69a74590e7 Airflow stable 2.6.2
This PS updates python modules and code to match Airflow 2.6.2:

- bionic py36 gates  were removed
- python code corrected to match new modules versions
- selection of python modules versions was perfoemed based on
  airflow-2.6.2 constraints

Change-Id: I9c3e139b3437414a61af7e7c0b7d7e533fadefda
2023-08-29 21:12:11 +00:00
SPEARS, DUSTIN (ds443n) f806f8983a Update k8s to 1.27.4
Change-Id: I782762508f5fa8206751d7b9f719bcea448efe09
2023-07-31 13:55:03 -04:00
SPEARS, DUSTIN (ds443n) 3c68fb2281 Update k8s to 1.27.2
Bump k8s from 1.27.1 to 1.27.2

Change-Id: If171853f06d970a8bcfaa83098e407de9b4bc041
2023-06-02 15:28:33 -04:00
SPEARS, DUSTIN (ds443n) 1717ed84e5 k8s upgrade to 1.27.1
upgrades kubernetes client to v1.27.1
upgrade etcd to v3.5.6

Change-Id: Iaf287353425aa6263a81617890a2ca3c2f2e4281
2023-05-17 10:32:04 -04:00
SPEARS, DUSTIN (ds443n) 70dd0c8599 Remove deprecated controller-manager flag
Additionally update all images from k8s.gcr.io to registry.k8s.io

Change-Id: I0240ee0bf5d23d035126a81318f57b240f5af402
2023-04-18 15:02:30 -04:00
SPEARS, DUSTIN (ds443n) 27a8b0d798 k8s upgrade to 1.26.0
upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check

Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
2023-03-20 13:16:48 -04:00
Ruslan Aliev c10165c144 K8S upgrade 1.24
Signed-off-by: Ruslan Aliev <raliev@mirantis.com>
Change-Id: Iaa0c5f57ac621f2b91f525da423db0acd9d8ea99
2022-09-14 19:34:02 -05:00
Ruslan Aliev e207bbe966 k8s upgrade to v1.23.7
Address changes and deprecations in Kubernetes v1.21=>v1.23

controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257

kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim

https: //github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https: //kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https: //github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
2022-06-29 00:21:45 -05:00
Phil Sphicas 0f9818eccc Use bitnami kubectl
Update the anchor pods to use a regularly patched and updated kubectl
image that contains the necessary components (bash, jq, curl, etc.) in
addition to kubectl: https://hub.docker.com/r/bitnami/kubectl

Change-Id: Ia3e75dc334c3c1a88abfec10fb0367447e79a538
2022-04-25 14:28:59 -07:00
francisy 3cac5cbde0 Promenade Enhancement
Update charts in Promenade to Kubernetes version 1.21

Change-Id: Iab6d10b384a8be3a4b4d2357a51b35ab93a797b0
2022-01-10 14:04:15 -05:00
ubuntu 183b977754 Fix deprecated warning in Promenade apiserver chart
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
   Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
   and will be removed in v1.24.

Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
2021-06-29 16:14:17 +00:00
Phil Sphicas ae6782b452 Kubernetes: Uplift to v1.20.5
Uplift Kubernetes images and binaries from v1.19.7 to v1.20.5. No config
changes.

Change-Id: If2a8c9169c831a001205e8aa947df7fc00a1e658
2021-05-03 17:21:30 +00:00
Phil Sphicas 9533be32a1 Add required apiserver serviceaccount flags
In v1.20, TokenRequest and TokenRequestProjection become GA features,
and the following flags are required by the API server:
* --service-account-issuer
* --service-account-key-file
* --service-account-signing-key-file

This change ensures that the flags are set, and that the required keys
are in the right places.

Change-Id: I6606c5b1c9ff005d1943b424e3e7ad4d20b68408
2021-04-30 22:45:43 +00:00
Phil Sphicas c6b62ff414 apiserver(-webhook): Allow volume overrides
The existing apiserver chart supports volume overrides for the anchor
daemonset, but not for the apiserver static pod itself. The feature to
allow volume overrides in the apiserver-webhook chart was never fully
implemented.

This changes allows volume overrides via values.yaml for both charts,
and provides a more complete audit example that includes mounting the
audit log destination as a host path volume.

Change-Id: I27ccf77671a190e8cb6b66d8a9b13c2cde6c9a45
2021-04-21 21:52:29 +00:00
Phil Sphicas 5bb58863b6 Uplift Kubernetes to v1.19.7
Change-Id: I2ac28e2383cb9c4d84d09c23c02a087db714803e
2021-02-11 17:23:32 +00:00
Phil Sphicas 5323ca2710 Deploy with standalone kubernetes images
Replace all usages of the hyperkube image with standalone container
images for apiserver, controller, scheduler, and proxy.

Change-Id: I44392c7900a72edd35bc5afa1c50bec8e04f927f
2021-02-11 17:23:32 +00:00
Chris Wedgwood 630e504e3e Update to container image repo k8s.gcr.io
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.

Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
2021-01-11 17:42:31 +00:00
Phil Sphicas de9f8415d7 kube-apiserver: disable http2
There are several kubernetes bugs [0,1,2] involving connection problems
that seem related to the Go net/http2 library, where the stream state
and connection state can get out of sync. This can manifest as a kubelet
issue, where the node status gets stuck in a NotReady state, but can
also happen elsewhere.

In newer versions of the Go libraries some issues are fixed [3,4], but
the fixes are not present in k8s 1.18.

This change disables http2 in kube-apiserver and webhook-apiserver. This
should be sufficient to avoid the majority of the issues, as disabling
on one side of the connection is enough, and apiserver is generally
either the client or the server.

0: https://github.com/kubernetes/kubernetes/issues/87615
1: https://github.com/kubernetes/kubernetes/issues/80313
2: https://github.com/kubernetes/client-go/issues/374
3: https://github.com/golang/go/issues/40423
4: https://github.com/golang/go/issues/40201

Change-Id: Id693a7201acffccbc4b3db8f4e4b96290fd50288
2020-10-23 21:28:51 +00:00
Phil Sphicas fb36579e16 kube-apiserver: use HTTP probes instead of exec
The existing exec probes for apiserver rely on things that do not exist
in the official kubernetes release images (bash, socat).

This change modifies the apiserver to use HTTP probes of the recommended
liveness and readiness endpoints.[0]

Also sets `--anonymous-auth=true` (the default setting), as kubelet is
unable to provide a client certificate when performing the health check.
RBAC rules apply, but unauthenticated users will be able to access the
following endpoints:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: system:public-info-viewer
    rules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      - /version
      - /version/
      verbs:
      - get

0: https://v1-18.docs.kubernetes.io/docs/reference/using-api/health-checks/

Change-Id: I06d739c844fe85ec6cbf47d3bb69a39cd008ddd8
2020-09-28 03:27:58 +00:00
Phil Sphicas be7b82e1a1 kube-apiserver: Allow probe customization
Uses the standard helm-toolkit macros for liveness and readiness probes,
allowing them to be enabled or disabled, and params to be overridden.

Change-Id: Ie9aef97f56f2205ada24f17e7cafabc5943ae097
2020-09-28 03:25:50 +00:00
Chris Wedgwood 8c52be3dde Remove /hyperkube prefix
The /hyperkube prefix isn't required and causes problems when using
non-hyperkube images elsewhere.

Change-Id: Ie9281b07e3be0eedbe86be726f907f68461e23b2
2020-09-26 07:53:46 +00:00
Mahmoudi, Ahmad (am495p) c302a083a6 Upgrade k8s from v1.17.3 to v1.18.6
This ps makes following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
  - Updated all references to k8s images to 1.18.6
  - Updated command options and api object and versions based on
    k8s 1.18 release notes:
      https://kubernetes.io/docs/setup/release/notes/
  - Uplifted uwsgi to 2.0.19.1 to align with other airship
    components, and to bring in fixes and improvements.
  - Added build-essentials and python3-dev packages to pass the zull
    gate, which was looking for a c compiler.

Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
2020-08-19 15:56:45 +00:00
KHIYANI, RAHUL (rk0850) 880c6503c8 Add security context template for promenade charts
This changes adds security context template at pod level to
set run as user value

This also adds security context template at container level to
set readOnly-fs flag

Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
2020-07-22 05:24:50 +00:00
KHIYANI, RAHUL (rk0850) dfebe8f55f Add apparmor profile to promenade tpl files
Change-Id: I00d5c74e079f72f9837f8502dfa6ca805e2e0e04
2020-07-20 15:23:08 -05:00
KHIYANI, RAHUL (rk0850) fbaa07a66c Implement helm-toolkit snippet to apiserver and webhook pods/containers
This updates the promenade chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem

Change-Id: I0be613a2617fcc83a8750ece7aae121fae0be839
2020-07-02 14:52:19 +00:00
KHIYANI, RAHUL (rk0850) b51eb9802d Add apparmor profile to apiserver and etcd jobs
Change-Id: I8bed3213868b45a438e5ae5929bca8bef699a503
2020-05-28 13:04:12 -05:00
Smruti Soumitra Khuntia da7c79f6b9 Upgrade Hyperkube version from 1.16.2 to 1.17.3
Changes to use to Hyperkube v1.17.3 instead  of
v1.16.2

Change-Id: I442694afad7f718dcd4db7fa7bb2c60beec8bdaa
2020-05-22 15:23:37 +00:00
KHIYANI, RAHUL (rk0850) 89e2f84357 Add Docker default AppArmor profile to apiserver
Change-Id: I2d00b08ad23df693134c61b02d01df26ec751437
2020-02-05 15:17:16 +00:00
Samuel Pilla b77c6fe637 Upgrade Hyperkube version for k8s 1.16
Upgrade Hyperkube to v1.16.2

Change-Id: I3f17ac007e3704c1f4ae2f79e0c41704074c2010
2019-12-06 18:20:13 +00:00
KHIYANI, RAHUL (rk0850) 154e0b5464 Apiserver: Add pod/container security context
This updates the apiserver chart to include the pod
security context on the pod template.

This also adds the container security context to set
readOnlyRootFilesystem flag to false

Change-Id: I76d80c4cbf40d1e3e518a3d2969c86f4d5c8c3f4
2019-11-04 22:11:35 +00:00
Kumar, Nishant (nk613n) b49805ae82 Chart changes to support k8s v1.16
This PS includes changes to support k8s 1.16, these
changes would work with existing kubernetes version
as well. A seperate change would be done to uplift
kubernetes to 1.16.

Hyperkube short aliases are removed in k8s 1.15
https://github.com/kubernetes/kubernetes/pull/76953

- Rename binaries of kubernetes components in promenade and
corresponding anchor helm charts
- Kubelet flag --allow-priveleged is deprecated in k8s 1.15 and
removed in 1.16. Remove the flag from kubelet template. This
fix will be backward compatible as long as psp are defined.

Change-Id: I751dd7c0281b0c00ac8f283c1df379e932fe4658
2019-10-25 13:59:22 +00:00
Scott Hussey ecfd773506 (charts) Webhook dynamic config
- support a similar dynamic config patter in the apiserver-webhook
  chart as the base apiserver chart

- Update the example values.yaml in apiserver to fully reflect
  configuration of the aggregation API

Change-Id: I85da2512934071fb9d9465ee4b957e18a8e394ad
2019-08-17 13:12:37 -05:00
Luna Das 7f63537f8a Add facility to configure log levels in kubernetes-components
Change-Id: Ib7c481b71818c6673cd0b9c47d282d4a3f42d307
2019-08-14 13:33:21 +05:30
Zuul 0c672551c4 Merge "Make static manifest cleanup configurable" 2019-06-12 17:18:49 +00:00
Matt McEuen 46b6437e72 Make static manifest cleanup configurable
By design, the anchor pods clean up after their static pods
(and associated secrets/configs) via a hook when they the anchor
pods are stopped, to make sure that cruft is not left lying around
(or running) when an anchor pod is no longer scheduled to a host.

However, it's been observed that on a host under high load, e.g.
if one or two other control plane hosts are down, then the anchor
pods may be stopped in an unplanned manner.  This results in
service unavailability for the anchored static manifest pods.

This change makes that cleanup behavior configurable (following the
pattern already implemented in the haproxy chart) but leaves it on by
by default.

Change-Id: Iab14510ef8ea5b9e400e0f744231811117029887
2019-06-12 11:16:38 -05:00
Scott Hussey 4bc788e8b7 Allow non-YAML config file content
- Detect if the content of a auxiliary config file is a string
  to be directly written to a file or something that should be
  serialized as YAML.

Change-Id: I51a25e0911b81b88e58c90576063f39562ef4fee
2019-05-03 15:52:07 -05:00
Scott Hussey ad30aa7382 (apiserver) support key rotation
- Support key rotation for the etcd encryption key in the
  apiserver chart
- Remove configmap annotations from the apiserver anchor pods
  as the pod is built to pickup changes in configmap contents
  without restart.
- Also update the apiserver anchor DaemonSet to apps/v1 and
  make required updates to support that update.

Change-Id: I2d18996bbe04bada9da2bce01a502550d3681c97
2019-04-29 09:31:24 -05:00
Zuul 12b1e84791 Merge "UCP: Enable Audit Logging feature gate in K8s" 2019-03-19 15:15:21 +00:00
Zuul 56f163895b Merge "Update to Kubernetes 1.11.6" 2019-02-28 16:24:55 +00:00
dt241s 1c8c09dc46 UCP: Enable Audit Logging feature gate in K8s
Ensure that API Server can capture Metadata log level details.

Change-Id: I49c7576acdc211d1d8762d5ef31ca2f9ac9ac6e5
2019-02-21 05:45:59 -06:00
Matt McEuen e4cab73d0f Update to Kubernetes 1.11.6
This change updates the following components in the Promenade charts,
docs, and example bootstrap configuration:
  Kubernetes 1.10.11 -> 1.11.6
  CoreDNS 1.1.2 -> 1.1.3 (per k8s 1.11 recommendations)
  Etcd 3.2.14 -> 3.2.18 (per k8s 1.11 recommendations)
  Tiller 2.10.0 -> 2.12.1 (per Helm k8s support)

This change has been tested by the Promenade resiliency gate.

Change-Id: Ia70de212dd2d50c6638578b92c750a4d5c791229
2019-02-05 17:29:59 -06:00
Jared Miller 8fe4333eda Allow tls versions and ciphers to be configured
Add the ability to set tls version and cipher suites

Change-Id: Ifb3d1ed315c0ed8d679e5ab71cf2484dc8329dbd
Vulnerability: https://sweet32.info/
2019-02-04 16:34:31 -05:00
Mark Burnett 04da7585ff Refactor API server
This change accomplishes 2 primary things:
1. It generalizes work to enable the EventRateLimit admission plugin.
2. It restructures the anchor so that during an upgrade an "old" anchor
   does not try to coordinate the injection of "new" data from
   configmaps/secrets.

It also includes these ancillary changes:
* Clean up apiserver argument specification in the chart.
* De-duplicate and realign apiserver arguments in bootstrapping templates.

It has the side effects of:
* Adding a new field, ".apiserver.arguments" to the Genesis config,
  which will be the preferred way to configure bootstrapping apiservers
  going forward (in lieu of command_prefix).

Change-Id: I33cfe80ee8e29cd79e479a7985e3c098a2288fda
2019-01-10 16:31:50 -06:00
Mark Burnett cdd1a6bd28 Update Kubernetes to 1.10.11
Change-Id: If1479f7a5d0a8ea459eed39172a0bc1f89935e36
2018-12-18 11:32:28 -06:00
zhouxinyong 956e2fb862 omit the twice occured words in values.yaml
Change-Id: I0690c79b42be2e06a07f8487774b4a9004ea346d
2018-11-13 10:07:31 +08:00
Matt McEuen 178193be84 Add EventRateLimit admission controller
Add the EventRateLimit admission controller, to allow operators to
define rate limits for the k8s API server at the server, namespace,
or user account level.

This also
* cleans up some of the parameters passed into the API server
* replaces the deprecated --admission-control parameter
* applies --repair-malformed-updates consistently, incl examples
* removes unused batch/v2alpha1 runtime config
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
* removes duplicate --service-cluster-ip-range setting

This PS adds EventRateLimits to the bootstrap and anchor API
servers; future work will need to add it to the Keystone
Webhook API server.

Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
2018-10-27 15:35:43 -05:00
Mark Burnett 1399731096 Use separate CA for kubelet authorization
This increases isolation of actions against the node API.  With the
previous combined CA approach, each node would have a valid key to talk
to each other node.  With this separated approach, only the API servers
will have keys with access to the node APIs.

Change-Id: I2705016eb963ca9d2cc2a344047677f4b2cc3025
2018-08-28 09:38:34 -05:00