This PS updates python modules and code to match Airflow 2.6.2:
- bionic py36 gates were removed
- python code corrected to match new modules versions
- selection of python modules versions was performed based on
airflow-2.6.2 constraints
Change-Id: I9c3e139b3437414a61af7e7c0b7d7e533fadefda
To avoid pods cycling too quickly by checking if manifest
was created by daemonset and the component on the same host
is ready
Change-Id: I7f9b35e222ef5934fca71f30fdf9941caa60ccd7
upgrades kubernetes client to v1.26.0
remove installation of containerd during genesis.sh to prevent containerd downgrade
update bitnami kubectl image to image with curl installed for readiness check
Change-Id: I3afd5a7e7211bae3f52263167a62a012da0619a0
Address changes and deprecations in Kubernetes v1.21=>v1.23
controller-manager:
* --authorization-kubeconfig and --authentication-kubeconfig must be set
* liveness/readiness probes must use HTTPS
* the default port has been changed to 10257
kubelet:
* --dynamic-config-dir has been deprecated, will not move to GA
* --cni-bin-dir has been deprecated, will be removed with dockershim
* --cni-conf-dir has been deprecated, will be removed with dockershim
* --network-plugin has been deprecated, will be removed with dockershim
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.23.md#deprecation
https://kubernetes.io/docs/tasks/administer-cluster/reconfigure-kubelet/
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/281-dynamic-kubelet-configuration
Change-Id: Ia996d7c14d81d1d8b8067f11c02ffb4ce90eb49a
Update the anchor pods to use a regularly patched and updated kubectl
image that contains the necessary components (bash, jq, curl, etc.) in
addition to kubectl: https://hub.docker.com/r/bitnami/kubectl
Change-Id: Ia3e75dc334c3c1a88abfec10fb0367447e79a538
Replace all usages of the hyperkube image with standalone container
images for apiserver, controller, scheduler, and proxy.
Change-Id: I44392c7900a72edd35bc5afa1c50bec8e04f927f
gcr.io/google_containers/ no longer contains some of the image
versions we require, use the new location.
Change-Id: I8f9a976a35ca632d785dd4d05f2a55713bde8c3e
The /hyperkube prefix isn't required and causes problems when using
non-hyperkube images elsewhere.
Change-Id: Ie9281b07e3be0eedbe86be726f907f68461e23b2
This ps makes the following changes to upgrade kubernetes from v1.17.3
to v1.18.6.
- Updated all references to k8s images to 1.18.6
- Updated command options and api object and versions based on
k8s 1.18 release notes:
https://kubernetes.io/docs/setup/release/notes/
- Uplifted uwsgi to 2.0.19.1 to align with other airship
components, and to bring in fixes and improvements.
- Added build-essentials and python3-dev packages to pass the zuul
gate, which was looking for a c compiler.
Change-Id: I1160d1e6e2f02a0524043641b9296ea39edb301e
This change adds security context template at pod level to
set run as user value
This also adds security context template at container level to
set readOnly-fs flag
Change-Id: Iba720e687218987cfefe7a9f08630fb11e8eac12
Also added AppArmor to promenade genesis gates in order to test apparmor changes
to promenade charts
Change-Id: Ib393306dabf40ef9817072aaa9824c22e60626dc
This PS includes changes to support k8s 1.16, these
changes would work with existing kubernetes version
as well. A separate change would be done to uplift
kubernetes to 1.16.
Hyperkube short aliases are removed in k8s 1.15
https://github.com/kubernetes/kubernetes/pull/76953
- Rename binaries of kubernetes components in promenade and
corresponding anchor helm charts
- Kubelet flag --allow-privileged is deprecated in k8s 1.15 and
removed in 1.16. Remove the flag from kubelet template. This
fix will be backward compatible as long as psp are defined.
Change-Id: I751dd7c0281b0c00ac8f283c1df379e932fe4658
This change puts in the correct key for Daemonset upgrades to
be controlled by the configuration done in `values.yaml`.
Change-Id: Ic04597cc46d9ce1aac14823191ccc245ac7f9810
By design, the anchor pods clean up after their static pods
(and associated secrets/configs) via a hook when the anchor
pods are stopped, to make sure that cruft is not left lying around
(or running) when an anchor pod is no longer scheduled to a host.
However, it's been observed that on a host under high load, e.g.
if one or two other control plane hosts are down, then the anchor
pods may be stopped in an unplanned manner. This results in
service unavailability for the anchored static manifest pods.
This change makes that cleanup behavior configurable (following the
pattern already implemented in the haproxy chart) but leaves it on by
default.
Change-Id: Iab14510ef8ea5b9e400e0f744231811117029887
This updates the controller_manager chart to include the pod
security context on the pod template
This also adds the container security context to set
readOnlyRootFilesystem to true
Change-Id: Icee324ef7ddbd230c7c99f4dc284e2866d9acf1a
This change updates the following components in the Promenade charts,
docs, and example bootstrap configuration:
Kubernetes 1.10.11 -> 1.11.6
CoreDNS 1.1.2 -> 1.1.3 (per k8s 1.11 recommendations)
Etcd 3.2.14 -> 3.2.18 (per k8s 1.11 recommendations)
Tiller 2.10.0 -> 2.12.1 (per Helm k8s support)
This change has been tested by the Promenade resiliency gate.
Change-Id: Ia70de212dd2d50c6638578b92c750a4d5c791229
* Enabled the NodeRestriction Admission Controller.
* Configured the default terminated-pod-gc-threshold in the
controller-manager.
* Disable repair-malformed-updates.
* Disable anonymous-auth in the Kubelet.
* Further restrict permissions for contents of /etc/kubernetes and
/var/lib/etcd.
Change-Id: I112652a5aa7bde054de253234f65755d90ab65ad
* Updates version references
* Increase memory of test VMs due to higher usage with bump
* Move etcd chart scripts from /tmp to /tmp/bin
* Remove certificate signing options for controller manager
* Remove -a from `kubectl get pods`, since that is deprecated in 1.10
* Shorten liveness/readiness probe times for CoreDNS
Change-Id: I16db0370f1c619e16002dd58e29025eb1538691f
This adds stability to etcd and enables cleaner waiting by tiller during
deployment of the Kubernetes apiserver and etcd.
* Adds second auxiliary etcd process.
* Enables "sequenced" for remaining ChartGroups.
* Removes unused disks from test VMs.
* Add readiness and liveness probes for kubernetes components
Change-Id: I6f83bb912f76b0ec35503723b417ba45d69e39c5
This PS bumps the version of K8s used to 1.8.6 which adds:
* prometheus metrics for the PodSecurityPolicy admission controller
* Numerous scheduler fixes
* fixes for overlay2 metrics
* fixes for podSecurityPolicy
Change-Id: Ib46ea1a68c9f34f83b04976f49230ae67f811e66
The current controller-manager image is no longer valid.
We will move away from the custom one and use the one in
gcr.io
Change-Id: I58ac72e125f054b7570c93b86e216689484d5040
This change includes several interconnected features:
* Migration to Deckhand-based configuration. This is integrated here,
because new configuration data were needed, so it would have been
wasted effort to either implement it in the old format or to update
the old configuration data to Deckhand format.
* Failing faster with stronger validation. Migration to Deckhand
configuration was a good opportunity to add schema validation, which
is a requirement in the near term anyway. Additionally, rendering
all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
different commands. Combined with Deckhand substitution, this creates
a much clearer distinction between Promenade configuration and
deployable secrets.
* Migration of components to charts. This is a key step that will
enable support for dynamic node management. Additionally, this paves
the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive. Many of the templates
require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.
Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c