* Give kube-proxy a blanket toleration
* Replace scheduler.alpha.kubernetes.io/critical-pod annotation with
priorityClassName: system-node-critical
Change-Id: I810333913c09531eefa1ded014fe090d4cca7f7d
Removed PersistentVolumeLabel from apiserver to fix below warning.
Deprecated warning:
1. PersistentVolumeLabel admission controller is deprecated.
Please remove this controller from your configuration files and scripts.
2. insecure-port has been deprecated, This flag has no effect now
and will be removed in v1.24.
Change-Id: Iaccff8467b5ed967fa41e85b38c27f7345cd97bb
This change accomplishes 2 primary things:
1. It generalizes work to enable the EventRateLimit admission plugin.
2. It restructures the anchor so that during an upgrade an "old" anchor
does not try to coordinate the injection of "new" data from
configmaps/secrets.
It also includes these ancillary changes:
* Clean up apiserver argument specification in the chart.
* De-duplicate and realign apiserver arguments in bootstrapping templates.
It has the side effects of:
* Adding a new field, ".apiserver.arguments" to the Genesis config,
which will be the preferred way to configure bootstrapping apiservers
going forward (in lieu of command_prefix).
Change-Id: I33cfe80ee8e29cd79e479a7985e3c098a2288fda
Add the EventRateLimit admission controller, to allow operators to
define rate limits for the k8s API server at the server, namespace,
or user account level.
This also
* cleans up some of the parameters passed into the API server
* replaces the deprecated --admission-control parameter
* applies --repair-malformed-updates consistently, incl examples
* removes unused batch/v2alpha1 runtime config
* https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/
* removes duplicate --service-cluster-ip-range setting
This PS adds EventRateLimits to the bootstrap and anchor API
servers; future work will need to add it to the Keystone
Webhook API server.
Change-Id: I32a2d4add880e50f470e4cb0687e20d16e6e926d
This increases isolation of actions against the node API. With the
previous combined CA approach, each node would have a valid key to talk
to each other node. With this separated approach, only the API servers
will have keys with access to the node APIs.
Change-Id: I2705016eb963ca9d2cc2a344047677f4b2cc3025
- Turn off anonymous-auth.
- Reworked haproxy helm test and updated test images.
- Reworked kubernetes-apiserver readiness and liveness tests.
Change-Id: Ifb39ebed0f9f6e430e97247fceebbd7816f092c7
This avoids possible issues when the configuration of the bootstrapping
apiserver differs from the chart's configuration. Issues were
specifically seen when overriding the node port range, but this opens up
additional configuration also.
Change-Id: I2a3fc5847e850c8055c099bac50782debbbabbf4
This allows us to replace the apiserver process during genesis with the
chart-managed version that is likely to only listen on a secure port.
* Bundle armada + tiller + insecure apiserver into a static pod
* Report aramda logs via host filesystem
NOTE: This is using an additional apiserver sidecar rather than a
`kubectl proxy` sidecar with a serviceaccount, because it's running as a
static pod.
Change-Id: I39c638020c0ad36db8d3b10c4ecb959a6642ad0e
This change includes several interconnected features:
* Migration to Deckhand-based configuration. This is integrated here,
because new configuration data were needed, so it would have been
wasted effort to either implement it in the old format or to update
the old configuration data to Dechkand format.
* Failing faster with stronger validation. Migration to Deckhand
configuration was a good opportunity to add schema validation, which
is a requirement in the near term anyway. Additionally, rendering
all templates up front adds an additional layer of "fail-fast".
* Separation of certificate generation and configuration assembly into
different commands. Combined with Deckhand substitution, this creates
a much clearer distinction between Promenade configuration and
deployable secrets.
* Migration of components to charts. This is a key step that will
enable support for dynamic node management. Additionally, this paves
the way for significant configurability in component deployment.
* Version of kubelet is configurable & controlled via download url.
* Restructuring templates to be more intuitive. Many of the templates
require changes or deletion due to the migration to charts.
* Installation of pre-configured useful tools on hosts, including calicoctl.
* DNS is now provided by coredns, which is highly configurable.
Change-Id: I9f2d8da6346f4308be5083a54764ce6035a2e10c