From b232f04b4cefe950e855634f9c747101c5c707fa Mon Sep 17 00:00:00 2001 From: calvinhartwell Date: Mon, 21 May 2018 17:34:05 +0100 Subject: [PATCH 1/5] changed the default value for allow-privileged for the kubelet (kubernetes-worker) based on new standard for 1.10 release --- cluster/juju/layers/kubernetes-worker/config.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/cluster/juju/layers/kubernetes-worker/config.yaml b/cluster/juju/layers/kubernetes-worker/config.yaml index 7f51776c169..46a985d95a0 100644 --- a/cluster/juju/layers/kubernetes-worker/config.yaml +++ b/cluster/juju/layers/kubernetes-worker/config.yaml @@ -13,7 +13,7 @@ options: cluster. Declare node labels in key=value format, separated by spaces. allow-privileged: type: string - default: "auto" + default: true description: | Allow privileged containers to run on worker nodes. Supported values are "true", "false", and "auto". If "true", kubelet will run in privileged From 7322f7f13775b0e7bfd1f467101d1051c5978e8e Mon Sep 17 00:00:00 2001 From: calvinh Date: Fri, 1 Jun 2018 18:03:11 +0100 Subject: [PATCH 2/5] fixed branch and changed values to true --- cluster/juju/layers/kubernetes-master/config.yaml | 9 +++++++-- .../kubernetes-master/reactive/kubernetes_master.py | 12 +++++++++--- cluster/juju/layers/kubernetes-worker/config.yaml | 5 +++-- 3 files changed, 19 insertions(+), 7 deletions(-) diff --git a/cluster/juju/layers/kubernetes-master/config.yaml b/cluster/juju/layers/kubernetes-master/config.yaml index 7057614c1e9..92c1878f609 100644 --- a/cluster/juju/layers/kubernetes-master/config.yaml +++ b/cluster/juju/layers/kubernetes-master/config.yaml 
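Review bot: The new `default: true` is an unquoted YAML boolean under an option declared `type: string`, so it no longer matches the option's declared type the way the quoted `"auto"` did and is not one of the three string values the description lists; it should read `default: "true"`. The change also flips the security posture of every worker: privileged containers are permitted by default rather than only when GPU hardware is detected, while the kube-apiserver `allow-privileged` option on the master side keeps its `"auto"` default elsewhere in this series, and the subject cites a "new standard for 1.10" without a reference. The commit description should state what in 1.10 requires this, how the kubelet and apiserver settings interact when they disagree (presumably a privileged pod is still subject to the apiserver-side setting — confirm), and that operators wanting the previous behaviour set the option back to `"auto"`. The same point applies to the PATCH 2/5 hunk on this file, which requotes the value and adds a PSP sentence but does not document the posture change.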
@@ -23,14 +23,14 @@ options: description: CIDR to user for Kubernetes services. Cannot be changed after deployment. allow-privileged: type: string - default: "auto" + default: "true" description: | Allow kube-apiserver to run in privileged mode. Supported values are "true", "false", and "auto". If "true", kube-apiserver will run in privileged mode by default. If "false", kube-apiserver will never run in privileged mode. If "auto", kube-apiserver will not run in privileged mode by default, but will switch to privileged mode if gpu hardware is - detected on a worker node. + detected on a worker node. enable-nvidia-plugin: type: string default: "auto" @@ -82,6 +82,11 @@ options: description: | Comma separated authorization modes. Allowed values are "RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow". + cluster-context: + type: string + default: "" + description: | + When specified, the juju model name will be overridden in the kube config. require-manual-upgrade: type: boolean default: true diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index f866471f934..63e558a9243 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py 
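Review bot: The description of the new `cluster-context` option in the second hunk (`@@ -82,6 +82,11 @@`) undersells what the value does: in the accompanying `kubernetes_master.py` change it is prefixed with `cdk-` and used as the cluster, user and context names written into the admin kubeconfig, not merely in place of the model name. It should also say which characters are acceptable, since the value is handed on to the kubeconfig tooling, and what the empty default means (the Juju model name is used). A description along the lines of `Optional name used, prefixed with "cdk-", for the cluster, user and context entries of the generated admin kubeconfig; when empty the Juju model name is used.` would cover that. In the first hunk the `detected on a worker node.` line is removed and re-added with no visible difference after collapsing, which looks like a whitespace-only change that does not belong in a commit described as "changed values to true".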
@@ -1000,10 +1000,16 @@ def build_kubeconfig(server): if ca_exists and client_pass: # Create an absolute path for the kubeconfig file. kubeconfig_path = os.path.join(os.sep, 'home', 'ubuntu', 'config') + # set context_name based on combination of modelname and userinput + context_name = hookenv.config('cluster-context') + if not context_name: + context_name = 'cdk-'+os.environ['JUJU_MODEL_NAME'] + else: + context_name = 'cdk-'+context_name # Create the kubeconfig on this system so users can access the cluster. - - create_kubeconfig(kubeconfig_path, server, ca, - user='admin', password=client_pass) + create_kubeconfig(kubeconfig_path, server, ca, user=context_name+'-admin', + context=context_name+'-context', + cluster=context_name,password=client_pass) # Make the config file readable by the ubuntu users so juju scp works. cmd = ['chown', 'ubuntu:ubuntu', kubeconfig_path] check_call(cmd) diff --git a/cluster/juju/layers/kubernetes-worker/config.yaml b/cluster/juju/layers/kubernetes-worker/config.yaml index 46a985d95a0..b335495966b 100644 --- a/cluster/juju/layers/kubernetes-worker/config.yaml +++ b/cluster/juju/layers/kubernetes-worker/config.yaml @@ -13,13 +13,14 @@ options: cluster. Declare node labels in key=value format, separated by spaces. allow-privileged: type: string - default: true + default: "true" description: | Allow privileged containers to run on worker nodes. Supported values are "true", "false", and "auto". If "true", kubelet will run in privileged mode by default. If "false", kubelet will never run in privileged mode. If "auto", kubelet will not run in privileged mode by default, but will - switch to privileged mode if gpu hardware is detected. + switch to privileged mode if gpu hardware is detected. Pod security + policies (PSP) should be used to restrict container privileges. channel: type: string default: "1.10/stable" From 28b5587594e02f9677fdbde4d872b4da42fa3457 Mon Sep 17 00:00:00 2001 
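Review bot: `context_name = 'cdk-'+os.environ['JUJU_MODEL_NAME']` raises `KeyError` if that variable is absent from the hook environment, and the operator-supplied `cluster-context` value flows unvalidated into the user, cluster and context names of the kubeconfig. If `create_kubeconfig` (outside this hunk) also uses `user` as the basic-auth `--username`, renaming the user from `admin` to `<context>-admin` changes the credential presented to the apiserver, which would then have to match the server-side basic-auth entry — confirm before merging, and keep `user='admin'` unless the credential is changed in step. Prefer `os.environ.get(...)` with an explicit failure, restrict the name to a conservative character set, and compute the `cdk-` prefix once; as a style point `cluster=context_name,password=client_pass)` is missing the space after the comma. `build_kubeconfig` continues outside the hunk.
```python
    # … unchanged: kubeconfig_path …
    # Derive the kubeconfig names from the operator-supplied cluster-context or,
    # when it is empty, from the Juju model name; both are external input.
    raw_name = hookenv.config('cluster-context') or os.environ.get('JUJU_MODEL_NAME')
    if not raw_name or not all(c.isalnum() or c in '-_.' for c in raw_name):
        raise ValueError('cluster-context/JUJU_MODEL_NAME must be a non-empty name '
                         'made of letters, digits, ".", "_" or "-"')
    context_name = 'cdk-' + raw_name
    # Create the kubeconfig on this system so users can access the cluster.
    create_kubeconfig(kubeconfig_path, server, ca, user='admin',
                      context=context_name + '-context',
                      cluster=context_name, password=client_pass)
    # … unchanged: chown of the kubeconfig …
```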
From: calvinh Date: Fri, 1 Jun 2018 18:58:55 +0100 Subject: [PATCH 3/5] fixed the bad branch merge issue --- cluster/juju/layers/kubernetes-master/config.yaml | 7 +------ .../reactive/kubernetes_master.py | 14 ++++---------- 2 files changed, 5 insertions(+), 16 deletions(-) diff --git a/cluster/juju/layers/kubernetes-master/config.yaml b/cluster/juju/layers/kubernetes-master/config.yaml index 92c1878f609..e60de9e63cc 100644 --- a/cluster/juju/layers/kubernetes-master/config.yaml +++ b/cluster/juju/layers/kubernetes-master/config.yaml @@ -23,7 +23,7 @@ options: description: CIDR to user for Kubernetes services. Cannot be changed after deployment. allow-privileged: type: string - default: "true" + default: "auto" description: | Allow kube-apiserver to run in privileged mode. Supported values are "true", "false", and "auto". If "true", kube-apiserver will run in @@ -82,11 +82,6 @@ options: description: | Comma separated authorization modes. Allowed values are "RBAC", "Node", "Webhook", "ABAC", "AlwaysDeny" and "AlwaysAllow". - cluster-context: - type: string - default: "" - description: | - When specified, the juju model name will be overridden in the kube config. require-manual-upgrade: type: boolean default: true diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py index 63e558a9243..7874a01c7d4 100644 --- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py +++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py 
@@ -1000,16 +1000,10 @@ def build_kubeconfig(server):
 if ca_exists and client_pass:
 # Create an absolute path for the kubeconfig file.
 kubeconfig_path = os.path.join(os.sep, 'home', 'ubuntu', 'config')
- # set context_name based on combination of modelname and userinput
- context_name = hookenv.config('cluster-context')
- if not context_name:
- context_name = 'cdk-'+os.environ['JUJU_MODEL_NAME']
- else:
- context_name = 'cdk-'+context_name
 # Create the kubeconfig on this system so users can access the cluster.
- create_kubeconfig(kubeconfig_path, server, ca, user=context_name+'-admin',
- context=context_name+'-context',
- cluster=context_name,password=client_pass)
+
+ create_kubeconfig(kubeconfig_path, server, ca,
+ user='admin', password=client_pass)
 # Make the config file readable by the ubuntu users so juju scp works.
 cmd = ['chown', 'ubuntu:ubuntu', kubeconfig_path]
 check_call(cmd)
@@ -1597,4 +1591,4 @@ def _write_gcp_snap_config(component):
 if gcp_creds_env_key not in daemon_env:
 daemon_env += '{}={}\n'.format(gcp_creds_env_key, creds_path)
 daemon_env_path.parent.mkdir(parents=True, exist_ok=True)
- daemon_env_path.write_text(daemon_env)
+ daemon_env_path.write_text(daemon_env)
\ No newline at end of file
From 9817a552e83878b165c2e9d43fc869bf9280d647 Mon Sep 17 00:00:00 2001
From: calvinh
Date: Fri, 1 Jun 2018 19:29:48 +0100
Subject: [PATCH 4/5] fixed newline issue
---
 .../layers/kubernetes-master/reactive/kubernetes_master.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
index 7874a01c7d4..82f8b195fe5 100644
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@@ -1591,4 +1591,5 @@ def _write_gcp_snap_config(component):
 if gcp_creds_env_key not in daemon_env:
 daemon_env += '{}={}\n'.format(gcp_creds_env_key, creds_path)
 daemon_env_path.parent.mkdir(parents=True, exist_ok=True)
- daemon_env_path.write_text(daemon_env)
\ No newline at end of file
+ daemon_env_path.write_text(daemon_env)
+
\ No newline at end of file
From 41cb9ed02c98e905d7ec7cb4ba1aa14334cf43ea Mon Sep 17 00:00:00 2001
From: calvinh
Date: Fri, 1 Jun 2018 19:30:47 +0100
Subject: [PATCH 5/5] fixed newline issue
---
 .../juju/layers/kubernetes-master/reactive/kubernetes_master.py | 1 -
 1 file changed, 1 deletion(-)
diff --git a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
index 82f8b195fe5..f866471f934 100644
--- a/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
+++ b/cluster/juju/layers/kubernetes-master/reactive/kubernetes_master.py
@@ -1592,4 +1592,3 @@ def _write_gcp_snap_config(component):
 daemon_env += '{}={}\n'.format(gcp_creds_env_key, creds_path)
 daemon_env_path.parent.mkdir(parents=True, exist_ok=True)
 daemon_env_path.write_text(daemon_env)
-
\ No newline at end of file