From 630fb9657a36967ed6ff241689a3c66a492dd497 Mon Sep 17 00:00:00 2001
From: Daniel Nardo
Date: Thu, 22 Jun 2017 13:50:01 -0700
Subject: [PATCH] Remove limits from ip-masq-agent for now.

ip-masq-agent when issuing an iptables-save will read any configured iptables on the node. This means that the ip-masq-agent's memory requirements would grow with the number of iptables (i.e. services) on the node. Disable ip-masq-agent in GCE
---
 cluster/addons/ip-masq-agent/ip-masq-agent.yaml | 3 ---
 cluster/gce/config-default.sh | 7 -------
 cluster/gce/config-test.sh | 7 -------
 3 files changed, 17 deletions(-)
diff --git a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
index 4293d185da6..02152357fb4 100644
--- a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
+++ b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
@@ -19,9 +19,6 @@ spec:
 - name: ip-masq-agent
 image: gcr.io/google-containers/ip-masq-agent-amd64:v2.0.2
 resources:
- limits:
- cpu: 100m
- memory: 16Mi
 requests:
 cpu: 10m
 memory: 16Mi
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index eec40792478..c17d5346f6d 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -125,10 +125,6 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}"
 # TODO(piosz): remove this in 1.8
 NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
-# To avoid running the DaemonSet on older version make sure the ip-masq-agent
-# only runs when the readiness label is set.
-NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/masq-agent-ds-ready=true"
-
 # To avoid running Calico on a node that is not configured appropriately,
 # label each Node so that the DaemonSet can run the Pods only on ready Nodes.
 if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
@@ -246,9 +242,6 @@ OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
 # Network Policy plugin specific settings.
 NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
-# Should the kubelet configure egress masquerade (old way) or let a daemonset do it?
-NON_MASQUERADE_CIDR="0.0.0.0/0"
-
 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
 # Optional: if set to true, kube-up will configure the cluster to run e2e tests.
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 8da62d03139..f76981ebb1e 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -168,10 +168,6 @@ KUBEPROXY_TEST_ARGS="${KUBEPROXY_TEST_ARGS:-} ${TEST_CLUSTER_API_CONTENT_TYPE}"
 # TODO(piosz): remove this in 1.8
 NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
-# To avoid running the DaemonSet on older version make sure the ip-masq-agent
-# only runs when the readiness label is set.
-NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/masq-agent-ds-ready=true"
-
 # To avoid running Calico on a node that is not configured appropriately,
 # label each Node so that the DaemonSet can run the Pods only on ready Nodes.
 if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
@@ -286,9 +282,6 @@ OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
 # Network Policy plugin specific settings.
 NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
-# Should the kubelet configure egress masquerade (old way) or let a daemonset do it?
-NON_MASQUERADE_CIDR="0.0.0.0/0"
-
 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none