mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
Separate network proxy flag for apiserver egress and starting pods
This commit is contained in:
parent
ededd08ba1
commit
7820b05467
@ -518,8 +518,16 @@ WINDOWS_NODE_TAINTS="${WINDOWS_NODE_TAINTS:-node.kubernetes.io/os=win1809:NoSche
|
||||
export GCE_PRIVATE_CLUSTER="${KUBE_GCE_PRIVATE_CLUSTER:-false}"
|
||||
export GCE_PRIVATE_CLUSTER_PORTS_PER_VM="${KUBE_GCE_PRIVATE_CLUSTER_PORTS_PER_VM:-}"
|
||||
|
||||
# Optional: Create apiserver konnectivity server and agent.
|
||||
export ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE="${KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}"
|
||||
# When KUBE_ENABLE_KONNECTIVITY_SERVICE is enabled, the two variables below will
|
||||
# will default to true to enable the konnectivity network proxy and start the required pods.
|
||||
# Their values can be overridden for more granular control of the proxy.
|
||||
|
||||
# Optional: Whether to use konnectivity network proxy for all egress from apiserver.
|
||||
export EGRESS_VIA_KONNECTIVITY_SERVICE="${KUBE_ENABLE_KONNECTIVITY_SERVICE:-false}"
|
||||
# Optional: Whether to start the konnectivity server and agent pods.
|
||||
export RUN_KONNECTIVITY_SERVICE_PODS="${KUBE_ENABLE_KONNECTIVITY_SERVICE:-false}"
|
||||
# Proxy Protocol Mode determines the protocol to use to communicate between apiserver and network proxy.
|
||||
# Valid options are grpc and http-connect. Default is grpc.
|
||||
export KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE="${KUBE_KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}"
|
||||
|
||||
# Optional: Enable Windows CSI-Proxy
|
||||
|
@ -922,7 +922,7 @@ contexts:
|
||||
name: webhook
|
||||
EOF
|
||||
fi
|
||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
if [[ "${EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
if [[ "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-grpc}" == 'grpc' ]]; then
|
||||
cat <<EOF >/etc/srv/kubernetes/egress_selector_configuration.yaml
|
||||
apiVersion: apiserver.k8s.io/v1beta1
|
||||
@ -2599,7 +2599,7 @@ EOF
|
||||
setup-node-termination-handler-manifest ''
|
||||
fi
|
||||
# Setting up the konnectivity-agent daemonset
|
||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
if [[ "${RUN_KONNECTIVITY_SERVICE_PODS:-false}" == "true" ]]; then
|
||||
setup-addon-manifests "addons" "konnectivity-agent"
|
||||
setup-konnectivity-agent-manifest
|
||||
fi
|
||||
@ -3028,7 +3028,7 @@ function main() {
|
||||
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
|
||||
KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
|
||||
fi
|
||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
if [[ "${EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
KONNECTIVITY_SERVER_TOKEN="$(secure_random 32)"
|
||||
fi
|
||||
if [[ "${ENABLE_MONITORING_TOKEN:-false}" == "true" ]]; then
|
||||
@ -3089,7 +3089,7 @@ function main() {
|
||||
fi
|
||||
source ${KUBE_BIN}/configure-kubeapiserver.sh
|
||||
start-kube-apiserver
|
||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
if [[ "${RUN_KONNECTIVITY_SERVICE_PODS:-false}" == "true" ]]; then
|
||||
start-konnectivity-server
|
||||
fi
|
||||
start-kube-controller-manager
|
||||
|
@ -341,7 +341,7 @@ function start-kube-apiserver {
|
||||
local csc_config_volume=""
|
||||
local default_konnectivity_socket_vol=""
|
||||
local default_konnectivity_socket_mnt=""
|
||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
if [[ "${EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
# Create the EgressSelectorConfiguration yaml file to control the Egress Selector.
|
||||
csc_config_mount="{\"name\": \"cscconfigmount\",\"mountPath\": \"/etc/srv/kubernetes/egress_selector_configuration.yaml\", \"readOnly\": false},"
|
||||
csc_config_volume="{\"name\": \"cscconfigmount\",\"hostPath\": {\"path\": \"/etc/srv/kubernetes/egress_selector_configuration.yaml\", \"type\": \"FileOrCreate\"}},"
|
||||
|
@ -1506,9 +1506,14 @@ EOF
|
||||
MAX_PODS_PER_NODE: $(yaml-quote "${MAX_PODS_PER_NODE}")
|
||||
EOF
|
||||
fi
|
||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
cat >>"$file" <<EOF
|
||||
ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE: $(yaml-quote "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE}")
|
||||
if [[ "${EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
cat >>$file <<EOF
|
||||
EGRESS_VIA_KONNECTIVITY_SERVICE: $(yaml-quote "${EGRESS_VIA_KONNECTIVITY_SERVICE}")
|
||||
EOF
|
||||
fi
|
||||
if [[ "${RUN_KONNECTIVITY_SERVICE_PODS:-false}" == "true" ]]; then
|
||||
cat >>$file <<EOF
|
||||
RUN_KONNECTIVITY_SERVICE_PODS: $(yaml-quote "${RUN_KONNECTIVITY_SERVICE_PODS}"")
|
||||
EOF
|
||||
fi
|
||||
if [[ -n "${KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE:-}" ]]; then
|
||||
@ -2573,7 +2578,7 @@ function create-master() {
|
||||
--allow tcp:443 &
|
||||
|
||||
echo "Configuring firewall for apiserver konnectivity server"
|
||||
if [[ "${ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
if [[ "${EGRESS_VIA_KONNECTIVITY_SERVICE:-false}" == "true" ]]; then
|
||||
gcloud compute firewall-rules create "${MASTER_NAME}-konnectivity-server" \
|
||||
--project "${NETWORK_PROJECT}" \
|
||||
--network "${NETWORK}" \
|
||||
|
Loading…
Reference in New Issue
Block a user