Merge pull request #64665 from stealthybox/feature/kubeadm_845-systemd-resolved

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubeadm: Set the kubelet `--resolv-conf` flag conditionally on init **What this PR does / why we need it**: `kubeadm init` detects if systemd-resolved is running and configures the kubelet to use a working resolv.conf. This patch also removes the warning message prompting manual user action for this configuration. /area kubeadm /area kubelet /area dns /kind bug /priority important-soon /sig cluster-lifecycle /assign @timothysc **Which issue(s) this PR fixes** Fixes https://github.com/kubernetes/kubeadm/issues/845 **Special notes for your reviewer**: See the difference in `KUBELET_KUBEADM_ARGS` when running with this build and enabling the resolved daemon on Ubuntu 17.10: ```bash root@vagrant:/vagrant/bin# bash << EOF systemctl start systemd-resolved ./845_kubeadm init |& tail -n5 cat /var/lib/kubelet/kubeadm-flags.env ./845_kubeadm reset --force |& tail -n2 systemctl stop systemd-resolved echo nameserver 8.8.8.8 > /etc/resolv.conf ./845_kubeadm init |& tail -n5 cat /var/lib/kubelet/kubeadm-flags.env EOF You can now join any number of machines by running the following on each node as root: kubeadm join 10.0.2.15:6443 --token 77q84j.0342evur7rrfrwwx --discovery-token-ca-cert-hash sha256:190040f9c3adf8410bc6766dac79f8679870190564e15e8f8d1704fafa03f678 KUBELET_KUBEADM_ARGS=--cgroup-driver=cgroupfs --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d --network-plugin=cni --resolv-conf=/run/systemd/resolve/resolv.conf I0603 06:49:16.592482 14106 reset.go:276] [reset] deleting contents of config directories: [/etc/kubernetes/manifests /etc/kubernetes/pki] I0603 06:49:16.592858 14106 reset.go:290] [reset] deleting files: [/etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf] You can now join any number of machines by running the following on each node as root: kubeadm join 10.0.2.15:6443 --token 8mdart.gp67vq3nh9urq4z5 --discovery-token-ca-cert-hash sha256:da6b2e5841546eae134524b045e782f0dd91a6b53becc8d69c15d9eab9c88758 KUBELET_KUBEADM_ARGS=--cgroup-driver=cgroupfs --cni-bin-dir=/opt/cni/bin --cni-conf-dir=/etc/cni/net.d --network-plugin=cni ``` **Release note**: ```release-note `kubeadm init` detects if systemd-resolved is running and configures the kubelet to use a working resolv.conf. ```
2025-07-24 04:06:03 +00:00 · 2018-06-04 08:20:31 -07:00 · 2018-06-04 08:20:31 -07:00 · 86ae84b10e
commit 86ae84b10e
parent 1635393bd1 b7df5cd2f8
4 changed files with 8 additions and 32 deletions
--- a/cmd/kubeadm/app/phases/kubelet/BUILD
+++ b/cmd/kubeadm/app/phases/kubelet/BUILD
@ -19,6 +19,7 @@ go_library(
        "//pkg/apis/rbac/v1:go_default_library",
        "//pkg/kubelet/apis/kubeletconfig/scheme:go_default_library",
        "//pkg/kubelet/apis/kubeletconfig/v1beta1:go_default_library",
+        "//pkg/util/procfs:go_default_library",
        "//pkg/util/version:go_default_library",
        "//vendor/github.com/golang/glog:go_default_library",
        "//vendor/k8s.io/api/core/v1:go_default_library",
--- a/cmd/kubeadm/app/phases/kubelet/flags.go
+++ b/cmd/kubeadm/app/phases/kubelet/flags.go
@ -28,6 +28,7 @@ import (
 	kubeadmapiv1alpha2 "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1alpha2"
 	"k8s.io/kubernetes/cmd/kubeadm/app/constants"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
+	"k8s.io/kubernetes/pkg/util/procfs"
 	utilsexec "k8s.io/utils/exec"
 )

@ -72,8 +73,12 @@ func buildKubeletArgMap(nodeRegOpts *kubeadmapi.NodeRegistrationOptions, registe
 		kubeletFlags["register-with-taints"] = strings.Join(taintStrs, ",")
 	}

+	if pids, _ := procfs.PidOf("systemd-resolved"); len(pids) > 0 {
+		// procfs.PidOf only returns an error if the regex is empty or doesn't compile, so we can ignore it
+		kubeletFlags["resolv-conf"] = "/run/systemd/resolve/resolv.conf"
+	}
+
 	// TODO: Pass through --hostname-override if a custom name is used?
-	// TODO: Check if `systemd-resolved` is running, and set `--resolv-conf` based on that
 	// TODO: Conditionally set `--cgroup-driver` to either `systemd` or `cgroupfs` for CRI other than Docker

 	return kubeletFlags
--- a/cmd/kubeadm/app/preflight/BUILD
+++ b/cmd/kubeadm/app/preflight/BUILD
@ -57,7 +57,6 @@ go_library(
        "//pkg/registry/core/service/ipallocator:go_default_library",
        "//pkg/util/initsystem:go_default_library",
        "//pkg/util/ipvs:go_default_library",
-        "//pkg/util/procfs:go_default_library",
        "//pkg/util/version:go_default_library",
        "//pkg/version:go_default_library",
        "//test/e2e_node/system:go_default_library",
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@ -51,7 +51,6 @@ import (
 	"k8s.io/kubernetes/pkg/registry/core/service/ipallocator"
 	"k8s.io/kubernetes/pkg/util/initsystem"
 	ipvsutil "k8s.io/kubernetes/pkg/util/ipvs"
-	"k8s.io/kubernetes/pkg/util/procfs"
 	versionutil "k8s.io/kubernetes/pkg/util/version"
 	kubeadmversion "k8s.io/kubernetes/pkg/version"
 	"k8s.io/kubernetes/test/e2e_node/system"
@ -830,33 +829,6 @@ func getEtcdVersionResponse(client *http.Client, url string, target interface{})
 	return err
 }

-// ResolveCheck tests for potential issues related to the system resolver configuration
-type ResolveCheck struct{}
-
-// Name returns label for ResolveCheck
-func (ResolveCheck) Name() string {
-	return "Resolve"
-}
-
-// Check validates the system resolver configuration
-func (ResolveCheck) Check() (warnings, errors []error) {
-	glog.V(1).Infoln("validating the system resolver configuration")
-
-	warnings = []error{}
-
-	// procfs.PidOf only returns an error if the string passed is empty
-	// or there is an issue compiling the regex, so we can ignore it here
-	pids, _ := procfs.PidOf("systemd-resolved")
-	if len(pids) > 0 {
-		warnings = append(warnings, fmt.Errorf(
-			"systemd-resolved was detected, for cluster dns resolution to work "+
-				"properly --resolv-conf=/run/systemd/resolve/resolv.conf must be set "+
-				"for the kubelet. (/etc/systemd/system/kubelet.service.d/10-kubeadm.conf should be edited for this purpose)\n"))
-	}
-
-	return warnings, errors
-}
-
 // ImagePullCheck will pull container images used by kubeadm
 type ImagePullCheck struct {
 	Images    images.Images
@ -1011,8 +983,7 @@ func addCommonChecks(execer utilsexec.Interface, cfg kubeadmapi.CommonConfigurat
 			InPathCheck{executable: "ethtool", mandatory: false, exec: execer},
 			InPathCheck{executable: "socat", mandatory: false, exec: execer},
 			InPathCheck{executable: "tc", mandatory: false, exec: execer},
-			InPathCheck{executable: "touch", mandatory: false, exec: execer},
-			ResolveCheck{})
+			InPathCheck{executable: "touch", mandatory: false, exec: execer})
 	}
 	checks = append(checks,
 		SystemVerificationCheck{CRISocket: cfg.GetCRISocket()},