Merge pull request #97868 from mtaufen/pki-tmpfs

Mount /var/lib/kubelet/pki on tmpfs
2025-07-25 04:33:26 +00:00 · 2021-01-14 10:47:04 -08:00 · 2021-01-14 10:47:04 -08:00 · 9da11e294f
commit 9da11e294f
parent 8b0433bff3 9f9e235b9d
1 changed files with 10 additions and 3 deletions
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@ -1515,9 +1515,6 @@ EOF
 function start-kubelet {
  echo "Start kubelet"

-  # TODO(#60123): The kubelet should create the cert-dir directory if it doesn't exist
-  mkdir -p /var/lib/kubelet/pki/
-
  local kubelet_bin="${KUBE_HOME}/bin/kubelet"
  local -r version="$("${kubelet_bin}" --version=true | cut -f2 -d " ")"
  local -r builtin_kubelet="/usr/bin/kubelet"
@ -2765,6 +2762,16 @@ function setup-kubelet-dir {
    echo "Making /var/lib/kubelet executable for kubelet"
    mount -B /var/lib/kubelet /var/lib/kubelet/
    mount -B -o remount,exec,suid,dev /var/lib/kubelet
+
+    # TODO(#60123): The kubelet should create the cert-dir directory if it doesn't exist
+    mkdir -p /var/lib/kubelet/pki/
+
+    # Mount /var/lib/kubelet/pki on a tmpfs so it doesn't persist across
+    # reboots. This can help avoid some rare instances of corrupt cert files
+    # (e.g. created but not written during a shutdown). Kubelet crash-loops
+    # in these cases. Do this after above mount calls so it isn't overwritten.
+    echo "Mounting /var/lib/kubelet/pki on tmpfs"
+    mount -t tmpfs tmpfs /var/lib/kubelet/pki
 }

 # Override for GKE custom master setup scripts (no-op outside of GKE).