diff --git a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py index 91b3d56e330..5910429ed92 100644 --- a/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py +++ b/cluster/juju/layers/kubernetes-worker/reactive/kubernetes_worker.py @@ -378,9 +378,6 @@ def start_worker(kube_api, kube_control, auth_control, cni): creds = db.get('credentials') data_changed('kube-control.creds', creds) - # set --allow-privileged flag for kubelet - set_privileged() - create_config(random.choice(servers), creds) configure_kubelet(dns, ingress_ip) configure_kube_proxy(servers, cluster_cidr) @@ -632,8 +629,8 @@ def configure_kubelet(dns, ingress_ip): if (dns['enable-kube-dns']): kubelet_opts['cluster-dns'] = dns['sdn-ip'] - privileged = is_state('kubernetes-worker.privileged') - kubelet_opts['allow-privileged'] = 'true' if privileged else 'false' + # set --allow-privileged flag for kubelet + kubelet_opts['allow-privileged'] = set_privileged() if is_state('kubernetes-worker.gpu.enabled'): hookenv.log('Adding ' @@ -871,8 +868,10 @@ def remove_nrpe_config(nagios=None): def set_privileged(): - """Update the allow-privileged flag for kubelet. - + """Return 'true' if privileged containers are needed. + This is when a) the user requested them + b) user does not care (auto) and GPUs are available in a pre + 1.9 era """ privileged = hookenv.config('allow-privileged').lower() gpu_needs_privileged = (is_state('kubernetes-worker.gpu.enabled') and @@ -887,6 +886,8 @@ def set_privileged(): # No need to restart kubernetes (set the restart-needed state) # because set-privileged is already in the restart path + return privileged + @when('config.changed.allow-privileged') @when('kubernetes-worker.config.created')