From 0d59d2a43e8d83b1d7facf9251c94385315e6380 Mon Sep 17 00:00:00 2001 From: Michael Taufen Date: Thu, 7 Mar 2019 11:41:32 -0800 Subject: [PATCH] Windows kubeproxy flags cleanup - Pass most of the flags via kube-env, similar to Kubelet, to make it easier to reconfigure. - Use kube-proxy's kubeconfig file to pass the API server address, rather than the --master flag. - Make KUBEPROXY_ARGS a required variable in Windows kube-env, similar to KUBELET_ARGS. --- cluster/gce/util.sh | 33 +++++++++++++++++++++++ cluster/gce/windows/k8s-node-setup.psm1 | 36 +++++-------------------- 2 files changed, 39 insertions(+), 30 deletions(-) diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh index 24d4bdc8f0d..a39e822535f 100755 --- a/cluster/gce/util.sh +++ b/cluster/gce/util.sh @@ -600,6 +600,7 @@ function write-linux-node-env { function write-windows-node-env { construct-windows-kubelet-flags + construct-windows-kubeproxy-flags build-windows-kube-env "${KUBE_TEMP}/windows-node-kube-env.yaml" build-kubelet-config false "windows" "${KUBE_TEMP}/windows-node-kubelet-config.yaml" } 
@@ -871,6 +872,37 @@ function construct-windows-kubelet-flags { KUBELET_ARGS="${flags}" } +function construct-windows-kubeproxy-flags { + local flags="" + + # Use the same log level as the Kubelet during tests. + flags+=" ${KUBELET_TEST_LOG_LEVEL:-"--v=2"}" + + # Windows uses kernelspace proxymode + flags+=" --proxy-mode=kernelspace" + + # Configure kube-proxy to run as a windows service. + flags+=" --windows-service=true" + + # TODO(mtaufen): Configure logging for kube-proxy running as a service. + # I haven't been able to figure out how to direct stdout/stderr into log + # files when configuring it to run via sc.exe, so we just manually + # override logging config here. + flags+=" --log-file=${WINDOWS_LOGS_DIR}\kube-proxy.log" + + # klog sets this to true internally, so need to override to false + # so we actually log to the file + flags+=" --logtostderr=false" + + # Configure flags with explicit empty string values. We can't escape + # double-quotes, because they still break sc.exe after expansion in the + # binPath parameter, and single-quotes get parsed as characters instead + # of string delimiters. + flags+=" --resource-container=" + + KUBEPROXY_ARGS="${flags}" +} + # $1: if 'true', we're rendering config for a master, else a node function build-kubelet-config { local master="$1" @@ -1438,6 +1470,7 @@ CNI_CONFIG_DIR: $(yaml-quote ${WINDOWS_CNI_CONFIG_DIR}) MANIFESTS_DIR: $(yaml-quote ${WINDOWS_MANIFESTS_DIR}) PKI_DIR: $(yaml-quote ${WINDOWS_PKI_DIR}) KUBELET_CONFIG_FILE: $(yaml-quote ${WINDOWS_KUBELET_CONFIG_FILE}) +KUBEPROXY_ARGS: $(yaml-quote ${KUBEPROXY_ARGS}) KUBECONFIG_FILE: $(yaml-quote ${WINDOWS_KUBECONFIG_FILE}) BOOTSTRAP_KUBECONFIG_FILE: $(yaml-quote ${WINDOWS_BOOTSTRAP_KUBECONFIG_FILE}) KUBEPROXY_KUBECONFIG_FILE: $(yaml-quote ${WINDOWS_KUBEPROXY_KUBECONFIG_FILE}) diff --git a/cluster/gce/windows/k8s-node-setup.psm1 b/cluster/gce/windows/k8s-node-setup.psm1 index 9254f754847..9abd5bab4d0 100644 --- a/cluster/gce/windows/k8s-node-setup.psm1 
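Review bot: `WINDOWS_LOGS_DIR` is interpolated into `--log-file=` in construct-windows-kubeproxy-flags without a guard, and the resulting flag string is later split on single spaces by `Split(" ")` in k8s-node-setup.psm1. An empty value would yield `--log-file=\kube-proxy.log`, and a directory containing a space would be broken into two arguments. A cheap guard is `flags+=" --log-file=${WINDOWS_LOGS_DIR:?}\kube-proxy.log"`, together with a comment that values placed in KUBEPROXY_ARGS must not contain spaces. The function also lacks a header comment; it should say that it reads KUBELET_TEST_LOG_LEVEL and WINDOWS_LOGS_DIR, sets the global KUBEPROXY_ARGS, and ties kube-proxy verbosity to the kubelet's test log level.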
+++ b/cluster/gce/windows/k8s-node-setup.psm1 @@ -564,6 +564,7 @@ users: clusters: - name: local cluster: + server: https://APISERVER_ADDRESS certificate-authority-data: CA_CERT contexts: - context: @@ -572,7 +573,8 @@ contexts: name: service-account-context current-context: service-account-context'.` replace('KUBEPROXY_TOKEN', ${kube_env}['KUBE_PROXY_TOKEN']).` - replace('CA_CERT', ${kube_env}['CA_CERT']) + replace('CA_CERT', ${kube_env}['CA_CERT']).` + replace('APISERVER_ADDRESS', ${kube_env}['KUBERNETES_MASTER_NAME']) Log-Output ("kubeproxy kubeconfig:`n" + "$(Get-Content -Raw ${env:KUBEPROXY_KUBECONFIG})") @@ -934,7 +936,7 @@ function Configure-Kubelet { # # Required ${kube_env} keys: # KUBELET_ARGS -# KUBERNETES_MASTER_NAME +# KUBEPROXY_ARGS # CLUSTER_IP_RANGE function Start-WorkerServices { # Compute kubelet args @@ -949,11 +951,7 @@ function Start-WorkerServices { # Compute kube-proxy args $kubeproxy_args_str = ${kube_env}['KUBEPROXY_ARGS'] - Try { - $kubeproxy_args = $kubeproxy_args_str.Split(" ") - } Catch { - $kubeproxy_args = "" - } + $kubeproxy_args = $kubeproxy_args_str.Split(" ") Log-Output "kubeproxy_args from metadata: ${kubeproxy_args}" # kubeproxy is started on Linux nodes using 
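Review bot: The `server: https://APISERVER_ADDRESS` entry added to the kube-proxy kubeconfig template is filled from `${kube_env}['KUBERNETES_MASTER_NAME']` in the next hunk without checking that the key is present. If it is missing, the file would presumably end up with `server: https://`, and kube-proxy would only fail later at connect time. Check the value before writing the kubeconfig, and make sure the required-keys comment of the enclosing function, whose header lies outside this hunk, lists KUBERNETES_MASTER_NAME.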
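Review bot: The `Log-Output` call kept at the end of this hunk writes the complete kube-proxy kubeconfig to the log, and that file contains the value substituted for `KUBEPROXY_TOKEN`, so the bearer token ends up wherever Log-Output sends its text. The commit edits this template but leaves the dump in place. Log only the path or redact the token first, for example `Log-Output "kubeproxy kubeconfig written to ${env:KUBEPROXY_KUBECONFIG}"`. Where Log-Output writes is not visible here, so the exposure depends on who can read that sink.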
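Review bot: With the Try/Catch removed, a kube-env that lacks KUBEPROXY_ARGS makes `$kubeproxy_args_str.Split(" ")` fail on a null value with a generic method-call error instead of a message naming the missing key. Since the key is now required, test for it explicitly before the split and fail with a clear message. Splitting on a single space also yields empty elements for leading or doubled spaces; `$kubeproxy_args_str.Split(" ", [System.StringSplitOptions]::RemoveEmptyEntries)` avoids passing empty arguments to kube-proxy. Start-WorkerServices continues beyond this hunk.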
@@ -966,31 +964,9 @@ function Start-WorkerServices {
 # --iptables-sync-period=1m --iptables-min-sync-period=10s
 # --ipvs-sync-period=1m --ipvs-min-sync-period=10s
 # And also with various volumeMounts and "securityContext: privileged: true".
- $apiserver_address = ${kube_env}['KUBERNETES_MASTER_NAME']
 $default_kubeproxy_args = @(`
- "--v=4",
- "--master=https://${apiserver_address}",
 "--kubeconfig=${env:KUBEPROXY_KUBECONFIG}",
- "--proxy-mode=kernelspace",
- "--cluster-cidr=$(${kube_env}['CLUSTER_IP_RANGE'])",
-
- # Configure kube-proxy to run as a windows service.
- "--windows-service=true",
-
- # TODO(mtaufen): Configure logging for kube-proxy running as a service.
- # I haven't been able to figure out how to direct stdout/stderr into log
- # files when configuring it to run via sc.exe, so we just manually
- # override logging config here.
- "--log-file=${env:LOGS_DIR}\kube-proxy.log",
- # klog sets this to true intenrally, so need to override to false
- # so we actually log to the file
- "--logtostderr=false",
-
- # Configure flags with explicit empty string values. We can't escape
- # double-quotes, because they still break sc.exe after expansion in the
- # binPath parameter, and single-quotes get parsed as characters instead
- # of string delimiters.
- "--resource-container="
+ "--cluster-cidr=$(${kube_env}['CLUSTER_IP_RANGE'])"
 )
 $kubeproxy_args = ${default_kubeproxy_args} + ${kubeproxy_args}
 Log-Output "Final kubeproxy_args: ${kubeproxy_args}"
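Review bot: `${default_kubeproxy_args} + ${kubeproxy_args}` places the kube-env flags after the node-side defaults, so if kube-proxy resolves repeated flags last-wins, a `--kubeconfig` or `--master` carried in KUBEPROXY_ARGS would take precedence over the kubeconfig written on the node. Now that almost every flag comes from instance metadata, it is worth deciding which side is authoritative for the credential path. If the node is, append the defaults last, `$kubeproxy_args = ${kubeproxy_args} + ${default_kubeproxy_args}`, and state the intended precedence in a one-line comment. The function body continues outside the hunk.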