From fc279e069ea8507118492b5ab6f4995fd14c497a Mon Sep 17 00:00:00 2001
From: Daniel Nardo
Date: Tue, 20 Jun 2017 08:18:33 -0700
Subject: [PATCH] Add ip-masq-agent readiness label by default.
Since we are setting the non-masq-cidr in the kubelet to 0.0.0.0/0 we need to ensure the ip-masq-agent runs. Add node label pre-req back to ip-masq-agent. Make gce test consistent with gce default scripts.
---
 cluster/addons/ip-masq-agent/ip-masq-agent.yaml | 2 ++
 cluster/gce/config-default.sh | 4 ++++
 cluster/gce/config-test.sh | 7 +++++++
 3 files changed, 13 insertions(+)
diff --git a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
index cbc728fad09..d4fda49a24c 100644
--- a/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
+++ b/cluster/addons/ip-masq-agent/ip-masq-agent.yaml
@@ -30,6 +30,8 @@ spec:
 volumeMounts:
 - name: config
 mountPath: /etc/config
+ nodeSelector:
+ beta.kubernetes.io/masq-agent-ds-ready: "true"
 volumes:
 - name: config
 configMap:
diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index e9ede35cf0b..eec40792478 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -125,6 +125,10 @@ ENABLE_CLUSTER_MONITORING="${KUBE_ENABLE_CLUSTER_MONITORING:-influxdb}"
 # TODO(piosz): remove this in 1.8
 NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
+# To avoid running the DaemonSet on older version make sure the ip-masq-agent
+# only runs when the readiness label is set.
+NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/masq-agent-ds-ready=true"
+
 # To avoid running Calico on a node that is not configured appropriately,
 # label each Node so that the DaemonSet can run the Pods only on ready Nodes.
 if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index f76981ebb1e..8da62d03139 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
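Review bot: Nothing at the added `nodeSelector` in ip-masq-agent.yaml says where `beta.kubernetes.io/masq-agent-ds-ready` is set, and a node that lacks the label simply gets no agent pod, with no scheduling error to point at. In this commit only the GCE config scripts add the label, so any deployment path that applies this addon without those scripts (not visible here) would leave the DaemonSet with zero matching nodes. I would add a comment above the selector such as `# Set through NODE_LABELS in cluster/gce/config-*.sh; nodes without it run no ip-masq-agent.` The pod spec this selector belongs to starts and ends outside the hunk.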
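Review bot: The comment added above `NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/masq-agent-ds-ready=true"` in config-default.sh says "older version" without saying of what, and it leaves out the consequence an operator needs to know. Per the commit description the kubelet's non-masq CIDR is 0.0.0.0/0, so a node that ends up without this label would presumably have neither kubelet nor agent masquerade rules. The label is also appended when `KUBE_NODE_LABELS` is supplied by the operator, which looks intentional but is worth stating. Suggested wording: `# Always append the ip-masq-agent readiness label, also to a user-supplied KUBE_NODE_LABELS: the kubelet no longer masquerades, so unlabeled nodes get no egress SNAT.` The same lines are added in the first hunk of cluster/gce/config-test.sh, where the same comment applies.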
@@ -168,6 +168,10 @@ KUBEPROXY_TEST_ARGS="${KUBEPROXY_TEST_ARGS:-} ${TEST_CLUSTER_API_CONTENT_TYPE}"
 # TODO(piosz): remove this in 1.8
 NODE_LABELS="${KUBE_NODE_LABELS:-beta.kubernetes.io/fluentd-ds-ready=true}"
+# To avoid running the DaemonSet on older version make sure the ip-masq-agent
+# only runs when the readiness label is set.
+NODE_LABELS="${NODE_LABELS},beta.kubernetes.io/masq-agent-ds-ready=true"
+
 # To avoid running Calico on a node that is not configured appropriately,
 # label each Node so that the DaemonSet can run the Pods only on ready Nodes.
 if [[ ${NETWORK_POLICY_PROVIDER:-} == "calico" ]]; then
@@ -282,6 +286,9 @@ OPENCONTRAIL_PUBLIC_SUBNET="${OPENCONTRAIL_PUBLIC_SUBNET:-10.1.0.0/16}"
 # Network Policy plugin specific settings.
 NETWORK_POLICY_PROVIDER="${NETWORK_POLICY_PROVIDER:-none}" # calico
+# Should the kubelet configure egress masquerade (old way) or let a daemonset do it?
+NON_MASQUERADE_CIDR="0.0.0.0/0"
+
 # How should the kubelet configure hairpin mode?
 HAIRPIN_MODE="${HAIRPIN_MODE:-promiscuous-bridge}" # promiscuous-bridge, hairpin-veth, none
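Review bot: The comment above `NON_MASQUERADE_CIDR="0.0.0.0/0"` in the second config-test.sh hunk is phrased as a question and never says which answer the value selects. Going by the commit description, 0.0.0.0/0 turns kubelet masquerading off and leaves egress SNAT to the ip-masq-agent DaemonSet, which after this commit only schedules on labelled nodes. I would state that dependency directly, e.g. `# 0.0.0.0/0 disables kubelet egress masquerade; the ip-masq-agent DaemonSet (label masq-agent-ds-ready) must run on every node.` The value is also a fixed literal while the neighbouring `NETWORK_POLICY_PROVIDER` and `HAIRPIN_MODE` use the `${VAR:-default}` form; if that is deliberate, to keep it in step with the default script, the comment is the place to say so.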