Commit Graph

58 Commits

Author SHA1 Message Date
Joseph Anttila Hall
5c01971f2a Bump konnectivity-client to v0.1.1
Fixes memory leaks.
Upgrades GRPC and ProtoBuf versions.
2023-01-19 04:35:31 +00:00
Joseph Anttila Hall
7df98deda0 Bump konnectivity-client to v0.0.35
./hack/pin-dependency.sh sigs.k8s.io/apiserver-network-proxy/konnectivity-client v0.0.35
./hack/update-codegen.sh
./hack/update-vendor.sh

Manual adjustments:
vendor/modules.txt
cluster/gce/addons/konnectivity-agent/konnectivity-agent-ds.yaml
cluster/gce/manifests/konnectivity-server.yaml
2023-01-03 20:23:29 +00:00
Walter Fender
1dfdfc4bb5 Bump konnectivity-client to v0.0.33
Bump konnectivity network proxy to v0.0.33.
Includes a couple bug fixes for better handling of dial failures.
[Agent & Server](https://github.com/kubernetes-sigs/apiserver-network-proxy/commits/v0.0.33)
include numerous other fixes.
Pin goleak to 1.2
2022-09-26 17:06:49 -07:00
Joseph Anttila Hall
f5c584a020 Bump konnectivity-client to 0.0.32 2022-06-22 17:22:42 -07:00
Davanum Srinivas
50bea1dad8
Move from k8s.gcr.io to registry.k8s.io
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2022-05-31 10:16:53 -04:00
Jordan Liggitt
a44192b955 Remove PodSecurityPolicy cluster config 2022-05-04 16:00:56 -04:00
Andrew Sy Kim
f654992aec cluster/gce: update konnectivity image tags to v0.0.30
Signed-off-by: Andrew Sy Kim <andrewsy@google.com>
2022-03-04 19:01:02 +00:00
Walter Fender
e5b0392f12 Bump konnectivity-client to v0.0.28
Bump konnectivity network proxy to v0.0.28.
Includes a fix to ensure the KAS calls Close() on the egress connection.
2022-02-24 12:35:54 -08:00
Walter Fender
b869d5550c Bump konnectivity network proxy to v0.0.27.
/kind feature

Includes fixes for a few resource leaks.
Set the dependency chain to K/K v0.0.21.

Fixes # N/A

```release-note
NONE
```

```docs
NONE
```
2021-12-09 11:56:20 -08:00
Kubernetes Prow Robot
e9a8bd94f7
Merge pull request #104921 from cheftako/anp-cp
Add mTLS as default HTTPConnect egress configuration for GCP.
2021-11-09 22:15:25 -08:00
Kubernetes Prow Robot
97125e76f3
Merge pull request #103626 from jkh52/tweak-konnectivity
Konnectivity Proxy: move proxy-agent cpu limit to request.
2021-11-08 12:11:20 -08:00
Walter Fender
fbc13f22f8 Bump konnectivity to v0.0.25
/kind feature

Bump konnectivity network proxy to v0.0.25.
Includes fixes for a few resource leaks.
Adds better logging for debugging.
Moves to golang1.17.
Adds additional keepalives.
Fixes HTTP-CONNECT goroutine leak.

Fixes # N/A

```release-note
NONE
```

```docs
NONE
```

Update the images.
2021-11-07 14:34:09 -08:00
Walter Fender
f7185b0be1 Add mTLS as default HTTPConnect egress configuration for GCP.
We currently have UDS as the configuration with GRPC.
Some users are setting up egress to remote konnectivity servers.
Cannot use UDS for this configuration.
Should have a config setup which validates the mTLS configuration.

Fixed lint errors from shell check.
Fix volumes to not include pki for ANP in grpc mode.
2021-11-05 11:39:39 -07:00
Joseph Anttila Hall
d13ee80cb0 Konnectivity Proxy: move cpu limit to request. 2021-11-03 17:40:51 -07:00
Paco Xu
ef99ba8cb2
konnectivity-agent-ds: remove toleration for NoSchedule 2021-09-17 10:58:09 +08:00
Kubernetes Prow Robot
03e0106bbc
Merge pull request #102592 from pacoxu/patch-11
add NoExecute toleration for konnectivity agent
2021-09-15 01:40:42 -07:00
wfender
590300f90d Enable http2 health checking with go 1.16.5
Enabling http2 health checking on http-connect KAS egress.
Reran update-vendor.
Fixed pinning.
2021-08-19 22:38:41 -07:00
Walter Fender
6d1556df7b Update to using apiserver-network-proxy v1.22
Includes a fix to prevent the agent writing to a closed channel.
2021-07-24 16:02:01 -07:00
Walter Fender
9f7d61c520 Upgrade ANP components to v0.0.20.
Pick up new metrics to help with debugging and monitoring.
Pick up GRPC keep alive on frontend tunnel.
Server now using apps/options.
2021-06-11 09:02:04 -07:00
Joseph Anttila Hall
9d514b2de4 Konnectivity: tune flags for larger clusters (5k nodes). 2021-06-10 14:05:44 -07:00
Paco Xu
7f06d0d553
add NoExecute toleration for konnectivity agent 2021-06-04 17:39:02 +08:00
walter
13ab65d356 Upgrade konnectivity-client for GRPC connection fixes
The v0.0.19 Konnectivity client includes several
significant fixes to prevent the GRPC tunnel between
the KAS and the APIServer Network Proxy from becoming
blocked/wedged.
Importantly it picks up the fix for kubernetes-sigs/apiserver-network-proxy#167.
We believe this will also fix many of the failures currently seen on
https://testgrid.k8s.io/sig-api-machinery-network-proxy#ci-kubernetes-e2e-gci-gce-network-proxy-grpc&width=5.
2021-05-24 14:53:30 -07:00
David Porter
e02ff0687e Remove node termination handler addon 2021-04-29 14:42:23 -07:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Joseph Anttila Hall
6812a9c610 Bump network proxy images to v0.0.15 2021-02-05 00:35:33 -08:00
Jefftree
58001e847d Bump kas to v0.0.14 2020-11-10 17:22:41 -08:00
Jing Xu
d6e805b38c Add nodeSelector for konnectivity daemonSet
konnectivity agent daemonSet can only run on Linux node. Add node
selector to the yaml file

Change-Id: I3a4790bbfe95a39d9b668443d59dcaa72fb4cd0d
2020-11-07 23:12:31 -08:00
Jefftree
300c88cf47 Bump network proxy images to v0.0.12 2020-09-22 13:26:56 -07:00
Stephen Augustus
90c223fa5c [VDF] Remove references to us.gcr.io/k8s-artifacts-prod
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
2020-07-22 16:08:30 -04:00
Jordan Liggitt
3b323b2ef0 Limit critical pods to kube-system by default 2020-07-17 09:52:19 -04:00
Jefftree
c6b2b1fad3 Add health port to network proxy 2020-06-12 16:44:56 -07:00
Chao Xu
7d86217043 Use the v0.0.8 network proxy images 2020-03-05 09:54:19 -08:00
Jefftree
0989770135 Update network proxy to v0.0.7 2020-03-02 10:09:00 -08:00
Jefftree
4c54241c3d Support token authentication for network proxy 2020-03-01 17:24:48 -08:00
Jefftree
725d2b6a8f Network Proxy: GRPC + HTTP Connect with UDS 2020-02-20 10:19:37 -08:00
Antoine Pelisse
e41f2ccd41 gce-addons: Make sure default/limit-range doesn't get overridden 2020-02-06 12:10:12 -08:00
Pavithra Ramesh
1de2327afc Attach a new finalizer in GCE ILB creation.
Add logic in service_controller to skip create/update
if finalizer from a different controller is found.

The newly added finalizer will be checked by other controllers
implementing ILB services to determine if a given service is
already being managed by service_controller.

Moved finalizer check into cloudprovider code.

added unit test to verify new finalizer.

Modified existing unit test to create a fake service so that
attach/remove finalizer step can be tested.
2020-01-28 15:02:19 -08:00
draveness
495faa22db feat: cleanup pod critical pod annotations feature 2019-08-09 08:41:23 +08:00
Walter Fender
ebb65c5f4c Get network-proxy working with GCE.
Got the proxy-server coming up in the master.
Added certs and have it coming up with those certs.
Added a daemonset to run the network-agent.
Adding support for agent running as a daemon set on every node.

Added quick hack to test that proxy server/agent were correctly
tunneling traffic to the kubelet.

Added more WIP for reading network proxy configuration.
Get flags set correctly and fix connection services.
Adding missing ApplyTo
Added ConnectivityService.
Fixed build directives. Added connectivity service configuration.
Fixed log levels.
Fixed minor issues for feature turned off.
Fixed boilerplate and format.
Moved log dialer initialization earlier as per Liggits suggestion.
Fixed a few minor issues in the configuration for GCE.
Fixed scheme allocation
Adding unit test.
Added test for direct connectivity service.

Switching to injecting the Lookup method rather than using a Singleton.
First round of mikedaneses feedback.
Fixed deployment to use yaml and other changes suggested by MikeDanese.

Switched network proxy server/agent which are kebab-case not camelCase.
Picked up DIAL_RSP fix.
Factored in deads2k feedback.
Feedback from mikedanese
Factored in second round of feedback from David.
Fix path in verify.
Factored in anfernee's feedback.
First part of lavalamps feedback.
Factored in more changes from lavalamp and mikedanese.

Renamed network-proxy to konnectivity-server and konnectivity-agent.
Fixed tolerations and config file checking.
Added missing strptr
Finished lavalamps requested rename.
Disambiguating konnectivity service by renaming it egress selector.

Switched feature flag to KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE
2019-08-06 23:09:49 -07:00
draveness
d83526d253 Revert "feat: cleanup pod critical pod annotations feature"
This reverts commit b6d41ee5cc.
2019-07-18 13:31:12 +08:00
draveness
b6d41ee5cc feat: cleanup pod critical pod annotations feature 2019-07-11 08:54:19 +08:00
Yuwen Ma
53bace16df Updated gce node-termination-handler yaml. 2019-05-06 11:29:47 -07:00
Jeff Grafton
e216995ef1 Update repo-infra, bazel-skylib, rules_docker, and rules_go dependencies
Also require bazel 0.18.0+
2019-02-12 17:55:10 -08:00
Tim Allclair
485b21e8cb Fix kube-proxy PodSecurityPolicy RoleBinding namespace 2019-01-09 17:57:15 -08:00
Mike Danese
98c468de8d update PSPs to allow projected volumes 2018-11-16 19:32:44 +00:00
Kubernetes Submit Queue
6900a8042b
Merge pull request #67224 from grayluck/namespace-cloudprovider-rbac
Automatic merge from submit-queue (batch tested with PRs 65251, 67255, 67224, 67297, 68105). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

Add namespace for (cluster)role(binding) cloud-provider.

**What this PR does / why we need it**:
Add namespace for (cluster)role(binding) cloud-provider.
Change the addonmanager mode to be from reconcile to EnsureExists.

Needs to be cherrypicked together with https://github.com/kubernetes/kubernetes/pull/59686.

**Special notes for your reviewer**:
/assign @bowei @tallclair 
/sig auth

**Release note**:

```release-note
Role, ClusterRole and their bindings for cloud-provider is put under system namespace. Their addonmanager mode switches to EnsureExists.
```

Manually tested. Cluster can be created successfully using kube-up.sh with desired (cluster)role(binding)s.
2018-08-31 19:25:33 -07:00
Vishnu kannan
ee65e6ac04 Adding GCE node termination handler as an optional addon.
This step is a pre-requisite for auto-deploying that addon in GKE.

Signed-off-by: Vishnu kannan <vishnuk@google.com>
2018-08-31 12:47:37 -07:00
yankaiz
bea625fd65 Add namespace for (cluster)role(binding) cloud-provider.
Change the addonmanager mode to be from reconcile to EnsureExists.
2018-08-27 20:47:26 -07:00
Tim Allclair
13adb97714 Allow adding default capabilities to unprivileged addons 2018-08-20 17:28:09 -07:00
Zhen Wang
6351e25203 Use runtime/default as default seccomp profile for unprivileged PodSecurityPolicy 2018-05-15 09:39:37 -07:00