Commit Graph

268 Commits

Author SHA1 Message Date
Cindy Guo
03f60f4b60 chown on /mnt/disks/master-pd/var/etcd instead of /var/etcd 2021-04-12 08:21:01 +00:00
Kubernetes Prow Robot
99301e672b
Merge pull request #100436 from vinayakankugoyal/apiservernonroot
Fix kube-apiserver manifest.
2021-04-10 20:29:35 -07:00
Cindy Guo
9f058079d2 run etcd as nonroot
Co-authored-by: Vinayak Goyal <vinayakankugoyal@gmail.com>
2021-04-08 20:51:45 +00:00
Vinayak Goyal
4b3271a542 Fix kube-apiserver manifest. 2021-03-21 16:24:56 -07:00
Jake Sanders
fb40ab2cde Update kube-addon-manager to v9.1.4 2021-03-04 22:39:46 -08:00
Benjamin Elder
56e092e382 hack/update-bazel.sh 2021-02-28 15:17:29 -08:00
Vinayak Goyal
c63ff05e6d Run kube-apiserver as non-root. 2021-02-22 20:48:16 -08:00
Cong Liu
03709c0ece Add arm64 support for GCE node configuration
Fix typo

Add TODO
2021-02-19 14:22:26 -08:00
Jake Sanders
927eaffe19 Update kube-addon-manager image to v9.1.2 2021-02-11 09:38:39 -08:00
Joseph Anttila Hall
6812a9c610 Bump network proxy images to v0.0.15 2021-02-05 00:35:33 -08:00
Maciej Borsz
7f09d59215 Migrate etcd's livenessProbe to etcdctl endpoint health.
Change-Id: Ie19c844050c75e3d1c4b431d09ba0ac851c5317b
2020-12-11 12:43:02 +01:00
Kubernetes Prow Robot
cad9a8277d
Merge pull request #97127 from liggitt/revert-etcd-host-ip
Revert "iAdd host IP to etcd listen client URLs."
2020-12-08 22:01:52 -08:00
Jordan Liggitt
8820dc4522 Revert "iAdd host IP to etcd listen client URLs."
This reverts commit 8b4e164a78.
2020-12-08 11:37:13 -05:00
Kuba Tużnik
9efbd914f6
Bump Cluster Autoscaler to v1.20.0 2020-12-02 11:10:54 +01:00
Jefftree
58001e847d Bump kas to v0.0.14 2020-11-10 17:22:41 -08:00
Ben Hu
8416c5cc51 Use host IP instead of 127.0.0.1 for kube-apiserver healthcheck. 2020-10-27 16:25:27 +00:00
Ben Hu
8b4e164a78 iAdd host IP to etcd listen client URLs.
Allow kube-apiserver to use host IP to connect to etcd.
Update etcd/migrate to allow additional client listening URLs.
2020-10-20 16:43:52 +00:00
Jefftree
300c88cf47 Bump network proxy images to v0.0.12 2020-09-22 13:26:56 -07:00
Kubernetes Prow Robot
b49724d5fc
Merge pull request #94287 from jingyih/update_etcd_server_3p4p13
Update default etcd server to 3.4.13
2020-09-01 15:35:20 -07:00
jingyih
c96b93fbd4 Update default etcd server to 3.4.13 2020-08-28 21:19:24 +08:00
Paulo Gomes
8f8f1bad72
Update yaml files to use seccomp GA syntax 2020-08-13 08:45:36 +01:00
Vivek Bagade
2e4a329b35 Update Cluster Autoscaler version to 1.19.0 2020-07-31 14:13:22 +02:00
Stephen Augustus
90c223fa5c [VDF] Remove references to us.gcr.io/k8s-artifacts-prod
Signed-off-by: Stephen Augustus <saugustus@vmware.com>
2020-07-22 16:08:30 -04:00
Kubernetes Prow Robot
f9ad7db9a6
Merge pull request #92349 from jingyih/update_etcd_server_3p4p9
Update default etcd server to 3.4.9
2020-07-17 07:53:01 -07:00
jingyih
e9bf1c3c90 Update default etcd server to 3.4.9 2020-07-08 14:16:40 +08:00
Kubernetes Prow Robot
c6011f2d54
Merge pull request #91390 from vinayakankugoyal/nonroot
Updating kube-controller-manager to run as non-root.
2020-06-21 00:56:38 -07:00
Kubernetes Prow Robot
bfa6eb1772
Merge pull request #91964 from wenjiaswe/etcdNameComment
Add a comment to keep etcd name in sync and change `hostname` to `HOSTNAME`
2020-06-18 19:05:40 -07:00
Wenjia Zhang
0da9c3e379 Add a comment to keep etcd name in sync and change hostname to HOSTNAME 2020-06-18 11:11:12 -07:00
Jefftree
c6b2b1fad3 Add health port to network proxy 2020-06-12 16:44:56 -07:00
wojtekt
ee27e5b8be Remove all references to etcd-empty-dir-cleanup. 2020-06-05 08:41:31 +02:00
Vinayak Goyal
8daa9e6f77 Updating kube-controller-manager to run as non-root. 2020-06-02 14:07:00 -07:00
Kubernetes Prow Robot
f01d848c48
Merge pull request #91329 from dims/switch-kube-controller-manager-to-distroless-image
Switch kube-controller-manager to distroless image
2020-05-22 17:23:10 -07:00
Kubernetes Prow Robot
10caa46f6b
Merge pull request #91300 from dims/move-to-latest-etcd-3.4.7-2
Switch over to new etcd 3.4.7-2 image
2020-05-22 04:14:37 -07:00
Davanum Srinivas
b1742f19ef
Switch kube-controller-manager to distroless image
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-21 22:33:54 -04:00
Davanum Srinivas
bd835d8a1c
Switch over to new etcd 3.4.7-2 image
Add a safety switch to stop doing anything if migrate failed. We
previously just ignored the exit code from migrate utility

Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-21 22:16:08 -04:00
Antoni Zawodny
15e491eb2f Update kube-addon-manager to v9.1.1 2020-05-20 09:50:20 +02:00
Yuwen Ma
1aa67fc525
Switch core master base images from debian to distroless
Signed-off-by: Davanum Srinivas <davanum@gmail.com>
2020-05-09 06:55:00 -04:00
Vinayak Goyal
7a5f4c47de Run kube-scheduler and kube-addon-manager as non root 2020-04-16 14:50:04 -07:00
Kubernetes Prow Robot
ea2d784545
Merge pull request #89895 from jingyih/update_etcd_server_3p4p7
Update default etcd server to 3.4.7 in k8s v1.19
2020-04-14 12:34:06 -07:00
jingyih
394df132bd Update default etcd server to 3.4.7 2020-04-13 14:37:56 -07:00
Jordan Liggitt
5534c12dad Fix priorityClass typo, add numeric priority to static pods 2020-04-08 15:33:39 -04:00
Kubernetes Prow Robot
81a0e2f62b
Merge pull request #85923 from MrHohn/sig-gcp-owner-file
Migrate OWNERS file to apply the area/provider/gcp label
2020-04-02 19:03:46 -07:00
jingyih
f9e0e4c6b4 Update default etcd server to 3.4.4 2020-03-18 00:27:46 -07:00
Łukasz Osipiuk
c957b2509f Bump Cluster-Autoscaler to 1.18.0 2020-03-12 21:33:18 +01:00
Łukasz Osipiuk
6be4d0a705 Bump Cluster-Autoscaler to cluster-autoscaler:v1.18.0-beta.1 2020-03-11 16:16:30 +01:00
Chao Xu
7d86217043 Use the v0.0.8 network proxy images 2020-03-05 09:54:19 -08:00
Aleksandra Malinowska
472a935294 Update Cluster Autoscaler version to 1.18.0-gke.0 2020-03-03 14:42:25 +01:00
Jefftree
0989770135 Update network proxy to v0.0.7 2020-03-02 10:09:00 -08:00
Jefftree
4c54241c3d Support token authentication for network proxy 2020-03-01 17:24:48 -08:00
Jefftree
725d2b6a8f Network Proxy: GRPC + HTTP Connect with UDS 2020-02-20 10:19:37 -08:00
Jeffrey Ying
2eb48f6049
Reduce default CPU requirement for konnectivity server
Our network proxy [e2e job](https://k8s-testgrid.appspot.com/sig-api-machinery-network-proxy#ci-kubernetes-e2e-gci-gce-network-proxy) is failing because we are requesting more resources than available on the system. 

The test clusters are consuming exactly 970m CPU resources without the konnectivity-server pod. Requesting 40m exceeds the 1000m limit and causes all tests to fail.
2020-01-31 10:45:21 -08:00
Han Kang
0e786cbafc swap over kube-apiserver manifest to use livez and readyz
Change-Id: I90df19b58b0d4d3004dcc3ca3002b099845dfe3a
2019-12-19 13:52:23 -08:00
Zihong Zheng
5463eda704 Migrate OWNERS file to apply the area/provider/gcp label 2019-12-04 17:05:43 -08:00
Łukasz Osipiuk
b1b9e6254a Bump Cluster Autoscaler version to 1.17.0 2019-11-29 13:58:20 +01:00
Jingyi Hu
706cde51c5 Update default etcd server to 3.4.3 2019-10-28 18:29:37 -07:00
Kubernetes Prow Robot
ec63e099ba
Merge pull request #84018 from rramkumar1/update-glbc
Update glbc.manifest to v1.6.1
2019-10-18 15:21:50 -07:00
Rohit Ramkumar
13c7dfa0ed Update glbc.manifest to v1.6.1 2019-10-18 11:54:42 -04:00
Łukasz Osipiuk
efe79f28cf Update Cluster Autoscaler version to 1.16.2 2019-10-17 12:19:36 +02:00
Joe Betz
c92bd5e7b5 Upgrade to etcd server 3.3.17 2019-10-13 17:17:15 -07:00
Maciej Borsz
2d9a9f7713
Revert "Revert "Revert "[Re-Apply][Distroless] Convert the GCE manifests for master containers.""" 2019-10-02 09:22:02 +02:00
Kubernetes Prow Robot
6610260cc4
Merge pull request #78466 from yuwenma/revert-77904-revert-76396-reapply-75624
Revert "Revert "[Re-Apply][Distroless] Convert the GCE manifests for master containers.""
2019-10-01 01:21:33 -07:00
Shihang Zhang
42cb861487 exclude kms provider from health check
Change-Id: Ie1f828b327c5eede8a0b105a8c3f8fc7affd6f3e
2019-09-18 10:37:55 -07:00
Łukasz Osipiuk
b27e0b54f1 Update Cluster Autoscaler version to 1.16.0 2019-09-09 19:12:31 +02:00
Łukasz Osipiuk
9332d11563 Update cluster-autoscaler image to v1.16.0-beta.1 2019-09-06 17:38:31 +02:00
Davanum Srinivas
8fbfdf8267
Update default etcd server to 3.3.15 for kubernetes 1.16
Change-Id: I68f1a5e5339d83077a1a9f312c4e6e33848886c5
2019-08-30 21:29:45 -04:00
draveness
495faa22db feat: cleanup pod critical pod annotations feature 2019-08-09 08:41:23 +08:00
Walter Fender
ebb65c5f4c Get network-proxy working with GCE.
Got the proxy-server coming up in the master.
Added certs and have it coming up with those certs.
Added a daemonset to run the network-agent.
Adding support for agent running as a daemon set on every node.

Added quick hack to test that proxy server/agent were correctly
tunneling traffic to the kubelet.

Added more WIP for reading network proxy configuration.
Get flags set correctly and fix connection services.
Adding missing ApplyTo
Added ConnectivityService.
Fixed build directives. Added connectivity service configuration.
Fixed log levels.
Fixed minor issues for feature turned off.
Fixed boilerplate and format.
Moved log dialer initialization earlier as per Liggitt's suggestion.
Fixed a few minor issues in the configuration for GCE.
Fixed scheme allocation
Adding unit test.
Added test for direct connectivity service.

Switching to injecting the Lookup method rather than using a Singleton.
First round of mikedanese's feedback.
Fixed deployment to use yaml and other changes suggested by MikeDanese.

Switched network proxy server/agent which are kebab-case not camelCase.
Picked up DIAL_RSP fix.
Factored in deads2k feedback.
Feedback from mikedanese
Factored in second round of feedback from David.
Fix path in verify.
Factored in anfernee's feedback.
First part of lavalamp's feedback.
Factored in more changes from lavalamp and mikedanese.

Renamed network-proxy to konnectivity-server and konnectivity-agent.
Fixed tolerations and config file checking.
Added missing strptr
Finished lavalamp's requested rename.
Disambiguating konnectivity service by renaming it egress selector.

Switched feature flag to KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE
2019-08-06 23:09:49 -07:00
Maciej Borsz
e442a427f5 Update kube-addon-manager to v9.0.2. 2019-08-01 16:15:51 +02:00
Kubernetes Prow Robot
3be827e912
Merge pull request #77561 from wenjiaswe/fix-etcd-server
Use HTTPS as etcd-apiserver protocol when mTLS is enabled
2019-07-29 12:14:49 -07:00
Benjamin Elder
1cf8a06d12 add reciprocal note about keeping manifests in sync 2019-07-25 00:44:11 -07:00
Taahir Ahmed
9702c6e6e9 GCP config: gke-exec-auth-plugin for ValidatingAdmissionWebhook
This commit adds support for using `gke-exec-auth-plugin` (vTPM-based
certificates for mTLS) for webhooks when calling endpoints matching
`*.googleapis.com`, and integrates this support with
ValidatingAdmissionWebhook.

To enable it, request ValidatingAdmissionWebhook with
`ADMISSION_CONTROL=...,ValidatingAdmissionWebhook,...` (default) and
opt in to `gke-exec-auth-plugin` using `WEBHOOK_GKE_EXEC_AUTH=true`
during the configuration process.

If you don't opt-in, ValidatingAdmissionWebhook will be deployed as
before.

Requesting `WEBHOOK_GKE_EXEC_AUTH=true` will fail if you have not
provided other configuration variables:

  * `EXEC_AUTH_PLUGIN_URL`: controls whether `gke-exec-auth-plugin` is
    downloaded during the installation step.  A prerequisite for
    actually using the plugin.

  * `TOKEN_URL`, `TOKEN_BODY`, and `TOKEN_BODY_UNQUOTED`:
    configuration values used when calling the plugin.  `TOKEN_URL`
    and `TOKEN_BODY` have existing usage. `TOKEN_BODY_UNQUOTED` is a
    new variable that is meant to sidestep the problem of inverting
    `strconv.Quote` in Bash.

The existing configuration process for ImagePolicyWebhook has been
reworked to make it play nicely with ValidatingAdmissionWebhook under
`WEBHOOK_GKE_EXEC_AUTH=true`.

  * It originally placed the ImagePolicyWebhook configuration object
    at the top-level of the file specified by
    `--admission-control-config-file`.  I can't see why this worked;
    it must have been hitting some sort of lucky path through the
    various config file loading mechanisms.  Now, it places its
    configuration in a sub-field of that file, which is shared among
    all admission control plugins.

  * It mounted its various config files read-write.  I reviewed the
    code and couldn't see why it was necessary, so I moved the config
    files into the existing read-only mount at `/etc/srv/kubernetes`.

  * It now checks that all the configuration values it requires have
    been provided.

Co-authored-by: Mike Danese <mikedanese@google.com>
Co-authored-by: Taahir Ahmed <taahm@google.com>
2019-07-22 16:01:37 -07:00
Wenjia Zhang
2e61ae0c56 Use HTTPS as etcd-apiserver protocol when mTLS is enabled 2019-07-20 14:24:31 -07:00
Kubernetes Prow Robot
49f6510d9a
Merge pull request #80277 from draveness/feature/revert-cleanup-critical-pod
Revert "feat: cleanup pod critical pod annotations feature"
2019-07-18 19:31:37 -07:00
Javier Pérez Hernández
288ea10a59 gce: configure: use 'amd64' in kube core images manifest 2019-07-18 08:31:45 -07:00
draveness
d83526d253 Revert "feat: cleanup pod critical pod annotations feature"
This reverts commit b6d41ee5cc.
2019-07-18 13:31:12 +08:00
draveness
b6d41ee5cc feat: cleanup pod critical pod annotations feature 2019-07-11 08:54:19 +08:00
Vallery Lancey
dc0f14312e Removed deprecated --resource-container flag from kube-proxy. 2019-06-16 08:36:42 -07:00
Łukasz Osipiuk
94c80b1afc Update Cluster Autoscaler version to 1.15.0 2019-06-10 20:08:59 +02:00
Łukasz Osipiuk
df304b0a4d Update Cluster Autoscaler version to 1.15.0-beta.1 2019-06-07 17:11:03 +02:00
Yuwen Ma
ccbb88fc53 Revert "Revert "[Re-Apply][Distroless] Convert the GCE manifests for master containers."" 2019-05-30 08:02:41 -07:00
Łukasz Osipiuk
dda5e49cac Split CA parameters on manifest template expansion
Split arguments to be passed to cluster autoscaler binary,
so each argument is passed separately.
This is preparatory work for migrating CA to distroless base image
and passing multiple arguments together does not work if CA is
not wrapped around with shell script

Change-Id: I26b5a764d2a12079c7f4ed6633ccabf8d623e232
2019-05-29 15:20:34 +02:00
Matt Matejczyk
6ced6491c6 Change etcd's --listen-client-urls to 0.0.0.0 in tests
This is to allow scraping etcd metrics in scalability tests.

Ref. https://github.com/kubernetes/perf-tests/issues/522
2019-05-23 15:11:22 +02:00
Kubernetes Prow Robot
4d3d153210
Merge pull request #77904 from mborsz/revert-76396-reapply-75624
Revert "[Re-Apply][Distroless] Convert the GCE manifests for master containers."
2019-05-15 07:06:41 -07:00
Maciej Borsz
9da7db76b7
Revert "[Re-Apply][Distroless] Convert the GCE manifests for master containers." 2019-05-15 08:31:19 +02:00
Yuwen Ma
1f0f050fde Update etcd* version to use latest released images. 2019-05-13 17:28:40 -07:00
Kubernetes Prow Robot
5184b866d6
Merge pull request #77424 from MrHohn/gce-manifest-owners
Add OWNERS file for gce/manifests
2019-05-09 20:13:57 -07:00
Jake Sanders
2576713a40 when disabled, don't create the API server's insecure port mapping 2019-05-09 11:50:59 -07:00
Zihong Zheng
e6287c61e6 Add OWNERS file for gce/manifests 2019-05-08 17:39:23 -07:00
Kubernetes Prow Robot
e1d40da0df
Merge pull request #76396 from yuwenma/reapply-75624
[Re-Apply][Distroless] Convert the GCE manifests for master containers.
2019-05-06 21:31:39 -07:00
Kubernetes Prow Robot
6027a38e78
Merge pull request #77282 from MrHohn/addon-manager-9.0.1
Bump addon-manager to v9.0.1
2019-05-06 14:01:52 -07:00
Yuwen Ma
b8a8bdb127 [Distroless] Convert the GCE manifests for master containers.
* Touched containers: kube-apiserver, kube-scheduler,
kube-controller-manager.
* Remove the shell dependencies when upstart the containers.
* Reformat the command parameters to ["Exec", "Param1", "Param2"]
2019-05-06 08:04:06 -07:00
Mark Wolters
1456979e93 Added function to create kubeconfig for addon-manager 2019-05-03 15:12:16 -07:00
Jake Sanders
8bd0b45eae use static token to authenticate glbc 2019-05-01 22:24:48 -07:00
Zihong Zheng
037d4b3a07 Bump addon-manager to v9.0.1
- Rebase image on debian-base:v1.0.0.
2019-04-30 15:19:08 -07:00
Wojciech Tyczynski
0d77f62c02
Revert "override ETCD_SERVER with https instead http when mTLS is enabled" 2019-04-27 06:50:20 +02:00
Jake Sanders
113ab741e6 add option to set the value of the apiserver's insecure port 2019-04-18 20:35:08 +00:00
Wenjia Zhang
80c4bccf0f override ETCD_SERVER with https instead http when mTLS is enabled 2019-04-14 22:11:37 -07:00
Maciej Borsz
a0b51681c4
Revert "[Distroless] Convert the GCE manifests for master containers." 2019-04-05 12:55:14 +02:00
Yuwen Ma
af2659527f [Distroless] Convert the GCE manifests for master containers.
* Touched containers: kube-apiserver, kube-scheduler,
kube-controller-manager.
* Remove the shell dependencies when upstart the containers.
* Reformat the command parameters to ["Exec", "Param1", "Param2"]
2019-04-04 11:16:23 -07:00
Łukasz Osipiuk
ff18fbcebb Update Cluster Autoscaler version to 1.14.0
No changes since 1.14.0-beta.2
Changelog: https://github.com/kubernetes/autoscaler/releases/tag/cluster-autoscaler-1.14.0
2019-03-19 16:15:20 +01:00