FetchInitConfigurationFromCluster always called SetAPIEndpointDynamicDefaults,
which invokes ChooseAPIServerBindAddress and requires a default route on the
host. Worker nodes joining the cluster don't need a LocalAPIEndpoint and may
legitimately have no default route, causing kubeadm join to fail with:
```
unable to fetch the kubeadm-config ConfigMap: unable to select an IP from
default routes.
```
Add a skipAPIEndpoint parameter to SetInitDynamicDefaults and pass
`!getAPIEndpoint` from FetchInitConfigurationFromCluster, so the endpoint
defaulter is bypassed when the caller did not request the endpoint (worker
join, non-control-plane reset/certs/upgrade paths).
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
Historicaly the kubeadm clients have used the 'admin.conf'
and 'super-admin.conf' directly, which makes all API calls
go trough the CPE (control plane endpoint). This can create
problems for scenarios when the LB is provisioned only after
'init' starts the kube-apiserver.
Instead of using the '.conf' as they are, modify them
in memory to point to the LAE (localAPIEndpoint).
This was already done by the WaitControlPlaneClient for
the WaitControlPlane phase, which required it. This separate
client is no longer needed.
However, do use a unmodified kubeconfig to the init phase
bootstrap-token since this is the phase that creates
the cluster-info CM and for that we need the original CPE
server address.
If /var/lib/kubelet is MS_SHARED mountpoint, all the mountpoints
under /var/lib/kubelet will have duplicate one. When `kubeadm reset -f`
is executed, it will try to umount one path twice. However, they are in
the peer group. Once we umount one path, the duplicate one will be
umounted as well. So, in this case, we should ignore EINVAL error.
Signed-off-by: Wei Fu <fuweid89@gmail.com>
(cherry picked from commit 2634261c17)
Signed-off-by: Wei Fu <fuweid89@gmail.com>
The PatchNodeOnce function has historically exited early
in scanarious when we Get a Node object, but the next Patch
API call on the same Node object fails. This can happen
in setups that are under a lot of resource pressure
or different network timeout scenarious.
Instead of exiting early and allow listing certain errors,
always retry on any Patch error. This aligns with the
general idea that kubeadm retries *all* API calls.
If the user has provided extraArgs with an order that has
significance (e.g. --service-account-issuer for kube-apiserver),
kubeadm will correctly override any base args, but will end up
sorting the entire resulting list, which is not desired.
Instead, only sort the base arguments and preserve the order
of overrides provided by the user.
When retrieving the cluster-info CM, ensure the cluster pointed
out by the current context in the kubeconfig is validated.
Add unit test for the above.
Make the function GetClusterFromKubeConfig() to return various
errors. Handle the errors on call sites. Add unit tests
for the update.
The above changes prevent panics when the users has manually
edited and malformed the kubeconfig in the cluster-info CM.
The newControlPlane flag has been historically problematic, since
it implies that the function FetchInitConfigurationFromCluster
cannot handle the cases where a node is worker node but
we still want to fetch its NodeRegistrationOptions conditionally,
in cases such as "upgrade node" for workers.
To fix this issue, replace the flag newControlPlaneNode with
two new flags getNodeRegistration and getAPIEndpoint.
If getNodeRegistration is true, we fetch the NRO, and if
getAPIEndpoint is true, we fetch the API endpoint for
that node.
Additionally, rename skipComponentConfigs to getComponentConfigs
for consistency and flip its value accordingly everywhere.
When waiting for the kube-apiserver to report 'ok'
in the 'init' and 'join' phase 'wait-control-plane', a client
constructed from the 'admin.conf' is used. In the case of the
kube-apiserver, the discovery client is used so that
anonymous-auth works. But if 'admin.conf' is used as is,
it would point to the CPE and not the LAE.
Implement a new method WaitControlPlaneClient() for both
init.go and join.go that patches the 'Server' field in the
loaded v1.Config to point to the LAE, before constructing
a client set and using it in the kube-apiserver waiter.
With StreamingCollectionEncodingToJSON and
StreamingCollectionEncodingToProtobuf, the WatchList must re-justify its
necessity. To prevent an ecosystem from building around a feature that
may not be promoted, we will stop serving list-via-watch until
performance numbers can justify its inclusion.
This also stops the kube-controller-manager from using the
list-via-watch by default. The fallback is a regular list, so during
the skew during an upgrade the "right" thing will happen and the new
StreamingCollectionEncoding will be used.
When the kube-apiserver has --anonymous-auth=false,
the regular http.Client.Get() that WaitForAllControlPlaneComponents
does will not work.
Always use the discovery client when checking the health status
of the kube-apiserver.
Do a minor rework of struct fields and unit tests.
Replace nil client in cmd/phases/join/waitcontrolplane.go.
There was one error path that led to a "controller has shut down" log
message. Other errors caused different log entries or are so unlikely (event
handler registration failure!) that they weren't checked at all.
It's clearer to let Run return an error in all cases and then log the
"controller has shut down" error at the call site. This also enables tests to
mark themselves as failed, should that ever happen.
This change introduces improvements to the component compatibility registry:
- Modify the kube-scheduler test server to create a separate ComponentGlobalsRegistry
- Update the compatibility registry to handle multiple flag configurations
- Enhance test cases to support emulation version mapping between components
Various parts of kube-proxy passed around a "hostname", but it is
actually the name of the *node* kube-proxy is running on, which is not
100% guaranteed to be exactly the same as the hostname. Rename it
everywhere to make it clearer that (a) it is definitely safe to use
that name to refer to the Node, (b) it is not necessarily safe to use
that name with DNS, etc.
The controller is derived from the node taint eviction controller.
In contrast to that controller it tracks the UID of pods to prevent
deleting the wrong pod when it got replaced.