The first pod with network latency impacts user workloads; however,
it is difficult to understand where the problem of this latency is,
since it depends on the CNI plugin to be ready at the moment of the
pod creation.
Add a new internal metric in the kubelet that allows developers and cluster
administrators to understand the source of the latency problems on
node startups.
kubelet_first_network_pod_start_sli_duration_seconds
Change-Id: I4cdb55b0df72c96a3a65b78ce2aae404c5195006
The default service-cidr controller blocks the apiserver because it
needs to create the default ServiceCIDR so Services can be allocated.
If the apiserver is started without the default ServiceCIDR any attempt
to create a new Service will fail, and this is a breaking change for
users and installers that do not retry on this operation.
Instead of using a channel to signal the controller is ready, just
implement two loops, a first one that verifies that it is ready and that
polls with a shorter interval, and leave the second loop with the
existing interval.
Change-Id: I54303af9faeaa9c5cce2a840b6b7b0320cd2f4ad
Because labels are currently typically added also to the spec texts, we don't
need to write them separately.
This redundancy got introduced in f2cfbf44b1 when registering all inline tags
also as labels.
As part of the memory manager GA graduation effort, we should add
metrics in order to improve observability.
The metrics are also mentioned in the PR https://github.com/kubernetes/enhancements/pull/4251 (which was not merged yet).
Signed-off-by: Talor Itzhak <titzhak@redhat.com>
The component connection between kube-apiserver and kubelet does not
require the "O" field on the Subject to be set to the
"system:masters" privileged group. It can be a less
privileged group like "kubeadm:cluster-admins".
Change the group in the apiserver-kubelet-client
certificate specification. This cert is passed to
--kubelet-client-certificate.
This script relies on Go but doesn't set up the private Go environment
(which ensures that the go command meets k/k's requirements). This
fixes that.
As a drive-by improvement, drop two unnecessary backslashes from
regexes (before / which doesn't need to be escaped).
Signed-off-by: Stephen Kitt <skitt@redhat.com>
kubemark's proxy mode exists to test how kube-proxy affects the load
on the apiserver, not how it affects the load on the node. There's no
need to generate fake iptables commands, because that all happens
entirely independently of the api watchers.