rancher/rke
1
0
Fork 0
mirror of https://github.com/rancher/rke.git synced 2025-09-12 13:18:47 +00:00
Code Issues Releases Wiki Activity

use k8s version info from kontainer-driver-metadata

Browse Source
This commit is contained in:
kinarashah
2019-05-28 11:51:53 -07:00
committed by Alena Prokharchyk
parent 8c8e3d1c6b
commit c191ed6202
25 changed files with 231 additions and 5547 deletions
Download Patch File Download Diff File Expand all files Collapse all files

161
cluster/plan.go
View File

@@ -15,6 +15,7 @@ import (
"github.com/rancher/rke/docker"
"github.com/rancher/rke/hosts"
"github.com/rancher/rke/k8s"
"github.com/rancher/rke/metadata"
"github.com/rancher/rke/pki"
"github.com/rancher/rke/services"
"github.com/rancher/rke/util"
@@ -120,46 +121,26 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, prefixPath string) v3.Pr
c.getRKEToolsEntryPoint(),
"kube-apiserver",
}
baseEnabledAdmissionPlugins := []string{
"DefaultStorageClass",
"DefaultTolerationSeconds",
"LimitRanger",
"NamespaceLifecycle",
"NodeRestriction",
"ResourceQuota",
"ServiceAccount",
}
CommandArgs := map[string]string{
"allow-privileged": "true",
"anonymous-auth": "false",
"bind-address": "0.0.0.0",
"client-ca-file": pki.GetCertPath(pki.CACertName),
"cloud-provider": c.CloudProvider.Name,
"etcd-cafile": etcdCAClientCert,
"etcd-certfile": etcdClientCert,
"etcd-keyfile": etcdClientKey,
"etcd-prefix": etcdPathPrefix,
"etcd-servers": etcdConnectionString,
"insecure-port": "0",
"kubelet-client-certificate": pki.GetCertPath(pki.KubeAPICertName),
"kubelet-client-key": pki.GetKeyPath(pki.KubeAPICertName),
"kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",
"profiling": "false",
"proxy-client-cert-file": pki.GetCertPath(pki.APIProxyClientCertName),
"proxy-client-key-file": pki.GetKeyPath(pki.APIProxyClientCertName),
"requestheader-allowed-names": pki.APIProxyClientCertName,
"requestheader-client-ca-file": pki.GetCertPath(pki.RequestHeaderCACertName),
"requestheader-extra-headers-prefix": "X-Remote-Extra-",
"requestheader-group-headers": "X-Remote-Group",
"requestheader-username-headers": "X-Remote-User",
"secure-port": "6443",
"service-account-key-file": pki.GetKeyPath(pki.ServiceAccountTokenKeyName),
"service-account-lookup": "true",
"service-cluster-ip-range": c.Services.KubeAPI.ServiceClusterIPRange,
"service-node-port-range": c.Services.KubeAPI.ServiceNodePortRange,
"storage-backend": "etcd3",
"tls-cert-file": pki.GetCertPath(pki.KubeAPICertName),
"tls-private-key-file": pki.GetKeyPath(pki.KubeAPICertName),
"client-ca-file": pki.GetCertPath(pki.CACertName),
"cloud-provider": c.CloudProvider.Name,
"etcd-cafile": etcdCAClientCert,
"etcd-certfile": etcdClientCert,
"etcd-keyfile": etcdClientKey,
"etcd-prefix": etcdPathPrefix,
"etcd-servers": etcdConnectionString,
"kubelet-client-certificate": pki.GetCertPath(pki.KubeAPICertName),
"kubelet-client-key": pki.GetKeyPath(pki.KubeAPICertName),
"proxy-client-cert-file": pki.GetCertPath(pki.APIProxyClientCertName),
"proxy-client-key-file": pki.GetKeyPath(pki.APIProxyClientCertName),
"requestheader-allowed-names": pki.APIProxyClientCertName,
"requestheader-client-ca-file": pki.GetCertPath(pki.RequestHeaderCACertName),
"service-account-key-file": pki.GetKeyPath(pki.ServiceAccountTokenKeyName),
"service-cluster-ip-range": c.Services.KubeAPI.ServiceClusterIPRange,
"service-node-port-range": c.Services.KubeAPI.ServiceNodePortRange,
"tls-cert-file": pki.GetCertPath(pki.KubeAPICertName),
"tls-private-key-file": pki.GetKeyPath(pki.KubeAPICertName),
}
if len(c.CloudProvider.Name) > 0 {
CommandArgs["cloud-config"] = cloudConfigFileName
@@ -198,37 +179,15 @@ func (c *Cluster) BuildKubeAPIProcess(host *hosts.Host, prefixPath string) v3.Pr
CommandArgs["advertise-address"] = host.InternalAddress
}
// PodSecurityPolicy
if c.Services.KubeAPI.PodSecurityPolicy {
CommandArgs["runtime-config"] = "extensions/v1beta1/podsecuritypolicy=true"
baseEnabledAdmissionPlugins = append(baseEnabledAdmissionPlugins, "PodSecurityPolicy")
}
// AlwaysPullImages
if c.Services.KubeAPI.AlwaysPullImages {
baseEnabledAdmissionPlugins = append(baseEnabledAdmissionPlugins, "AlwaysPullImages")
}
// Admission control plugins
// Resolution order:
// k8s_defaults.go K8sVersionServiceOptions
// enabledAdmissionPlugins
// cluster.yml extra_args overwrites it all
for _, optionName := range admissionControlOptionNames {
if _, ok := CommandArgs[optionName]; ok {
enabledAdmissionPlugins := strings.Split(CommandArgs[optionName], ",")
enabledAdmissionPlugins = append(enabledAdmissionPlugins, baseEnabledAdmissionPlugins...)
// Join unique slice as arg
CommandArgs[optionName] = strings.Join(util.UniqueStringSlice(enabledAdmissionPlugins), ",")
break
}
}
if c.Services.KubeAPI.PodSecurityPolicy {
CommandArgs["runtime-config"] = "extensions/v1beta1/podsecuritypolicy=true"
for _, optionName := range admissionControlOptionNames {
if _, ok := CommandArgs[optionName]; ok {
CommandArgs[optionName] = CommandArgs[optionName] + ",PodSecurityPolicy"
if c.Services.KubeAPI.AlwaysPullImages {
CommandArgs[optionName] = CommandArgs[optionName] + ",PodSecurityPolicy,AlwaysPullImages"
} else {
CommandArgs[optionName] = CommandArgs[optionName] + ",PodSecurityPolicy"
}
break
}
}
@@ -284,23 +243,12 @@ func (c *Cluster) BuildKubeControllerProcess(prefixPath string) v3.Process {
}
CommandArgs := map[string]string{
"address": "0.0.0.0",
"allow-untagged-cloud": "true",
"allocate-node-cidrs": "true",
"cloud-provider": c.CloudProvider.Name,
"cluster-cidr": c.ClusterCIDR,
"configure-cloud-routes": "false",
"enable-hostpath-provisioner": "false",
"kubeconfig": pki.GetConfigPath(pki.KubeControllerCertName),
"leader-elect": "true",
"node-monitor-grace-period": "40s",
"pod-eviction-timeout": "5m0s",
"profiling": "false",
"root-ca-file": pki.GetCertPath(pki.CACertName),
"service-account-private-key-file": pki.GetKeyPath(pki.ServiceAccountTokenKeyName),
"service-cluster-ip-range": c.Services.KubeController.ServiceClusterIPRange,
"terminated-pod-gc-threshold": "1000",
"v": "2",
}
// Best security practice is to listen on localhost, but DinD uses private container network instead of Host.
if c.DinD {
@@ -382,30 +330,15 @@ func (c *Cluster) BuildKubeletProcess(host *hosts.Host, prefixPath string) v3.Pr
}
CommandArgs := map[string]string{
"address": "0.0.0.0",
"anonymous-auth": "false",
"authentication-token-webhook": "true",
"cgroups-per-qos": "True",
"client-ca-file": pki.GetCertPath(pki.CACertName),
"cloud-provider": c.CloudProvider.Name,
"cluster-dns": c.ClusterDNSServer,
"cluster-domain": c.ClusterDomain,
"cni-bin-dir": "/opt/cni/bin",
"cni-conf-dir": "/etc/cni/net.d",
"enforce-node-allocatable": "",
"event-qps": "0",
"fail-swap-on": strconv.FormatBool(c.Services.Kubelet.FailSwapOn),
"hostname-override": host.HostnameOverride,
"kubeconfig": pki.GetConfigPath(pki.KubeNodeCertName),
"make-iptables-util-chains": "true",
"network-plugin": "cni",
"pod-infra-container-image": c.Services.Kubelet.InfraContainerImage,
"read-only-port": "0",
"resolv-conf": "/etc/resolv.conf",
"root-dir": path.Join(prefixPath, "/var/lib/kubelet"),
"streaming-connection-idle-timeout": "30m",
"volume-plugin-dir": "/var/lib/kubelet/volumeplugins",
"v": "2",
"client-ca-file": pki.GetCertPath(pki.CACertName),
"cloud-provider": c.CloudProvider.Name,
"cluster-dns": c.ClusterDNSServer,
"cluster-domain": c.ClusterDomain,
"fail-swap-on": strconv.FormatBool(c.Services.Kubelet.FailSwapOn),
"hostname-override": host.HostnameOverride,
"kubeconfig": pki.GetConfigPath(pki.KubeNodeCertName),
"pod-infra-container-image": c.Services.Kubelet.InfraContainerImage,
"root-dir": path.Join(prefixPath, "/var/lib/kubelet"),
}
if host.IsControl && !host.IsWorker {
CommandArgs["register-with-taints"] = unschedulableControlTaint
@@ -522,16 +455,11 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, prefixPath string) v3.
}
CommandArgs := map[string]string{
"cluster-cidr": c.ClusterCIDR,
"v": "2",
"healthz-bind-address": "127.0.0.1",
"hostname-override": host.HostnameOverride,
"kubeconfig": pki.GetConfigPath(pki.KubeProxyCertName),
}
// Best security practice is to listen on localhost, but DinD uses private container network instead of Host.
if c.DinD {
CommandArgs["healthz-bind-address"] = "0.0.0.0"
"cluster-cidr": c.ClusterCIDR,
"hostname-override": host.HostnameOverride,
"kubeconfig": pki.GetConfigPath(pki.KubeProxyCertName),
}
// check if our version has specific options for this component
serviceOptions := c.GetKubernetesServicesOptions()
if serviceOptions.Kubeproxy != nil {
@@ -545,6 +473,11 @@ func (c *Cluster) BuildKubeProxyProcess(host *hosts.Host, prefixPath string) v3.
}
}
// Best security practice is to listen on localhost, but DinD uses private container network instead of Host.
if c.DinD {
CommandArgs["healthz-bind-address"] = "0.0.0.0"
}
VolumesFrom := []string{
services.SidekickContainerName,
}
@@ -624,11 +557,7 @@ func (c *Cluster) BuildSchedulerProcess(prefixPath string) v3.Process {
}
CommandArgs := map[string]string{
"leader-elect": "true",
"v": "2",
"address": "0.0.0.0",
"profiling": "false",
"kubeconfig": pki.GetConfigPath(pki.KubeSchedulerCertName),
"kubeconfig": pki.GetConfigPath(pki.KubeSchedulerCertName),
}
// Best security practice is to listen on localhost, but DinD uses private container network instead of Host.
@@ -860,7 +789,7 @@ func (c *Cluster) GetKubernetesServicesOptions() v3.KubernetesServicesOptions {
clusterMajorVersion = k8sImageMajorVersion
}
serviceOptions, ok := v3.K8sVersionServiceOptions[clusterMajorVersion]
serviceOptions, ok := metadata.K8sVersionToServiceOptions[clusterMajorVersion]
if ok {
return serviceOptions
}