Upgrade to kubernetes v1.8.0 (#1730)

* Upgrade to kubernetes v1.8.0

hyperkube no longer contains rsync, so now use cp

* Enable node authorization mode

* change kube-proxy cert group name
pull/1702/merge
Matthew Mosesohn 2017-10-05 10:51:21 +01:00 committed by GitHub
parent 9c86da1403
commit f14f04c5ea
9 changed files with 25 additions and 36 deletions

View File

@ -60,7 +60,6 @@ before_script:
KUBELET_DEPLOYMENT: "host"
VAULT_DEPLOYMENT: "docker"
WEAVE_CPU_LIMIT: "100m"
AUTHORIZATION_MODES: "{ 'authorization_modes': [] }"
MAGIC: "ci check this"
.gce: &gce
@ -131,7 +130,6 @@ before_script:
-e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e "${AUTHORIZATION_MODES}"
--limit "all:!fake_hosts"
cluster.yml
@ -161,7 +159,6 @@ before_script:
-e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e "${AUTHORIZATION_MODES}"
--limit "all:!fake_hosts"
$PLAYBOOK;
fi
@ -199,7 +196,6 @@ before_script:
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "${AUTHORIZATION_MODES}"
--limit "all:!fake_hosts"
cluster.yml;
fi
@ -248,7 +244,6 @@ before_script:
-e "{kubeadm_enabled: ${KUBEADM_ENABLED}}"
-e weave_cpu_requests=${WEAVE_CPU_LIMIT}
-e weave_cpu_limit=${WEAVE_CPU_LIMIT}
-e "${AUTHORIZATION_MODES}"
--limit "all:!fake_hosts"
cluster.yml;
fi
@ -278,7 +273,6 @@ before_script:
# Test matrix. Leave the comments for markup scripts.
.coreos_calico_aio_variables: &coreos_calico_aio_variables
# stage: deploy-gce-part1
AUTHORIZATION_MODES: "{ 'authorization_modes': [ 'RBAC' ] }"
KUBE_NETWORK_PLUGIN: calico
CLOUD_IMAGE: coreos-stable-1465-6-0-v20170817
CLOUD_REGION: us-west1-b
@ -289,10 +283,9 @@ before_script:
##User-data to simply turn off coreos upgrades
STARTUP_SCRIPT: 'systemctl disable locksmithd && systemctl stop locksmithd'
.ubuntu_canal_ha_rbac_variables: &ubuntu_canal_ha_rbac_variables
.ubuntu_canal_ha_variables: &ubuntu_canal_ha_variables
# stage: deploy-gce-part1
KUBE_NETWORK_PLUGIN: canal
AUTHORIZATION_MODES: "{ 'authorization_modes': [ 'RBAC' ] }"
CLOUD_IMAGE: ubuntu-1604-xenial
CLOUD_REGION: europe-west1-b
CLUSTER_MODE: ha
@ -302,7 +295,6 @@ before_script:
.centos_weave_kubeadm_variables: &centos_weave_kubeadm_variables
# stage: deploy-gce-part1
KUBE_NETWORK_PLUGIN: weave
AUTHORIZATION_MODES: "{ 'authorization_modes': [ 'RBAC' ] }"
CLOUD_IMAGE: centos-7
CLOUD_MACHINE_TYPE: "n1-standard-1"
CLOUD_REGION: us-central1-b
@ -314,7 +306,6 @@ before_script:
.ubuntu_canal_kubeadm_variables: &ubuntu_canal_kubeadm_variables
# stage: deploy-gce-part1
KUBE_NETWORK_PLUGIN: canal
AUTHORIZATION_MODES: "{ 'authorization_modes': [ 'RBAC' ] }"
CLOUD_IMAGE: ubuntu-1604-xenial
CLOUD_MACHINE_TYPE: "n1-standard-1"
CLOUD_REGION: europe-west1-b
@ -409,7 +400,6 @@ before_script:
.ubuntu_vault_sep_variables: &ubuntu_vault_sep_variables
# stage: deploy-gce-part1
AUTHORIZATION_MODES: "{ 'authorization_modes': [ 'RBAC' ] }"
CLOUD_MACHINE_TYPE: "n1-standard-2"
KUBE_NETWORK_PLUGIN: canal
CERT_MGMT: vault
@ -418,9 +408,8 @@ before_script:
CLUSTER_MODE: separate
STARTUP_SCRIPT: ""
.ubuntu_flannel_rbac_variables: &ubuntu_flannel_rbac_variables
.ubuntu_flannel_variables: &ubuntu_flannel_variables
# stage: deploy-gce-special
AUTHORIZATION_MODES: "{ 'authorization_modes': [ 'RBAC' ] }"
KUBE_NETWORK_PLUGIN: flannel
CLOUD_IMAGE: ubuntu-1604-xenial
CLOUD_REGION: europe-west1-b
@ -492,28 +481,28 @@ ubuntu-weave-sep-triggers:
only: ['triggers']
# More builds for PRs/merges (manual) and triggers (auto)
ubuntu-canal-ha-rbac:
ubuntu-canal-ha:
stage: deploy-gce-part1
<<: *job
<<: *gce
variables:
<<: *gce_variables
<<: *ubuntu_canal_ha_rbac_variables
<<: *ubuntu_canal_ha_variables
when: manual
except: ['triggers']
only: ['master', /^pr-.*$/]
ubuntu-canal-ha-rbac-triggers:
ubuntu-canal-ha-triggers:
stage: deploy-gce-part1
<<: *job
<<: *gce
variables:
<<: *gce_variables
<<: *ubuntu_canal_ha_rbac_variables
<<: *ubuntu_canal_ha_variables
when: on_success
only: ['triggers']
ubuntu-canal-kubeadm-rbac:
ubuntu-canal-kubeadm:
stage: deploy-gce-part1
<<: *job
<<: *gce
@ -534,7 +523,7 @@ ubuntu-canal-kubeadm-triggers:
when: on_success
only: ['triggers']
centos-weave-kubeadm-rbac:
centos-weave-kubeadm:
stage: deploy-gce-part1
<<: *job
<<: *gce
@ -694,13 +683,13 @@ ubuntu-vault-sep:
except: ['triggers']
only: ['master', /^pr-.*$/]
ubuntu-flannel-rbac-sep:
ubuntu-flannel-sep:
stage: deploy-gce-special
<<: *job
<<: *gce
variables:
<<: *gce_variables
<<: *ubuntu_flannel_rbac_variables
<<: *ubuntu_flannel_variables
when: manual
except: ['triggers']
only: ['master', /^pr-.*$/]

View File

@ -71,9 +71,11 @@ following default cluster paramters:
alpha/experimental Kubernetes features. (defaults is `[]`)
* *authorization_modes* - A list of [authorization mode](
https://kubernetes.io/docs/admin/authorization/#using-flags-for-your-authorization-module)
that the cluster should be configured for. Defaults to `[]` (i.e. no authorization).
Note: `RBAC` is currently in experimental phase, and do not support either calico or
vault. Upgrade from non-RBAC to RBAC is not tested.
that the cluster should be configured for. Defaults to `['RBAC', 'Node']` (RBAC and Node authorizers).
Note: `RBAC` is enabled by default. Previously deployed clusters can be
converted to RBAC mode. However, your apps which rely on Kubernetes API will
require a service account and cluster role bindings. You can override this
setting by setting authorization_modes to `[]`.
Note, if cloud providers have any use of the ``10.233.0.0/16``, like instances'
private addresses, make sure to pick another values for ``kube_service_addresses``

View File

@ -23,7 +23,7 @@ kube_users_dir: "{{ kube_config_dir }}/users"
kube_api_anonymous_auth: false
## Change this to use another Kubernetes version, e.g. a current beta release
kube_version: v1.7.5
kube_version: v1.8.0
# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)

View File

@ -18,9 +18,8 @@ download_localhost: False
download_always_pull: False
# Versions
kube_version: v1.7.5
# Change to kube_version after v1.8.0 release
kubeadm_version: "v1.8.0-rc.1"
kube_version: v1.8.0
kubeadm_version: "{{ kube_version }}"
etcd_version: v3.2.4
# TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
# after migration to container download
@ -37,7 +36,7 @@ pod_infra_version: 3.0
kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/amd64/kubeadm"
# Checksums
kubeadm_checksum: "8f6ceb26b8503bfc36a99574cf6f853be1c55405aa31669561608ad8099bf5bf"
kubeadm_checksum: "9f4b9cf255d5ef45481d5a1b20bfe84c1d633d67cd50eeaa5c8712fb8fc1bd5b"
# Containers
etcd_image_repo: "quay.io/coreos/etcd"

View File

@ -18,7 +18,6 @@ networking:
kubernetesVersion: {{ kube_version }}
cloudProvider: {{ cloud_provider|default('') }}
authorizationModes:
- Node
{% for mode in authorization_modes %}
- {{ mode }}
{% endfor %}

View File

@ -109,12 +109,12 @@ if [ -n "$HOSTS" ]; then
done
fi
# system:kube-proxy
# system:node-proxier
if [ -n "$HOSTS" ]; then
for host in $HOSTS; do
cn="${host%%.*}"
# kube-proxy
gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy"
gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy/O=system:node-proxier"
done
fi

View File

@ -146,9 +146,9 @@ openstack_lbaas_enabled: false
# openstack_lbaas_monitor_max_retries: false
## List of authorization modes that must be configured for
## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
## the k8s cluster. Only 'AlwaysAllow', 'AlwaysDeny', 'Node' and
## 'RBAC' modes are tested.
authorization_modes: []
authorization_modes: ['RBAC', 'Node']
rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}"
## List of key=value pairs that describe feature gates for

View File

@ -48,7 +48,7 @@
changed_when: false
- name: Calico | Copy cni plugins from hyperkube
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
register: cni_task_result
until: cni_task_result.rc == 0
retries: 4

View File

@ -50,7 +50,7 @@
- rbac_enabled or item.type not in rbac_resources
- name: Canal | Copy cni plugins from hyperkube
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
register: cni_task_result
until: cni_task_result.rc == 0
retries: 4