Inline Container Linux kubelet.service, deprecate kubelet-wrapper
* Change kubelet.service on Container Linux nodes to ExecStart Kubelet
  inline to replace the use of the host OS kubelet-wrapper script
* Express rkt run flags and volume mounts in a clear, uniform way to
  make the Kubelet service easier to audit, manage, and understand
* Eliminate reliance on a Container Linux kubelet-wrapper script
* Typhoon for Fedora CoreOS developed a kubelet.service that similarly
  uses an inline ExecStart (except with podman instead of rkt) and a
  more minimal set of volume mounts. Adopt the volume improvements:
  * Change Kubelet /etc/kubernetes volume to read-only
  * Change Kubelet /etc/resolv.conf volume to read-only
  * Remove unneeded /var/lib/cni volume mount
Background:
* kubelet-wrapper was added in CoreOS around the time of Kubernetes v1.0
  to simplify running a CoreOS-built hyperkube ACI image via rkt-fly. The
  script defaults are no longer ideal (e.g. rkt's notion of trust dates
  back to quay.io ACI image serving and signing, which informed the OCI
  standard images we use today, though they still lack rkt's signing ideas).
* Shipping kubelet-wrapper was regretted at CoreOS, but remains in the
  distro for compatibility. The script is not updated to track hyperkube
  changes, but it is stable and kubelet.env overrides bridge most gaps
* Typhoon Container Linux nodes have used kubelet-wrapper to rkt/rkt-fly
  run the Kubelet via the official k8s.gcr.io hyperkube image using overrides
  (new image registry, new image format, restart handling, new mounts, new
  entrypoint in v1.17).
* Observation: Most of what it takes to run a Kubelet container is defined
  in Typhoon, not in kubelet-wrapper. The wrapper's value is now undermined
  by having to work around its dated defaults. Typhoon may be better served
  defining Kubelet.service explicitly
* Typhoon for Fedora CoreOS developed a kubelet.service without the use
  of a host OS kubelet-wrapper which is both clearer and eliminated some
  volume mounts
2019-12-29 20:17:26 +01:00

---
systemd:
  units:
    - name: docker.service
      enable: true
    - name: locksmithd.service
      mask: true
    - name: kubelet.path
      enable: true
      contents: |
        [Unit]
        Description=Watch for kubeconfig
        [Path]
        PathExists=/etc/kubernetes/kubeconfig
        [Install]
        WantedBy=multi-user.target
    - name: wait-for-dns.service
      enable: true
      contents: |
        [Unit]
        Description=Wait for DNS entries
        Wants=systemd-resolved.service
        Before=kubelet.service
        [Service]
        Type=oneshot
        RemainAfterExit=true
        ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
        [Install]
        RequiredBy=kubelet.service
    - name: kubelet.service
      contents: |
        [Unit]
        Description=Kubelet via Hyperkube
        Wants=rpc-statd.service
        [Service]
        Environment=KUBELET_CGROUP_DRIVER=${cgroup_driver}
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
        ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
        ExecStartPre=/bin/mkdir -p /opt/cni/bin
        ExecStartPre=/bin/mkdir -p /var/lib/calico
        ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
        ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
        ExecStartPre=-/usr/bin/rkt rm --uuid-file=/var/cache/kubelet-pod.uuid
        ExecStart=/usr/bin/rkt run \
          --uuid-file-save=/var/cache/kubelet-pod.uuid \
          --stage1-from-dir=stage1-fly.aci \
          --hosts-entry host \
          --insecure-options=image \
          --volume etc-kubernetes,kind=host,source=/etc/kubernetes,readOnly=true \
          --mount volume=etc-kubernetes,target=/etc/kubernetes \
          --volume etc-machine-id,kind=host,source=/etc/machine-id,readOnly=true \
          --mount volume=etc-machine-id,target=/etc/machine-id \
          --volume etc-os-release,kind=host,source=/usr/lib/os-release,readOnly=true \
          --mount volume=etc-os-release,target=/etc/os-release \
          --volume=etc-resolv,kind=host,source=/etc/resolv.conf,readOnly=true \
          --mount volume=etc-resolv,target=/etc/resolv.conf \
          --volume etc-ssl-certs,kind=host,source=/etc/ssl/certs,readOnly=true \
          --mount volume=etc-ssl-certs,target=/etc/ssl/certs \
          --volume lib-modules,kind=host,source=/lib/modules,readOnly=true \
          --mount volume=lib-modules,target=/lib/modules \
          --volume run,kind=host,source=/run \
          --mount volume=run,target=/run \
          --volume usr-share-certs,kind=host,source=/usr/share/ca-certificates,readOnly=true \
          --mount volume=usr-share-certs,target=/usr/share/ca-certificates \
          --volume var-lib-calico,kind=host,source=/var/lib/calico,readOnly=true \
          --mount volume=var-lib-calico,target=/var/lib/calico \
          --volume var-lib-docker,kind=host,source=/var/lib/docker \
          --mount volume=var-lib-docker,target=/var/lib/docker \
          --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,recursive=true \
          --mount volume=var-lib-kubelet,target=/var/lib/kubelet \
          --volume var-log,kind=host,source=/var/log \
          --mount volume=var-log,target=/var/log \
          --volume opt-cni-bin,kind=host,source=/opt/cni/bin \
          --mount volume=opt-cni-bin,target=/opt/cni/bin \
          --volume etc-iscsi,kind=host,source=/etc/iscsi \
          --mount volume=etc-iscsi,target=/etc/iscsi \
          --volume usr-sbin-iscsiadm,kind=host,source=/usr/sbin/iscsiadm \
          --mount volume=usr-sbin-iscsiadm,target=/sbin/iscsiadm \
          docker://quay.io/poseidon/kubelet:v1.17.4 -- \
          --anonymous-auth=false \
          --authentication-token-webhook \
          --authorization-mode=Webhook \
          --cgroup-driver=$${KUBELET_CGROUP_DRIVER} \
          --client-ca-file=/etc/kubernetes/ca.crt \
          --cluster_dns=${cluster_dns_service_ip} \
          --cluster_domain=${cluster_domain_suffix} \
          --cni-conf-dir=/etc/kubernetes/cni/net.d \
          --exit-on-lock-contention \
          --healthz-port=0 \
          --hostname-override=${domain_name} \
          --kubeconfig=/etc/kubernetes/kubeconfig \
          --lock-file=/var/run/lock/kubelet.lock \
          --network-plugin=cni \
          --node-labels=node.kubernetes.io/node \
          %{~ for label in compact(split(",", node_labels)) ~}
          --node-labels=${label} \
          %{~ endfor ~}
          %{~ for taint in compact(split(",", node_taints)) ~}
          --register-with-taints=${taint} \
          %{~ endfor ~}
          --pod-manifest-path=/etc/kubernetes/manifests \
          --read-only-port=0 \
          --volume-plugin-dir=/var/lib/kubelet/volumeplugins
        ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
        Restart=always
        RestartSec=5
        [Install]
        WantedBy=multi-user.target

storage:
  directories:
    - path: /etc/kubernetes
      filesystem: root
  files:
    - path: /etc/hostname
      filesystem: root
      mode: 0644
      contents:
        inline:
          ${domain_name}
    - path: /etc/sysctl.d/max-user-watches.conf
      filesystem: root
      contents:
        inline: |
          fs.inotify.max_user_watches=16184

passwd:
  users:
    - name: core
      ssh_authorized_keys:
        - ${ssh_authorized_key}
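The commit message above says the inline rkt run flags exist so the Kubelet service is easier to audit; the following Python is an added audit example (not Typhoon's code) that parses a backslash-continued ExecStart like the one above, lists the host paths mounted into the Kubelet container without `readOnly=true`, and checks that `--anonymous-auth`, `--authorization-mode` and `--read-only-port` keep the values the unit sets. The excerpt is constructed from the unit (abridged to a few volumes), and it handles both the `--volume name,...` and `--volume=name,...` spellings that the unit mixes.

```python
"""Audit an inline rkt-run kubelet.service like the one above (added example, not Typhoon code)."""
import shlex

# Constructed, abridged excerpt of the unit's ExecStart (only a subset of its volumes).
UNIT_EXCERPT = r"""ExecStart=/usr/bin/rkt run \
  --uuid-file-save=/var/cache/kubelet-pod.uuid \
  --volume etc-kubernetes,kind=host,source=/etc/kubernetes,readOnly=true \
  --mount volume=etc-kubernetes,target=/etc/kubernetes \
  --volume=etc-resolv,kind=host,source=/etc/resolv.conf,readOnly=true \
  --mount volume=etc-resolv,target=/etc/resolv.conf \
  --volume var-lib-kubelet,kind=host,source=/var/lib/kubelet,recursive=true \
  --mount volume=var-lib-kubelet,target=/var/lib/kubelet \
  docker://quay.io/poseidon/kubelet:v1.17.4 -- \
  --anonymous-auth=false \
  --authorization-mode=Webhook \
  --read-only-port=0
"""

# Hardened Kubelet auth settings the unit is expected to carry; deviations are reported.
EXPECTED_KUBELET_FLAGS = {"--anonymous-auth": "false", "--authorization-mode": "Webhook",
                          "--read-only-port": "0"}

def exec_start_argv(unit_text):
    """Join the backslash-continued ExecStart= value and split it like a shell would."""
    cmd, lines = "", unit_text.splitlines()
    start = next(i for i, ln in enumerate(lines) if ln.startswith("ExecStart="))
    for line in lines[start:]:
        stripped = line.rstrip()
        cmd += " " + stripped.rstrip("\\")
        if not stripped.endswith("\\"):  # last continuation line reached
            break
    return shlex.split(cmd[len(" ExecStart="):])

def writable_host_mounts(argv):
    """Host volumes (rkt args before '--') declared without readOnly=true."""
    writable, rkt_args = [], argv[:argv.index("--")]
    for i, arg in enumerate(rkt_args):
        if not arg.startswith("--volume"):
            continue
        spec = rkt_args[i + 1] if arg == "--volume" else arg[len("--volume="):]
        name, _, opts = spec.partition(",")
        kv = dict(o.split("=", 1) for o in opts.split(",") if "=" in o)
        if kv.get("kind") == "host" and kv.get("readOnly") != "true":
            writable.append((name, kv["source"]))
    return writable

def kubelet_flag_findings(argv):
    """Expected Kubelet auth flags (after '--') that are missing or set differently."""
    flags = dict(a.partition("=")[::2] for a in argv[argv.index("--") + 1:])
    return {k: flags.get(k) for k, v in EXPECTED_KUBELET_FLAGS.items() if flags.get(k) != v}
```

Run `writable_host_mounts(exec_start_argv(open("/etc/systemd/system/kubelet.service").read()))` on a node to list the writable mounts of the real unit; an empty dict from `kubelet_flag_findings` means the three auth flags are intact.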