From 3fb59a328936d825b0eab274e45551496b621c06 Mon Sep 17 00:00:00 2001 From: Dalton Hubble Date: Sat, 27 Aug 2022 09:17:33 -0700 Subject: [PATCH] Migrate most Kubelet flags to KubeletConfiguration file * Add a KubeletConfiguration file to replace most Kubelet flags, to prepare for upcoming changes * Pass Kubelet the --config flag to specify the location of the KubeletConfiguration * Remove flsgs / configuration where it matches the defaults * Remove --cgroups-per-qos, defaults to true * Remove --container-runtime, defaults to remote * Remove enforce-node-allocatable=pods, defaults to pods Rel: * https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/ * https://kubernetes.io/docs/reference/config-api/kubelet-config.v1beta1/ --- .../kubernetes/butane/controller.yaml | 44 ++++++++++++------- .../kubernetes/workers/butane/worker.yaml | 44 ++++++++++++------- .../kubernetes/butane/controller.yaml | 42 +++++++++++------- .../kubernetes/workers/butane/worker.yaml | 42 +++++++++++------- .../kubernetes/butane/controller.yaml | 44 ++++++++++++------- .../kubernetes/workers/butane/worker.yaml | 44 ++++++++++++------- .../kubernetes/butane/controller.yaml | 42 +++++++++++------- .../kubernetes/workers/butane/worker.yaml | 42 +++++++++++------- .../kubernetes/butane/controller.yaml | 44 ++++++++++++------- .../kubernetes/butane/worker.yaml | 44 ++++++++++++------- .../kubernetes/butane/controller.yaml | 42 +++++++++++------- .../kubernetes/butane/worker.yaml | 41 +++++++++++------ .../kubernetes/butane/controller.yaml | 44 ++++++++++++------- .../kubernetes/butane/worker.yaml | 41 +++++++++++------ .../kubernetes/butane/controller.yaml | 42 +++++++++++------- .../kubernetes/butane/worker.yaml | 42 +++++++++++------- .../kubernetes/butane/controller.yaml | 43 +++++++++++------- .../kubernetes/workers/butane/worker.yaml | 43 +++++++++++------- .../kubernetes/butane/controller.yaml | 41 ++++++++++------- .../kubernetes/workers/butane/worker.yaml | 41 ++++++++++------- 20 files changed, 536 insertions(+), 316 deletions(-) diff --git a/aws/fedora-coreos/kubernetes/butane/controller.yaml b/aws/fedora-coreos/kubernetes/butane/controller.yaml index d39cbb91..ac20a44a 100644 --- a/aws/fedora-coreos/kubernetes/butane/controller.yaml +++ b/aws/fedora-coreos/kubernetes/butane/controller.yaml @@ -85,28 +85,13 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ --provider-id=aws:///$${AFTERBURN_AWS_AVAILABILITY_ZONE}/$${AFTERBURN_AWS_INSTANCE_ID} \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -144,6 +129,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/aws/fedora-coreos/kubernetes/workers/butane/worker.yaml b/aws/fedora-coreos/kubernetes/workers/butane/worker.yaml index 75c19744..519afb32 100644 --- a/aws/fedora-coreos/kubernetes/workers/butane/worker.yaml +++ b/aws/fedora-coreos/kubernetes/workers/butane/worker.yaml @@ -58,19 +58,9 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/node \ %{~ for label in split(",", node_labels) ~} @@ -79,12 +69,7 @@ systemd: %{~ for taint in split(",", node_taints) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --provider-id=aws:///$${AFTERBURN_AWS_AVAILABILITY_ZONE}/$${AFTERBURN_AWS_INSTANCE_ID} \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --provider-id=aws:///$${AFTERBURN_AWS_AVAILABILITY_ZONE}/$${AFTERBURN_AWS_INSTANCE_ID} ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -113,6 +98,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf contents: inline: | diff --git a/aws/flatcar-linux/kubernetes/butane/controller.yaml b/aws/flatcar-linux/kubernetes/butane/controller.yaml index e6e52621..3cd6fdd2 100644 --- a/aws/flatcar-linux/kubernetes/butane/controller.yaml +++ b/aws/flatcar-linux/kubernetes/butane/controller.yaml @@ -84,26 +84,13 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ --provider-id=aws:///$${COREOS_EC2_AVAILABILITY_ZONE}/$${COREOS_EC2_INSTANCE_ID} \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -143,6 +130,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/aws/flatcar-linux/kubernetes/workers/butane/worker.yaml b/aws/flatcar-linux/kubernetes/workers/butane/worker.yaml index b8f91769..8a4a2401 100644 --- a/aws/flatcar-linux/kubernetes/workers/butane/worker.yaml +++ b/aws/flatcar-linux/kubernetes/workers/butane/worker.yaml @@ -59,17 +59,9 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/node \ %{~ for label in split(",", node_labels) ~} @@ -78,12 +70,7 @@ systemd: %{~ for taint in split(",", node_taints) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --provider-id=aws:///$${COREOS_EC2_AVAILABILITY_ZONE}/$${COREOS_EC2_INSTANCE_ID} \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --provider-id=aws:///$${COREOS_EC2_AVAILABILITY_ZONE}/$${COREOS_EC2_INSTANCE_ID} ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -111,6 +98,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf mode: 0644 contents: diff --git a/azure/fedora-coreos/kubernetes/butane/controller.yaml b/azure/fedora-coreos/kubernetes/butane/controller.yaml index 1b8b5a0a..47073871 100644 --- a/azure/fedora-coreos/kubernetes/butane/controller.yaml +++ b/azure/fedora-coreos/kubernetes/butane/controller.yaml @@ -81,27 +81,12 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -139,6 +124,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/azure/fedora-coreos/kubernetes/workers/butane/worker.yaml b/azure/fedora-coreos/kubernetes/workers/butane/worker.yaml index 857f3939..22c59183 100644 --- a/azure/fedora-coreos/kubernetes/workers/butane/worker.yaml +++ b/azure/fedora-coreos/kubernetes/workers/butane/worker.yaml @@ -54,32 +54,17 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ - --node-labels=node.kubernetes.io/node \ %{~ for label in split(",", node_labels) ~} --node-labels=${label} \ %{~ endfor ~} %{~ for taint in split(",", node_taints) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -108,6 +93,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf contents: inline: | diff --git a/azure/flatcar-linux/kubernetes/butane/controller.yaml b/azure/flatcar-linux/kubernetes/butane/controller.yaml index f9a5bde9..f3df7d89 100644 --- a/azure/flatcar-linux/kubernetes/butane/controller.yaml +++ b/azure/flatcar-linux/kubernetes/butane/controller.yaml @@ -81,25 +81,12 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -139,6 +126,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/azure/flatcar-linux/kubernetes/workers/butane/worker.yaml b/azure/flatcar-linux/kubernetes/workers/butane/worker.yaml index 5618810f..046e54bd 100644 --- a/azure/flatcar-linux/kubernetes/workers/butane/worker.yaml +++ b/azure/flatcar-linux/kubernetes/workers/butane/worker.yaml @@ -56,30 +56,17 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ - --node-labels=node.kubernetes.io/node \ %{~ for label in split(",", node_labels) ~} --node-labels=${label} \ %{~ endfor ~} %{~ for taint in split(",", node_taints) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -107,6 +94,31 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf mode: 0644 contents: diff --git a/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml b/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml index d562cad5..2d1f7115 100644 --- a/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml +++ b/bare-metal/fedora-coreos/kubernetes/butane/controller.yaml @@ -80,28 +80,13 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=${domain_name} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -149,6 +134,31 @@ storage: contents: inline: ${domain_name} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml b/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml index b3cc57fa..593f87d9 100644 --- a/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml +++ b/bare-metal/fedora-coreos/kubernetes/butane/worker.yaml @@ -53,33 +53,18 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=${domain_name} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ - --node-labels=node.kubernetes.io/node \ %{~ for label in compact(split(",", node_labels)) ~} --node-labels=${label} \ %{~ endfor ~} %{~ for taint in compact(split(",", node_taints)) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -104,6 +89,31 @@ storage: contents: inline: ${domain_name} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf contents: inline: | diff --git a/bare-metal/flatcar-linux/kubernetes/butane/controller.yaml b/bare-metal/flatcar-linux/kubernetes/butane/controller.yaml index 4b3146d3..c63683cb 100644 --- a/bare-metal/flatcar-linux/kubernetes/butane/controller.yaml +++ b/bare-metal/flatcar-linux/kubernetes/butane/controller.yaml @@ -89,26 +89,13 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=${domain_name} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -150,6 +137,31 @@ storage: contents: inline: ${domain_name} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/bare-metal/flatcar-linux/kubernetes/butane/worker.yaml b/bare-metal/flatcar-linux/kubernetes/butane/worker.yaml index ffe5a102..9913a804 100644 --- a/bare-metal/flatcar-linux/kubernetes/butane/worker.yaml +++ b/bare-metal/flatcar-linux/kubernetes/butane/worker.yaml @@ -64,17 +64,9 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=${domain_name} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/node \ @@ -84,11 +76,7 @@ systemd: %{~ for taint in compact(split(",", node_taints)) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -107,6 +95,31 @@ storage: contents: inline: ${domain_name} + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf mode: 0644 contents: diff --git a/digital-ocean/fedora-coreos/kubernetes/butane/controller.yaml b/digital-ocean/fedora-coreos/kubernetes/butane/controller.yaml index fd0f1f63..5bd2815b 100644 --- a/digital-ocean/fedora-coreos/kubernetes/butane/controller.yaml +++ b/digital-ocean/fedora-coreos/kubernetes/butane/controller.yaml @@ -83,28 +83,13 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=$${AFTERBURN_DIGITALOCEAN_IPV4_PRIVATE_0} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -146,6 +131,31 @@ storage: - path: /etc/kubernetes - path: /opt/bootstrap files: + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/digital-ocean/fedora-coreos/kubernetes/butane/worker.yaml b/digital-ocean/fedora-coreos/kubernetes/butane/worker.yaml index 4cc0e05e..7818ab14 100644 --- a/digital-ocean/fedora-coreos/kubernetes/butane/worker.yaml +++ b/digital-ocean/fedora-coreos/kubernetes/butane/worker.yaml @@ -61,23 +61,11 @@ systemd: --authentication-token-webhook \ --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=$${AFTERBURN_DIGITALOCEAN_IPV4_PRIVATE_0} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ - --node-labels=node.kubernetes.io/node \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -110,6 +98,31 @@ storage: directories: - path: /etc/kubernetes files: + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf contents: inline: | diff --git a/digital-ocean/flatcar-linux/kubernetes/butane/controller.yaml b/digital-ocean/flatcar-linux/kubernetes/butane/controller.yaml index eb271b47..9bb36a53 100644 --- a/digital-ocean/flatcar-linux/kubernetes/butane/controller.yaml +++ b/digital-ocean/flatcar-linux/kubernetes/butane/controller.yaml @@ -92,26 +92,13 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -148,6 +135,31 @@ storage: - path: /etc/kubernetes mode: 0755 files: + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/digital-ocean/flatcar-linux/kubernetes/butane/worker.yaml b/digital-ocean/flatcar-linux/kubernetes/butane/worker.yaml index 93f2654f..512fdb1d 100644 --- a/digital-ocean/flatcar-linux/kubernetes/butane/worker.yaml +++ b/digital-ocean/flatcar-linux/kubernetes/butane/worker.yaml @@ -67,25 +67,12 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ - --node-labels=node.kubernetes.io/node \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -111,6 +98,31 @@ storage: - path: /etc/kubernetes mode: 0755 files: + - path: /etc/kubernetes/kubelet.yaml + mode: 0644 + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf mode: 0644 contents: diff --git a/google-cloud/fedora-coreos/kubernetes/butane/controller.yaml b/google-cloud/fedora-coreos/kubernetes/butane/controller.yaml index 518db25e..b3a2e205 100644 --- a/google-cloud/fedora-coreos/kubernetes/butane/controller.yaml +++ b/google-cloud/fedora-coreos/kubernetes/butane/controller.yaml @@ -81,27 +81,12 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -139,6 +124,30 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/google-cloud/fedora-coreos/kubernetes/workers/butane/worker.yaml b/google-cloud/fedora-coreos/kubernetes/workers/butane/worker.yaml index 857f3939..4d3a2ef6 100644 --- a/google-cloud/fedora-coreos/kubernetes/workers/butane/worker.yaml +++ b/google-cloud/fedora-coreos/kubernetes/workers/butane/worker.yaml @@ -54,32 +54,17 @@ systemd: --volume /var/run/lock:/var/run/lock:z \ --volume /opt/cni/bin:/opt/cni/bin:z \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --cgroups-per-qos=true \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --enforce-node-allocatable=pods \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ - --node-labels=node.kubernetes.io/node \ %{~ for label in split(",", node_labels) ~} --node-labels=${label} \ %{~ endfor ~} %{~ for taint in split(",", node_taints) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStop=-/usr/bin/podman stop kubelet Delegate=yes Restart=always @@ -108,6 +93,30 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf contents: inline: | diff --git a/google-cloud/flatcar-linux/kubernetes/butane/controller.yaml b/google-cloud/flatcar-linux/kubernetes/butane/controller.yaml index b11cc038..8c0427a3 100644 --- a/google-cloud/flatcar-linux/kubernetes/butane/controller.yaml +++ b/google-cloud/flatcar-linux/kubernetes/butane/controller.yaml @@ -81,25 +81,12 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/controller="true" \ - --pod-manifest-path=/etc/kubernetes/manifests \ - --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --register-with-taints=node-role.kubernetes.io/controller=:NoSchedule ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -139,6 +126,30 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /opt/bootstrap/layout mode: 0544 contents: diff --git a/google-cloud/flatcar-linux/kubernetes/workers/butane/worker.yaml b/google-cloud/flatcar-linux/kubernetes/workers/butane/worker.yaml index 5618810f..774886fa 100644 --- a/google-cloud/flatcar-linux/kubernetes/workers/butane/worker.yaml +++ b/google-cloud/flatcar-linux/kubernetes/workers/butane/worker.yaml @@ -56,30 +56,17 @@ systemd: -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ - --anonymous-auth=false \ - --authentication-token-webhook \ - --authorization-mode=Webhook \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ - --cgroup-driver=systemd \ - --container-runtime=remote \ + --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ - --client-ca-file=/etc/kubernetes/ca.crt \ - --cluster_dns=${cluster_dns_service_ip} \ - --cluster_domain=${cluster_domain_suffix} \ - --healthz-port=0 \ --kubeconfig=/var/lib/kubelet/kubeconfig \ - --node-labels=node.kubernetes.io/node \ %{~ for label in split(",", node_labels) ~} --node-labels=${label} \ %{~ endfor ~} %{~ for taint in split(",", node_taints) ~} --register-with-taints=${taint} \ %{~ endfor ~} - --pod-manifest-path=/etc/kubernetes/manifests \ - --read-only-port=0 \ - --resolv-conf=/run/systemd/resolve/resolv.conf \ - --rotate-certificates \ - --volume-plugin-dir=/var/lib/kubelet/volumeplugins + --node-labels=node.kubernetes.io/node ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet @@ -107,6 +94,30 @@ storage: contents: inline: | ${kubeconfig} + - path: /etc/kubernetes/kubelet.yaml + contents: + inline: | + apiVersion: kubelet.config.k8s.io/v1beta1 + kind: KubeletConfiguration + authentication: + anonymous: + enabled: false + webhook: + enabled: true + x509: + clientCAFile: /etc/kubernetes/ca.crt + authorization: + mode: Webhook + cgroupDriver: systemd + clusterDNS: + - ${cluster_dns_service_ip} + clusterDomain: ${cluster_domain_suffix} + healthzPort: 0 + rotateCertificates: true + staticPodPath: /etc/kubernetes/manifests + readOnlyPort: 0 + resolvConf: /run/systemd/resolve/resolv.conf + volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/sysctl.d/max-user-watches.conf mode: 0644 contents: