variant: flatcar version: 1.0.0 systemd: units: - name: docker.service enabled: true - name: locksmithd.service mask: true - name: kubelet.path enabled: true contents: | [Unit] Description=Watch for kubeconfig [Path] PathExists=/etc/kubernetes/kubeconfig [Install] WantedBy=multi-user.target - name: wait-for-dns.service enabled: true contents: | [Unit] Description=Wait for DNS entries Wants=systemd-resolved.service Before=kubelet.service [Service] Type=oneshot RemainAfterExit=true ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done' [Install] RequiredBy=kubelet.service - name: kubelet.service contents: | [Unit] Description=Kubelet Requires=docker.service After=docker.service Requires=coreos-metadata.service After=coreos-metadata.service Wants=rpc-statd.service [Service] Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.25.0 EnvironmentFile=/run/metadata/coreos ExecStartPre=/bin/mkdir -p /etc/cni/net.d ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests ExecStartPre=/bin/mkdir -p /opt/cni/bin ExecStartPre=/bin/mkdir -p /var/lib/calico ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt" # Podman, rkt, or runc run container processes, whereas docker run # is a client to a daemon and requires workarounds to use within a # systemd unit. https://github.com/moby/moby/issues/6791 ExecStartPre=/usr/bin/docker run -d \ --name kubelet \ --privileged \ --pid host \ --network host \ -v /etc/cni/net.d:/etc/cni/net.d:ro \ -v /etc/kubernetes:/etc/kubernetes:ro \ -v /etc/machine-id:/etc/machine-id:ro \ -v /usr/lib/os-release:/etc/os-release:ro \ -v /lib/modules:/lib/modules:ro \ -v /run:/run \ -v /sys/fs/cgroup:/sys/fs/cgroup \ -v /var/lib/calico:/var/lib/calico:ro \ -v /var/lib/containerd:/var/lib/containerd \ -v /var/lib/kubelet:/var/lib/kubelet:rshared \ -v /var/log:/var/log \ -v /opt/cni/bin:/opt/cni/bin \ $${KUBELET_IMAGE} \ --bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \ --config=/etc/kubernetes/kubelet.yaml \ --container-runtime-endpoint=unix:///run/containerd/containerd.sock \ --hostname-override=$${COREOS_DIGITALOCEAN_IPV4_PRIVATE_0} \ --kubeconfig=/var/lib/kubelet/kubeconfig \ --node-labels=node.kubernetes.io/node ExecStart=docker logs -f kubelet ExecStop=docker stop kubelet ExecStopPost=docker rm kubelet Restart=always RestartSec=5 [Install] WantedBy=multi-user.target - name: delete-node.service enabled: true contents: | [Unit] Description=Delete Kubernetes node on shutdown [Service] Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.25.0 Type=oneshot RemainAfterExit=true ExecStart=/bin/true ExecStop=/bin/bash -c '/usr/bin/docker run -v /var/lib/kubelet:/var/lib/kubelet:ro --entrypoint /usr/local/bin/kubectl $${KUBELET_IMAGE} --kubeconfig=/var/lib/kubelet/kubeconfig delete node $HOSTNAME' [Install] WantedBy=multi-user.target storage: directories: - path: /etc/kubernetes mode: 0755 files: - path: /etc/kubernetes/kubelet.yaml mode: 0644 contents: inline: | apiVersion: kubelet.config.k8s.io/v1beta1 kind: KubeletConfiguration authentication: anonymous: enabled: false webhook: enabled: true x509: clientCAFile: /etc/kubernetes/ca.crt authorization: mode: Webhook cgroupDriver: systemd clusterDNS: - ${cluster_dns_service_ip} clusterDomain: ${cluster_domain_suffix} healthzPort: 0 featureGates: LocalStorageCapacityIsolationFSQuotaMonitoring: false rotateCertificates: true shutdownGracePeriod: 45s shutdownGracePeriodCriticalPods: 30s staticPodPath: /etc/kubernetes/manifests readOnlyPort: 0 resolvConf: /run/systemd/resolve/resolv.conf volumePluginDir: /var/lib/kubelet/volumeplugins - path: /etc/systemd/logind.conf.d/inhibitors.conf contents: inline: | [Login] InhibitDelayMaxSec=45s - path: /etc/sysctl.d/max-user-watches.conf mode: 0644 contents: inline: | fs.inotify.max_user_watches=16184