k8s_atomic: Remove kubelet from master nodes

Bug #1726482 reported by Spyros Trigazis
This bug affects 1 person
Affects: Magnum
Status: Fix Released
Importance: Undecided
Assigned to: Spyros Trigazis

Bug Description

Currently we start kubelet as unscheduled. Before containerizing kube [1], we needed to run kubelet before as unscheduled to run the controller-manager, scheduler and kube-proxy as static pods. There is no such need anymore.

Let's remove kubelet and kube-proxy completely from the masters to run only the control plane on them.

[1] https://blueprints.launchpad.net/magnum/+spec/run-kube-as-container

description: updated
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/514604

Changed in magnum:
assignee: nobody → Spyros Trigazis (strigazi)
status: New → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/514604
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=2f69309eca5b25a2b0cde32a2291a377f9f64506
Submitter: Zuul
Branch: master

commit 2f69309eca5b25a2b0cde32a2291a377f9f64506
Author: Spyros Trigazis <email address hidden>
Date: Tue Oct 24 10:04:43 2017 +0000

    k8s_atomic: Remove kubelet and kube-proxy from master

    Currently we start kubelet as unscheduled. Before
    containerizing kube, we needed to run kubelet before as
    unscheduled to run the controller-manager, scheduler and
    kube-proxy as static pods. There is no such need anymore.

    Change-Id: I0e36606427530756d8084b643ba43880541bbe44
    Partially-Implements: blueprint run-kube-as-container
    Closes-Bug: #1726482

Changed in magnum:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/533593

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 6.0.0

This issue was fixed in the openstack/magnum 6.0.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/queens)

Fix proposed to branch: stable/queens
Review: https://review.openstack.org/542742

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/533593
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=2329cb7fb4d197e49d6c07d37b2f7ec14a11c880
Submitter: Zuul
Branch: master

commit 2329cb7fb4d197e49d6c07d37b2f7ec14a11c880
Author: Spyros Trigazis <email address hidden>
Date: Mon Jan 15 11:16:02 2018 +0100

    k8s: Fix kubelet, add RBAC and pass e2e tests

    Due to several small connected patches for the
    fedora atomic driver, this patch includes 4 smaller patches.

    Patch 1:
    k8s: Do not start kubelet and kube-proxy on master

    Patch [1] misses the removal of kubelet and kube-proxy from
    enable-services-master.sh and therefore they are started if they
    exist in the image or the script will fail.

    https://review.openstack.org/#/c/533593/
    Closes-Bug: #1726482

    Patch 2:
    k8s: Set require-kubeconfig when needed

    From kubernetes 1.8 [1] --require-kubeconfig is deprecated and
    in kubernetes 1.9 it is removed.

    Add --require-kubeconfig only for k8s <= 1.8.

    [1] https://github.com/kubernetes/kubernetes/issues/36745

    Closes-Bug: #1718926

    https://review.openstack.org/#/c/534309/

    Patch 3:
    k8s_fedora: Add RBAC configuration

    * Make certificates and kubeconfigs compatible
      with NodeAuthorizer [1].
    * Add CoreDNS roles and rolebindings.
    * Create the system:kube-apiserver-to-kubelet ClusterRole.
    * Bind the system:kube-apiserver-to-kubelet ClusterRole to
      the kubernetes user.
    * remove creation of kube-system namespaces, it is created
      by default
    * update client cert generation in the conductor with
      kubernetes' requirements
    * Add --insecure-bind-address=127.0.0.1 to work on
      multi-master too. The controller manager on each
      node needs to contact the apiserver (on the same node)
      on 127.0.0.1:8080

    [1] https://kubernetes.io/docs/admin/authorization/node/

    Closes-Bug: #1742420
    Depends-On: If43c3d0a0d83c42ff1fceffe4bcc333b31dbdaab
    https://review.openstack.org/#/c/527103/

    Patch 4:
    k8s_fedora: Update coredns config to pass e2e

    To pass the e2e conformance tests, coredns needs to
    be configured with POD-MODE verified. Otherwise, pods
    won't be resolvable [1].

    [1] https://github.com/coredns/coredns/tree/master/plugin/kubernetes

    https://review.openstack.org/#/c/528566/
    Closes-Bug: #1738633

    Change-Id: Ibd5245ca0f5a11e1d67a2514cebb2ffe8aa5e7de
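
The last bullet of Patch 3 relies on the apiserver's insecure port, which serves requests without authentication or authorization, so the bind address decides who can reach it. The following is an added example (not Magnum's code) that classifies that listener from a kube-apiserver argument list. The function names and sample arguments are constructed, and an unset flag is assumed to take the upstream default of that era (port 8080, address 127.0.0.1).

```shell
#!/bin/sh
# Added example (not Magnum's code). Function names are hypothetical and the
# argument lists at the bottom are constructed sample input.

# Print the value given for --NAME, as "--NAME=VALUE" or "--NAME VALUE".
# Returns 1 when the flag is absent.
flag_value() {
    want="--$1"
    shift
    prev=""
    for arg in "$@"; do
        if [ "$prev" = "$want" ]; then
            printf '%s\n' "$arg"
            return 0
        fi
        case "$arg" in
            "$want"=*) printf '%s\n' "${arg#*=}"; return 0 ;;
        esac
        prev=$arg
    done
    return 1
}

# Classify the apiserver's insecure listener: disabled, loopback or exposed.
# Assumption: an unset flag falls back to the upstream defaults of that era
# (port 8080, address 127.0.0.1).
insecure_listener() {
    port=$(flag_value insecure-port "$@") || port=8080
    if [ "$port" = "0" ]; then
        echo disabled
        return 0
    fi
    addr=$(flag_value insecure-bind-address "$@") || addr=127.0.0.1
    case "$addr" in
        127.*|::1) echo "loopback $addr:$port" ;;
        *) echo "exposed $addr:$port" ;;
    esac
}

# Constructed argument lists: the setting from Patch 3, a wildcard bind,
# and a disabled insecure port.
insecure_listener --insecure-bind-address=127.0.0.1 --secure-port=6443
insecure_listener --insecure-bind-address 0.0.0.0 --insecure-port=8080
insecure_listener --insecure-port=0
```

An "exposed" result means any host that can route to that address reaches the API with no credentials.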

OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/queens)

Reviewed: https://review.openstack.org/542742
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=eb92701e05bb57e4d608e5bc66a69ed33c82c76e
Submitter: Zuul
Branch: stable/queens

commit eb92701e05bb57e4d608e5bc66a69ed33c82c76e
Author: Spyros Trigazis <email address hidden>
Date: Mon Jan 15 11:16:02 2018 +0100

    k8s: Fix kubelet, add RBAC and pass e2e tests

    Due to several small connected patches for the
    fedora atomic driver, this patch includes 4 smaller patches.

    Patch 1:
    k8s: Do not start kubelet and kube-proxy on master

    Patch [1] misses the removal of kubelet and kube-proxy from
    enable-services-master.sh and therefore they are started if they
    exist in the image or the script will fail.

    https://review.openstack.org/#/c/533593/
    Closes-Bug: #1726482

    Patch 2:
    k8s: Set require-kubeconfig when needed

    From kubernetes 1.8 [1] --require-kubeconfig is deprecated and
    in kubernetes 1.9 it is removed.

    Add --require-kubeconfig only for k8s <= 1.8.

    [1] https://github.com/kubernetes/kubernetes/issues/36745

    Closes-Bug: #1718926

    https://review.openstack.org/#/c/534309/

    Patch 3:
    k8s_fedora: Add RBAC configuration

    * Make certificates and kubeconfigs compatible
      with NodeAuthorizer [1].
    * Add CoreDNS roles and rolebindings.
    * Create the system:kube-apiserver-to-kubelet ClusterRole.
    * Bind the system:kube-apiserver-to-kubelet ClusterRole to
      the kubernetes user.
    * remove creation of kube-system namespaces, it is created
      by default
    * update client cert generation in the conductor with
      kubernetes' requirements
    * Add --insecure-bind-address=127.0.0.1 to work on
      multi-master too. The controller manager on each
      node needs to contact the apiserver (on the same node)
      on 127.0.0.1:8080

    [1] https://kubernetes.io/docs/admin/authorization/node/

    Closes-Bug: #1742420
    Depends-On: If43c3d0a0d83c42ff1fceffe4bcc333b31dbdaab
    https://review.openstack.org/#/c/527103/

    Patch 4:
    k8s_fedora: Update coredns config to pass e2e

    To pass the e2e conformance tests, coredns needs to
    be configured with POD-MODE verified. Otherwise, pods
    won't be resolvable [1].

    [1] https://github.com/coredns/coredns/tree/master/plugin/kubernetes

    https://review.openstack.org/#/c/528566/
    Closes-Bug: #1738633

    Change-Id: Ibd5245ca0f5a11e1d67a2514cebb2ffe8aa5e7de

tags: added: in-stable-queens
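
Patch 2's rule, as an added example that is not Magnum's code: emit --require-kubeconfig only for Kubernetes 1.8 and older, comparing major and minor numerically because a string comparison would sort 1.10 before 1.8. The function names, kubeconfig path and version tags are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Magnum's code). Function names and the kubeconfig path
# are hypothetical; the version tags below are constructed sample input.

# Print "MAJOR MINOR" for tags such as v1.8.5, 1.9.0 or v1.10.1-beta.0.
# Returns 1 when the tag cannot be parsed (for example "latest").
kube_major_minor() {
    v=${1#v}
    case "$v" in
        [0-9]*.[0-9]*) ;;
        *) return 1 ;;
    esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%[!0-9]*}          # keep only the leading digits
    case "$major" in *[!0-9]*) return 1 ;; esac
    [ -n "$minor" ] || return 1
    printf '%s %s\n' "$major" "$minor"
}

# Print the kubelet kubeconfig flags for version tag $1 and kubeconfig path $2.
# --require-kubeconfig is added only for k8s <= 1.8 (removed in 1.9).
# Fails closed: an unparsable tag prints nothing and returns 1.
kubelet_kubeconfig_args() {
    mm=$(kube_major_minor "$1") || return 1
    major=${mm% *}
    minor=${mm#* }
    args="--kubeconfig=$2"
    # Numeric comparison: as strings, "1.10" would sort before "1.8".
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -le 8 ]; }; then
        args="$args --require-kubeconfig"
    fi
    printf '%s\n' "$args"
}

# Constructed tags on both sides of the 1.8 boundary, including 1.10.
for tag in v1.7.4 v1.8.5 v1.9.3 v1.10.1; do
    printf '%s: %s\n' "$tag" \
        "$(kubelet_kubeconfig_args "$tag" /etc/kubernetes/kubelet.conf)"
done
```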
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 6.1.0

This issue was fixed in the openstack/magnum 6.1.0 release.

OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 7.0.0

This issue was fixed in the openstack/magnum 7.0.0 release.
