Reviewed: https://review.openstack.org/542742
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=eb92701e05bb57e4d608e5bc66a69ed33c82c76e
Submitter: Zuul
Branch: stable/queens
commit eb92701e05bb57e4d608e5bc66a69ed33c82c76e
Author: Spyros Trigazis <email address hidden>
Date: Mon Jan 15 11:16:02 2018 +0100
k8s: Fix kubelet, add RBAC and pass e2e tests
Due to several small connected patches for the
fedora atomic driver, this patch includes 4 smaller patches.
Patch 1:
k8s: Do not start kubelet and kube-proxy on master
Patch [1], misses the removal of kubelet and kube-proxy from
enable-services-master.sh and therefore they are started if they
exist in the image or the script will fail.
https://review.openstack.org/#/c/533593/
Closes-Bug: #1726482
Patch 2:
k8s: Set require-kubeconfig when needed
From kubernetes 1.8 [1] --require-kubeconfig is deprecated and
in kubernetes 1.9 it is removed.
Add --require-kubeconfig only for k8s <= 1.8.
[1] https://github.com/kubernetes/kubernetes/issues/36745
Closes-Bug: #1718926
https://review.openstack.org/#/c/534309/
Patch 3:
k8s_fedora: Add RBAC configuration
* Make certificates and kubeconfigs compatible
with NodeAuthorizer [1].
* Add CoreDNS roles and rolebindings.
* Create the system:kube-apiserver-to-kubelet ClusterRole.
* Bind the system:kube-apiserver-to-kubelet ClusterRole to
the kubernetes user.
* remove creation of kube-system namespaces, it is created
by default
* update client cert generation in the conductor with
kubernetes' requirements
* Add --insecure-bind-address=127.0.0.1 to work on
multi-master too. The controller manager on each
node needs to contact the apiserver (on the same node)
on 127.0.0.1:8080
[1] https://kubernetes.io/docs/admin/authorization/node/
Closes-Bug: #1742420
Depends-On: If43c3d0a0d83c42ff1fceffe4bcc333b31dbdaab
https://review.openstack.org/#/c/527103/
Patch 4:
k8s_fedora: Update coredns config to pass e2e
To pass the e2e conformance tests, coredns needs to
be configured with POD-MODE verified. Otherwise, pods
won't be resolvable [1].
[1] https://github.com/coredns/coredns/tree/master/plugin/kubernetes
https://review.openstack.org/#/c/528566/
Closes-Bug: #1738633
Change-Id: Ibd5245ca0f5a11e1d67a2514cebb2ffe8aa5e7de
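What "compatible with NodeAuthorizer" in Patch 3 requires of a kubelet client certificate, shown as an added example that is not part of the commit or of Magnum's code: Kubernetes x509 authentication maps the certificate CN to the username and each O to a group, and the Node authorizer only recognises a kubelet whose username is `system:node:<nodeName>` and whose groups include `system:nodes`. The function names, node names and subject strings below are constructed for illustration, and the parser assumes simple subjects with no escaped `,` or `/` inside values.

```python
import re

NODE_GROUP = "system:nodes"        # group required by the Node authorizer
NODE_USER_PREFIX = "system:node:"  # username must be system:node:<nodeName>


def parse_subject(subject):
    """Split an openssl-style subject ("CN = a, O = b" or "/CN=a/O=b") into pairs."""
    pairs = []
    for part in re.split(r"[,/]", subject):
        if "=" in part:
            key, value = part.split("=", 1)
            pairs.append((key.strip().upper(), value.strip()))
    return pairs


def x509_identity(subject):
    """Kubernetes x509 client auth: CN becomes the username, each O a group."""
    pairs = parse_subject(subject)
    users = [v for k, v in pairs if k == "CN"]
    groups = [v for k, v in pairs if k == "O"]
    return (users[0] if users else ""), groups


def node_authorizer_problems(subject, node_name):
    """Return the reasons this cert would not be authorized as node `node_name`."""
    user, groups = x509_identity(subject)
    problems = []
    if NODE_GROUP not in groups:
        problems.append("missing O=%s" % NODE_GROUP)
    if not user.startswith(NODE_USER_PREFIX):
        problems.append("CN must start with %s" % NODE_USER_PREFIX)
    elif user[len(NODE_USER_PREFIX):] != node_name:
        problems.append("CN names node %r, kubelet registers as %r"
                        % (user[len(NODE_USER_PREFIX):], node_name))
    return problems


# Constructed sample subjects (not taken from a real cluster).
SAMPLES = [
    ("CN = system:node:k8s-minion-0, O = system:nodes", "k8s-minion-0"),
    ("/CN=kubelet/O=system:nodes", "k8s-minion-0"),
    ("CN = system:node:k8s-minion-1, O = magnum", "k8s-minion-0"),
]

if __name__ == "__main__":
    for subject, node in SAMPLES:
        print(subject, "->", node_authorizer_problems(subject, node) or "ok")
```

The subject string can be obtained from an existing certificate with `openssl x509 -noout -subject -in <cert>`.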