k3s/pkg/daemons/agent/agent.go

package agent

import (
	"bufio"
	"context"
	"math/rand"
	"os"
	"path/filepath"
	"strings"
	"time"

	"github.com/opencontainers/runc/libcontainer/system"
	"github.com/rancher/k3s/pkg/daemons/config"
	"github.com/sirupsen/logrus"
	"k8s.io/apimachinery/pkg/util/net"
	"k8s.io/component-base/logs"
	app2 "k8s.io/kubernetes/cmd/kube-proxy/app"
	"k8s.io/kubernetes/cmd/kubelet/app"
	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"

	_ "k8s.io/kubernetes/pkg/client/metrics/prometheus" // for client metric registration
	_ "k8s.io/kubernetes/pkg/version/prometheus"        // for version metric registration
)

func Agent(config *config.Agent) error {
	rand.Seed(time.Now().UTC().UnixNano())

	kubelet(config)
	kubeProxy(config)

	return nil
}

func kubeProxy(cfg *config.Agent) {
	argsMap := map[string]string{
		"proxy-mode":           "iptables",
		"healthz-bind-address": "127.0.0.1",
		"kubeconfig":           cfg.KubeConfig,
		"cluster-cidr":         cfg.ClusterCIDR.String(),
	}
	args := config.GetArgsList(argsMap, cfg.ExtraKubeProxyArgs)

	command := app2.NewProxyCommand()
	command.SetArgs(args)
	go func() {
		err := command.Execute()
		logrus.Fatalf("kube-proxy exited: %v", err)
	}()
}

func kubelet(cfg *config.Agent) {
	command := app.NewKubeletCommand(context.Background().Done())
	logs.InitLogs()
	defer logs.FlushLogs()

	argsMap := map[string]string{
		"healthz-bind-address":     "127.0.0.1",
		"read-only-port":           "0",
		"allow-privileged":         "true",
		"cluster-domain":           cfg.ClusterDomain,
		"kubeconfig":               cfg.KubeConfig,
		"eviction-hard":            "imagefs.available<5%,nodefs.available<5%",
		"eviction-minimum-reclaim": "imagefs.available=10%,nodefs.available=10%",
		"fail-swap-on":             "false",
		//"cgroup-root": "/k3s",
		"cgroup-driver":                "cgroupfs",
		"authentication-token-webhook": "true",
		"authorization-mode":           modes.ModeWebhook,
	}
	if cfg.RootDir != "" {
		argsMap["root-dir"] = cfg.RootDir
		argsMap["cert-dir"] = filepath.Join(cfg.RootDir, "pki")
		argsMap["seccomp-profile-root"] = filepath.Join(cfg.RootDir, "seccomp")
	}
	if cfg.CNIConfDir != "" {
		argsMap["cni-conf-dir"] = cfg.CNIConfDir
	}
	if cfg.CNIBinDir != "" {
		argsMap["cni-bin-dir"] = cfg.CNIBinDir
	}
	if len(cfg.ClusterDNS) > 0 {
		argsMap["cluster-dns"] = cfg.ClusterDNS.String()
	}
	if cfg.ResolvConf != "" {
		argsMap["resolv-conf"] = cfg.ResolvConf
	}
	if cfg.RuntimeSocket != "" {
		argsMap["container-runtime"] = "remote"
		argsMap["container-runtime-endpoint"] = cfg.RuntimeSocket
		argsMap["serialize-image-pulls"] = "false"
	}
	if cfg.ListenAddress != "" {
		argsMap["address"] = cfg.ListenAddress
	}
	if cfg.CACertPath != "" {
		argsMap["anonymous-auth"] = "false"
		argsMap["client-ca-file"] = cfg.CACertPath
	}
	if cfg.NodeCertFile != "" && cfg.NodeKeyFile != "" {
		argsMap["tls-cert-file"] = cfg.NodeCertFile
		argsMap["tls-private-key-file"] = cfg.NodeKeyFile
	}
	if cfg.NodeName != "" {
		argsMap["hostname-override"] = cfg.NodeName
	}
	defaultIP, err := net.ChooseHostInterface()
	if err != nil || defaultIP.String() != cfg.NodeIP {
		argsMap["node-ip"] = cfg.NodeIP
	}
	root, hasCFS, hasPIDs := checkCgroups()
	if !hasCFS {
		logrus.Warn("Disabling CPU quotas due to missing cpu.cfs_period_us")
		argsMap["cpu-cfs-quota"] = "false"
	}
	if !hasPIDs {
		logrus.Warn("Disabling pod PIDs limit feature due to missing cgroup pids support")
		argsMap["cgroups-per-qos"] = "false"
		argsMap["enforce-node-allocatable"] = ""
		argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "SupportPodPidsLimit=false")
	}
	if root != "" {
		argsMap["runtime-cgroups"] = root
		argsMap["kubelet-cgroups"] = root
	}
	if system.RunningInUserNS() {
		argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "DevicePlugins=false")
	}

	args := config.GetArgsList(argsMap, cfg.ExtraKubeletArgs)
	command.SetArgs(args)

	go func() {
		logrus.Infof("Running kubelet %s", config.ArgString(args))
		logrus.Fatalf("kubelet exited: %v", command.Execute())
	}()
}

func addFeatureGate(current, new string) string {
	if current == "" {
		return new
	}
	return current + "," + new
}

func checkCgroups() (root string, hasCFS bool, hasPIDs bool) {
	f, err := os.Open("/proc/self/cgroup")
	if err != nil {
		return "", false, false
	}
	defer f.Close()

	scan := bufio.NewScanner(f)
	for scan.Scan() {
		parts := strings.Split(scan.Text(), ":")
		if len(parts) < 3 {
			continue
		}
		systems := strings.Split(parts[1], ",")
		for _, system := range systems {
			if system == "pids" {
				hasPIDs = true
			} else if system == "cpu" {
				p := filepath.Join("/sys/fs/cgroup", parts[1], parts[2], "cpu.cfs_period_us")
				if _, err := os.Stat(p); err == nil {
					hasCFS = true
				}
			} else if system == "name=systemd" {
				last := parts[len(parts)-1]
				i := strings.LastIndex(last, ".slice")
				if i > 0 {
					root = "/systemd" + last[:i+len(".slice")]
				}
			}
		}
	}

	return root, hasCFS, hasPIDs
}
Initial Commit 2019-01-01 08:23:01 +00:00			`package agent`

			`import (`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"bufio"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"context"`
			`"math/rand"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"os"`
Continued refactoring 2019-01-09 16:54:15 +00:00			`"path/filepath"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"strings"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"time"`

Add rootless support 2019-03-08 22:47:44 +00:00			`"github.com/opencontainers/runc/libcontainer/system"`
Continued refactoring 2019-01-09 16:54:15 +00:00			`"github.com/rancher/k3s/pkg/daemons/config"`
Initial Commit 2019-01-01 08:23:01 +00:00			`"github.com/sirupsen/logrus"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`"k8s.io/apimachinery/pkg/util/net"`
Updates for k8s 1.14 2019-04-08 17:53:52 +00:00			`"k8s.io/component-base/logs"`
Initial Commit 2019-01-01 08:23:01 +00:00			`app2 "k8s.io/kubernetes/cmd/kube-proxy/app"`
			`"k8s.io/kubernetes/cmd/kubelet/app"`
Bind kubelet to all interfaces and use webhook auth 2019-04-26 22:02:30 +00:00			`"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"`
Add rootless support 2019-03-08 22:47:44 +00:00
Initial Commit 2019-01-01 08:23:01 +00:00			`_ "k8s.io/kubernetes/pkg/client/metrics/prometheus" // for client metric registration`
			`_ "k8s.io/kubernetes/pkg/version/prometheus" // for version metric registration`
			`)`

			`func Agent(config *config.Agent) error {`
			`rand.Seed(time.Now().UTC().UnixNano())`

			`kubelet(config)`
			`kubeProxy(config)`

			`return nil`
			`}`

Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`func kubeProxy(cfg *config.Agent) {`
			`argsMap := map[string]string{`
			`"proxy-mode": "iptables",`
			`"healthz-bind-address": "127.0.0.1",`
			`"kubeconfig": cfg.KubeConfig,`
			`"cluster-cidr": cfg.ClusterCIDR.String(),`
			`}`
			`args := config.GetArgsList(argsMap, cfg.ExtraKubeProxyArgs)`
Initial Commit 2019-01-01 08:23:01 +00:00
			`command := app2.NewProxyCommand()`
			`command.SetArgs(args)`
			`go func() {`
			`err := command.Execute()`
			`logrus.Fatalf("kube-proxy exited: %v", err)`
			`}()`
			`}`

Continued refactoring 2019-01-09 16:54:15 +00:00			`func kubelet(cfg *config.Agent) {`
Initial Commit 2019-01-01 08:23:01 +00:00			`command := app.NewKubeletCommand(context.Background().Done())`
			`logs.InitLogs()`
			`defer logs.FlushLogs()`

Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap := map[string]string{`
			`"healthz-bind-address": "127.0.0.1",`
			`"read-only-port": "0",`
			`"allow-privileged": "true",`
Add --cluster-domain option 2019-04-12 06:06:35 +00:00			`"cluster-domain": cfg.ClusterDomain,`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`"kubeconfig": cfg.KubeConfig,`
			`"eviction-hard": "imagefs.available<5%,nodefs.available<5%",`
			`"eviction-minimum-reclaim": "imagefs.available=10%,nodefs.available=10%",`
			`"fail-swap-on": "false",`
			`//"cgroup-root": "/k3s",`
Enable aggregation layer Configure kube-apiserver, kubelets, and kube-proxy for use with aggregation layer in order for metrics-server deployment to function correctly. 2019-04-10 18:09:38 +00:00			`"cgroup-driver": "cgroupfs",`
			`"authentication-token-webhook": "true",`
Bind kubelet to all interfaces and use webhook auth 2019-04-26 22:02:30 +00:00			`"authorization-mode": modes.ModeWebhook,`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.RootDir != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["root-dir"] = cfg.RootDir`
			`argsMap["cert-dir"] = filepath.Join(cfg.RootDir, "pki")`
			`argsMap["seccomp-profile-root"] = filepath.Join(cfg.RootDir, "seccomp")`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.CNIConfDir != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cni-conf-dir"] = cfg.CNIConfDir`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.CNIBinDir != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cni-bin-dir"] = cfg.CNIBinDir`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if len(cfg.ClusterDNS) > 0 {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cluster-dns"] = cfg.ClusterDNS.String()`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Kubelet resolv.conf DNS update Allow the kubelet resolv-conf flag to be set, or automatically discovered from /etc/resolv.conf & /run/systemd/resolve/resolv.conf if no loopback devices are present, or create our own which points to nameserver 8.8.8.8 2019-03-26 22:15:16 +00:00			`if cfg.ResolvConf != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["resolv-conf"] = cfg.ResolvConf`
Kubelet resolv.conf DNS update Allow the kubelet resolv-conf flag to be set, or automatically discovered from /etc/resolv.conf & /run/systemd/resolve/resolv.conf if no loopback devices are present, or create our own which points to nameserver 8.8.8.8 2019-03-26 22:15:16 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.RuntimeSocket != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["container-runtime"] = "remote"`
			`argsMap["container-runtime-endpoint"] = cfg.RuntimeSocket`
			`argsMap["serialize-image-pulls"] = "false"`
Initial Commit 2019-01-01 08:23:01 +00:00			`}`
Continued refactoring 2019-01-09 16:54:15 +00:00			`if cfg.ListenAddress != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["address"] = cfg.ListenAddress`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
			`if cfg.CACertPath != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["anonymous-auth"] = "false"`
			`argsMap["client-ca-file"] = cfg.CACertPath`
Add node name to node cert generation 2019-04-19 18:20:34 +00:00			`}`
			`if cfg.NodeCertFile != "" && cfg.NodeKeyFile != "" {`
			`argsMap["tls-cert-file"] = cfg.NodeCertFile`
			`argsMap["tls-private-key-file"] = cfg.NodeKeyFile`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
			`if cfg.NodeName != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["hostname-override"] = cfg.NodeName`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
			`defaultIP, err := net.ChooseHostInterface()`
			`if err != nil \|\| defaultIP.String() != cfg.NodeIP {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["node-ip"] = cfg.NodeIP`
Continued refactoring 2019-01-09 16:54:15 +00:00			`}`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`root, hasCFS, hasPIDs := checkCgroups()`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`if !hasCFS {`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`logrus.Warn("Disabling CPU quotas due to missing cpu.cfs_period_us")`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["cpu-cfs-quota"] = "false"`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`if !hasPIDs {`
			`logrus.Warn("Disabling pod PIDs limit feature due to missing cgroup pids support")`
			`argsMap["cgroups-per-qos"] = "false"`
			`argsMap["enforce-node-allocatable"] = ""`
			`argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "SupportPodPidsLimit=false")`
			`}`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`if root != "" {`
Add extra flags for server and agent components 2019-04-05 00:43:00 +00:00			`argsMap["runtime-cgroups"] = root`
			`argsMap["kubelet-cgroups"] = root`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`}`
Add rootless support 2019-03-08 22:47:44 +00:00			`if system.RunningInUserNS() {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`argsMap["feature-gates"] = addFeatureGate(argsMap["feature-gates"], "DevicePlugins=false")`
Add rootless support 2019-03-08 22:47:44 +00:00			`}`
Initial Commit 2019-01-01 08:23:01 +00:00
Add rootless support 2019-03-08 22:47:44 +00:00			`args := config.GetArgsList(argsMap, cfg.ExtraKubeletArgs)`
Initial Commit 2019-01-01 08:23:01 +00:00			`command.SetArgs(args)`

			`go func() {`
Continued refactoring 2019-01-09 16:54:15 +00:00			`logrus.Infof("Running kubelet %s", config.ArgString(args))`
Initial Commit 2019-01-01 08:23:01 +00:00			`logrus.Fatalf("kubelet exited: %v", command.Execute())`
			`}()`
			`}`
Prepare for initial release 2019-01-22 21:14:58 +00:00
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`func addFeatureGate(current, new string) string {`
			`if current == "" {`
			`return new`
			`}`
			`return current + "," + new`
			`}`

			`func checkCgroups() (root string, hasCFS bool, hasPIDs bool) {`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`f, err := os.Open("/proc/self/cgroup")`
			`if err != nil {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`return "", false, false`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`
			`defer f.Close()`

			`scan := bufio.NewScanner(f)`
			`for scan.Scan() {`
			`parts := strings.Split(scan.Text(), ":")`
			`if len(parts) < 3 {`
			`continue`
			`}`
			`systems := strings.Split(parts[1], ",")`
			`for _, system := range systems {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`if system == "pids" {`
			`hasPIDs = true`
			`} else if system == "cpu" {`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`p := filepath.Join("/sys/fs/cgroup", parts[1], parts[2], "cpu.cfs_period_us")`
			`if _, err := os.Stat(p); err == nil {`
Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`hasCFS = true`
Cleanup docker cgroup errors in kubelet 2019-03-04 05:00:47 +00:00			`}`
			`} else if system == "name=systemd" {`
			`last := parts[len(parts)-1]`
			`i := strings.LastIndex(last, ".slice")`
			`if i > 0 {`
			`root = "/systemd" + last[:i+len(".slice")]`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`
			`}`
			`}`
			`}`

Check for cgroup pids support If cgroup pids are not supported add a feature-gates flag SupportPodPidsLimit=false for kubelet. 2019-04-12 23:45:59 +00:00			`return root, hasCFS, hasPIDs`
Prepare for initial release 2019-01-22 21:14:58 +00:00			`}`