Mirror/k3s
1
0
Fork 0
mirror of https://github.com/k3s-io/k3s.git synced 2024-06-07 19:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
1,834 Commits 27 Branches 785 Tags 625 MiB
a62d143936
Commit Graph

176 Commits

Author SHA1 Message Date
Euan Kemp
4808c4e7d5 Listen insecurely on localhost only 
Before this change, k3s configured the scheduler and controller's
insecure ports to listen on 0.0.0.0. Those ports include pprof, which
provides a DoS vector at the very least.

These ports are only enabled for componentstatus checks in the first
place, and componentstatus is hardcoded to only do the check on
localhost anyway (see
https://github.com/kubernetes/kubernetes/blob/v1.18.2/pkg/registry/core/rest/storage_core.go#L341-L344),
so there shouldn't be any downside to switching them to listen only on
localhost.
 2020-08-05 10:28:11 -07:00
Brian Downs
5a81fdbdc5 update cis flag implementation to propogate the rest of the way through to kubelet 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-07-20 16:31:56 -07:00
Jason
e3f8789114
Add containerd snapshotter flag (#1991) 
* Add containerd snapshotter flag

Signed-off-by: Jason-ZW <zhenyang@rancher.com>

* Fix CamelCase nit and option description

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Jason-ZW <zhenyang@rancher.com>

Co-authored-by: Brad Davidson <brad@oatmail.org>
 2020-07-18 01:16:23 +02:00
Brian Downs
ebac755da1 add profiling flag with default value of false 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-07-10 13:08:04 -07:00
Brandon Davidson
538842ffdc
Merge pull request #1768 from brandond/fix_1764 
Configure default signer implementation to use ClientCA instead of ServerCA
 2020-07-07 16:52:14 -07:00
Brian Downs
7f4f237575
added profile = false args to api, controllerManager, and scheduler (#1891) 2020-06-12 21:09:41 +02:00
galal-hussein
c580a8b528 Add heartbeat interval and election timeout 2020-06-06 16:39:42 -07:00
Darren Shepherd
6b5b69378f Add embedded etcd support 
This is replaces dqlite with etcd.  The each same UX of dqlite is
followed so there is no change to the CLI args for this.
 2020-06-06 16:39:41 -07:00
Darren Shepherd
39571424dd Generate etcd certificates 2020-06-06 16:39:41 -07:00
Darren Shepherd
a18d387390 Refactor clustered DB framework 2020-06-06 16:39:41 -07:00
Darren Shepherd
7e59c0801e Make program name a variable to be changed at compile time 2020-06-06 16:39:41 -07:00
Chuck Schweizer
ca9c9c2e1e Adding support for TLS MinVersion and CipherSuites 
This will watch for the following kube-apiserver-arg variables and apply
them to the k3s kube-apiserver https listener.

  --kube-apiserver-arg=tls-cipher-suites=XXXXXXX
  --kube-apiserver-arg=tls-min-version=XXXXXXX
 2020-05-07 09:27:09 -05:00
Darren Shepherd
cb4b34763e
Merge pull request #1759 from ibuildthecloud/background 
Start kube-apiserver in the background
 2020-05-06 21:50:48 -07:00
Darren Shepherd
e5fe184a44
Merge pull request #1757 from ibuildthecloud/separate-port 
Add supervisor port
 2020-05-06 21:32:45 -07:00
Darren Shepherd
072396f774 Start kube-apiserver in the background 
In rke2 everything is a static pod so this causes a chicken and egg situation
in which we need the kubelet running before the kube-apiserver can be
launched.  By starting the apiserver in the background this allows us to
do this odd bootstrapping.
 2020-05-06 21:17:23 -07:00
Brad Davidson
71561ecda2 Use ClientCA for the signer controller 2020-05-06 16:51:35 -07:00
Darren Shepherd
2f5ee914f9 Add supervisor port 
In k3s today the kubernetes API and the /v1-k3s API are combined into
one http server.  In rke2 we are running unmodified, non-embedded Kubernetes
and as such it is preferred to run k8s and the /v1-k3s API on different
ports.  The /v1-k3s API port is called the SupervisorPort in the code.

To support this separation of ports a new shim was added on the client in
then pkg/agent/proxy package that will launch two load balancers instead
of just one load balancer.  One load balancer for 6443 and the other
for 9345 (which is the supervisor port).
 2020-05-05 15:54:51 -07:00
Darren Shepherd
afd6f6d7e7 Encapsulate execution logic 
This moves all the calls to cobra root commands to one package
so that we can change the behavior of running components as embedded
or external.
 2020-05-05 15:34:32 -07:00
Darren Shepherd
70ddc799bd
Merge pull request #1691 from ibuildthecloud/staticpod 
Suppport static pods at ${datadir}/agent/staticpods
 2020-05-05 14:35:45 -07:00
Darren Shepherd
8c7fbe3dde Suppport static pods at ${datadir}/agent/pod-manifests 2020-05-05 12:43:47 -07:00
Erik Wilson
c941e1d0bb
Merge pull request #1695 from ibuildthecloud/kubeproxy 
Add ability to disable kubeproxy
 2020-05-04 20:26:22 -07:00
Darren Shepherd
3c8e0b4157 No longer use basic auth for default admin account 2020-04-28 16:01:33 -07:00
Darren Shepherd
5715e1ba0d Add ability to disable kubeproxy 2020-04-27 11:24:00 -07:00
Knic Knic
44b8af097c fix usage of path instead of filepath 2020-04-25 00:29:18 -07:00
Erik Wilson
a3cb9ee1f6 Simplify SELinux detection and add --disable-selinux flag 2020-02-28 10:10:55 -07:00
Erik Wilson
0374c4f63d Add --disable flag 2020-01-30 16:45:01 -07:00
Erik Wilson
3592d0bdd9
Merge pull request #1344 from ibuildthecloud/dialer-fallback 
If tunnel session does not exist fallback to default dialer
 2020-01-27 13:59:45 -07:00
Erik Wilson
1a2690d7be
Merge pull request #1192 from galal-hussein/add_encryption_config 
Add secret encryption config
 2020-01-27 13:59:09 -07:00
Darren Shepherd
3396a7b099 If tunnel session does not exist fallback to default dialer 2020-01-22 11:04:41 -07:00
Erik Wilson
1b23c891dd
Merge pull request #1304 from erikwilson/fixup-cadvisor 
Run kubelet with containerd flag
 2020-01-20 15:37:22 -07:00
Erik Wilson
fa03a0df3c Run kubelet with containerd flag 
The containerd flag was accidentally added to kubelet and is
deprecated, but needed for cadvisor to properly connect with
the k3s containerd socket, so adding for now.
 2020-01-16 10:25:57 -07:00
Erik Wilson
7675f9f85c Clean up host-gw variable names 2020-01-08 17:43:07 -07:00
Segator
6736e24673 support hostgw 2020-01-08 17:43:07 -07:00
galal-hussein
388cd9c4e8 Add secret encryption configuration 2019-12-23 13:16:27 +02:00
Darren Shepherd
4acaa0740d Small dqlite fixes 2019-12-16 11:45:01 -07:00
Erik Wilson
76281bf731 Update k3s for k8s 1.17.0 2019-12-15 23:28:19 -07:00
Erik Wilson
2de93d70cf Allow --pause-image to set docker sandbox image also 2019-12-10 16:16:26 -07:00
galal-hussein
99b8222e8d Change storage to datastore 2019-11-15 21:52:07 -07:00
Darren Shepherd
77703b90ff Don't ever change 10252/10251 ports 
Kubernetes componentstatus check is hardcoded to 10252 and 10251
so we should never change these ports.  If you do componentstatus
will return error.
 2019-11-13 18:20:57 -07:00
Erik Wilson
55c05ac500 Refactor node password location 2019-11-12 15:30:34 -07:00
Darren Shepherd
0ae20eb7a3 Support both http and db based bootstrap 2019-11-12 01:12:24 +00:00
Darren Shepherd
29b270dce6 Wait for apiserver to be health, not just running 2019-11-12 01:09:33 +00:00
Darren Shepherd
91cacb3a14 Fix server join issues 2019-11-08 21:35:58 +00:00
Erik Wilson
01f6e0e64e Add context to server daemon functions that wait 2019-11-05 11:06:07 -07:00
larmog
7aa3d08385 Wait for api-server to report version after starting 2019-11-05 11:05:22 -07:00
Darren Shepherd
ba240d0611 Refactor tokens, bootstrap, and cli args 2019-10-30 19:06:49 -07:00
Akihiro Suda
aafccdbccb rootless: add kubelet flags automatically 
Fix https://github.com/rancher/k3s/issues/784

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2019-10-25 17:10:14 +09:00
Erik Wilson
da3a7c6bbc Add network policy controller 2019-10-18 16:11:42 -07:00
galal-hussein
d2c1f66496 Add k3s cloud provider 2019-10-16 21:13:15 +02:00
Erik Wilson
c12d2a1aea
Merge pull request #867 from galal-hussein/private_reg 
Add private registry support to containerd
 2019-10-10 14:35:37 -07:00
galal-hussein
436ff4ef63 fix cert rotation function 2019-10-10 03:35:32 +02:00
galal-hussein
5ccc880ddb Add private registry to containerd 2019-10-08 01:54:53 +02:00
Erik Wilson
cac41db0e1
Merge pull request #816 from galal-hussein/default_local_storage 
Add default storage class
 2019-10-01 14:09:24 -07:00
galal-hussein
2dc5ba5bae Add certificate rotation 2019-09-30 18:34:58 +02:00
galal-hussein
56e0e5ad7e Add default local storage provisioner 2019-09-30 18:17:33 +02:00
Erik Wilson
999e40d6d3 Add strongswan utilities for ipsec 2019-09-27 18:26:39 -07:00
Erik Wilson
959acf9c92 Add --flannel-backend flag 2019-09-27 18:26:39 -07:00
Erik Wilson
3cd807a657 Add --flannel-conf flag 2019-09-27 18:26:39 -07:00
Darren Shepherd
36ca606073
Merge pull request #793 from yamt/noderestriction 
Add back NodeRestriction
 2019-09-07 12:07:01 -07:00
YAMAMOTO Takashi
9cf80eacd9 Add back NodeRestriction 
It has been removed as a part of #764 for no obvious reasons.

Fix #791
 2019-09-05 15:47:46 +09:00
Erik Wilson
197985c673 Add --kubelet-certificate-authority flag 2019-09-02 10:49:23 -07:00
Darren Shepherd
f57dd13774 Default kube-apiserver to httpsport + 1 2019-08-28 20:53:38 -07:00
Darren Shepherd
9c8b95be9d Drop unneeded prometheus imports 2019-08-28 20:53:37 -07:00
Darren Shepherd
a51a2eaaad Add anonymous-auth=false and remove NodeRestriction 2019-08-28 20:53:37 -07:00
Erik Wilson
5679cfafaf
Merge pull request #707 from ibuildthecloud/pr683 
Integrate Kine
 2019-08-26 09:25:37 -07:00
Darren Shepherd
2cb6f52339 Disable storing bootstrap information by default 2019-08-24 22:27:24 -07:00
Erik Wilson
e6067314c9 Localhost -> 127.0.0.1 2019-08-22 11:56:00 -07:00
galal-hussein
1ae0c540d7 Refactor bootstrap, move kine startup code to kine, integrate kine 2019-08-22 09:14:43 -07:00
YAMAMOTO Takashi
fc8eddae29 Appease kubelet warnings on docker for mac 
On my environment, the name=systemd entry in /proc/self/cgroup
looks like:

	13:name=systemd:/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499

Kubelet periodically complains like:

	E0802 06:42:52.667123       1 summary_sys_containers.go:47] Failed to get system container stats for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": failed to get cgroup stats for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": failed to get container info for "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy": unknown container "/docker/917b388b40c70b17a3283d852d38bfcdc84d1bf8242e32a779eacd98a610e499/kube-proxy"
 2019-08-02 16:22:51 +09:00
YAMAMOTO Takashi
d78701acb1 Fix bootstrap with non-tls etcd 2019-07-31 16:14:13 +09:00
YAMAMOTO Takashi
35d972fd72 Sort args to make log outputs a bit more deterministic 2019-07-24 13:16:41 +09:00
Erik Wilson
1833b65fcd
Merge pull request #647 from yamt/remove-proxy-port 
Remove agent proxy config which is no longer used
 2019-07-23 15:51:51 -07:00
Erik Wilson
2d32337334
Merge pull request #650 from erikwilson/update-bootstrap 
Bootstrap node key files & fix permissions
 2019-07-17 14:22:05 -07:00
Erik Wilson
2f4d2838ea Bootstrap node key files & fix permissions 2019-07-17 13:57:33 -07:00
YAMAMOTO Takashi
dc4ebd4c67 Remove agent proxy config which is no longer used 2019-07-17 18:05:16 +09:00
YAMAMOTO Takashi
f6a04ea995 Add a few comments in bootstrap.go 2019-07-17 16:25:34 +09:00
Erik Wilson
fdc1427317 Add more logs for bootstrap 2019-07-14 00:49:08 -07:00
Erik Wilson
e79fda96d2 Enforce explicit read or write for bootstrap 2019-07-12 16:18:53 -07:00
Erik Wilson
ad11ba583f Use watch-cache for kvsql 2019-07-07 14:43:43 -07:00
Erik Wilson
11a4c71f28 Use watch-cache for etcd3 backend 2019-07-01 14:09:25 -07:00
Erik Wilson
24b73403c7 Cleanup bootstrap 2019-06-30 12:39:54 -07:00
Erik Wilson
8d979d675e Add tls support for etcd cert storage backend 2019-06-30 08:28:42 -07:00
galal-hussein
37582b6fac Add cert storage backend flag 2019-06-28 20:47:21 +02:00
galal-hussein
28d9d83be2 Add k3s HA bootstrap 2019-06-27 21:00:43 +02:00
Erik Wilson
7090a7d551 Move node password to separate file 2019-06-25 15:04:04 -07:00
Erik Wilson
93f6690f26 Graceful upgrade token to server CA 2019-06-25 15:04:04 -07:00
Erik Wilson
2c9444399b Refactor certs 2019-06-25 15:04:04 -07:00
galal-hussein
17d8708ca5 Add storage backend flags 2019-06-12 00:48:47 +02:00
Erik Wilson
199f673676
Merge pull request #479 from galal-hussein/add_storage_backend_options 
Add MySQL and Postgress support
 2019-05-28 16:57:38 -07:00
Darren Shepherd
c0702b0492 Port to wrangler 2019-05-26 22:28:50 -07:00
galal-hussein
e9cd8adbf6 Add Storage endpoint option 2019-05-16 01:05:24 +02:00
galal-hussein
930093dfe9 Expose node labels and taints and add node roles 2019-05-08 01:47:07 +02:00
haokang.ke
52f845ec84 Make pause image configurable (#345) 2019-05-03 10:36:12 -07:00
Erik Wilson
d5ce19caae Force upgrade of token node cert 2019-05-02 16:22:42 -07:00
galal-hussein
191ac9371a Add cni plugin to kubelet if docker is used 2019-04-30 22:12:02 +02:00
Darren Shepherd
9db91d7de3
Merge pull request #369 from erikwilson/node-dns 
Node DNS & cert registration
 2019-04-26 16:00:31 -07:00
Darren Shepherd
50f405ddfd
Merge pull request #376 from galal-hussein/fix_kubeletarg 
Fix extra argument with multiple =
 2019-04-26 15:57:16 -07:00
Erik Wilson
c9941895d6 Bind kubelet to all interfaces and use webhook auth 2019-04-26 15:02:30 -07:00
galal-hussein
72d2edc0cb Fix extra argument with multiple = 2019-04-25 22:49:03 +02:00
galal-hussein
bdf8a355e1 Add containerd config go template 2019-04-25 22:17:34 +02:00