Mirror/k3s
1
0
Fork 0
mirror of https://github.com/k3s-io/k3s.git synced 2024-06-07 19:41:36 +00:00
Code Issues Packages Projects Releases Wiki Activity
2,303 Commits 27 Branches 785 Tags 625 MiB
c38a8c3b43
Commit Graph

279 Commits

Author SHA1 Message Date
Brad Davidson
8ace8975d2 Don't start up multiple apiserver load balancers 
get() is called in a loop until client configuration is successfully
retrieved. Each iteration will try to configure the apiserver proxy,
which will in turn create a new load balancer. Skip creating a new
load balancer if we already have one.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-03-08 17:05:25 -08:00
Brad Davidson
c0d129003b Handle loadbalancer port in TIME_WAIT 
If the port wanted by the client load balancer is in TIME_WAIT, startup
will fail. Set SO_REUSEPORT so that it can be listened on again
immediately.

The configurable Listen call wants a context, so plumb that through as
well.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-03-08 17:05:25 -08:00
Brad Davidson
7cdfaad6ce
Always use static ports for client load-balancers (#3026) 
* Always use static ports for the load-balancers

This fixes an issue where RKE2 kube-proxy daemonset pods were failing to
communicate with the apiserver when RKE2 was restarted because the
load-balancer used a different port every time it started up.

This also changes the apiserver load-balancer port to be 1 below the
supervisor port instead of 1 above it. This makes the apiserver port
consistent at 6443 across servers and agents on RKE2.

Additional fixes below were required to successfully test and use this change
on etcd-only nodes.

* Actually add lb-server-port flag to CLI
* Fix nil pointer when starting server with --disable-etcd but no --server
* Don't try to use full URI as initial load-balancer endpoint
* Fix etcd load-balancer pool updates
* Update dynamiclistener to fix cert updates on etcd-only nodes
* Handle recursive initial server URL in load balancer
* Don't run the deploy controller on etcd-only nodes
 2021-03-06 02:29:57 -08:00
Brian Downs
4d1f9eda9d
Etcd Snapshot/Restore to/from S3 Compatible Backends (#2902) 
* Add functionality for etcd snapshot/restore to and from S3 compatible backends.
* Update etcd restore functionality to extract and write certificates and configs from snapshot.
 2021-03-03 11:14:12 -07:00
Brad Davidson
4fb073e799 Log clearer error on startup if NPC cannot be started 
Servers should always be upgraded before agents, but generally this
isn't required because things are compatible between versions. In this
case we're OK with failing closed if the user upgrades out of order, but
we should give a clearer message about what steps are required to fix
the issue.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-03-01 14:23:59 -08:00
Brad Davidson
f970e49b7d Wait for apiserver to become healthy before starting agent controllers 
It is possible that the apiserver may serve read requests but not allow
writes yet, in which case flannel will crash on startup when trying to
configure the subnet manager.

Fix this by waiting for the apiserver to become fully ready before
starting flannel and the network policy controller.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-02-26 19:28:53 -08:00
Brad Davidson
88dd601941 Limit zstd decoder memory 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-02-17 11:48:03 -08:00
Brad Davidson
ec661c67d7 Add support for retagging images on load from tarball 
Adds support for retagging images to appear to have been sourced from
one or more additional registries as they are imported from the tarball.
This is intended to support RKE2 use cases with system-default-registry
where the images need to appear to have been pulled from a registry
other than docker.io.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-02-17 11:48:03 -08:00
Hussein Galal
5749f66aa3
Add disable flags for control components (#2900) 
* Add disable flags to control components

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fixes to disable flags

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add comments to functions

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Fix joining problem

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* golint

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix ticker

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix role labels

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* more fixes

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
 2021-02-12 17:35:57 +02:00
Brad Davidson
65c78cc397 Replace options.KubeRouterConfig with config.Node and remove metrics/waitgroup stuff 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-02-03 10:41:51 -08:00
Brad Davidson
07256cf7ab Add ServiceIPRange and ServiceNodePortRange to agent config 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-02-03 10:41:51 -08:00
Brad Davidson
95a1a86847 Spell check upstream code 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-02-03 10:41:51 -08:00
Brad Davidson
29483d0651 Initial update of netpol and utils from upstream 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-02-03 10:41:51 -08:00
Brad Davidson
8011697175 Only container-runtime-endpoint wants RuntimeSocket path as URI 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2021-01-22 18:56:30 -08:00
Waqar Ahmed
3ea696815b Do not validate snapshotter argument if docker is enabled 
Problem:
While using ZFS on debian and K3s with docker, I am unable to get k3s working as the snapshotter value is being validated and the validation fails.

Solution:
We should not validate snapshotter value if we are using docker as it's a no-op in that case.

Signed-off-by: Waqar Ahmed <waqarahmedjoyia@live.com>
 2021-01-20 12:25:28 -08:00
Erik Wilson
c71060f288
Merge pull request #2744 from erikwilson/rke2-node-password-bootstrap 
Bootstrap node password with local file
 2021-01-11 09:51:30 -07:00
Erik Wilson
09eb44ba53 Bootstrap node password with local file 
Signed-off-by: Erik Wilson <Erik.E.Wilson@gmail.com>
 2020-12-23 15:08:06 -07:00
JenTing Hsiao
57041f0239
Add codespell CI test and fix codespell error (#2740) 
* Add codespell CI test
* Fix codespell error
 2020-12-22 12:35:58 -08:00
Erik Wilson
0ae7f2d5ae
Merge pull request #2407 from erikwilson/node-passwd-cleanup 
Use secrets for node-passwd entries
 2020-12-08 16:25:13 -07:00
Akihiro Suda
eb72d509ce pkg/agent/config: validate containerd snapshotter value 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-12-01 11:00:00 -08:00
Akihiro Suda
0b45e32486 Support cgroup v2 
Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2020-11-30 22:57:37 -08:00
Brad Davidson
b873d3a03b Explicitly set agent paths within --data-dir 
Removing the cfg.DataDir mutation in 3e4fd7b did not break anything, but
did change some paths in unwanted ways. Rather than mutating the
user-supplied command-line flags, explicitly specify the agent
subdirectory as needed.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-11-11 09:26:41 -08:00
Brad Davidson
3e4fd7b41f Respect --data-dir path for crictl.yaml 
Related to rancher/rke2#474

Note that anyone who customizes the data-dir path will have to set
CRI_CONFIG_FILE to the correct path when using the wrapped binaries
(crictl, etc). This is better than dropping files in the incorrect
location.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-11-05 15:51:10 -08:00
Brad Davidson
5b318d093f Fix containerd sock path warning 
Resolves warning 1 from #2471

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-11-05 15:51:10 -08:00
Brad Davidson
d1424626ac Disable containerd experimental snapshot labels 
Related to #2455 and containerd/containerd#4684

These were not meant to be enabled by default, break images with many
layers, and will be disabled by default on the next containerd release.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-11-05 15:51:10 -08:00
Erik Wilson
992ca52c31
Enable go test in ci 2020-11-05 09:48:53 -07:00
Chris Kim
96fc4c4b21 Add iptable_nat to modprobe list 
Signed-off-by: Chris Kim <oats87g@gmail.com>
 2020-10-27 14:22:14 -04:00
Erik Wilson
e26e333b7e
Add network policy controller CacheSyncOrTimeout 2020-10-07 12:35:44 -07:00
Erik Wilson
045cd49ab5
Add event handlers to network policy controller 2020-10-07 12:10:27 -07:00
Brad Davidson
45dd4afe50 Simplify token parsing 
Improves readability, reduces round-trips to the join server to validate certs.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-09-27 03:26:24 -07:00
Brian Downs
ba70c41cce
Initial Logging Output Update (#2246) 
This attempts to update logging statements to make them consistent
through out the code base. It also adds additional context to messages
where possible, simplifies messages, and updates level where necessary.
 2020-09-21 09:56:03 -07:00
Brad Davidson
8c6d3567fe Rename k3s-controller based on the build-time program name 
Since we're replacing the k3s rolebindings.yaml in rke2, we should allow
renaming this so that we can use the white-labeled name downstream.

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-09-16 10:53:07 -07:00
Erik Wilson
a08e998bc5 Import containerd images with all platforms 
Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
 2020-09-14 20:44:58 -07:00
Brian Downs
bb8e5374ea conform to repo conventions 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-09-03 18:48:30 -07:00
Brian Downs
00831f9bc8 use version.Program 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-09-03 08:51:17 -07:00
Brian Downs
301fb73952 add node ip to the request header for cert gen 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-09-02 19:15:09 -07:00
Brad Davidson
a3e9d31e6c
Merge pull request #2097 from iwilltry42/registry-insecure-skip-verify 
Feature: add insecure_skip_verify field to registry config template
 2020-09-01 15:58:26 -07:00
Erik Wilson
447097a597
Merge pull request #2098 from erikwilson/k8s-1.19 
Update to k8s 1.19
 2020-08-28 18:22:15 -07:00
Erik Wilson
720197b9b1
Fix linting issues 2020-08-28 17:18:29 -07:00
Brian Downs
866dc94cea
Galal hussein etcd backup restore (#2154) 
* Add etcd snapshot and restore

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix error logs

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* goimports

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* fix flag describtion

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* Add disable snapshot and retention

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* use creation time for snapshot retention

Signed-off-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>

* unexport method, update var name

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* adjust snapshot flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var name, string concat

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* revert previous change, create constants

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* type assertion error checking

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* pr remediation

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* updates

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* simplify logic, remove unneeded function

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update flags

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add comment

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* exit on restore completion, update flag names, move retention check

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update disable snapshots flag and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* move function

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update var and field names

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update defaultSnapshotIntervalMinutes to 12 like rke

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update directory perms

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update etc-snapshot-dir usage

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update interval to 12 hours

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* fix usage typo

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* add cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* wire in cron

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update deps target to work, add build/data target for creation, and generate

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* remove dead make targets

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* error handling, cluster reset functionality

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* error handling, cluster reset functionality

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* update

Signed-off-by: Brian Downs <brian.downs@gmail.com>

* remove intermediate dapper file

Signed-off-by: Brian Downs <brian.downs@gmail.com>

Co-authored-by: galal-hussein <hussein.galal.ahmed.11@gmail.com>
 2020-08-28 16:57:40 -07:00
Frederick F. Kautz IV
cdce2b7e9a
Add support for compressed images when pre-loading images (#2165) 
* Add support for compressed images when pre-loading images

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>

* attempting to fix vendor source being dirty

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>

* fixing file extension for .tar.lz4

Signed-off-by: Frederick F. Kautz IV <fkautz@alumni.cmu.edu>
 2020-08-28 12:27:01 -07:00
Jacob Blain Christen
e2089bea18
cli: add --selinux flag to agent/server sub-cmds (#2111) 
* cli: add --selinux flag to agent/server sub-cmds

Introduces --selinux flag to affirmatively enable SELinux in containerd.
Deprecates --disable-selinux flag which now defaults to true which
auto-detection of SELinux configuration for containerd is no longer
supported.  Specifying both --selinux and --disable-selinux will result
in an error message encouraging you to pick a side.

* Update pkg/agent/containerd/containerd.go

update log warning message about enabled selinux host but disabled runtime

Co-authored-by: Brad Davidson <brad@oatmail.org>
Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
 2020-08-11 16:17:32 -07:00
Thorsten Klein
cf8c101b70
registry template: add insecure_skip_verify field 
Signed-off-by: Thorsten Klein <iwilltry42@gmail.com>
 2020-08-06 08:02:08 +02:00
Jacob Blain Christen
371bee82f9 containerd: bump to v1.3.6 
Remove $NOTIFY_SOCKET, if present, from env when invoking containerd to
prevent gratuitous notifications sent to systemd.

Signed-off-by: Jacob Blain Christen <jacob@rancher.com>
 2020-07-27 14:41:52 -07:00
Brian Downs
5a81fdbdc5 update cis flag implementation to propogate the rest of the way through to kubelet 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-07-20 16:31:56 -07:00
Jason
e3f8789114
Add containerd snapshotter flag (#1991) 
* Add containerd snapshotter flag

Signed-off-by: Jason-ZW <zhenyang@rancher.com>

* Fix CamelCase nit and option description

Signed-off-by: Brad Davidson <brad.davidson@rancher.com>
Signed-off-by: Jason-ZW <zhenyang@rancher.com>

Co-authored-by: Brad Davidson <brad@oatmail.org>
 2020-07-18 01:16:23 +02:00
Erik Wilson
0d6a2bfb0b
Merge pull request #1974 from mschneider82/patch-1 
fixed panic in network_policy_controller
 2020-07-01 09:48:00 -07:00
Erik Wilson
42f0b95ac5
Merge pull request #1800 from niusmallnan/dev 
Add retry backoff for starting network-policy controller
 2020-07-01 09:47:21 -07:00
niusmallnan
d713683614 Add retry backoff for starting network-policy controller 
Signed-off-by: niusmallnan <niusmallnan@gmail.com>
 2020-06-30 09:25:09 +08:00
Matthias Schneider
56a083c812 fixed panic in network_policy_controller 
I have rebooted a newly created k3s etcd cluster and this panic was triggered:

    ```
    k3s[948]: [signal SIGSEGV: segmentation violation code=0x1 addr=0x18 pc=0x45f2945]
    k3s[948]: goroutine 1 [running]:
    k3s[948]: github.com/rancher/k3s/pkg/agent/netpol.NewNetworkPolicyController(0xc00159e180, 0x61b4a60, 0xc006294000, 0xdf8475800, 0xc011d9a360, 0xc, 0x0, 0xc00bf545b8, 0x2b2edbc)
    k3s[948]:         /home/x/git/k3s/pkg/agent/netpol/network_policy_controller.go:1698 +0x275
    ```

Signed-off-by: Matthias Schneider <ms@wck.biz>
 2020-06-29 20:49:24 +02:00
Brian Downs
58aae57e12 set environment variable and create config for crictl 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-06-24 14:26:44 -07:00
Brian Downs
63dbf806df create symlink from docker sock to where crictl in k3s is looking for the sock to use 
Signed-off-by: Brian Downs <brian.downs@gmail.com>
 2020-06-23 18:42:45 -07:00
Darren Shepherd
7e59c0801e Make program name a variable to be changed at compile time 2020-06-06 16:39:41 -07:00
Darren Shepherd
e5fe184a44
Merge pull request #1757 from ibuildthecloud/separate-port 
Add supervisor port
 2020-05-06 21:32:45 -07:00
Darren Shepherd
f38082673d
Merge pull request #1753 from ibuildthecloud/prepull 
Support prepulling images on start
 2020-05-05 22:11:52 -07:00
Darren Shepherd
2f5ee914f9 Add supervisor port 
In k3s today the kubernetes API and the /v1-k3s API are combined into
one http server.  In rke2 we are running unmodified, non-embedded Kubernetes
and as such it is preferred to run k8s and the /v1-k3s API on different
ports.  The /v1-k3s API port is called the SupervisorPort in the code.

To support this separation of ports a new shim was added on the client in
then pkg/agent/proxy package that will launch two load balancers instead
of just one load balancer.  One load balancer for 6443 and the other
for 9345 (which is the supervisor port).
 2020-05-05 15:54:51 -07:00
Darren Shepherd
61ba9171ce Only echo Waiting for kubelet every 30 seconds 
Don't print a message every second while we are waiting for the
kubelet to report Ready.
 2020-05-05 15:23:18 -07:00
Darren Shepherd
6932d03bb4 Support prepulling images on start 
In the agent/images folder if a .txt file is found it is assumed to
be a line separated list of image names to pull on start.
 2020-05-05 14:45:39 -07:00
Darren Shepherd
70ddc799bd
Merge pull request #1691 from ibuildthecloud/staticpod 
Suppport static pods at ${datadir}/agent/staticpods
 2020-05-05 14:35:45 -07:00
Darren Shepherd
8c7fbe3dde Suppport static pods at ${datadir}/agent/pod-manifests 2020-05-05 12:43:47 -07:00
Erik Wilson
c941e1d0bb
Merge pull request #1695 from ibuildthecloud/kubeproxy 
Add ability to disable kubeproxy
 2020-05-04 20:26:22 -07:00
Erik Wilson
21266bab7e
Merge pull request #1692 from ibuildthecloud/err 
Check for error on mkdir
 2020-05-04 20:16:20 -07:00
Erik Wilson
ed8cd9250b
Merge pull request #1690 from ibuildthecloud/flannel 
Only need to resolve the path of host-local if Flannel is enabled
 2020-05-04 20:15:59 -07:00
Erik Wilson
47bb0939e6
Merge pull request #1611 from Dirbaio/master 
Correctly quote auth strings in containerd config. For #1610
 2020-05-04 19:27:17 -07:00
Darren Shepherd
5715e1ba0d Add ability to disable kubeproxy 2020-04-27 11:24:00 -07:00
Darren Shepherd
7920fa48c9 Only need to resolve the path of host-local if Flannel is enabled 2020-04-27 11:17:41 -07:00
Darren Shepherd
c25f1ab1b6 Check for error on mkdir 2020-04-27 11:14:21 -07:00
Knic Knic
44b8af097c fix usage of path instead of filepath 2020-04-25 00:29:18 -07:00
Darren Shepherd
a8d96112d9 Updates for k8s v1.18 support 2020-04-18 23:59:08 -07:00
Dario Nieuwenhuis
cd0b58e920 Correctly quote auth strings in containerd config. Fixes #1610 2020-04-03 02:42:01 +02:00
Erik Wilson
8725798578
Merge pull request #1464 from erikwilson/selinux-update 
Simplify SELinux detection and add --disable-selinux flag
 2020-02-28 15:42:45 -07:00
Erik Wilson
a3cb9ee1f6 Simplify SELinux detection and add --disable-selinux flag 2020-02-28 10:10:55 -07:00
Erik Wilson
0aeea78060
Merge pull request #1444 from KnicKnic/k3s_build_windows 
K3s build windows (no agents)
 2020-02-27 11:46:21 -07:00
Darren Shepherd
4d32fe9959 Support SELinux 2020-02-24 16:03:09 -07:00
Knic Knic
c2db115ec3 fix formatting 2020-02-23 00:48:26 -08:00
Knic Knic
2346ccc63f get build on windows and get api_server to work 2020-02-22 23:17:59 -08:00
Erik Wilson
fe45eb008a
Merge pull request #1416 from erikwilson/device-plugins-path 
Use default kubelet device-plugins path
 2020-02-14 14:19:51 -07:00
galal-hussein
d49ef31767 Inject node config on startup 2020-02-14 21:17:13 +02:00
Erik Wilson
b15c4473cd Use default kubelet device-plugins path 2020-02-14 10:18:07 -07:00
Erik Wilson
4cacffd7e6
Merge pull request #1298 from erikwilson/warn-npc-fail 
Warn if NPC can't start rather than fatal error
 2020-01-20 15:36:56 -07:00
Erik Wilson
5b98d10e4b Warn if NPC can't start rather than fatal error 
If the ip_set kernel module is not available we should warn
that the network policy controller can not start rather than
cause a fatal error.

Also adds module probing and config checks for ip_set.
 2020-01-14 14:30:12 -07:00
Erik Wilson
7675f9f85c Clean up host-gw variable names 2020-01-08 17:43:07 -07:00
Segator
c23f12765e hostgw flannel support 2020-01-08 17:43:07 -07:00
Segator
6736e24673 support hostgw 2020-01-08 17:43:07 -07:00
Erik Wilson
5c37454762
Merge pull request #1198 from narqo/tunel-addr-join-host-port 
Respect IPv6 when building proxy address
 2019-12-19 15:20:12 -07:00
Erik Wilson
9b2538c2c4 Set wireguard persistent-keepalive on wg set peer 2019-12-19 14:54:48 -07:00
Erik Wilson
3376f31fc2 Revert "Merge pull request #1190 from erikwilson/wireguard-keepalive" 
This reverts commit e712cdf7e8, reversing
changes made to d5929bc8c8.

Wireguard docs fail to describe that persistent-keepalive is only valid
when peer is set.
 2019-12-19 14:41:38 -07:00
Vladimir Varankin
0c5299c951 pkg/agent/tunnel: respect ipv6 when building proxy addresses 2019-12-19 12:08:07 +01:00
Erik Wilson
6875b11dd2 Fix identity_token -> identitytoken for containerd toml 2019-12-17 21:14:05 -07:00
Erik Wilson
97383868bd
Merge pull request #1186 from erikwilson/upgrade-k8s-1.17.0 
Upgrade k8s  to v1.17.0
 2019-12-16 09:40:38 -07:00
Erik Wilson
e712cdf7e8
Merge pull request #1190 from erikwilson/wireguard-keepalive 
Set Wireguard keepalive to 25 seconds
 2019-12-16 09:40:11 -07:00
Erik Wilson
76281bf731 Update k3s for k8s 1.17.0 2019-12-15 23:28:19 -07:00
Erik Wilson
814c302d7c
Merge pull request #955 from btashton/servicelb-sysctl 
Enable ip forwarding on both all and default net config
 2019-12-12 17:31:02 -07:00
Erik Wilson
7b62811f98 Set Wireguard keepalive to 25 seconds 2019-12-12 10:40:41 -07:00
Erik Wilson
d4959d53af
Merge pull request #1182 from erikwilson/docker-pause-image 
Allow --pause-image to set docker sandbox image also
 2019-12-11 10:36:07 -07:00
Brennan Ashton
a952d5c32a Default device net config enables ip forwarding 
The Linux kernel is inconsistent about how devconf is configured for new
network namespaces between ipv4 and ipv6. The behavior can also be
controlled via net.core.devconf_inherit_init_net in Linux 5.1+ so make
sure to enable forwarding on all and default for both ipv6 and ipv4.

This issue first came up testing on a yocto kernel that had this patch:
 ipv4: net namespace does not inherit network configurations

[0] https://www.kernel.org/doc/html/latest/admin-guide/sysctl/net.html#devconf-inherit-init-net
[1] https://lkml.org/lkml/2014/7/29/119

Signed-off-by: Brennan Ashton <brennana@jfrog.com>
 2019-12-10 16:29:59 -08:00
Erik Wilson
2de93d70cf Allow --pause-image to set docker sandbox image also 2019-12-10 16:16:26 -07:00
Jacob Blain Christen
063efb25bb Mutable --node-label values for server/agent sub-commands. 
Values passed in via the server/agent `--node-label` flag are treated as mutable. They are passed through to the kubelet just as before but after the kubelet comes up they are applied again. This allows for passing labels a k3s start-time that may be necessary for scheduling but may change from boot to boot, e.g. `k3os.io/version` after an upgrade.

Tested locallon on my amd64 workstation with the docker container.

Addresses #1119.
 2019-12-09 16:40:15 -07:00
yuzhiquan
24869ddf21 remove []byte trans, handle func error 2019-11-28 19:26:45 +08:00
yuzhiquan
7cc0110081 fix typo 2019-11-28 19:24:19 +08:00
Guangbo Chen
8ff4c3c256 Update base pause image to rancher repo 2019-11-25 16:09:05 +08:00
Darren Shepherd
ff34c5c5cf Download cert/key to agent with single HTTP request 
Since generated cert/keys are stored locally, each server has a different
copy.  In a HA setup we need to ensure we download the cert and key from
the same server so we combined HTTP requests to do that.
 2019-11-15 21:51:51 -07:00
Erik Wilson
55c05ac500 Refactor node password location 2019-11-12 15:30:34 -07:00
Erik Wilson
2bbc356f65
Merge pull request #1008 from erikwilson/ip6-system-setup 
Improve ip6 system setup & utilities
 2019-11-04 14:24:55 -07:00
Erik Wilson
afa9422ad9 Improve ip6 system setup & utilities 2019-11-04 11:35:14 -07:00
Darren Shepherd
ba240d0611 Refactor tokens, bootstrap, and cli args 2019-10-30 19:06:49 -07:00
Erik Wilson
f648a64ee3
Merge pull request #923 from AkihiroSuda/fix-rootless-kubelet-flags 
rootless: add kubelet flags automatically
 2019-10-25 01:40:06 -07:00
Akihiro Suda
aafccdbccb rootless: add kubelet flags automatically 
Fix https://github.com/rancher/k3s/issues/784

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
 2019-10-25 17:10:14 +09:00
Erik Wilson
aed163b338 Remove trailing whitespace trimming from containerd template 2019-10-23 08:02:07 -07:00
Erik Wilson
2ff2baba49
Merge pull request #913 from erikwilson/kube-router-network-policy 
Add network policy support
 2019-10-18 16:14:18 -07:00
Erik Wilson
da3a7c6bbc Add network policy controller 2019-10-18 16:11:42 -07:00
Erik Wilson
1df72d14b8 Cleanup containerd config template spacing 2019-10-18 12:34:27 -07:00
Erik Wilson
90df4a1921 Use containerd-shim-run-v2 2019-10-18 12:34:27 -07:00
Erik Wilson
12307a4a69 Fallback to /etc/strongswan for config 
Needed for docker image
 2019-10-17 22:38:48 -07:00
Darren Shepherd
30c14a4db6
Merge pull request #901 from erikwilson/default-kubelet-dir 
Use default kubelet directory
 2019-10-17 16:49:11 -07:00
galal-hussein
d2c1f66496 Add k3s cloud provider 2019-10-16 21:13:15 +02:00
Erik Wilson
c72ef62d2c Use default kubelet directory 2019-10-15 10:47:03 -07:00
galal-hussein
5ccc880ddb Add private registry to containerd 2019-10-08 01:54:53 +02:00
Erik Wilson
0af32bba75 Use newest flannel API 2019-09-27 18:33:05 -07:00
Erik Wilson
999e40d6d3 Add strongswan utilities for ipsec 2019-09-27 18:26:39 -07:00
Erik Wilson
959acf9c92 Add --flannel-backend flag 2019-09-27 18:26:39 -07:00
Erik Wilson
359a77939c Enable hairpin mode 2019-09-27 18:26:39 -07:00
Erik Wilson
36fa425d45 Enable extension and ipsec flannel backends 2019-09-27 18:26:39 -07:00
Erik Wilson
3cd807a657 Add --flannel-conf flag 2019-09-27 18:26:39 -07:00
Darren Shepherd
b24f214a50 Update to new cri-api import 2019-08-28 20:53:36 -07:00
Erik Wilson
a76ca2e887 Remove hostname requirement in /etc/hosts 2019-08-21 22:56:20 -07:00
Erik Wilson
98254a3412 Change load balancer logging to debug 2019-08-08 10:48:11 -07:00
Erik Wilson
a17e336993 Use go tcpproxy 2019-07-30 09:53:15 -07:00
Erik Wilson
1833b65fcd
Merge pull request #647 from yamt/remove-proxy-port 
Remove agent proxy config which is no longer used
 2019-07-23 15:51:51 -07:00
Erik Wilson
8ce509ee6b Cleanup tunnel logs 2019-07-18 05:00:07 -07:00
Erik Wilson
23b0797578 Add context to tunnel connect 2019-07-17 18:15:15 -07:00
Erik Wilson
b93b4732eb Start endpoint tunnel watch before waiting 2019-07-17 17:13:40 -07:00
YAMAMOTO Takashi
dc4ebd4c67 Remove agent proxy config which is no longer used 2019-07-17 18:05:16 +09:00
Erik Wilson
e77dc568bb Cleanup tunnel 2019-07-14 00:29:21 -07:00
Erik Wilson
7e6664b684 Add resource version to tunnel endpoint watch 2019-07-12 15:38:49 -07:00
Erik Wilson
034a863696 Cleanup remotedialer tunnel logs 2019-07-12 15:38:49 -07:00
Erik Wilson
e0212144e8 Tunnel agent to all servers 
Watch the kubernetes endpoints to create a tunnel to all servers.
 2019-07-03 13:11:54 -07:00
Erik Wilson
29865fd9c9 Remove agent proxy 2019-06-25 15:04:04 -07:00
Erik Wilson
2c9444399b Refactor certs 2019-06-25 15:04:04 -07:00
Darren Shepherd
c0702b0492 Port to wrangler 2019-05-26 22:28:50 -07:00
Darren Shepherd
4b4dd1b59b
Merge pull request #454 from galal-hussein/node_labels_taints 
Expose node labels and taints and add node roles
 2019-05-25 00:39:55 +02:00
Wenxuan Zhao
f0f57c1e44
Allow using built-in modules 
Signed-off-by: Wenxuan Zhao <viz@linux.com>
 2019-05-09 12:23:33 -07:00
galal-hussein
930093dfe9 Expose node labels and taints and add node roles 2019-05-08 01:47:07 +02:00
haokang.ke
52f845ec84 Make pause image configurable (#345) 2019-05-03 10:36:12 -07:00
galal-hussein
5d8d9e610b Add timeout to hostname check 2019-05-03 14:41:08 +02:00
Darren Shepherd
4ec051d032
Merge pull request #422 from galal-hussein/use_cni_with_docker 
Add cni plugin to kubelet if docker is used
 2019-05-02 10:45:34 -07:00
galal-hussein
7e1699cda0 Check if hostname is resolvable before running agent 2019-05-01 22:54:05 +02:00
galal-hussein
191ac9371a Add cni plugin to kubelet if docker is used 2019-04-30 22:12:02 +02:00
Darren Shepherd
2950e81c23
Merge pull request #371 from warmchang/nf_conntrack 
🔧 modprobe nf_conntrack
 2019-04-26 16:01:13 -07:00
Darren Shepherd
9db91d7de3
Merge pull request #369 from erikwilson/node-dns 
Node DNS & cert registration
 2019-04-26 16:00:31 -07:00