Conversation
Added #867 to this PR in the description, as this fixes it too. But I don't know why I am not able to find it in the linked issues.
Pods fail to create when linkerd is installed:
And due to this the CI is timing out right now. This is a weird error.
This is perhaps because of:
This seems to me like linkerd generates bad certificates then?
@@ -0,0 +1,29 @@ | |||
{{- if gt (int .Values.apiserver.replicas) 1 }} | |||
apiVersion: apps/v1 | |||
kind: DaemonSet |
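Review bot: Once the `gt (int .Values.apiserver.replicas) 1` branch selects a DaemonSet, the `replicas` value no longer bounds the pod count (a DaemonSet runs one pod per eligible node), so a value like 2 on a three-node controller pool is silently treated as "one per node"; the values file or a template comment should state that any value above 1 means one apiserver per control-plane node rather than an exact count.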
There is one disadvantage of running those components as a DaemonSet instead of a Deployment, which I recently hit myself.
If one runs a 3-node controller pool, but each node is resource constrained (e.g. 2 vCPUs, 4GB of RAM), then one might want to run only 2 replicas of each component to save a bit of resources, as for example each kube-apiserver is very RAM-costly.
I think it should be our conscious decision that we won't be able to support such a scenario.
I would rather run fewer of the other components than the APIServer. If I were to run my prod cluster, then I should make sure that the control plane is not fighting for resources. On the workers I will try to bin-pack my workloads, not on the control plane.
Leaving this open so that we know this was decided consciously.
I forgot to summarize requested changes:
@surajssd can you update calico-hostendpoint-controller to use the same Kubernetes version, or one not more than 2 versions older?
I mean here, just in case: https://github.com/kinvolk/calico-hostendpoint-controller/blob/fcf32d9e11c82a6522f49b860b6c4d3d411ca245/Dockerfile#L13. And update the calico component version here :)
While it probably will work with an older version, it is not guaranteed, so we should avoid it IMHO.
Largely LGTM, I still found some nits which could be addressed.
The pods that don't specify a seccomp profile in their `securityContext` explicitly get `runtime/default` injected by default. So this profile has to be allowed by PSPs, or else all pods' config should be updated to have the seccomp profile mentioned explicitly.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

Release Notes: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#downloads-for-v1192

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>
LGTM. Great work @surajssd 🎉
Pull the image from quay.io instead of Docker Hub.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

- Sets the flag `--permit-port-sharing` on the apiserver, both bootstrap and self-hosted, so that multiple apiserver pods (which use the host network) can now bind on port 6443 simultaneously.
- Makes the self-hosted apiserver "Deployment" based instead of DaemonSet based.
- Remove the HAProxy sidecar and the init container needed to create its config.
- Remove all appearances of the `exposeOnAllInterfaces` parameter.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

For the control plane components, if there is more than one control plane node then use DaemonSets, but if it is just one node then use a Deployment.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

To be able to run on the same port as the bootstrap kube-apiserver, this should run as root.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>
This commit renames the metrics:
- `kubelet_running_pod_count` to `kubelet_running_pods`.
- `kubelet_running_container_count` to `kubelet_running_containers`.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

These tests were earlier run on a Deployment but now they should be run on a DaemonSet, since these components are now deployed as such.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

- With Go 1.15 there are strict checks for the common name, so this commit adds a new variable `ignore_x509_cn_check` to Packet and AWS so that the user can disable such strict checks.
- This commit disables the checks on the CI AWS and Packet, since we test linkerd on these two platforms. Once linkerd provides builds with Go 1.15 then we can revert the changes from this commit.

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

Release Notes: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.19.md#v1193

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>

Signed-off-by: Suraj Deshmukh <suraj@kinvolk.io>
Fixes #866
Fixes #867