Merge pull request #64104 from CalvinHartwell/kubelet-allow-privileged-true

Automatic merge from submit-queue (batch tested with PRs 65032, 63471, 64104, 64672, 64427). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

changed the default value for allow-privileged for the kubelet (kuber…

**What this PR does / why we need it**:

This PR modifies the default value for the kubernetes-worker: it sets the allow-privileged kubelet value to true, based on this issue: [https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/579](https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/579).

The original PR was here: #63442 which included this change for the k8s 1.10 release. This PR incorporates this fix into the Canonical distribution of Kubernetes.

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

This change fixes two issues: 

[https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/579](https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/579)
rancher/rancher#13612

**Special notes for your reviewer**:

Waiting review from Canonical Kubernetes charm team.

**Release note**:

```release-note
The new default value for the --allow-privileged parameter of the Kubernetes-worker charm has been set to true based on changes which went into the Kubernetes 1.10 release. Before this change the default value was set to false. If you're installing Canonical Kubernetes you should expect this value to now be true by default and you should now look to use PSP (pod security policies). 
```
Kubernetes Submit Queue committed Jun 20, 2018
2 parents 06ea14a + 41cb9ed commit 2fb7af7
Showing 2 changed files with 4 additions and 3 deletions.
2 changes: 1 addition & 1 deletion cluster/juju/layers/kubernetes-master/config.yaml
Expand Up @@ -30,7 +30,7 @@ options:
privileged mode by default. If "false", kube-apiserver will never run in
privileged mode. If "auto", kube-apiserver will not run in privileged
mode by default, but will switch to privileged mode if gpu hardware is
detected on a worker node.
detected on a worker node.
enable-nvidia-plugin:
type: string
default: "auto"
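Review bot: The only changed line in this hunk, `detected on a worker node.`, reads identically before and after, so this looks like a whitespace-only edit in kubernetes-master/config.yaml that is unrelated to the worker default change; either drop it from the PR or mention the cleanup in the commit message. If the master layer is being touched anyway, its description could carry the same pod security policy guidance that the worker description gains, since the text visible here still describes only the "true", "false" and "auto" behaviour.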
5 changes: 3 additions & 2 deletions cluster/juju/layers/kubernetes-worker/config.yaml
Expand Up @@ -13,13 +13,14 @@ options:
cluster. Declare node labels in key=value format, separated by spaces.
allow-privileged:
type: string
default: "auto"
default: "true"
description: |
Allow privileged containers to run on worker nodes. Supported values are
"true", "false", and "auto". If "true", kubelet will run in privileged
mode by default. If "false", kubelet will never run in privileged mode.
If "auto", kubelet will not run in privileged mode by default, but will
switch to privileged mode if gpu hardware is detected.
switch to privileged mode if gpu hardware is detected. Pod security
policies (PSP) should be used to restrict container privileges.
channel:
type: string
default: "1.10/stable"
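Review bot: At `default: "true"`, the worker default moves from "auto" (privileged only when gpu hardware is detected) to allowing privileged containers on every worker node, yet the description still only explains the three values and closes with a general recommendation that PSP "should be used". Suggest stating in the description that "true" is now the default and that operators who want the earlier behaviour must set allow-privileged to "auto" or "false" explicitly, so the change is visible to anyone reading the option and not only in the release note. It is also worth saying whether existing deployments that never set this option pick up the new default on charm upgrade.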
