kubeadm: Use a new label for marking and tainting the master node #41835
@@ -19,6 +19,8 @@ package constants | |
import ( | ||
"path" | ||
"time" | ||
|
||
"k8s.io/client-go/pkg/api/v1" | ||
) | ||
|
||
const ( | ||
|
@@ -69,6 +71,10 @@ const ( | |
// DefaultTokenDuration specifies the default amount of time that a bootstrap token will be valid | ||
DefaultTokenDuration = time.Duration(8) * time.Hour | ||
|
||
// LabelNodeRoleMaster specifies that a node is a master | ||
// It's copied over to kubeadm until it's merged in core: https://github.com/kubernetes/kubernetes/pull/39112 | ||
LabelNodeRoleMaster = "node-role.kubernetes.io/master" | ||
Do we want to add and label nodes too?
Maybe, but that's for the deb packages... (
||
|
||
// CSVTokenBootstrapUser is currently the user the bootstrap token in the .csv file | ||
// TODO: This should change to something more official and supported | ||
// TODO: Prefix with kubeadm prefix | ||
|
@@ -80,6 +86,13 @@ const ( | |
) | ||
|
||
var ( | ||
|
||
// MasterToleration is the toleration to apply on the PodSpec for being able to run that Pod on the master | ||
MasterToleration = v1.Toleration{ | ||
Key: LabelNodeRoleMaster, | ||
Effect: v1.TaintEffectNoSchedule, | ||
} | ||
|
||
AuthorizationPolicyPath = path.Join(KubernetesDir, "abac_policy.json") | ||
AuthorizationWebhookConfigPath = path.Join(KubernetesDir, "webhook_authz.conf") | ||
) |
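Review bot: MasterToleration at `MasterToleration = v1.Toleration{` sets Key and Effect but leaves Operator unset, which the Toleration API defaults to Equal with an empty Value, so it only matches a master taint whose value is empty. If that is the intended contract, state it in the doc comment, e.g. `// MasterToleration tolerates the master taint (key LabelNodeRoleMaster, empty value, NoSchedule)`; otherwise set `Operator: "Exists"` as the kube-dns addon in this PR does for CriticalAddonsOnly. The comment on LabelNodeRoleMaster only mentions labelling, yet the same string is used here as a taint key; `// LabelNodeRoleMaster is the label key that marks a node as a master; kubeadm also uses it as the key of the master taint.` would make that dual use explicit.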
@@ -29,6 +29,7 @@ import ( | |
"k8s.io/client-go/pkg/api/v1" | ||
extensions "k8s.io/client-go/pkg/apis/extensions/v1beta1" | ||
kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm" | ||
kubeadmconstants "k8s.io/kubernetes/cmd/kubeadm/app/constants" | ||
"k8s.io/kubernetes/cmd/kubeadm/app/images" | ||
kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util" | ||
) | ||
|
@@ -43,19 +44,21 @@ func CreateEssentialAddons(cfg *kubeadmapi.MasterConfiguration, client *clientse | |
return fmt.Errorf("error when parsing kube-proxy configmap template: %v", err) | ||
} | ||
|
||
proxyDaemonSetBytes, err := kubeadmutil.ParseTemplate(KubeProxyDaemonSet, struct{ Image, ClusterCIDR string }{ | ||
Image: images.GetCoreImage("proxy", cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), | ||
ClusterCIDR: getClusterCIDR(cfg.Networking.PodSubnet), | ||
proxyDaemonSetBytes, err := kubeadmutil.ParseTemplate(KubeProxyDaemonSet, struct{ Image, ClusterCIDR, MasterTaintKey string }{ | ||
Image: images.GetCoreImage("proxy", cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), | ||
ClusterCIDR: getClusterCIDR(cfg.Networking.PodSubnet), | ||
MasterTaintKey: kubeadmconstants.LabelNodeRoleMaster, | ||
I think that DaemonSets don't go through the scheduler so taints don't apply. But this doesn't hurt.
Now they do. This changed in
||
}) | ||
if err != nil { | ||
return fmt.Errorf("error when parsing kube-proxy daemonset template: %v", err) | ||
} | ||
|
||
dnsDeploymentBytes, err := kubeadmutil.ParseTemplate(KubeDNSDeployment, struct{ ImageRepository, Arch, Version, DNSDomain string }{ | ||
dnsDeploymentBytes, err := kubeadmutil.ParseTemplate(KubeDNSDeployment, struct{ ImageRepository, Arch, Version, DNSDomain, MasterTaintKey string }{ | ||
ImageRepository: kubeadmapi.GlobalEnvParams.RepositoryPrefix, | ||
Arch: runtime.GOARCH, | ||
Version: KubeDNSVersion, | ||
DNSDomain: cfg.Networking.DNSDomain, | ||
MasterTaintKey: kubeadmconstants.LabelNodeRoleMaster, | ||
}) | ||
if err != nil { | ||
return fmt.Errorf("error when parsing kube-dns deployment template: %v", err) | ||
|
@@ -101,6 +104,7 @@ func CreateKubeProxyAddon(configMapBytes, daemonSetbytes []byte, client *clients | |
if err := kuberuntime.DecodeInto(api.Codecs.UniversalDecoder(), daemonSetbytes, kubeproxyDaemonSet); err != nil { | ||
return fmt.Errorf("unable to decode kube-proxy daemonset %v", err) | ||
} | ||
kubeproxyDaemonSet.Spec.Template.Spec.Tolerations = []v1.Toleration{kubeadmconstants.MasterToleration} | ||
|
||
if _, err := client.ExtensionsV1beta1().DaemonSets(metav1.NamespaceSystem).Create(kubeproxyDaemonSet); err != nil { | ||
return fmt.Errorf("unable to create a new kube-proxy daemonset: %v", err) | ||
|
@@ -113,6 +117,13 @@ func CreateKubeDNSAddon(deploymentBytes, serviceBytes []byte, client *clientset. | |
if err := kuberuntime.DecodeInto(api.Codecs.UniversalDecoder(), deploymentBytes, kubednsDeployment); err != nil { | ||
return fmt.Errorf("unable to decode kube-dns deployment %v", err) | ||
} | ||
kubednsDeployment.Spec.Template.Spec.Tolerations = []v1.Toleration{ | ||
kubeadmconstants.MasterToleration, | ||
{ | ||
Key: "CriticalAddonsOnly", | ||
Operator: "Exists", | ||
}, | ||
} | ||
|
||
// TODO: All these .Create(foo) calls should instead be more like "kubectl apply -f" commands; they should not fail if there are existing objects with the same name | ||
if _, err := client.ExtensionsV1beta1().Deployments(metav1.NamespaceSystem).Create(kubednsDeployment); err != nil { | ||
|
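Review bot: The assignment `kubednsDeployment.Spec.Template.Spec.Tolerations = []v1.Toleration{` discards any tolerations the decoded deployment may carry, even though the same template is rendered with MasterTaintKey earlier in this section, so the master toleration now has two sources that can drift apart; the same applies to the kube-proxy DaemonSet at `kubeproxyDaemonSet.Spec.Template.Spec.Tolerations = []v1.Toleration{kubeadmconstants.MasterToleration}`. If the template output is meant to be superseded here, a short comment saying why, e.g. `// Overwrite the template's tolerations: the typed field is authoritative for the master and critical-addon taints`, would stop the next reader from wondering which copy wins; if not, append to the existing slice instead of assigning. The `Operator: "Exists"` literal is an untyped string for a v1.TolerationOperator field; a typed constant, if this client-go vendor provides one, would catch typos at compile time. CreateKubeDNSAddon starts before the hunk and continues past it.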
@smarterclayton
This is acceptable to use here given the discussion on the other PR.