From 3674b3617a770bd71d09e23137ff96f90eb1241a Mon Sep 17 00:00:00 2001
From: Spyros Trigazis <spyridon.trigazi@cern.ch>
Date: Mon, 30 Sep 2019 15:47:31 +0000
Subject: [PATCH] k8s_atomic: Run all syscontainer with podman

Using the atomic cli to install kubelet breaks mount
propagation of secrets, configmaps and so on. Using podman
in a systemd unit works.

Additionally, with this change all atomic commands are dropped,
containers are pulled from gcr.io (ofiicial kubernetes containers).

Finally, after this patch only by starting the heat-agent with
ignition, we can use fedora coreos as a drop-in replacement.

* Drop del of docker0
  This command to remove docker0 is carried from
  earlier versions of docker. This is not an issue
  anymore.

story: 2006459
task: 36871

Change-Id: I2ed8e02f5295e48d371ac9e1aff2ad5d30d0c2bd
Signed-off-by: Spyros Trigazis <spyridon.trigazi@cern.ch>
---
 .../kubernetes/fragments/configure-etcd.sh    | 111 +++++++---
 .../fragments/configure-kubernetes-master.sh  | 206 ++++++++++++++++--
 .../fragments/configure-kubernetes-minion.sh  | 108 +++++++--
 .../fragments/enable-services-master.sh       |   2 +-
 .../fragments/enable-services-minion.sh       |   3 +-
 .../fragments/start-container-agent.sh        |  45 +++-
 .../fragments/upgrade-kubernetes.sh           |  43 ++--
 .../templates/kubecluster.yaml                |   2 +-
 8 files changed, 417 insertions(+), 103 deletions(-)

diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
index a0f9b0d066..7ef2a8156a 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-etcd.sh
@@ -50,12 +50,30 @@ if [ -n "$ETCD_VOLUME_SIZE" ] && [ "$ETCD_VOLUME_SIZE" -gt 0 ]; then
 
 fi
 
-_prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}
-$ssh_cmd atomic install \
---system-package no \
---system \
---storage ostree \
---name=etcd ${_prefix}etcd:${ETCD_TAG}
+cat > /etc/systemd/system/etcd.service <<EOF
+[Unit]
+Description=Etcd server
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStartPre=mkdir -p /var/lib/etcd
+ExecStartPre=-/bin/podman rm etcd
+ExecStart=/bin/podman run \\
+    --name etcd \\
+    --volume /etc/pki/ca-trust/extracted/pem:/etc/ssl/certs:ro,z \\
+    --volume /etc/etcd:/etc/etcd:ro,z \\
+    --volume /var/lib/etcd:/var/lib/etcd:rshared,z \\
+    --net=host \\
+    ${CONTAINER_INFRA_PREFIX:-"k8s.gcr.io/"}etcd:${ETCD_TAG} \\
+    /usr/local/bin/etcd \\
+    --config-file /etc/etcd/etcd.conf.yaml
+ExecStop=/bin/podman stop etcd
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
 
 if [ -z "$KUBE_NODE_IP" ]; then
     # FIXME(yuanying): Set KUBE_NODE_IP correctly
@@ -70,34 +88,69 @@ if [ "$TLS_DISABLED" = "True" ]; then
     protocol="http"
 fi
 
-cat > /etc/etcd/etcd.conf <<EOF
-ETCD_NAME="$myip"
-ETCD_DATA_DIR="/var/lib/etcd/default.etcd"
-ETCD_LISTEN_CLIENT_URLS="$protocol://$myip:2379,http://127.0.0.1:2379"
-ETCD_LISTEN_PEER_URLS="$protocol://$myip:2380"
+cat > /etc/etcd/etcd.conf.yaml <<EOF
+# This is the configuration file for the etcd server.
 
-ETCD_ADVERTISE_CLIENT_URLS="$protocol://$myip:2379,http://127.0.0.1:2379"
-ETCD_INITIAL_ADVERTISE_PEER_URLS="$protocol://$myip:2380"
-ETCD_DISCOVERY="$ETCD_DISCOVERY_URL"
-EOF
+# Human-readable name for this member.
+name: "${INSTANCE_NAME}"
 
-if [ "$TLS_DISABLED" = "False" ]; then
+# Path to the data directory.
+data-dir: /var/lib/etcd/default.etcd
+
+# List of comma separated URLs to listen on for peer traffic.
+listen-peer-urls: "$protocol://$myip:2380"
+
+# List of comma separated URLs to listen on for client traffic.
+listen-client-urls: "$protocol://$myip:2379,http://127.0.0.1:2379"
+
+# List of this member's peer URLs to advertise to the rest of the cluster.
+# The URLs needed to be a comma-separated list.
+initial-advertise-peer-urls: "$protocol://$myip:2380"
+
+# List of this member's client URLs to advertise to the public.
+# The URLs needed to be a comma-separated list.
+advertise-client-urls: "$protocol://$myip:2379,http://127.0.0.1:2379"
+
+# Discovery URL used to bootstrap the cluster.
+discovery: "$ETCD_DISCOVERY_URL"
 
-cat >> /etc/etcd/etcd.conf <<EOF
-ETCD_CA_FILE=$cert_dir/ca.crt
-ETCD_TRUSTED_CA_FILE=$cert_dir/ca.crt
-ETCD_CERT_FILE=$cert_dir/server.crt
-ETCD_KEY_FILE=$cert_dir/server.key
-ETCD_CLIENT_CERT_AUTH=true
-ETCD_PEER_CA_FILE=$cert_dir/ca.crt
-ETCD_PEER_TRUSTED_CA_FILE=$cert_dir/ca.crt
-ETCD_PEER_CERT_FILE=$cert_dir/server.crt
-ETCD_PEER_KEY_FILE=$cert_dir/server.key
-ETCD_PEER_CLIENT_CERT_AUTH=true
 EOF
 
+if [ -n "$HTTP_PROXY" ]; then
+    cat >> /etc/etcd/etcd.conf.yaml <<EOF
+# HTTP proxy to use for traffic to discovery service.
+discovery-proxy: $HTTP_PROXY
+
+EOF
 fi
 
-if [ -n "$HTTP_PROXY" ]; then
-    echo "ETCD_DISCOVERY_PROXY=$HTTP_PROXY" >> /etc/etcd/etcd.conf
+if [ "$TLS_DISABLED" = "False" ]; then
+
+    cat >> /etc/etcd/etcd.conf.yaml <<EOF
+client-transport-security:
+  # Path to the client server TLS cert file.
+  cert-file: $cert_dir/server.crt
+
+  # Path to the client server TLS key file.
+  key-file: $cert_dir/server.key
+
+  # Enable client cert authentication.
+  client-cert-auth: true
+
+  # Path to the client server TLS trusted CA cert file.
+  trusted-ca-file: $cert_dir/ca.crt
+
+peer-transport-security:
+  # Path to the peer server TLS cert file.
+  cert-file: $cert_dir/server.crt
+
+  # Path to the peer server TLS key file.
+  key-file: $cert_dir/server.key
+
+  # Enable peer client cert authentication.
+  client-cert-auth: true
+
+  # Path to the peer server TLS trusted CA cert file.
+  trusted-ca-file: $cert_dir/ca.crt
+EOF
 fi
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index ea39754e58..0093bdfa23 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -21,14 +21,11 @@ if [ ! -z "$NO_PROXY" ]; then
     export NO_PROXY
 fi
 
-_prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}
-
 $ssh_cmd rm -rf /etc/cni/net.d/*
 $ssh_cmd rm -rf /var/lib/cni/*
 $ssh_cmd rm -rf /opt/cni/*
-$ssh_cmd mkdir -p /opt/cni
+$ssh_cmd mkdir -p /opt/cni/bin
 $ssh_cmd mkdir -p /etc/cni/net.d/
-_addtl_mounts=',{"type":"bind","source":"/opt/cni","destination":"/opt/cni","options":["bind","rw","slave","mode=777"]},{"type":"bind","source":"/var/lib/docker","destination":"/var/lib/docker","options":["bind","rw","slave","mode=755"]}'
 
 if [ "$NETWORK_DRIVER" = "calico" ]; then
     echo "net.ipv4.conf.all.rp_filter = 1" >> /etc/sysctl.conf
@@ -49,16 +46,193 @@ fi
 
 
 mkdir -p /srv/magnum/kubernetes/
-cat > /srv/magnum/kubernetes/install-kubernetes.sh <<EOF
-#!/bin/bash -x
-atomic install --storage ostree --system --set=ADDTL_MOUNTS='${_addtl_mounts}' --system-package=no --name=kubelet ${_prefix}kubernetes-kubelet:${KUBE_TAG}
-atomic install --storage ostree --system --system-package=no --name=kube-apiserver ${_prefix}kubernetes-apiserver:${KUBE_TAG}
-atomic install --storage ostree --system --system-package=no --name=kube-controller-manager ${_prefix}kubernetes-controller-manager:${KUBE_TAG}
-atomic install --storage ostree --system --system-package=no --name=kube-scheduler ${_prefix}kubernetes-scheduler:${KUBE_TAG}
-atomic install --storage ostree --system --system-package=no --name=kube-proxy ${_prefix}kubernetes-proxy:${KUBE_TAG}
+cat > /etc/kubernetes/config <<EOF
+KUBE_LOGTOSTDERR="--logtostderr=true"
+KUBE_LOG_LEVEL="--v=3"
+KUBE_MASTER="--master=http://127.0.0.1:8080"
+EOF
+cat > /etc/kubernetes/kubelet <<EOF
+KUBELET_ARGS="--fail-swap-on=false"
+EOF
+
+cat > /etc/kubernetes/apiserver <<EOF
+KUBE_API_ADDRESS="--insecure-bind-address=127.0.0.1"
+KUBE_ETCD_SERVERS="--etcd-servers=http://127.0.0.1:2379,http://127.0.0.1:4001"
+KUBE_SERVICE_ADDRESSES="--service-cluster-ip-range=10.254.0.0/16"
+KUBE_ADMISSION_CONTROL="--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
+KUBE_API_ARGS=""
+EOF
+
+cat > /etc/kubernetes/controller-manager <<EOF
+KUBE_CONTROLLER_MANAGER_ARGS=""
+EOF
+cat > /etc/kubernetes/scheduler<<EOF
+KUBE_SCHEDULER_ARGS=""
+EOF
+cat > /etc/kubernetes/proxy <<EOF
+KUBE_PROXY_ARGS=""
+EOF
+
+
+cat > /etc/systemd/system/kube-apiserver.service <<EOF
+[Unit]
+Description=kube-apiserver via Hyperkube
+[Service]
+EnvironmentFile=/etc/sysconfig/heat-params
+EnvironmentFile=/etc/kubernetes/config
+EnvironmentFile=/etc/kubernetes/apiserver
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/
+ExecStartPre=-/usr/bin/podman rm kube-apiserver
+ExecStartPre=-/bin/bash -c '/usr/bin/podman run --privileged --user root --net host --rm --volume /usr/local/bin:/host/usr/local/bin \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} /bin/sh -c "cp /usr/local/bin/kubectl /host/usr/local/bin/kubectl"'
+ExecStart=/bin/bash -c '/usr/bin/podman run --name kube-apiserver \\
+    --net host \\
+    --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
+    --volume /usr/lib/os-release:/etc/os-release:ro \\
+    --volume /etc/ssl/certs:/etc/ssl/certs:ro \\
+    --volume /run:/run \\
+    --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \\
+    \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} \\
+    /hyperkube kube-apiserver \\
+    \$KUBE_LOGTOSTDERR \$KUBE_LOG_LEVEL \$KUBE_ETCD_SERVERS \$KUBE_API_ADDRESS \$KUBE_API_PORT \$KUBELET_PORT \$KUBE_SERVICE_ADDRESSES \$KUBE_ADMISSION_CONTROL \$KUBE_API_ARGS'
+ExecStop=-/usr/bin/podman stop kube-apiserver
+Delegate=yes
+Restart=always
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/kube-controller-manager.service <<EOF
+[Unit]
+Description=kube-controller-manager via Hyperkube
+[Service]
+EnvironmentFile=/etc/sysconfig/heat-params
+EnvironmentFile=/etc/kubernetes/config
+EnvironmentFile=/etc/kubernetes/controller-manager
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/
+ExecStartPre=-/usr/bin/podman rm kube-controller-manager
+ExecStart=/bin/bash -c '/usr/bin/podman run --name kube-controller-manager \\
+    --net host \\
+    --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
+    --volume /usr/lib/os-release:/etc/os-release:ro \\
+    --volume /etc/ssl/certs:/etc/ssl/certs:ro \\
+    --volume /run:/run \\
+    --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \\
+    \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} \\
+    /hyperkube kube-controller-manager \\
+    --secure-port=0 \\
+    \$KUBE_LOGTOSTDERR \$KUBE_LOG_LEVEL \$KUBE_MASTER \$KUBE_CONTROLLER_MANAGER_ARGS'
+ExecStop=-/usr/bin/podman stop kube-controller-manager
+Delegate=yes
+Restart=always
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/kube-scheduler.service <<EOF
+[Unit]
+Description=kube-scheduler via Hyperkube
+[Service]
+EnvironmentFile=/etc/sysconfig/heat-params
+EnvironmentFile=/etc/kubernetes/config
+EnvironmentFile=/etc/kubernetes/scheduler
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/
+ExecStartPre=-/usr/bin/podman rm kube-scheduler
+ExecStart=/bin/bash -c '/usr/bin/podman run --name kube-scheduler \\
+    --net host \\
+    --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
+    --volume /usr/lib/os-release:/etc/os-release:ro \\
+    --volume /etc/ssl/certs:/etc/ssl/certs:ro \\
+    --volume /run:/run \\
+    --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \\
+    \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} \\
+    /hyperkube kube-scheduler \\
+    \$KUBE_LOGTOSTDERR \$KUBE_LOG_LEVEL \$KUBE_MASTER \$KUBE_SCHEDULER_ARGS'
+ExecStop=-/usr/bin/podman stop kube-scheduler
+Delegate=yes
+Restart=always
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
+EOF
+
+
+
+cat > /etc/systemd/system/kubelet.service <<EOF
+[Unit]
+Description=Kubelet via Hyperkube (System Container)
+[Service]
+EnvironmentFile=/etc/sysconfig/heat-params
+EnvironmentFile=/etc/kubernetes/config
+EnvironmentFile=/etc/kubernetes/kubelet
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
+ExecStartPre=/bin/mkdir -p /var/lib/calico
+ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
+ExecStartPre=/bin/mkdir -p /opt/cni/bin
+ExecStartPre=-/usr/bin/podman rm kubelet
+ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
+    --privileged \\
+    --pid host \\
+    --network host \\
+    --volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
+    --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
+    --volume /usr/lib/os-release:/etc/os-release:ro \\
+    --volume /etc/ssl/certs:/etc/ssl/certs:ro \\
+    --volume /lib/modules:/lib/modules:ro \\
+    --volume /run:/run \\
+    --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \\
+    --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \\
+    --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \\
+    --volume /var/lib/calico:/var/lib/calico \\
+    --volume /var/lib/docker:/var/lib/docker \\
+    --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \\
+    --volume /var/log:/var/log \\
+    --volume /var/run:/var/run \\
+    --volume /var/run/lock:/var/run/lock:z \\
+    --volume /opt/cni/bin:/opt/cni/bin:z \\
+    \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} \\
+    /hyperkube kubelet \\
+    \$KUBE_LOGTOSTDERR \$KUBE_LOG_LEVEL \$KUBELET_API_SERVER \$KUBELET_ADDRESS \$KUBELET_PORT \$KUBELET_HOSTNAME \$KUBELET_ARGS'
+ExecStop=-/usr/bin/podman stop kubelet
+Delegate=yes
+Restart=always
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/kube-proxy.service <<EOF
+[Unit]
+Description=kube-proxy via Hyperkube
+[Service]
+EnvironmentFile=/etc/sysconfig/heat-params
+EnvironmentFile=/etc/kubernetes/config
+EnvironmentFile=/etc/kubernetes/proxy
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/
+ExecStartPre=-/usr/bin/podman rm kube-proxy
+ExecStart=/bin/bash -c '/usr/bin/podman run --name kube-proxy \\
+    --privileged \\
+    --net host \\
+    --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
+    --volume /usr/lib/os-release:/etc/os-release:ro \\
+    --volume /etc/ssl/certs:/etc/ssl/certs:ro \\
+    --volume /run:/run \\
+    --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \\
+    --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \\
+    --volume /lib/modules:/lib/modules:ro \\
+    --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \\
+    \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} \\
+    /hyperkube kube-proxy \\
+    \$KUBE_LOGTOSTDERR \$KUBE_LOG_LEVEL \$KUBE_MASTER \$KUBE_PROXY_ARGS'
+ExecStop=-/usr/bin/podman stop kube-proxy
+Delegate=yes
+Restart=always
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
 EOF
-chmod +x /srv/magnum/kubernetes/install-kubernetes.sh
-$ssh_cmd "/srv/magnum/kubernetes/install-kubernetes.sh"
 
 
 CERT_DIR=/etc/kubernetes/certs
@@ -199,7 +373,7 @@ sed -i '
 sed -i '/^KUBE_SCHEDULER_ARGS=/ s/=.*/="--leader-elect=true"/' /etc/kubernetes/scheduler
 
 $ssh_cmd mkdir -p /etc/kubernetes/manifests
-KUBELET_ARGS="--register-node=true --pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=0 --hostname-override=${INSTANCE_NAME}"
+KUBELET_ARGS="--register-node=true --pod-manifest-path=/etc/kubernetes/manifests --hostname-override=${INSTANCE_NAME}"
 KUBELET_ARGS="${KUBELET_ARGS} --pod-infra-container-image=${CONTAINER_INFRA_PREFIX:-gcr.io/google_containers/}pause:3.0"
 KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
 KUBELET_ARGS="${KUBELET_ARGS} --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
@@ -281,7 +455,7 @@ fi
 KUBELET_ARGS="${KUBELET_ARGS} --address=${KUBE_NODE_IP} --port=10250 --read-only-port=0 --anonymous-auth=false --authorization-mode=Webhook --authentication-token-webhook=true"
 
 sed -i '
-/^KUBELET_ADDRESS=/ s/=.*/="--address=${KUBE_NODE_IP}"/
+/^KUBELET_ADDRESS=/ s/=.*/=""/
 /^KUBELET_HOSTNAME=/ s/=.*/=""/
-/^KUBELET_ARGS=/ s|=.*|="'"\$(/etc/kubernetes/get_require_kubeconfig.sh) ${KUBELET_ARGS}"'"|
+/^KUBELET_ARGS=/ s|=.*|="'"${KUBELET_ARGS}"'"|
 ' /etc/kubernetes/kubelet
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
index 0e3d372c74..06b81114c2 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-minion.sh
@@ -21,12 +21,11 @@ if [ ! -z "$NO_PROXY" ]; then
     export NO_PROXY
 fi
 
-_prefix=${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}
-
 $ssh_cmd rm -rf /etc/cni/net.d/*
 $ssh_cmd rm -rf /var/lib/cni/*
 $ssh_cmd rm -rf /opt/cni/*
 $ssh_cmd mkdir -p /opt/cni
+$ssh_cmd mkdir -p /opt/cni/bin
 $ssh_cmd mkdir -p /etc/cni/net.d/
 _addtl_mounts=',{"type":"bind","source":"/opt/cni","destination":"/opt/cni","options":["bind","rw","slave","mode=777"]},{"type":"bind","source":"/var/lib/docker","destination":"/var/lib/docker","options":["bind","rw","slave","mode=755"]}'
 
@@ -48,13 +47,91 @@ EOF
 fi
 
 mkdir -p /srv/magnum/kubernetes/
-cat > /srv/magnum/kubernetes/install-kubernetes.sh <<EOF
-#!/bin/bash -x
-atomic install --storage ostree --system --system-package=no --set=ADDTL_MOUNTS='${_addtl_mounts}' --name=kubelet ${_prefix}kubernetes-kubelet:${KUBE_TAG}
-atomic install --storage ostree --system --system-package=no --name=kube-proxy ${_prefix}kubernetes-proxy:${KUBE_TAG}
+cat > /etc/kubernetes/config <<EOF
+KUBE_LOGTOSTDERR="--logtostderr=true"
+KUBE_LOG_LEVEL="--v=3"
+KUBE_MASTER="--master=http://127.0.0.1:8080"
+EOF
+cat > /etc/kubernetes/kubelet <<EOF
+KUBELET_ARGS="--fail-swap-on=false"
+EOF
+cat > /etc/kubernetes/proxy <<EOF
+KUBE_PROXY_ARGS=""
+EOF
+cat > /etc/systemd/system/kubelet.service <<EOF
+[Unit]
+Description=Kubelet via Hyperkube (System Container)
+[Service]
+EnvironmentFile=/etc/sysconfig/heat-params
+EnvironmentFile=/etc/kubernetes/config
+EnvironmentFile=/etc/kubernetes/kubelet
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
+ExecStartPre=/bin/mkdir -p /var/lib/calico
+ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
+ExecStartPre=/bin/mkdir -p /opt/cni/bin
+ExecStartPre=-/usr/bin/podman rm kubelet
+ExecStart=/bin/bash -c '/usr/bin/podman run --name kubelet \\
+    --privileged \\
+    --pid host \\
+    --network host \\
+    --volume /etc/cni/net.d:/etc/cni/net.d:ro,z \\
+    --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
+    --volume /usr/lib/os-release:/etc/os-release:ro \\
+    --volume /etc/ssl/certs:/etc/ssl/certs:ro \\
+    --volume /lib/modules:/lib/modules:ro \\
+    --volume /run:/run \\
+    --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \\
+    --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \\
+    --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \\
+    --volume /var/lib/calico:/var/lib/calico \\
+    --volume /var/lib/docker:/var/lib/docker \\
+    --volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \\
+    --volume /var/log:/var/log \\
+    --volume /var/run:/var/run \\
+    --volume /var/run/lock:/var/run/lock:z \\
+    --volume /opt/cni/bin:/opt/cni/bin:z \\
+    \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} \\
+    /hyperkube kubelet \\
+    \$KUBE_LOGTOSTDERR \$KUBE_LOG_LEVEL \$KUBELET_API_SERVER \$KUBELET_ADDRESS \$KUBELET_PORT \$KUBELET_HOSTNAME \$KUBELET_ARGS'
+ExecStop=-/usr/bin/podman stop kubelet
+Delegate=yes
+Restart=always
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
+EOF
+
+cat > /etc/systemd/system/kube-proxy.service <<EOF
+[Unit]
+Description=kube-proxy via Hyperkube
+[Service]
+EnvironmentFile=/etc/sysconfig/heat-params
+EnvironmentFile=/etc/kubernetes/config
+EnvironmentFile=/etc/kubernetes/proxy
+ExecStartPre=/bin/mkdir -p /etc/kubernetes/
+ExecStartPre=-/usr/bin/podman rm kube-proxy
+ExecStart=/bin/bash -c '/usr/bin/podman run --name kube-proxy \\
+    --privileged \\
+    --net host \\
+    --volume /etc/kubernetes:/etc/kubernetes:ro,z \\
+    --volume /usr/lib/os-release:/etc/os-release:ro \\
+    --volume /etc/ssl/certs:/etc/ssl/certs:ro \\
+    --volume /run:/run \\
+    --volume /sys/fs/cgroup:/sys/fs/cgroup:ro \\
+    --volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \\
+    --volume /lib/modules:/lib/modules:ro \\
+    --volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \\
+    \${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:\${KUBE_TAG} \\
+    /hyperkube kube-proxy \\
+    \$KUBE_LOGTOSTDERR \$KUBE_LOG_LEVEL \$KUBE_MASTER \$KUBE_PROXY_ARGS'
+ExecStop=-/usr/bin/podman stop kube-proxy
+Delegate=yes
+Restart=always
+RestartSec=10
+[Install]
+WantedBy=multi-user.target
 EOF
-chmod +x /srv/magnum/kubernetes/install-kubernetes.sh
-$ssh_cmd "/srv/magnum/kubernetes/install-kubernetes.sh"
 
 CERT_DIR=/etc/kubernetes/certs
 ETCD_SERVER_IP=${ETCD_SERVER_IP:-$KUBE_MASTER_IP}
@@ -139,7 +216,7 @@ sed -i '
 # the option --hostname-override for kubelet uses the hostname to register the node.
 # Using any other name will break the load balancer and cinder volume features.
 mkdir -p /etc/kubernetes/manifests
-KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --cadvisor-port=0 --kubeconfig ${KUBELET_KUBECONFIG} --hostname-override=${INSTANCE_NAME}"
+KUBELET_ARGS="--pod-manifest-path=/etc/kubernetes/manifests --kubeconfig ${KUBELET_KUBECONFIG} --hostname-override=${INSTANCE_NAME}"
 KUBELET_ARGS="${KUBELET_ARGS} --address=${KUBE_NODE_IP} --port=10250 --read-only-port=0 --anonymous-auth=false --authorization-mode=Webhook --authentication-token-webhook=true"
 KUBELET_ARGS="${KUBELET_ARGS} --cluster_dns=${DNS_SERVICE_IP} --cluster_domain=${DNS_CLUSTER_DOMAIN}"
 KUBELET_ARGS="${KUBELET_ARGS} --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
@@ -183,24 +260,13 @@ fi
 $ssh_cmd systemctl daemon-reload
 $ssh_cmd systemctl enable docker
 
-cat > /etc/kubernetes/get_require_kubeconfig.sh <<EOF
-#!/bin/bash
-
-KUBE_VERSION=\$(kubelet --version | awk '{print \$2}')
-min_version=v1.8.0
-if [[ "\${min_version}" != \$(echo -e "\${min_version}\n\${KUBE_VERSION}" | sort -s -t. -k 1,1 -k 2,2n -k 3,3n | head -n1) && "\${KUBE_VERSION}" != "devel" ]]; then
-    echo "--require-kubeconfig"
-fi
-EOF
-chmod +x /etc/kubernetes/get_require_kubeconfig.sh
-
 KUBELET_ARGS="${KUBELET_ARGS} --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin"
 
 sed -i '
     /^KUBELET_ADDRESS=/ s/=.*/="--address=0.0.0.0"/
     /^KUBELET_HOSTNAME=/ s/=.*/=""/
     s/^KUBELET_API_SERVER=.*$//
-    /^KUBELET_ARGS=/ s|=.*|="'"\$(/etc/kubernetes/get_require_kubeconfig.sh) ${KUBELET_ARGS}"'"|
+    /^KUBELET_ARGS=/ s|=.*|="'"${KUBELET_ARGS}"'"|
 ' /etc/kubernetes/kubelet
 
 KUBE_PROXY_ARGS="--kubeconfig=${PROXY_KUBECONFIG} --cluster-cidr=${PODS_NETWORK_CIDR} --hostname-override=${INSTANCE_NAME}"
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-services-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-services-master.sh
index 2bd9b8e1f0..126a40faf3 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-services-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-services-master.sh
@@ -19,7 +19,7 @@ echo "starting services"
 for service in etcd docker kube-apiserver kube-controller-manager kube-scheduler kubelet kube-proxy; do
     echo "activating service $service"
     $ssh_cmd systemctl enable $service
-    $ssh_cmd systemctl --no-block restart $service
+    $ssh_cmd systemctl restart $service
 done
 
 # Label self as master
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/enable-services-minion.sh b/magnum/drivers/common/templates/kubernetes/fragments/enable-services-minion.sh
index 4f0082b4cf..62979a436b 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-services-minion.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-services-minion.sh
@@ -9,7 +9,6 @@ ssh_cmd="ssh -F /srv/magnum/.ssh/config root@localhost"
 # be re-created using the flannel-provided subnet).
 echo "stopping docker"
 $ssh_cmd systemctl stop docker
-$ssh_cmd ip link del docker0
 
 # make sure we pick up any modified unit files
 $ssh_cmd systemctl daemon-reload
@@ -17,5 +16,5 @@ $ssh_cmd systemctl daemon-reload
 for service in docker kubelet kube-proxy; do
     echo "activating service $service"
     $ssh_cmd systemctl enable $service
-    $ssh_cmd systemctl --no-block start $service
+    $ssh_cmd systemctl start $service
 done
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh b/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
index 4e43c7bd23..b6c943cb44 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/start-container-agent.sh
@@ -50,12 +50,43 @@ systemctl restart sshd
 
 
 _prefix="${CONTAINER_INFRA_PREFIX:-docker.io/openstackmagnum/}"
-atomic install \
---storage ostree \
---system \
---system-package no \
---set REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \
---name heat-container-agent \
-"${_prefix}heat-container-agent:${HEAT_CONTAINER_AGENT_TAG}"
 
+cat > /etc/systemd/system/heat-container-agent.service <<EOF
+[Unit]
+Description=Run heat-container-agent
+After=network-online.target
+Wants=network-online.target
+
+[Service]
+ExecStartPre=mkdir -p /var/lib/heat-container-agent
+ExecStartPre=mkdir -p /var/run/heat-config
+ExecStartPre=mkdir -p /var/run/os-collect-config
+ExecStartPre=mkdir -p /opt/stack/os-config-refresh
+ExecStartPre=mkdir -p /srv/magnum
+ExecStartPre=-/bin/podman kill heat-container-agent
+ExecStartPre=-/bin/podman rm heat-container-agent
+ExecStartPre=-/bin/podman pull docker.io/openstackmagnum/heat-container-agent:train-dev
+ExecStart=/bin/podman run \\
+    --name heat-container-agent \\
+    --net=host \\
+    --privileged \\
+    --volume /srv/magnum:/srv/magnum \\
+    --volume /opt/stack/os-config-refresh:/opt/stack/os-config-refresh \\
+    --volume /run/systemd:/run/systemd \\
+    --volume /etc/:/etc/ \\
+    --volume /var/lib:/var/lib \\
+    --volume /var/run:/var/run \\
+    --volume /var/log:/var/log \\
+    --volume /tmp:/tmp \\
+    --volume /dev:/dev \\
+    --env REQUESTS_CA_BUNDLE=/etc/pki/tls/certs/ca-bundle.crt \\
+    ${_prefix}heat-container-agent:${HEAT_CONTAINER_AGENT_TAG} \\
+    /usr/bin/start-heat-container-agent
+ExecStop=/bin/podman stop heat-container-agent
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable heat-container-agent
 systemctl start heat-container-agent
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/upgrade-kubernetes.sh b/magnum/drivers/common/templates/kubernetes/fragments/upgrade-kubernetes.sh
index 9ab7c3531d..76a6aa879e 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/upgrade-kubernetes.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/upgrade-kubernetes.sh
@@ -4,49 +4,40 @@
 set -x
 
 ssh_cmd="ssh -F /srv/magnum/.ssh/config root@localhost"
-kubecontrol="/var/lib/containers/atomic/heat-container-agent.0/rootfs/usr/bin/kubectl --kubeconfig /etc/kubernetes/kubelet-config.yaml"
+KUBECONFIG="/etc/kubernetes/kubelet-config.yaml"
 new_kube_tag="$kube_tag_input"
 
 if [ ${new_kube_tag}!=${KUBE_TAG} ]; then
     # If there is only one master and this is the master node, skip the drain, just cordon it
     # If there is only one worker and this is the worker node, skip the drain, just cordon it
-    all_masters=$(${ssh_cmd} ${kubecontrol} get nodes --selector=node-role.kubernetes.io/master= -o name)
-    all_workers=$(${ssh_cmd} ${kubecontrol} get nodes --selector=node-role.kubernetes.io/master!= -o name)
+    all_masters=$(kubectl get nodes --selector=node-role.kubernetes.io/master= -o name)
+    all_workers=$(kubectl get nodes --selector=node-role.kubernetes.io/master!= -o name)
     if [ "node/${INSTANCE_NAME}" != "${all_masters}" ] && [ "node/${INSTANCE_NAME}" != "${all_workers}" ]; then
-        ${ssh_cmd} ${kubecontrol} drain ${INSTANCE_NAME} --ignore-daemonsets --delete-local-data --force
+        kubectl drain ${INSTANCE_NAME} --ignore-daemonsets --delete-local-data --force
     else
-        ${ssh_cmd} ${kubecontrol} cordon ${INSTANCE_NAME}
+        kubectl cordon ${INSTANCE_NAME}
     fi
 
-    declare -A service_image_mapping
-    service_image_mapping=( ["kubelet"]="kubernetes-kubelet" ["kube-controller-manager"]="kubernetes-controller-manager" ["kube-scheduler"]="kubernetes-scheduler" ["kube-proxy"]="kubernetes-proxy" ["kube-apiserver"]="kubernetes-apiserver" )
-
-    SERVICE_LIST=$($ssh_cmd atomic containers list -f container=kube -q --no-trunc)
+    SERVICE_LIST=$($ssh_cmd podman ps -f name=kube --format {{.Names}})
 
     for service in ${SERVICE_LIST}; do
         ${ssh_cmd} systemctl stop ${service}
+        ${ssh_cmd} podman rm ${service}
     done
 
-    for service in ${SERVICE_LIST}; do
-        ${ssh_cmd} atomic pull --storage ostree "docker.io/openstackmagnum/${service_image_mapping[${service}]}:${new_kube_tag}"
-    done
-
-    for service in ${SERVICE_LIST}; do
-        ${ssh_cmd} atomic containers update --rebase docker.io/openstackmagnum/${service_image_mapping[${service}]}:${new_kube_tag} ${service}
-    done
+    ${ssh_cmd} podman rmi ${CONTAINER_INFRA_PREFIX:-k8s.gcr.io/}hyperkube:${KUBE_TAG}
+    echo "KUBE_TAG=$new_kube_tag" >> /etc/sysconfig/heat-params
 
     for service in ${SERVICE_LIST}; do
-        systemctl restart ${service}
+        ${ssh_cmd} systemctl start ${service}
     done
 
-    ${ssh_cmd} /var/lib/containers/atomic/heat-container-agent.0/rootfs/usr/bin/kubectl --kubeconfig /etc/kubernetes/kubelet-config.yaml uncordon ${INSTANCE_NAME}
-
-    for service in ${SERVICE_LIST}; do
-        ${ssh_cmd} atomic --assumeyes images "delete docker.io/openstackmagnum/${service_image_mapping[${service}]}:${KUBE_TAG}"
+    i=0
+    until kubectl uncordon ${INSTANCE_NAME}
+    do
+        ((i++))
+        [ $i -lt 30 ] || break;
+        echo "Trying to uncordon node..."
+        sleep 5s
     done
-
-    ${ssh_cmd} atomic images prune
-
-    # Appending the new KUBE_TAG into the heat-parms to log and indicate the current k8s version
-    echo "KUBE_TAG=$new_kube_tag" >> /etc/sysconfig/heat-params
 fi
diff --git a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
index dc1703ce45..e5c086ce62 100644
--- a/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
+++ b/magnum/drivers/k8s_fedora_atomic_v1/templates/kubecluster.yaml
@@ -434,7 +434,7 @@ parameters:
   etcd_tag:
     type: string
     description: tag of the etcd system container
-    default: v3.2.7
+    default: 3.2.26
 
   coredns_tag:
     type: string