From a70e65aa5ae2576152441cd6934bddf52601be13 Mon Sep 17 00:00:00 2001
From: Ed Robinson
Date: Wed, 10 Apr 2019 11:21:59 +0100
Subject: [PATCH 1/3] Make args consistent
---
 pkg/system/system_test.go | 4 ++--
 pkg/system/templates/etc/systemd/system/kubelet.service | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/pkg/system/system_test.go b/pkg/system/system_test.go
index a96d809..0cbfffa 100644
--- a/pkg/system/system_test.go
+++ b/pkg/system/system_test.go
@@ -82,7 +82,7 @@ Requires=docker.service
 ExecStart=/usr/bin/kubelet \
 --allow-privileged=true \
 --cloud-provider=aws \
- --config /etc/kubernetes/kubelet/config.yaml \
+ --config=/etc/kubernetes/kubelet/config.yaml \
 --network-plugin=cni \
 --kubeconfig=/var/lib/kubelet/kubeconfig $KUBELET_CONTAINER_RUNTIME_ARGS $KUBELET_ARGS $KUBELET_NODE_LABELS $KUBELET_NODE_TAINTS $KUBELET_EXTRA_ARGS
@@ -259,7 +259,7 @@ Requires=containerd.service
 ExecStart=/usr/bin/kubelet \
 --allow-privileged=true \
 --cloud-provider=aws \
- --config /etc/kubernetes/kubelet/config.yaml \
+ --config=/etc/kubernetes/kubelet/config.yaml \
 --network-plugin=cni \
 --kubeconfig=/var/lib/kubelet/kubeconfig $KUBELET_CONTAINER_RUNTIME_ARGS $KUBELET_ARGS $KUBELET_NODE_LABELS $KUBELET_NODE_TAINTS $KUBELET_EXTRA_ARGS
diff --git a/pkg/system/templates/etc/systemd/system/kubelet.service b/pkg/system/templates/etc/systemd/system/kubelet.service
index 56718a9..e1aa5f3 100644
--- a/pkg/system/templates/etc/systemd/system/kubelet.service
+++ b/pkg/system/templates/etc/systemd/system/kubelet.service
@@ -8,7 +8,7 @@ Requires={{.Node.ContainerRuntime}}.service
 ExecStart=/usr/bin/kubelet \
 --allow-privileged=true \
 --cloud-provider=aws \
- --config /etc/kubernetes/kubelet/config.yaml \
+ --config=/etc/kubernetes/kubelet/config.yaml \
 --network-plugin=cni \
 --kubeconfig=/var/lib/kubelet/kubeconfig $KUBELET_CONTAINER_RUNTIME_ARGS $KUBELET_ARGS $KUBELET_NODE_LABELS $KUBELET_NODE_TAINTS $KUBELET_EXTRA_ARGS
From d0ae081a782faf078366ca83bfdb3677df2df9da Mon Sep 17 00:00:00 2001
From: Ed Robinson
Date: Wed, 10 Apr 2019 11:38:45 +0100
Subject: [PATCH 2/3] Don't specify cgroup driver... cgroupfs is the default. If someone wants to use another then a dropin with KUBELET_EXTRA_ARGS will work fine!
---
 pkg/system/system_test.go | 2 +-
 .../systemd/system/kubelet.service.d/40-container-runtime.conf | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/pkg/system/system_test.go b/pkg/system/system_test.go
index 0cbfffa..2fb688f 100644
--- a/pkg/system/system_test.go
+++ b/pkg/system/system_test.go
@@ -273,7 +273,7 @@ WantedBy=multi-user.target
 fs.Check(t, "/etc/systemd/system/kubelet.service", expected, 0640)
 expected = `[Service]
-Environment="KUBELET_CONTAINER_RUNTIME_ARGS=--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd"
+Environment="KUBELET_CONTAINER_RUNTIME_ARGS=--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
 `
 fs.Check(t, "/etc/systemd/system/kubelet.service.d/40-container-runtime.conf", expected, 0640)
 }
diff --git a/pkg/system/templates/etc/systemd/system/kubelet.service.d/40-container-runtime.conf b/pkg/system/templates/etc/systemd/system/kubelet.service.d/40-container-runtime.conf
index 641bde1..2a2609d 100644
--- a/pkg/system/templates/etc/systemd/system/kubelet.service.d/40-container-runtime.conf
+++ b/pkg/system/templates/etc/systemd/system/kubelet.service.d/40-container-runtime.conf
@@ -1,6 +1,6 @@
 [Service]
 {{- if eq .Node.ContainerRuntime "containerd" }}
-Environment="KUBELET_CONTAINER_RUNTIME_ARGS=--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock --cgroup-driver=systemd"
+Environment="KUBELET_CONTAINER_RUNTIME_ARGS=--container-runtime=remote --runtime-request-timeout=15m --container-runtime-endpoint=unix:///run/containerd/containerd.sock"
 {{ else if eq .Node.ContainerRuntime "docker" }}
 Environment="KUBELET_CONTAINER_RUNTIME_ARGS=--container-runtime=docker"
 {{ end -}}
From bfef619e8ecb4a4a4c58d12522a7643349194f2d Mon Sep 17 00:00:00 2001
From: Ed Robinson
Date: Wed, 10 Apr 2019 11:40:20 +0100
Subject: [PATCH 3/3] Pull in config enhancements from the upstream eks-ami
See:
* https://github.com/awslabs/amazon-eks-ami/pull/168
* https://github.com/awslabs/amazon-eks-ami/pull/167
* https://github.com/awslabs/amazon-eks-ami/pull/170
* https://github.com/awslabs/amazon-eks-ami/pull/137
---
 pkg/system/system_test.go | 15 +++++++++++----
 .../templates/etc/kubernetes/kubelet/config.yaml | 3 +++
 .../templates/etc/systemd/system/kubelet.service | 6 ++++--
 3 files changed, 18 insertions(+), 6 deletions(-)
diff --git a/pkg/system/system_test.go b/pkg/system/system_test.go
index 2fb688f..931f8cd 100644
--- a/pkg/system/system_test.go
+++ b/pkg/system/system_test.go
@@ -79,6 +79,7 @@ After=docker.service
 Requires=docker.service
 [Service]
+ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
 ExecStart=/usr/bin/kubelet \
 --allow-privileged=true \
 --cloud-provider=aws \
@@ -86,9 +87,10 @@ ExecStart=/usr/bin/kubelet \
 --network-plugin=cni \
 --kubeconfig=/var/lib/kubelet/kubeconfig $KUBELET_CONTAINER_RUNTIME_ARGS $KUBELET_ARGS $KUBELET_NODE_LABELS $KUBELET_NODE_TAINTS $KUBELET_EXTRA_ARGS
-Restart=always
-StartLimitInterval=0
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
 RestartSec=5
+KillMode=process
 [Install]
 WantedBy=multi-user.target
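Review bot: With `--cgroup-driver=systemd` removed, the containerd branch of this drop-in now depends on `cgroupDriver: cgroupfs` from config.yaml, so kubelet and containerd's runc shim have to agree on cgroupfs; if the containerd config rendered elsewhere in this package sets `SystemdCgroup = true` (not visible on this page, please confirm), pods will fail to start on those nodes. The commit message's escape hatch works only because a `--cgroup-driver` flag supplied through KUBELET_EXTRA_ARGS takes precedence over the config-file value, and nothing in the template records that. A template comment above the containerd branch, e.g. `{{/* cgroup driver comes from config.yaml (cgroupfs) and must match the runtime's; override with --cgroup-driver in a KUBELET_EXTRA_ARGS drop-in */}}`, would stop the next editor from reintroducing a mismatch. The system_test.go hunk at `@@ -273,7 +273,7 @@` above pins the same string.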
@@ -117,11 +119,14 @@ authorization:
 cacheAuthorizedTTL: 5m0s
 cacheUnauthorizedTTL: 30s
 clusterDomain: cluster.local
+hairpinMode: hairpin-veth
 clusterDNS: [172.20.0.10]
 cgroupDriver: cgroupfs
+cgroupRoot: /
 featureGates:
 RotateKubeletServerCertificate: true
 serverTLSBootstrap: true
+serializeImagePulls: false
 kubeReserved:
 cpu: 70m
 memory: 1024Mi
@@ -256,6 +261,7 @@ After=containerd.service
 Requires=containerd.service
 [Service]
+ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
 ExecStart=/usr/bin/kubelet \
 --allow-privileged=true \
 --cloud-provider=aws \
@@ -263,9 +269,10 @@ ExecStart=/usr/bin/kubelet \
 --network-plugin=cni \
 --kubeconfig=/var/lib/kubelet/kubeconfig $KUBELET_CONTAINER_RUNTIME_ARGS $KUBELET_ARGS $KUBELET_NODE_LABELS $KUBELET_NODE_TAINTS $KUBELET_EXTRA_ARGS
-Restart=always
-StartLimitInterval=0
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
 RestartSec=5
+KillMode=process
 [Install]
 WantedBy=multi-user.target
diff --git a/pkg/system/templates/etc/kubernetes/kubelet/config.yaml b/pkg/system/templates/etc/kubernetes/kubelet/config.yaml
index 58c4afd..8654191 100644
--- a/pkg/system/templates/etc/kubernetes/kubelet/config.yaml
+++ b/pkg/system/templates/etc/kubernetes/kubelet/config.yaml
@@ -15,11 +15,14 @@ authorization:
 cacheAuthorizedTTL: 5m0s
 cacheUnauthorizedTTL: 30s
 clusterDomain: cluster.local
+hairpinMode: hairpin-veth
 clusterDNS: [{{.Node.ClusterDNS}}]
 cgroupDriver: cgroupfs
+cgroupRoot: /
 featureGates:
 RotateKubeletServerCertificate: true
 serverTLSBootstrap: true
+serializeImagePulls: false
 {{- if and .Node.ReservedCPU .Node.ReservedMemory }}
 kubeReserved:
 cpu: {{.Node.ReservedCPU}}
diff --git a/pkg/system/templates/etc/systemd/system/kubelet.service b/pkg/system/templates/etc/systemd/system/kubelet.service
index e1aa5f3..f94edb0 100644
--- a/pkg/system/templates/etc/systemd/system/kubelet.service
+++ b/pkg/system/templates/etc/systemd/system/kubelet.service
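Review bot: The three keys added to config.yaml (`hairpinMode`, `cgroupRoot`, `serializeImagePulls`) carry no comment on why they depart from the kubelet defaults, and `serializeImagePulls: false` is the one with a documented caveat: the kubelet help for `--serialize-image-pulls` recommends not changing it on nodes whose docker daemon uses the aufs storage backend, and this template is rendered for whichever `.Node.ContainerRuntime` the node selects, docker included. Whether the docker nodes this project builds use a non-aufs storage driver cannot be told from this page, so the assumption should be written down; suggest a YAML comment above the new keys such as `# Taken from the upstream amazon-eks-ami kubelet config (see commit message); serializeImagePulls=false assumes a non-aufs docker storage driver`. The system_test.go hunk at `@@ -117,11 +119,14 @@` above pins the same three lines, and the config file continues outside the hunk on both sides.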
@@ -5,6 +5,7 @@ After={{.Node.ContainerRuntime}}.service
 Requires={{.Node.ContainerRuntime}}.service
 [Service]
+ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
 ExecStart=/usr/bin/kubelet \
 --allow-privileged=true \
 --cloud-provider=aws \
@@ -12,9 +13,10 @@ ExecStart=/usr/bin/kubelet \
 --network-plugin=cni \
 --kubeconfig=/var/lib/kubelet/kubeconfig $KUBELET_CONTAINER_RUNTIME_ARGS $KUBELET_ARGS $KUBELET_NODE_LABELS $KUBELET_NODE_TAINTS $KUBELET_EXTRA_ARGS
-Restart=always
-StartLimitInterval=0
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
 RestartSec=5
+KillMode=process
 [Install]
 WantedBy=multi-user.target
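Review bot: The new `ExecStartPre=/sbin/iptables -P FORWARD ACCEPT` sets a host-wide default-accept forwarding policy on every kubelet start, with no comment explaining why, and it runs for either container runtime this template is rendered with. The upstream rationale is presumably docker resetting the FORWARD policy to DROP when it enables IP forwarding, which breaks pod-to-pod traffic; that is docker-specific, so if nothing else on the containerd image sets a DROP policy (please confirm), the line could be wrapped in `{{- if eq .Node.ContainerRuntime "docker" }}` / `{{ end -}}` as 40-container-runtime.conf already does, and in any case it deserves a comment such as `# docker sets the FORWARD policy to DROP, which breaks pod traffic; restore ACCEPT before kubelet starts`. With a default-ACCEPT policy, forwarding restrictions on the node rest entirely on explicit rules (CNI, kube-proxy, any network policy implementation), which is worth stating next to the line as well. A missing or failing /sbin/iptables now prevents kubelet from starting at all; that is the right, loud failure here, so this should not be softened to `ExecStartPre=-/sbin/iptables ...`. The same line is added to the system_test.go expectations at `@@ -79,6 +79,7 @@` and `@@ -256,6 +261,7 @@` above.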
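Review bot: `KillMode=process` and `Restart=on-failure` change the unit's stop and restart semantics without a word of explanation: on `systemctl stop kubelet` only the main kubelet process is signalled and anything it spawned keeps running, and a clean exit with status 0 is no longer restarted where `Restart=always` used to bring it back. Dropping `StartLimitInterval=0` also re-enables systemd's default start-rate limit; with `RestartSec=5` it should not normally trigger, but it is a visible change from the previous retry-forever behavior. Suggest a short comment above `Restart=`, e.g. `# Mirror the upstream amazon-eks-ami unit: restart on failure (and on SIGPIPE), leave kubelet's children running on stop, use the default start-rate limit`. The system_test.go hunks at `@@ -86,9 +87,10 @@` and `@@ -263,9 +269,10 @@` above pin the same lines.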