From 7b99223c86dff2a3482f0bda19c77dd841a0ab3e Mon Sep 17 00:00:00 2001
From: Christian Schlotter
Date: Mon, 18 Dec 2023 15:00:24 +0100
Subject: [PATCH] capd: fix ignition to also set the kube-proxy configuration to skip setting sysctls
---
 .../cluster-template-ignition/ignition.yaml | 6 +++++
 .../provisioning/ignition/kindadapter.go | 23 +++++++++++++++++++
 2 files changed, 29 insertions(+)

diff --git a/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/ignition.yaml b/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/ignition.yaml
index 664757819128..42cde258b69e 100644
--- a/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/ignition.yaml
+++ b/test/e2e/data/infrastructure-docker/main/cluster-template-ignition/ignition.yaml
@@ -12,6 +12,8 @@ spec:
 kubeletExtraArgs:
 eviction-hard: 'nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%'
 fail-swap-on: "false"
+ cgroup-root: "/kubelet"
+ runtime-cgroups: "/system.slice/containerd.service"
 joinConfiguration:
 nodeRegistration:
 # We have to set the criSocket to containerd as kubeadm defaults to docker runtime if both containerd and docker sockets are found
@@ -19,6 +21,8 @@ spec:
 kubeletExtraArgs:
 eviction-hard: 'nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%'
 fail-swap-on: "false"
+ cgroup-root: "/kubelet"
+ runtime-cgroups: "/system.slice/containerd.service"
 ---
 apiVersion: bootstrap.cluster.x-k8s.io/v1beta1
 kind: KubeadmConfigTemplate
@@ -45,3 +49,5 @@ spec:
 kubeletExtraArgs:
 eviction-hard: 'nodefs.available<0%,nodefs.inodesFree<0%,imagefs.available<0%'
 fail-swap-on: "false"
+ cgroup-root: "/kubelet"
+ runtime-cgroups: "/system.slice/containerd.service"
diff --git a/test/infrastructure/docker/internal/provisioning/ignition/kindadapter.go b/test/infrastructure/docker/internal/provisioning/ignition/kindadapter.go
index d37b1203245f..8873082a8059 100644
--- a/test/infrastructure/docker/internal/provisioning/ignition/kindadapter.go
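Review bot: The three hunks in this file add the same `cgroup-root: "/kubelet"` / `runtime-cgroups: "/system.slice/containerd.service"` pair to every kubeletExtraArgs block, but neither the subject nor the description, which only mention the kube-proxy sysctl, says why the kubelet cgroup arguments are needed. A short comment above the first added pair, in the style of the existing `# We have to set the criSocket ...` line, stating what breaks without these values would save the next reader from reconstructing it; the same applies to the second and third hunks. The pair is repeated verbatim three times, so a later change to either value has to be made in three places.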
+++ b/test/infrastructure/docker/internal/provisioning/ignition/kindadapter.go
@@ -32,6 +32,18 @@ import (
 "sigs.k8s.io/cluster-api/test/infrastructure/docker/internal/provisioning"
 )
 
+const (
+ kubeproxyComponentConfig = `
+---
+apiVersion: kubeproxy.config.k8s.io/v1alpha1
+kind: KubeProxyConfiguration
+conntrack:
+# Skip setting sysctl value "net.netfilter.nf_conntrack_max"
+# It is a global variable that affects other namespaces
+ maxPerCore: 0
+`
+)
+
 // RawIgnitionToProvisioningCommands converts an Ignition YAML document to a slice of commands.
 func RawIgnitionToProvisioningCommands(config []byte) ([]provisioning.Cmd, error) {
 // Ensure Ignition is a valid YAML document.
@@ -76,6 +88,10 @@ func getActions(userData []byte) ([]provisioning.Cmd, error) {
 contents = hackKubeadmIgnoreErrors(contents)
 }
 
+ if f.Path == "/etc/kubeadm.yml" {
+ contents = hackKubeProxySysctlWorkaround(contents)
+ }
+
 commands = append(commands, []provisioning.Cmd{
 // Idempotently create the directory.
 {Cmd: "mkdir", Args: []string{"-p", filepath.Dir(f.Path)}},
@@ -118,6 +134,13 @@ func hackKubeadmIgnoreErrors(s string) string {
 return strings.Join(lines, "\n")
 }
 
+// hackKubeProxySysctlWorkaround adds kube-proxy configuration for kubeadm so it
+// to skips setting the sysctl value for "net.netfilter.nf_conntrack_max"
+// which would fail on kind clusters because of the sysctls being read-only.
+func hackKubeProxySysctlWorkaround(s string) string {
+ return s + kubeproxyComponentConfig
+}
+
 // decodeFileContents accepts a string representing the contents of a file encoded in Ignition
 // format and returns a decoded version of the string.
 func decodeFileContents(s string) (string, error) {
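Review bot: In `kubeproxyComponentConfig` the two `#` comment lines under `conntrack:` sit at column 0 while `maxPerCore: 0` is indented; YAML accepts comments at any column, but as written it reads as though the `conntrack` mapping has already closed before `maxPerCore`. Indent both lines to match the key they describe, `  # Skip setting sysctl value "net.netfilter.nf_conntrack_max"` / `  # It is a global variable that affects other namespaces`. Since the comment already notes that the value is host-global, it would also help to say explicitly that `0` tells kube-proxy to leave the existing limit as is, so a reader does not mistake it for "no connection tracking".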
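Review bot: The new `if f.Path == "/etc/kubeadm.yml"` branch appends the KubeProxyConfiguration unconditionally, and because the constant opens with `---` it always becomes an additional YAML document, so a kubeadm config that already carries a KubeProxyConfiguration would end up with two documents of the same kind; whether kubeadm rejects that or silently picks one is worth confirming against its component-config handling. A cheap guard keeps the workaround from doubling up: `if f.Path == "/etc/kubeadm.yml" && !strings.Contains(contents, "kind: KubeProxyConfiguration") {` (`strings` is already used in this file). getActions starts before this hunk and its body continues past it.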
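Review bot: The doc comment on `hackKubeProxySysctlWorkaround` does not parse ("so it to skips setting"); suggested wording: `// hackKubeProxySysctlWorkaround appends a KubeProxyConfiguration document to the kubeadm config so kubeadm skips setting the "net.netfilter.nf_conntrack_max" sysctl, which fails on kind clusters because the sysctl is read-only there.` The body is a one-line concatenation, so the comment is also the right place to record that the result relies on `kubeproxyComponentConfig` starting with a newline and `---`, i.e. the configuration is always emitted as a separate YAML document regardless of how the input ends.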