design1.9-update #573
Thanks a lot @fabriziopandini for this 👏 👏
Overall it LGTM, but here you have the full review 😁
docs/design/design_v1.9.md
- if external etcd is not provided, [Error] if ports 2379 is used, if Etcd.DataDir folder already exists and it is not empty, | ||
- if authorization mode is ABAC, [Error] if abac_policy.json does not exists | ||
- if authorization mode is WebHook, [Error] if webhook_authz.conf does not exists | ||
In any case the user can skip specific preflight checks (or eventually all preflight checks) with the `--ignore-checks-errors` option. |
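Review bot: the option on the last line, `--ignore-checks-errors`, does not match the flag name the reviewer's comment below says is current (`--ignore-preflight-errors`); verify it against HEAD before merging, because a user who copies the documented flag gets an unknown-flag error. Two grammar fixes in the same lines: `if ports 2379 is used` → `if port 2379 is in use`, and `does not exists` (twice) → `does not exist`. The tag `[Error]` here is capitalized while the checks further down use `[error]` and `[warning]`; pick one spelling for the whole list.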
We now renamed this to `--ignore-preflight-errors` I think, please double check what's at HEAD please
docs/design/design_v1.9.md
|
||
- [warning] If the Kubernetes version to use (passed with the `--kubernetes-version` flag) is at least one minor version higher than the kubeadm CLI version. | ||
- Kubernetes system requirements: | ||
- if running on linux: |
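Review bot: `[warning]` here is lower-case while the preflight list above uses `[Error]`; the tags should be spelled consistently so readers can grep for the blocking ones. The version-skew condition itself is clear, but the line does not say what the warning asks the user to do (continue, or pick a matching `--kubernetes-version`); one clause would make it actionable. As the comment below says, the `if running on linux:` branch now needs a Windows counterpart.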
we have a couple of new things with windows here as well, please add that
- if running on linux: | ||
- [error] if not Kernel 3.10+ or 4+ with specific KernelSpec. | ||
- [error] if required cgroups subsystem aren't in set up. | ||
- if using docker: |
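Review bot: `if required cgroups subsystem aren't in set up` is ungrammatical and does not name the subsystems; suggest `if the required cgroup subsystems are not set up` plus a list of which ones, or a link to where they are defined. `with specific KernelSpec` is similarly vague for a check that blocks `init`; the reader should be able to tell which kernel configuration is required. Per the comment below, the `if using docker:` sub-list should also cover the CRI-generic checks rather than docker only.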
there have been PRs to include CRI-generic functionality, please mention that here
docs/design/design_v1.9.md
- Kubernetes DNS names (e.g. `kubernetes.default.svc.cluster.local` if `--service-dns-domain` is `cluster.local`, `kubernetes.default.svc`, `kubernetes.default`, `kubernetes`). | ||
- The node-name. | ||
- The `--apiserver-advertise-address`. | ||
- Optional extra altnamesspecified by the user. |
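Review bot: `altnamesspecified` is missing a space (`altnames specified`), as the comment below also notes. Since these four bullets define the full SAN set of the serving certificate, the last bullet is the only way to cover an address that clients will use but that is not the advertise address, the node name or a cluster DNS name; say so explicitly, so operators know to pass it rather than discovering the missing SAN at connection time.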
nit: altnames specified
docs/design/design_v1.9.md
- The `--apiserver-advertise-address`. | ||
- Optional extra altnamesspecified by the user. | ||
- A client certificate for the apiservers to connect to the kubelets securely (`apiserver-kubelet-client.crt`) using `ca.crt` as the CA with its private key (`apiserver-kubelet-client.key`). The certificate should: | ||
- Be with `kube-apiserver-kubelet-client` CN. |
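Review bot: `Be with `kube-apiserver-kubelet-client` CN` reads awkwardly and, as the comment below says, mixes what the kubelet requires with what kubeadm happens to choose. Split the list: required for the kubelet to accept the client (a client certificate signed by `ca.crt`, membership of `system:masters`) versus kubeadm-specific (the CN), e.g. `Have the CN `kube-apiserver-kubelet-client``. Also `apiservers` → `API server`, matching the singular used elsewhere in the doc.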
this is not a requirement; can you separate between requirements (client cert and system:masters) and what kubeadm additionally does (the CN)
docs/design/design_v1.9.md
1. The token will be used to validate temporary user during TLS bootstrap process; those users will be member of `system:bootstrappers:kubeadm:default-node-token` group (nb. formerly `system:bootstrappers` in v1.7) | ||
2. Starting from 1.8 token has a limited validity, default 24Hours (that can be changed with `—token-ttl` flag) | ||
1. The token will be used to validate temporary user during TLS bootstrap process; those users will be member of `system:bootstrappers:kubeadm:default-node-token` group. | ||
2. Token has a limited validity, default 24Hours (that can be changed with `—token-ttl` flag) |
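Review bot: `—token-ttl` on both the old and the new item 2 uses an em-dash character instead of two hyphens, so the flag does not work when copied; write `--token-ttl`. Same line: `24Hours` → `24 hours` (the comment below gives a full rewording). Item 1: `validate temporary user` → `validate temporary users` and `will be member` → `will be members`. The change also drops the `(nb. formerly `system:bootstrappers` in v1.7)` note; consider keeping one clause about the old group name, since readers coming from 1.7 will look for it.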
The token... (referencing "The default token created by kubeadm init" above)
default 24 hours (the interval may be changed with the --token-ttl flag)
@@ -318,7 +368,6 @@ Additionally it is created a role and a RoleBinding granting access for to the C | |||
Please note that | |||
|
|||
1. The access to the `cluster-info` ConfigMap _is not_ rate-limited. This may or may not be a problem if you expose your master to the internet; worst-case scenario here is a DoS attack where an attacker uses all the in-flight requests the kube-apiserver can handle to serving the `cluster-info` ConfigMap. | |||
2. This phase can be invoked individually with the `kubeadm phase bootstrap-token node allow-auto-approve` command. |
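Review bot: item 2 names `kubeadm phase bootstrap-token node allow-auto-approve`, but this section is about the `cluster-info` ConfigMap, so the phase reference looks wrong (the comment below suggests `bootstrap-token cluster-info`). Item 1 is the one security caveat of the section: an unrate-limited read of `cluster-info`. Rather than `may or may not be a problem`, state what the operator can do (not exposing the master to the internet, or putting a rate-limiting front end before the API server) so the risk is paired with a mitigation. Grammar: `to serving` → `to serve`; the hunk header `granting access for to the C` has a stray `for`.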
change this to reference phase bootstrap-token cluster-info instead?
docs/design/design_v1.9.md
|
||
If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`: | ||
|
||
1. Read the kubelet base configuration from the `kubelet-base-config-v1.9` ConfigMap in the `kube-system` namespace, and write it to disk as kubelet init configuration file `/var/lib/kubelet/config/init/kubelet`. |
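Review bot: step 1 does not say which credential performs the read of the `kubelet-base-config-v1.9` ConfigMap; the comment below says it is the Bootstrap Token, and that matters because anyone reviewing RBAC needs to know which identity must be allowed to `get` that ConfigMap in `kube-system`. Suggest the wording proposed below, and fix the double space the nit mentions.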
`kubelet-base-config-v1.9` ConfigMap in the `kube-system` namespace using the Bootstrap Token credentials, and write it to ...
nit: one space instead of two spaces here
You could point out that this will make the kubelet start if the right params (also outlined above, but could be copied here as well) are set
docs/design/design_v1.9.md
If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`: | ||
|
||
1. Read the kubelet base configuration from the `kubelet-base-config-v1.9` ConfigMap in the `kube-system` namespace, and write it to disk as kubelet init configuration file `/var/lib/kubelet/config/init/kubelet`. | ||
2. As soon as kubelet starts, update current node configuration specifying that the the source for the node/kubelet configuration is the above ConfigMap. |
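Review bot: `the the source` is a duplicated word. Step 2 is a write to the Node object, so the credential used is relevant to anyone auditing what the bootstrap identity may do; per the comment below it is the node's own credential from `/etc/kubernetes/kubelet.conf`, which should be stated in the step. Also `As soon as kubelet starts` → `As soon as the kubelet starts`.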
This is done using the Node's own credential (/etc/kubernetes/kubelet.conf)
You could copy the text I proposed above for this
docs/design/design_v1.9.md
|
||
Please note that: | ||
|
||
1. Self hosting is not yet resilient to node restarts; this can be fixed with external checkpointing; in 1.9 kubelet checkpointing for the control plane pods will be available as well | ||
1. Self hosting is not yet resilient to node restarts; this can be fixed with external checkpointing; kubelet checkpointing for the control plane Pods will fix this soon |
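Review bot: the new wording `will fix this soon` is vaguer than the old `in 1.9 ... will be available`; the comment below says v1.9 is still the target, so either keep the version or say `is planned`. Consistency: `Self hosting` here versus `self-hosting` in the heading further down, and `Pods` capitalized on the new line versus `pods` on the old one.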
We're hoping to have this fixed in v1.9 😁
030e6ed to 9b468d6
|
||
### (Optional) self-hosting | ||
### (Optional and alpha in v1.9) self-hosting | ||
|
||
This phase is performed only if `kubeadm init` is invoked with `—features-gates=self-hosting` |
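Review bot: `—features-gates=self-hosting` has three problems in one flag: an em-dash instead of `--`, `features-gates` instead of `feature-gates`, and the gate value `self-hosting` where this doc writes gates in CamelCase (`DynamicKubeletConfig` earlier); the comment below gives the corrected `--feature-gates=SelfHosting`. The same em-dash problem affects `—token-ttl` earlier in the diff. Since the heading now says `alpha in v1.9`, the sentence could also say whether the gate is off by default.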
`—features-gates=self-hosting` --> `--feature-gates=SelfHosting`
/lgtm
Thanks, let's move this to the official docs now as well!
can fix @xiangpengzhao's comment later as a follow-up
fixes #563 Update design doc for v1.9
Nb. this document will be moved into the official kubernetes.io docs after the reshuffle of the kubeadm reference doc merges (kubernetes/website#6103)