design1.9-update #573
design1.9-update #573
Conversation
k8s-ci-robot
added
cncf-cla: yes
There was a problem hiding this comment.
Thanks a lot @fabriziopandini for this 👏 👏
Overall it LGTM, but here you have the full review 😁
docs/design/design_v1.9.md
Outdated
| - if external etcd is not provided, [Error] if ports 2379 is used, if Etcd.DataDir folder already exists and it is not empty, | ||
| - if authorization mode is ABAC, [Error] if abac_policy.json does not exists | ||
| - if authorization mode is WebHook, [Error] if webhook_authz.conf does not exists | ||
| In any case the user can skip specific preflight checks (or eventually all preflight checks) with the `--ignore-checks-errors` option. |
There was a problem hiding this comment.
We now renamed this to --ignore-preflight-errors I think, please double check what's at HEAD please
docs/design/design_v1.9.md
Outdated
|
|
||
| - [warning] If the Kubernetes version to use (passed with the `--kubernetes-version` flag) is at least one minor version higher than the kubeadm CLI version. | ||
| - Kubernetes system requirements: | ||
| - if running on linux: |
There was a problem hiding this comment.
we have a couple of new things with windows here as well, please add that
| - if running on linux: | ||
| - [error] if not Kernel 3.10+ or 4+ with specific KernelSpec. | ||
| - [error] if required cgroups subsystem aren't in set up. | ||
| - if using docker: |
There was a problem hiding this comment.
there have been PRs to include CRI-generic functionality, please mention that here
docs/design/design_v1.9.md
Outdated
| - Kubernetes DNS names (e.g. `kubernetes.default.svc.cluster.local` if `--service-dns-domain` is `cluster.local`, `kubernetes.default.svc`, `kubernetes.default`, `kubernetes`). | ||
| - The node-name. | ||
| - The `--apiserver-advertise-address`. | ||
| - Optional extra altnamesspecified by the user. |
docs/design/design_v1.9.md
Outdated
| - The `--apiserver-advertise-address`. | ||
| - Optional extra altnamesspecified by the user. | ||
| - A client certificate for the apiservers to connect to the kubelets securely (`apiserver-kubelet-client.crt`) using `ca.crt` as the CA with its private key (`apiserver-kubelet-client.key`). The certificate should: | ||
| - Be with `kube-apiserver-kubelet-client` CN. |
There was a problem hiding this comment.
this is not a requirement; can you separate between requirements (clientcert and system:masters) and what kubeadm additionally does (the CN)
docs/design/design_v1.9.md
Outdated
| 1. The token will be used to validate temporary user during TLS bootstrap process; those users will be member of `system:bootstrappers:kubeadm:default-node-token` group (nb. formerly `system:bootstrappers` in v1.7) | ||
| 2. Starting from 1.8 token has a limited validity, default 24Hours (that can be changed with `—token-ttl` flag) | ||
| 1. The token will be used to validate temporary user during TLS bootstrap process; those users will be member of `system:bootstrappers:kubeadm:default-node-token` group. | ||
| 2. Token has a limited validity, default 24Hours (that can be changed with `—token-ttl` flag) |
There was a problem hiding this comment.
The token... (referencing "The default token created by kubeadm init" above)
default 24 hours (the interval may be changed with the --token-ttl flag)
| @@ -318,7 +368,6 @@ Additionally it is created a role and a RoleBinding granting access for to the C | |||
| Please note that | |||
|
|
|||
| 1. The access to the `cluster-info` ConfigMap _is not_ rate-limited. This may or may not be a problem if you expose your master to the internet; worst-case scenario here is a DoS attack where an attacker uses all the in-flight requests the kube-apiserver can handle to serving the `cluster-info` ConfigMap. | |||
| 2. This phase can be invoked individually with the `kubeadm phase bootstrap-token node allow-auto-approve` command. | |||
There was a problem hiding this comment.
change this to reference phase bootstrap-token cluster-info instead?
docs/design/design_v1.9.md
Outdated
|
|
||
| If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`: | ||
|
|
||
| 1. Read the kubelet base configuration from the `kubelet-base-config-v1.9` ConfigMap in the `kube-system` namespace, and write it to disk as kubelet init configuration file `/var/lib/kubelet/config/init/kubelet`. |
There was a problem hiding this comment.
kubelet-base-config-v1.9 ConfigMap in the kube-system namespace using the Bootstrap Token credentials, and write it to ...
nit: one space instead of two spaces here
You could point out that this will make the kubelet start if the right params (also outlined above, but could be copied here as well) are set
docs/design/design_v1.9.md
Outdated
| If kubeadm is invoked with `--feature-gates=DynamicKubeletConfig`: | ||
|
|
||
| 1. Read the kubelet base configuration from the `kubelet-base-config-v1.9` ConfigMap in the `kube-system` namespace, and write it to disk as kubelet init configuration file `/var/lib/kubelet/config/init/kubelet`. | ||
| 2. As soon as kubelet starts, update current node configuration specifying that the the source for the node/kubelet configuration is the above ConfigMap. |
There was a problem hiding this comment.
This is done using the Node's own credential (/etc/kubernetes/kubelet.conf)
You could copy the text I proposed above for this
docs/design/design_v1.9.md
Outdated
|
|
||
| Please note that: | ||
|
|
||
| 1. Self hosting is not yet resilient to node restarts; this can be fixed with external checkpointing; in 1.9 kubelet checkpointing for the control plane pods will be available as well | ||
| 1. Self hosting is not yet resilient to node restarts; this can be fixed with external checkpointing; kubelet checkpointing for the control plane Pods will fix this soon |
There was a problem hiding this comment.
We're hoping to have this fixed in v1.9 😁
fabriziopandini
force-pushed
the
design1.9-update
branch
from
030e6ed
to
9b468d6
Compare
|
|
||
| ### (Optional) self-hosting | ||
| ### (Optional and alpha in v1.9) self-hosting | ||
|
|
||
| This phase is performed only if `kubeadm init` is invoked with `—features-gates=self-hosting` |
There was a problem hiding this comment.
—features-gates=self-hosting --> --feature-gates=SelfHosting
k8s-ci-robot
added
the
lgtm
|
can fix @xiangpengzhao comment later as a follow-up |
fixes #563 Update design doc for v1.9
Nb. this document will be moved into the official kubernetes.io docs after reshuffle of kubeadm reference doc will merge (kubernetes/website#6103)