- Jan 22, 2018
-
-
Stanislav Makar authored
Fix 'no such host' problem reported by commands *kubectl logs* and *kubectl exec* when cloud_provider is OpenStack Closes: #2147
-
- Jan 09, 2018
-
-
abelgana authored
-
abelgana authored
-
Peter Slijkhuis authored
-
- Jan 05, 2018
-
-
Philippe Chepy authored
-
- Jan 03, 2018
-
-
RongZhang authored
Remove blank lines
-
- Dec 25, 2017
-
-
Matthew Mosesohn authored
Update checksum for kubeadm Use v1.9.0 kubeadm params Include hash of ca.crt for kubeadm join Update tag for testing upgrades Add workaround for testing upgrades Remove scale CI scenarios because of slow inventory parsing in ansible 2.4.x. Change region for tests to us-central1 to improve ansible performance
-
- Dec 23, 2017
-
-
Jan Jungnickel authored
-
- Dec 22, 2017
-
-
Matthew Mosesohn authored
-
- Dec 20, 2017
-
-
Matthew Mosesohn authored
This does not update v1.9.0, but fixes two incompatibilities when trying to deploy v1.9.0.
-
- Dec 19, 2017
-
-
Matthew Mosesohn authored
Starting with Kubernetes v1.8.4, kubelet ignores the AWS cloud provider string and uses the override hostname, which fails Node admission checks. Fixes #2094
-
- Dec 12, 2017
-
-
Chad Swenson authored
As we have seen with other containers, sometimes container removal fails on the first attempt due to some Docker bugs. Retrying typically corrects the issue.
-
- Dec 11, 2017
-
-
ArchiFleKs authored
OpenStack authentication does not support using a mix of DomainID and DomainName, only one or the other should be used.
-
- Dec 06, 2017
-
-
Kuldip Madnani authored
* Adding changes to handle updation of yum cache in rhel. * Removed the redundant spaces
-
Matthew Mosesohn authored
-
- Nov 29, 2017
-
-
Steven Hardy authored
* Allow setting --bind-address for apiserver hyperkube This is required if you wish to configure a loadbalancer (e.g haproxy) running on the master nodes without choosing a different port for the vip from that used by the API - in this case you need the API to bind to a specific interface, then haproxy can bind the same port on the VIP: root@overcloud-controller-0 ~]# netstat -taupen | grep 6443 tcp 0 0 192.168.24.6:6443 0.0.0.0:* LISTEN 0 680613 134504/haproxy tcp 0 0 192.168.24.16:6443 0.0.0.0:* LISTEN 0 653329 131423/hyperkube tcp 0 0 192.168.24.16:6443 192.168.24.16:58404 ESTABLISHED 0 652991 131423/hyperkube tcp 0 0 192.168.24.16:58404 192.168.24.16:6443 ESTABLISHED 0 652986 131423/hyperkube This can be achieved e.g via: kube_apiserver_bind_address: 192.168.24.16 * Address code review feedback * Update kube-apiserver.manifest.j2
-
unclejack authored
* Add Contiv support Contiv is a network plugin for Kubernetes and Docker. It supports vlan/vxlan/BGP/Cisco ACI technologies. It support firewall policies, multiple networks and bridging pods onto physical networks. * Update contiv version to 1.1.4 Update contiv version to 1.1.4 and added SVC_SUBNET in contiv-config. * Load openvswitch module to workaround on CentOS7.4 * Set contiv cni version to 0.1.0 Correct contiv CNI version to 0.1.0. * Use kube_apiserver_endpoint for K8S_API_SERVER Use kube_apiserver_endpoint as K8S_API_SERVER to make contiv talks to a available endpoint no matter if there's a loadbalancer or not. * Make contiv use its own etcd Before this commit, contiv is using a etcd proxy mode to k8s etcd, this work fine when the etcd hosts are co-located with contiv etcd proxy, however the k8s peering certs are only in etcd group, as a result the etcd-proxy is not able to peering with the k8s etcd on etcd group, plus the netplugin is always trying to find the etcd endpoint on localhost, this will cause problem for all netplugins not runnign on etcd group nodes. This commit make contiv uses its own etcd, separate from k8s one. on kube-master nodes (where net-master runs), it will run as leader mode and on all rest nodes it will run as proxy mode. * Use cp instead of rsync to copy cni binaries Since rsync has been removed from hyperkube, this commit changes it to use cp instead. * Make contiv-etcd able to run on master nodes * Add rbac_enabled flag for contiv pods * Add contiv into CNI network plugin lists * migrate contiv test to tests/files Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com> * Add required rules for contiv netplugin * Better handling json return of fwdMode * Make contiv etcd port configurable * Use default var instead of templating * roles/download/defaults/main.yml: use contiv 1.1.7 Signed-off-by: Cristian Staretu <cristian.staretu@gmail.com>
-
Di Xu authored
-
- Nov 23, 2017
-
-
Bogdan Dobrelya authored
* Defaults for apiserver_loadbalancer_domain_name When loadbalancer_apiserver is defined, use the apiserver_loadbalancer_domain_name with a given default value. Fix unconsistencies for checking if apiserver_loadbalancer_domain_name is defined AND using it with a default value provided at once. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru> * Define defaults for LB modes in common defaults Adjust the defaults for apiserver_loadbalancer_domain_name and loadbalancer_apiserver_localhost to come from a single source, which is kubespray-defaults. Removes some confusion and simplefies the code. Signed-off-by: Bogdan Dobrelya <bogdando@mail.ru>
-
Bob Killen authored
-
- Nov 15, 2017
-
-
Chad Swenson authored
This version required changing the previous access model for dashboard completely but it's a change for the better. Docs were updated. * New login/auth options that use apiserver auth proxying by default * Requires RBAC in `authorization_modes` * Only serves over https * No longer available at https://first_master:6443/ui until apiserver is updated with the https proxy URL: * Can access from https://first_master:6443/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/#!/login you will be prompted for credentials * Or you can run 'kubectl proxy' from your local machine to access dashboard in your browser from: http://localhost:8001/api/v1/namespaces/kube-system/services/https:kubernetes-dashboard:/proxy/ * It is recommended to access dashboard from behind a gateway that enforces an authentication token, details and other access options here: https://github.com/kubernetes/dashboard/wiki/Accessing-Dashboard---1.7.X-and-above
-
- Nov 14, 2017
-
-
Matthew Mosesohn authored
-
Chad Swenson authored
Thought this wasn't required at first but I forgot there's no auto flush at the end of these tasks since the `kubernetes/master` role is not the end of the play.
-
- Nov 13, 2017
-
-
neith00 authored
* adding mount for kubelet to enable rbd mounts * fix conditionnal variable name
-
- Nov 08, 2017
-
-
Chad Swenson authored
* Fixes an issue where apiserver and friends (controller manager, scheduler) were prevented from restarting after manifests/secrets are changed. This occurred when a replaced kubelet doesn't reconcile new master manifests, which caused old master component versions to linger during deployment. In my case this was causing upgrades from k8s 1.6/1.7 -> k8s 1.8 to fail * Improves transitions from kubelet container to host kubelet by preventing issues where kubelet container reappeared during the deployment
-
- Nov 06, 2017
-
-
Chad Swenson authored
This allows `kube_apiserver_insecure_port` to be set to 0 (disabled). It's working, but so far I have had to: 1. Make the `uri` module "Wait for apiserver up" checks use `kube_apiserver_port` (HTTPS) 2. Add apiserver client cert/key to the "Wait for apiserver up" checks 3. Update apiserver liveness probe to use HTTPS ports 4. Set `kube_api_anonymous_auth` to true to allow liveness probe to hit apiserver's /healthz over HTTPS (livenessProbes can't use client cert/key unfortunately) 5. RBAC has to be enabled. Anonymous requests are in the `system:unauthenticated` group which is granted access to /healthz by one of RBAC's default ClusterRoleBindings. An equivalent ABAC rule could allow this as well. Changes 1 and 2 should work for everyone, but 3, 4, and 5 require new coupling of currently independent configuration settings. So I also added a new settings check. Options: 1. The problem goes away if you have both anonymous-auth and RBAC enabled. This is how kubeadm does it. This may be the best way to go since RBAC is already on by default but anonymous auth is not. 2. Include conditional templates to set a different liveness probe for possible combinations of `kube_apiserver_insecure_port = 0`, RBAC, and `kube_api_anonymous_auth` (won't be possible to cover every case without a guaranteed authorizer for the secure port) 3. Use basic auth headers for the liveness probe (I really don't like this, it adds a new dependency on basic auth which I'd also like to leave independently configurable, and it requires encoded passwords in the apiserver manifest) Option 1 seems like the clear winner to me, but is there a reason we wouldn't want anonymous-auth on by default? The apiserver binary defaults anonymous-auth to true, but kubespray's default was false.
-
Günther Grill authored
-
Haiwei Liu authored
Signed-off-by: Haiwei Liu <carllhw@gmail.com>
-
- Nov 05, 2017
-
-
Stanislav Makar authored
-
- Nov 03, 2017
-
-
Matthew Mosesohn authored
* Set host IP for kubelet always Use ansible default IP if ip var is not set. * Update main.yml
-
Günther Grill authored
* Change deprecated vagrant ansible flag 'sudo' to 'become' * Workaround ansible bug where access var via dict doesn't get real value When accessing a variable via it's name "{{ foo }}" its value is retrieved. But when the variable value is retrieved via the vars-dict "{{ vars['foo'] }}" this doesn't resolve the expression of the variable any more due to a bug. So e.g. a expression foo="{{ 1 == 1 }}" isn't longer resolved but just returned as string "1 == 1". * Make file yamllint complient
-
Spencer Smith authored
-
- Nov 02, 2017
-
-
Matthew Mosesohn authored
-
- Nov 01, 2017
-
-
Chad Swenson authored
Some time ago I think the hardcoded `/var/lib/docker` was required, but kubelet running in a container has been aware of the Docker path since at least as far back as k8s 1.6. Without this change, you see a large number of errors in the kubelet logs if you installed with a non-default `docker_daemon_graph`
-
Matthew Mosesohn authored
-
Vicenç Juan Tomàs Montserrat authored
-
- Oct 31, 2017
-
-
Spencer Smith authored
-
- Oct 30, 2017
-
-
Matthew Mosesohn authored
-
Spencer Smith authored
-
abelgana authored
-