kubernetes: 1.19.5 -> 1.20.4 (dockerd -> containerd) #114737
I believe the kube-addons manager can be provided with a deprecation message since upstream did deprecate the concept (not meant to block anything, just a chore idea). The CI tests fail at the same point as the other two PRs for good reason, the attribute is effectively not declared in Thank you a lot for pushing this!
    # iptables must be disabled for kubernetes
    extraOptions = "--iptables=false --ip-masq=false";
  systemd.services.containerd =
I think creating a containerd module would be better rather than adding it here, would also allow it to be used independent of k8s.
Will look into separating this now.
First version separate module here (7fc7d420b32f8dae291990a8ef5f6670a98f43d4)
Heads up for reviewers: 964ee25fed6772b955f6d5d603bbf9a4a8385e2a adds limits and oomscore for the containerd systemd-service. Personally, I feel
Branch force-pushed from e9b2d54 to 73946c9.
Added release note. IMHO manual changes are not needed for now, since sec-kubernetes doesn't mention docker specifically. With regards to the deprecated addon-manager, I plan to create an issue on removing this, but that's likely gonna be a next-release (21.11) thing. (kind of expected we now have rel-note merge conflicts, will rebase nixos-unstable shortly)
Branch force-pushed from ba0d335 to 0c54bc9.
Branch force-pushed from 0c54bc9 to 5e0b48e.
LGTM, thanks @johanot.
LGTM
….X as well as coredns v1.7.X
also, nixos/containerd: module init
Branch force-pushed from 5e0b48e to 7b5c38e.
Rebased on master to resolve a merge conflict in I'm running the nixos tests, I'll merge after they pass.
@ofborg build kubernetes
For informative purposes only: We should try to get this change into packages before next NixOS release.
Motivation for this change
This is an alternative to #109275 and #114722
Since docker 20.X has removed dockershim and Kubernetes as well has deprecated docker as container-runtime, it seemed sensible to switch to containerd as default runtime for the NixOS module.
The standard RBAC and DNS tests pass on my machine:
nix-build nixos/release.nix -A tests.kubernetes.rbac.singlenode -A tests.kubernetes.rbac.multinode -A tests.kubernetes.dns.singlenode -A tests.kubernetes.dns.multinode
The PR is WIP because it still lacks documentation. Notably rel-notes, but probably also updates to sec-kubernetes in the manual.
Also, I'd like reviewers' input on the question of how production ready the container runtime should be configured. Currently, I've gone with a minimal containerd.toml and minimal systemd parameters for the service. For production workloads, one likely wants to configure things like ulimits, oom-scores, cgroup params etc. Some of these settings are already set explicitly for virtualisation.docker, so users might expect this to be taken care of upstream. Let me hear your thoughts.
cc @saschagrunert @srhb
Things done
- Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
- Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
- Tested execution of all binary files (usually in ./result/bin/)
- Determined the impact on package closure size (by running nix path-info -S before and after)
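The PR description asks how production-ready the containerd service should be configured (ulimits, oom-scores, cgroup parameters) beyond the minimal systemd parameters it ships. The NixOS fragment below is an added example, not code from this PR or from the nixpkgs module it introduces. It uses the real NixOS option `systemd.services.<name>.serviceConfig` to set the limits that the upstream containerd systemd unit uses; the option `virtualisation.containerd.enable` is assumed to be what the new module exposes and is not confirmed by this page.

```nix
# Added example: hardening the containerd systemd unit on NixOS.
# Not part of the PR; virtualisation.containerd.enable is an assumed option name.
{ config, lib, pkgs, ... }:

{
  virtualisation.containerd.enable = true;  # assumption: option provided by the new module

  systemd.services.containerd.serviceConfig = {
    # Delegate the cgroup subtree to containerd so it can account for and
    # limit pod cgroups itself instead of fighting with systemd.
    Delegate = "yes";
    # Restarting the daemon must not kill the containers it supervises.
    KillMode = "process";

    # ulimits: the runtime and its shims open many file descriptors and
    # spawn many threads; the defaults are too low for a busy node.
    LimitNOFILE = 1048576;
    LimitNPROC = "infinity";
    LimitCORE = "infinity";
    TasksMax = "infinity";

    # oom-score: make the kernel OOM killer prefer workload processes over
    # the runtime daemon, otherwise one greedy pod can take the node down.
    OOMScoreAdjust = -999;

    Restart = "always";
    RestartSec = "5s";
  };
}
```

The values mirror the upstream containerd.service unit; the security-relevant ones are `Delegate` (keeps cgroup-based resource isolation of pods intact) and `OOMScoreAdjust` (keeps memory pressure from a single tenant from killing the runtime for every tenant on the node). After applying the fragment, `systemctl show containerd -p LimitNOFILE -p OOMScoreAdjust -p Delegate` shows whether the unit picked the settings up.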