From a08556934f6436fe85eb55c64054d05eba4082dd Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 5 Jun 2018 08:15:20 -0300 Subject: [PATCH 01/22] ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version --- roles/docker/tasks/main.yml | 9 +++++++++ .../docker/templates/apt_preferences.d/debian_docker.j2 | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 roles/docker/templates/apt_preferences.d/debian_docker.j2 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index f2ce701829c..c2c8cc5d2df 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -118,6 +118,15 @@ notify: restart docker when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0) +# This is required to ensure any apt upgrade will not break kubernetes +- name: Set docker pin priority to apt_preferences on Debian family + template: + src: "apt_preferences.d/debian_docker.j2" + dest: "/etc/apt/preferences.d/docker" + owner: "root" + mode: 0644 + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + - name: ensure service is started if docker packages are already present service: name: docker diff --git a/roles/docker/templates/apt_preferences.d/debian_docker.j2 b/roles/docker/templates/apt_preferences.d/debian_docker.j2 new file mode 100644 index 00000000000..f21008b6c14 --- /dev/null +++ b/roles/docker/templates/apt_preferences.d/debian_docker.j2 @@ -0,0 +1,3 @@ +Package: docker-ce +Pin: version {{ docker_version }}.* +Pin-Priority: 1001 \ No newline at end of file From 11858363e40b034a64bbce281e3f9abc87029fca Mon Sep 17 00:00:00 2001 
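Review bot: The `when:` on the new template task is an exclusion list rather than the positive check its name promises, so any OS family that is not CoreOS, RedHat or Suse (and not atomic) gets `/etc/apt/preferences.d/docker` written even where apt does not exist; `when: ansible_os_family == "Debian" and not is_atomic` says what is meant and fails closed on unlisted families. `mode: 0644` should be quoted as `mode: "0644"` so the permission bits do not depend on the YAML loader's octal handling, and the task sets `owner: "root"` without a matching `group: "root"`. The same hunk is repeated verbatim in PATCH 02, 04 and 08; these remarks apply there as well.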
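Review bot: `Pin-Priority: 1001` combined with `Pin: version {{ docker_version }}.*` does more than block the incompatible upgrade the commit describes: a priority above 1000 also forces a downgrade of any newer docker-ce already installed, and the host stays on that series for security fixes until `docker_version` is bumped. That trade-off deserves a comment in the template, e.g. `{# priority > 1000 forces this series even over a newer installed package; raise docker_version to pick up fixes #}`. The file is also committed without a trailing newline (`\ No newline at end of file`), which apt tolerates but which will appear in every future diff of it. If `docker_package_info` installs a package other than `docker-ce` on some Debian releases (not visible here), the pin does not cover it.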
From: Pablo Estigarribia Date: Tue, 5 Jun 2018 08:15:20 -0300 Subject: [PATCH 02/22] ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version --- roles/docker/tasks/main.yml | 9 +++++++++ .../docker/templates/apt_preferences.d/debian_docker.j2 | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 roles/docker/templates/apt_preferences.d/debian_docker.j2 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index f2ce701829c..c2c8cc5d2df 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -118,6 +118,15 @@ notify: restart docker when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0) +# This is required to ensure any apt upgrade will not break kubernetes +- name: Set docker pin priority to apt_preferences on Debian family + template: + src: "apt_preferences.d/debian_docker.j2" + dest: "/etc/apt/preferences.d/docker" + owner: "root" + mode: 0644 + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + - name: ensure service is started if docker packages are already present service: name: docker diff --git a/roles/docker/templates/apt_preferences.d/debian_docker.j2 b/roles/docker/templates/apt_preferences.d/debian_docker.j2 new file mode 100644 index 00000000000..f21008b6c14 --- /dev/null +++ b/roles/docker/templates/apt_preferences.d/debian_docker.j2 @@ -0,0 +1,3 @@ +Package: docker-ce +Pin: version {{ docker_version }}.* +Pin-Priority: 1001 \ No newline at end of file From 51e9efa9a3d0480c4020dd2b0fec90eff76f9ab1 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 10 Jun 2018 13:46:54 -0300 Subject: [PATCH 03/22] remove empty when line --- roles/etcd/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index c35a9cab656..1a934ed1a69 100644 --- a/roles/etcd/tasks/main.yml 
+++ b/roles/etcd/tasks/main.yml @@ -6,7 +6,6 @@ - facts - include_tasks: "gen_certs_{{ cert_management }}.yml" - when: tags: - etcd-secrets From 39165bed6432317e53b3b14ce60a0a62fa69ddba Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 5 Jun 2018 08:15:20 -0300 Subject: [PATCH 04/22] ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version --- roles/docker/tasks/main.yml | 9 +++++++++ .../docker/templates/apt_preferences.d/debian_docker.j2 | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 roles/docker/templates/apt_preferences.d/debian_docker.j2 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index f2ce701829c..c2c8cc5d2df 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -118,6 +118,15 @@ notify: restart docker when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0) +# This is required to ensure any apt upgrade will not break kubernetes +- name: Set docker pin priority to apt_preferences on Debian family + template: + src: "apt_preferences.d/debian_docker.j2" + dest: "/etc/apt/preferences.d/docker" + owner: "root" + mode: 0644 + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + - name: ensure service is started if docker packages are already present service: name: docker diff --git a/roles/docker/templates/apt_preferences.d/debian_docker.j2 b/roles/docker/templates/apt_preferences.d/debian_docker.j2 new file mode 100644 index 00000000000..f21008b6c14 --- /dev/null +++ b/roles/docker/templates/apt_preferences.d/debian_docker.j2 @@ -0,0 +1,3 @@ +Package: docker-ce +Pin: version {{ docker_version }}.* +Pin-Priority: 1001 \ No newline at end of file From 62e80bcf451b359e66f32ddddd28e3c06a905558 Mon Sep 17 00:00:00 2001 
From: Pablo Estigarribia Date: Sun, 10 Jun 2018 13:46:54 -0300 Subject: [PATCH 05/22] remove empty when line --- roles/etcd/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index c35a9cab656..1a934ed1a69 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -6,7 +6,6 @@ - facts - include_tasks: "gen_certs_{{ cert_management }}.yml" - when: tags: - etcd-secrets From 5cb8761fe0f2941b532bcbbbfb9b69113055a9a4 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Thu, 21 Jun 2018 13:39:46 -0300 Subject: [PATCH 06/22] force kubeadm upgrade due to failure without --force flag --- roles/kubernetes/master/tasks/kubeadm-setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml index b841d83572b..f08c771026b 100644 --- a/roles/kubernetes/master/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml @@ -89,6 +89,7 @@ --ignore-preflight-errors=all --allow-experimental-upgrades --allow-release-candidate-upgrades + --force register: kubeadm_upgrade # Retry is because upload config sometimes fails retries: 3 From 2a279e30b0341d8ac6e7a3aae7e003d90a5e297a Mon Sep 17 00:00:00 2001 From: Miouge1 Date: Thu, 28 Jun 2018 20:10:38 +0200 Subject: [PATCH 07/22] CheckNodePIDPressure is not supported in v1.10 --- roles/kubernetes/master/templates/kube-scheduler-policy.yaml.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/kubernetes/master/templates/kube-scheduler-policy.yaml.j2 b/roles/kubernetes/master/templates/kube-scheduler-policy.yaml.j2 index b87ec971b66..5a13d7a1ea2 100644 --- a/roles/kubernetes/master/templates/kube-scheduler-policy.yaml.j2 +++ b/roles/kubernetes/master/templates/kube-scheduler-policy.yaml.j2 
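Review bot: `--force` is added to a `kubeadm upgrade apply` invocation that already passes `--ignore-preflight-errors=all` and is retried three times (`retries: 3`), which leaves essentially no check standing between a mis-specified version and an in-place control-plane upgrade. The commit message only says the upgrade fails without the flag; record the actual failure next to it, e.g. `# --force: needed because <failure observed without it — TODO fill in>`, so the flag can be removed once the cause is fixed. The same hunk is repeated in PATCH 10. The task definition starts above the hunk.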
@@ -10,7 +10,6 @@ {"name" : "GeneralPredicates"}, {"name" : "CheckNodeMemoryPressure"}, {"name" : "CheckNodeDiskPressure"}, - {"name" : "CheckNodePIDPressure"}, {"name" : "CheckNodeCondition"}, {"name" : "PodToleratesNodeTaints"}, {"name" : "CheckVolumeBinding"} From 3b773e6381cfe802fbb928ddf493185da07e9537 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 5 Jun 2018 08:15:20 -0300 Subject: [PATCH 08/22] ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version --- roles/docker/tasks/main.yml | 9 +++++++++ .../docker/templates/apt_preferences.d/debian_docker.j2 | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 roles/docker/templates/apt_preferences.d/debian_docker.j2 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index f2ce701829c..c2c8cc5d2df 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -118,6 +118,15 @@ notify: restart docker when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0) +# This is required to ensure any apt upgrade will not break kubernetes +- name: Set docker pin priority to apt_preferences on Debian family + template: + src: "apt_preferences.d/debian_docker.j2" + dest: "/etc/apt/preferences.d/docker" + owner: "root" + mode: 0644 + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + - name: ensure service is started if docker packages are already present service: name: docker diff --git a/roles/docker/templates/apt_preferences.d/debian_docker.j2 b/roles/docker/templates/apt_preferences.d/debian_docker.j2 new file mode 100644 index 00000000000..f21008b6c14 --- /dev/null +++ b/roles/docker/templates/apt_preferences.d/debian_docker.j2 @@ -0,0 +1,3 @@ +Package: docker-ce +Pin: version {{ docker_version }}.* +Pin-Priority: 1001 \ No newline at end of file 
From 4e40d9a91b5a0c1df791124679e524516b28d1fa Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 10 Jun 2018 13:46:54 -0300 Subject: [PATCH 09/22] remove empty when line --- roles/etcd/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index c35a9cab656..1a934ed1a69 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -6,7 +6,6 @@ - facts - include_tasks: "gen_certs_{{ cert_management }}.yml" - when: tags: - etcd-secrets From 6c069bcf6ddc63f7e74f927bbcd5bdfbc854f9dc Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Thu, 21 Jun 2018 13:39:46 -0300 Subject: [PATCH 10/22] force kubeadm upgrade due to failure without --force flag --- roles/kubernetes/master/tasks/kubeadm-setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml index b841d83572b..f08c771026b 100644 --- a/roles/kubernetes/master/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml @@ -89,6 +89,7 @@ --ignore-preflight-errors=all --allow-experimental-upgrades --allow-release-candidate-upgrades + --force register: kubeadm_upgrade # Retry is because upload config sometimes fails retries: 3 From 89d442400f3ca195115ba08497a56dde5985ea2d Mon Sep 17 00:00:00 2001 
From: Pablo Estigarribia Date: Tue, 3 Jul 2018 09:55:24 -0300 Subject: [PATCH 11/22] added nodeSelector to have compatibility with hybrid cluster with win nodes, also fix for download with missing container type --- cluster.yml | 1 + inventory/sample/group_vars/all.yml | 3 ++ .../templates/dnsmasq-autoscaler.yml.j2 | 5 +++ roles/dnsmasq/templates/dnsmasq-deploy.yml | 5 +++ roles/download/tasks/main.yml | 2 +- .../templates/kubedns-autoscaler.yml.j2 | 5 +++ .../ansible/templates/kubedns-deploy.yml.j2 | 5 +++ .../templates/netchecker-agent-ds.yml.j2 | 5 +++ .../netchecker-agent-hostnet-ds.yml.j2 | 5 +++ .../efk/fluentd/templates/fluentd-ds.yml.j2 | 5 +++ .../ingress-nginx-controller-ds.yml.j2 | 4 +++ .../ingress-nginx-default-backend-rs.yml.j2 | 5 +++ .../manifests/kube-proxy.manifest.j2 | 5 +++ .../manifests/nginx-proxy.manifest.j2 | 5 +++ .../flannel/templates/cni-flannel.yml.j2 | 5 +++ .../kubernetes_patch/defaults/main.yml | 3 ++ .../files/nodeselector-os-linux-patch.json | 1 + .../win_nodes/kubernetes_patch/tasks/main.yml | 34 +++++++++++++++++++ 18 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 roles/win_nodes/kubernetes_patch/defaults/main.yml create mode 100644 roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json create mode 100644 roles/win_nodes/kubernetes_patch/tasks/main.yml diff --git a/cluster.yml b/cluster.yml index c77e9e1b51c..cb500ed6e68 100644 --- a/cluster.yml +++ b/cluster.yml @@ -93,6 +93,7 @@ roles: - { role: kubespray-defaults} - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" } + - { role: win_nodes/kubernetes_patch, tags: win_nodes, when: "kubeadm_enabled and kube_patch_win_nodes" } - hosts: kube-master any_errors_fatal: "{{ any_errors_fatal | default(true) }}" diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml index d856d064cfb..73e3b785b2f 100644 --- a/inventory/sample/group_vars/all.yml 
+++ b/inventory/sample/group_vars/all.yml @@ -103,6 +103,9 @@ bin_dir: /usr/local/bin ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy #no_proxy: "" +# patch deployments with selectors when running hybrid with win nodes +kube_patch_win_nodes: false + ## Uncomment this if you want to force overlay/overlay2 as docker storage driver ## Please note that overlay2 is only supported on newer kernels #docker_storage_options: -s overlay2 diff --git a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 index d871bcbf96d..50ba6069ee3 100644 --- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 +++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 @@ -54,3 +54,8 @@ spec: - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}} - --logtostderr=true - --v={{ kube_log_level }} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index 0fb6045e826..2ab57849a6b 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -57,6 +57,11 @@ spec: mountPath: /etc/dnsmasq.d - name: etcdnsmasqdavailable mountPath: /etc/dnsmasq.d-available +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} volumes: - name: etcdnsmasqd hostPath: diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml index 2474b402902..06def41d629 100644 --- a/roles/download/tasks/main.yml +++ b/roles/download/tasks/main.yml 
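Review bot: The new comment reads `this pod cloud try to be created in windows`; `cloud` should be `could`. The identical comment is pasted into dnsmasq-deploy.yml, kubedns-autoscaler, kubedns-deploy, both netchecker-agent daemonsets, fluentd-ds, both ingress-nginx templates, the kube-proxy and nginx-proxy manifests and cni-flannel in this same patch, so fix it once and re-paste. A shorter `# keep this pod off Windows nodes in a hybrid cluster` would also say why the selector is there rather than restating what it does.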
@@ -20,6 +20,6 @@ when: - not skip_downloads|default(false) - item.value.enabled - - item.value.container + - item.value.container|default(false) - download_run_once - group_names | intersect(download.groups) | length diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 index d7c30ecebca..7a3594315e0 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 @@ -28,6 +28,11 @@ spec: labels: k8s-app: kubedns-autoscaler spec: +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} tolerations: - effect: NoSchedule operator: Exists diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 index cfce65f0efe..0030cd40d3c 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 @@ -27,6 +27,11 @@ spec: annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} tolerations: - key: "CriticalAddonsOnly" operator: "Exists" diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 index 4f32214ebd9..7976d2acb66 100644 --- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 
@@ -15,6 +15,11 @@ spec: tolerations: - effect: NoSchedule operator: Exists +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} containers: - name: netchecker-agent image: "{{ agent_img }}" diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 index 76fca481283..512b59533fa 100644 --- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 @@ -13,6 +13,11 @@ spec: app: netchecker-agent-hostnet spec: hostNetwork: True +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} {% if kube_version | version_compare('v1.6', '>=') %} dnsPolicy: ClusterFirstWithHostNet {% endif %} diff --git a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 index 3a911cf3894..55545f54822 100644 --- a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 +++ b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 @@ -30,6 +30,11 @@ spec: priorityClassName: system-node-critical {% if rbac_enabled %} serviceAccountName: efk +{% endif %} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux {% endif %} containers: - name: fluentd-es diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 index 40e1d471503..c188b650e09 100644 
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 @@ -29,6 +29,10 @@ spec: {% endif %} nodeSelector: node-role.kubernetes.io/ingress: "true" +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + beta.kubernetes.io/os: linux +{% endif %} terminationGracePeriodSeconds: 60 containers: - name: ingress-nginx-controller diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 index c0bed920b25..ae32a7056d9 100644 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 @@ -35,3 +35,8 @@ spec: timeoutSeconds: 5 ports: - containerPort: 8080 +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 index 2209709b6f8..7b305c18811 100644 --- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 +++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 @@ -11,6 +11,11 @@ spec: hostNetwork: true {% if kube_version | version_compare('v1.6', '>=') %} dnsPolicy: ClusterFirst +{% endif %} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux {% endif %} containers: - name: kube-proxy 
diff --git a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 index a1e9a78156a..8205bb054f3 100644 --- a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 +++ b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 @@ -7,6 +7,11 @@ metadata: k8s-app: kube-nginx spec: hostNetwork: true +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} containers: - name: nginx-proxy image: {{ nginx_image_repo }}:{{ nginx_image_tag }} diff --git a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 index 7ecb21ad068..10f6e1264f7 100644 --- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 +++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 @@ -54,6 +54,11 @@ spec: spec: {% if rbac_enabled %} serviceAccountName: flannel +{% endif %} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux {% endif %} containers: - name: kube-flannel diff --git a/roles/win_nodes/kubernetes_patch/defaults/main.yml b/roles/win_nodes/kubernetes_patch/defaults/main.yml new file mode 100644 index 00000000000..6254f29ae18 --- /dev/null +++ b/roles/win_nodes/kubernetes_patch/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +kubernetes_user_manifests_path: "{{ ansible_env.HOME }}/kube-manifests" diff --git a/roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json b/roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json new file mode 100644 index 00000000000..d718ff4465e --- /dev/null +++ b/roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json 
@@ -0,0 +1 @@ +{"spec":{"template":{"spec":{"nodeSelector":{"beta.kubernetes.io/os":"linux"}}}}} \ No newline at end of file diff --git a/roles/win_nodes/kubernetes_patch/tasks/main.yml b/roles/win_nodes/kubernetes_patch/tasks/main.yml new file mode 100644 index 00000000000..37e57f33614 --- /dev/null +++ b/roles/win_nodes/kubernetes_patch/tasks/main.yml @@ -0,0 +1,34 @@ +--- + +- name: Ensure that user manifests directory exists + file: + path: "{{ kubernetes_user_manifests_path }}/kubernetes" + state: directory + recurse: yes + tags: [init, cni] + +- name: Apply kube-proxy nodeselector + block: + - name: Copy kube-proxy daemonset nodeselector patch + copy: + src: nodeselector-os-linux-patch.json + dest: "{{ kubernetes_user_manifests_path }}/nodeselector-os-linux-patch.json" + + # Due to https://github.com/kubernetes/kubernetes/issues/58212 we cannot rely on exit code for "kubectl patch" + - name: Check current nodeselector for kube-proxy daemonset + shell: kubectl get ds kube-proxy --namespace=kube-system -o jsonpath='{.spec.template.spec.nodeSelector.beta\.kubernetes\.io/os}' + register: current_kube_proxy_state + + - name: Apply nodeselector patch for kube-proxy daemonset + shell: kubectl patch ds kube-proxy --namespace=kube-system --type=strategic -p "$(cat nodeselector-os-linux-patch.json)" + args: + chdir: "{{ kubernetes_user_manifests_path }}" + register: patch_kube_proxy_state + when: current_kube_proxy_state.stdout | trim | lower != "linux" + + - debug: msg={{ patch_kube_proxy_state.stdout_lines }} + when: patch_kube_proxy_state is not skipped + + - debug: msg={{ patch_kube_proxy_state.stderr_lines }} + when: patch_kube_proxy_state is not skipped + tags: init From e6f82590a79907d445b78e5b173ea36d3afeb420 Mon Sep 17 00:00:00 2001 
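Review bot: Both `shell` tasks call a bare `kubectl`, resolved through the remote user's PATH, whereas the rest of the playbook appears to address binaries via `bin_dir` (`/usr/local/bin` in the sample `group_vars/all.yml` touched by this same patch); use `{{ bin_dir }}/kubectl` in both commands so the task runs the kubectl that was installed rather than whatever is first on PATH. The copy task, the `chdir` and the `$(cat nodeselector-os-linux-patch.json)` substitution exist only to feed the JSON to `-p`; `-p '{{ lookup("file", "nodeselector-os-linux-patch.json") }}'` reads the role file on the controller and removes the copy step and the reason to use `shell` at all. The first task creates a `kubernetes` subdirectory that nothing in this hunk uses, and `recurse: yes` has no effect without owner/mode to apply; `path: "{{ kubernetes_user_manifests_path }}"` without `recurse` is enough. The two `debug: msg={{ ... }}` tasks would read better in block form with the expression quoted: `debug:` / `msg: "{{ patch_kube_proxy_state.stdout_lines }}"`.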
From: Pablo Estigarribia Date: Wed, 4 Jul 2018 10:06:20 -0300 Subject: [PATCH 12/22] fixes in syntax and LF for newline in files --- roles/dnsmasq/templates/dnsmasq-deploy.yml | 2 - .../kubernetes_patch/defaults/main.yml | 6 +- .../win_nodes/kubernetes_patch/tasks/main.yml | 68 +++++++++---------- 3 files changed, 37 insertions(+), 39 deletions(-) diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index 2ab57849a6b..72a7a160358 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -57,11 +57,9 @@ spec: mountPath: /etc/dnsmasq.d - name: etcdnsmasqdavailable mountPath: /etc/dnsmasq.d-available -{% if kube_patch_win_nodes %} # When having win nodes in cluster without this patch, this pod cloud try to be created in windows nodeSelector: beta.kubernetes.io/os: linux -{% endif %} volumes: - name: etcdnsmasqd hostPath: diff --git a/roles/win_nodes/kubernetes_patch/defaults/main.yml b/roles/win_nodes/kubernetes_patch/defaults/main.yml index 6254f29ae18..587f73ab42b 100644 --- a/roles/win_nodes/kubernetes_patch/defaults/main.yml +++ b/roles/win_nodes/kubernetes_patch/defaults/main.yml @@ -1,3 +1,3 @@ ---- - -kubernetes_user_manifests_path: "{{ ansible_env.HOME }}/kube-manifests" +--- + +kubernetes_user_manifests_path: "{{ ansible_env.HOME }}/kube-manifests" diff --git a/roles/win_nodes/kubernetes_patch/tasks/main.yml b/roles/win_nodes/kubernetes_patch/tasks/main.yml index 37e57f33614..8d88818a513 100644 --- a/roles/win_nodes/kubernetes_patch/tasks/main.yml +++ b/roles/win_nodes/kubernetes_patch/tasks/main.yml 
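Review bot: Removing the `{% if kube_patch_win_nodes %}` guard makes the `beta.kubernetes.io/os: linux` nodeSelector unconditional in this manifest, whereas every other manifest from the preceding patch keeps it behind the variable. If the guard had to go because this file is a plain `.yml` that yamllint parses (the next patch's title suggests so), say that in the comment, e.g. `# always set: this file is linted as plain YAML, so it cannot be guarded by kube_patch_win_nodes`. The selector should be harmless on Linux-only clusters as long as every node carries the `beta.kubernetes.io/os` label, but a reader comparing it with the gated templates will otherwise assume an oversight.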
@@ -1,34 +1,34 @@ ---- - -- name: Ensure that user manifests directory exists - file: - path: "{{ kubernetes_user_manifests_path }}/kubernetes" - state: directory - recurse: yes - tags: [init, cni] - -- name: Apply kube-proxy nodeselector - block: - - name: Copy kube-proxy daemonset nodeselector patch - copy: - src: nodeselector-os-linux-patch.json - dest: "{{ kubernetes_user_manifests_path }}/nodeselector-os-linux-patch.json" - - # Due to https://github.com/kubernetes/kubernetes/issues/58212 we cannot rely on exit code for "kubectl patch" - - name: Check current nodeselector for kube-proxy daemonset - shell: kubectl get ds kube-proxy --namespace=kube-system -o jsonpath='{.spec.template.spec.nodeSelector.beta\.kubernetes\.io/os}' - register: current_kube_proxy_state - - - name: Apply nodeselector patch for kube-proxy daemonset - shell: kubectl patch ds kube-proxy --namespace=kube-system --type=strategic -p "$(cat nodeselector-os-linux-patch.json)" - args: - chdir: "{{ kubernetes_user_manifests_path }}" - register: patch_kube_proxy_state - when: current_kube_proxy_state.stdout | trim | lower != "linux" - - - debug: msg={{ patch_kube_proxy_state.stdout_lines }} - when: patch_kube_proxy_state is not skipped - - - debug: msg={{ patch_kube_proxy_state.stderr_lines }} - when: patch_kube_proxy_state is not skipped - tags: init +--- + +- name: Ensure that user manifests directory exists + file: + path: "{{ kubernetes_user_manifests_path }}/kubernetes" + state: directory + recurse: yes + tags: [init, cni] + +- name: Apply kube-proxy nodeselector + block: + - name: Copy kube-proxy daemonset nodeselector patch + copy: + src: nodeselector-os-linux-patch.json + dest: "{{ kubernetes_user_manifests_path }}/nodeselector-os-linux-patch.json" + + # Due to https://github.com/kubernetes/kubernetes/issues/58212 we cannot rely on exit code for "kubectl patch" + - name: Check current nodeselector for kube-proxy daemonset + shell: kubectl get ds kube-proxy --namespace=kube-system -o 
jsonpath='{.spec.template.spec.nodeSelector.beta\.kubernetes\.io/os}' + register: current_kube_proxy_state + + - name: Apply nodeselector patch for kube-proxy daemonset + shell: kubectl patch ds kube-proxy --namespace=kube-system --type=strategic -p "$(cat nodeselector-os-linux-patch.json)" + args: + chdir: "{{ kubernetes_user_manifests_path }}" + register: patch_kube_proxy_state + when: current_kube_proxy_state.stdout | trim | lower != "linux" + + - debug: msg={{ patch_kube_proxy_state.stdout_lines }} + when: patch_kube_proxy_state is not skipped + + - debug: msg={{ patch_kube_proxy_state.stderr_lines }} + when: patch_kube_proxy_state is not skipped + tags: init From 67e15c46e9d85d830fc24649366ff95d166f9fc9 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Wed, 4 Jul 2018 10:12:47 -0300 Subject: [PATCH 13/22] fix on yamllint check --- roles/dnsmasq/templates/dnsmasq-deploy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index 72a7a160358..c3a32f02e68 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -24,6 +24,9 @@ spec: tolerations: - effect: NoSchedule operator: Exists + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux containers: - name: dnsmasq image: "{{ dnsmasq_image_repo }}:{{ dnsmasq_image_tag }}" @@ -57,9 +60,6 @@ spec: mountPath: /etc/dnsmasq.d - name: etcdnsmasqdavailable mountPath: /etc/dnsmasq.d-available - # When having win nodes in cluster without this patch, this pod cloud try to be created in windows - nodeSelector: - beta.kubernetes.io/os: linux volumes: - name: etcdnsmasqd hostPath: From 4d7426ec95b23bc28f8460ae604466d0972a4849 Mon Sep 17 00:00:00 2001 
From: Rong Zhang Date: Thu, 5 Jul 2018 17:20:02 +0800 Subject: [PATCH 14/22] Fix terraform env Not effective (#2966) Add TF_VAR_ to terraform env --- contrib/terraform/aws/README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/contrib/terraform/aws/README.md b/contrib/terraform/aws/README.md index 2354deac0f0..709d0633faf 100644 --- a/contrib/terraform/aws/README.md +++ b/contrib/terraform/aws/README.md @@ -17,10 +17,10 @@ This project will create: - Export the variables for your AWS credentials or edit `credentials.tfvars`: ``` -export AWS_ACCESS_KEY_ID="www" -export AWS_SECRET_ACCESS_KEY ="xxx" -export AWS_SSH_KEY_NAME="yyy" -export AWS_DEFAULT_REGION="zzz" +export TF_VAR_AWS_ACCESS_KEY_ID="www" +export TF_VAR_AWS_SECRET_ACCESS_KEY ="xxx" +export TF_VAR_AWS_SSH_KEY_NAME="yyy" +export TF_VAR_AWS_DEFAULT_REGION="zzz" ``` - Rename `contrib/terraform/aws/terraform.tfvars.example` to `terraform.tfvars` From 0b939a495bfe1340d5af5f55bb9fc87dd843f166 Mon Sep 17 00:00:00 2001 From: Matthew Mosesohn Date: Thu, 5 Jul 2018 12:27:45 +0300 Subject: [PATCH 15/22] Improve vault etcd initialization check (#2959) --- roles/vault/tasks/cluster/init.yml | 1 - roles/vault/tasks/shared/check_vault.yml | 6 ++++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/vault/tasks/cluster/init.yml b/roles/vault/tasks/cluster/init.yml index 30f64f3b1cc..fea670df2f5 100644 --- a/roles/vault/tasks/cluster/init.yml +++ b/roles/vault/tasks/cluster/init.yml @@ -1,5 +1,4 @@ --- - - name: cluster/init | wait for vault command: /bin/true notify: wait for vault up diff --git a/roles/vault/tasks/shared/check_vault.yml b/roles/vault/tasks/shared/check_vault.yml index 1ffd515fd7c..999a36f32ba 100644 --- a/roles/vault/tasks/shared/check_vault.yml +++ b/roles/vault/tasks/shared/check_vault.yml 
@@ -9,7 +9,9 @@ # Check if vault is reachable on the localhost - name: check_vault | Attempt to pull local https Vault health command: /bin/true - notify: wait for vault up nowait + notify: + - wait for vault up nowait + - set facts about local Vault health - meta: flush_handlers @@ -44,6 +46,6 @@ vault_cluster_is_initialized: >- {{ vault_is_initialized or hostvars[item]['vault_is_initialized'] or - 'Key not found' not in vault_etcd_exists.stdout|default('Key not found') }} + ('value' in vault_etcd_exists.stdout|default('')) }} with_items: "{{ groups.vault }}" run_once: true From 5c617c5a8bef92f1a2966672754c91ece594ea11 Mon Sep 17 00:00:00 2001 From: Matthew Mosesohn Date: Fri, 6 Jul 2018 09:12:13 +0300 Subject: [PATCH 16/22] Add tags to deploy components by --tags option (#2960) * Add tags for cert serial tasks This will help facilitate tag-based deployment of specific components. * fixup kubernetes node --- docs/upgrades.md | 52 +++++++++++++++++++++ roles/etcd/tasks/main.yml | 6 +++ roles/kubernetes/node/tasks/install.yml | 15 ------ roles/kubernetes/secrets/tasks/main.yml | 16 +++++++ roles/kubespray-defaults/defaults/main.yaml | 12 +++++ 5 files changed, 86 insertions(+), 15 deletions(-) diff --git a/docs/upgrades.md b/docs/upgrades.md index 6297976ddb5..26a4a180b85 100644 --- a/docs/upgrades.md +++ b/docs/upgrades.md 
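Review bot: The new condition matches the literal substring `value` anywhere in `vault_etcd_exists.stdout`, so any output line that happens to contain that word — an error message, a key name — would mark the cluster as initialised; the old `'Key not found'` test had the same class of weakness in the other direction. I cannot see the command that registers `vault_etcd_exists` in this diff; if it is an etcdctl v3 `get` with JSON output, a comment such as `# etcdctl v3 JSON output carries a "value" field only when the key exists` would document why the substring test is sufficient. A tighter check would parse the output with `from_json` and test for the field explicitly instead of string-matching.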
@@ -81,3 +81,55 @@ kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and recreated. All other invalidated service account tokens are cleaned up automatically, but other pods are not deleted out of an abundance of caution for impact to user deployed pods. + +### Component-based upgrades + +A deployer may want to upgrade specific components in order to minimize risk +or save time. This strategy is not covered by CI as of this writing, so it is +not guaranteed to work. + +These commands are useful only for upgrading fully-deployed, healthy, existing +hosts. This will definitely not work for undeployed or partially deployed +hosts. + +Upgrade etcd: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd +``` + +Upgrade vault: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=vault +``` + +Upgrade kubelet: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens +``` + +Upgrade Kubernetes master components: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master +``` + +Upgrade network plugins: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network +``` + +Upgrade all add-ons: + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps +``` + +Upgrade just helm (assuming `helm_enabled` is true): + +``` +ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm +``` diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index c35a9cab656..38df04d731a 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml 
@@ -19,11 +19,17 @@ register: "etcd_client_cert_serial_result" changed_when: false when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort + tags: + - master + - network - name: Set etcd_client_cert_serial set_fact: etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}" when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort + tags: + - master + - network - include_tasks: "install_{{ etcd_deployment_type }}.yml" when: is_etcd_master diff --git a/roles/kubernetes/node/tasks/install.yml b/roles/kubernetes/node/tasks/install.yml index 63a529aceba..fe4b6c9c808 100644 --- a/roles/kubernetes/node/tasks/install.yml +++ b/roles/kubernetes/node/tasks/install.yml @@ -1,19 +1,4 @@ --- -- name: install | Set SSL CA directories - set_fact: - ssl_ca_dirs: "[ - {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%} - '/usr/share/ca-certificates', - {% elif ansible_os_family == 'RedHat' -%} - '/etc/pki/tls', - '/etc/pki/ca-trust', - {% elif ansible_os_family == 'Debian' -%} - '/usr/share/ca-certificates', - {% endif -%} - ]" - tags: - - facts - - name: Set kubelet deployment to host if kubeadm is enabled set_fact: kubelet_deployment_type: host diff --git a/roles/kubernetes/secrets/tasks/main.yml b/roles/kubernetes/secrets/tasks/main.yml index 52fedae5b03..d36c3a05728 100644 --- a/roles/kubernetes/secrets/tasks/main.yml +++ b/roles/kubernetes/secrets/tasks/main.yml @@ -2,11 +2,13 @@ - import_tasks: check-certs.yml tags: - k8s-secrets + - k8s-gen-certs - facts - import_tasks: check-tokens.yml tags: - k8s-secrets + - k8s-gen-tokens - facts - name: Make sure the certificate directory exits 
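Review bot: The two tasks tagged in this hunk repeat an identical `tags:` list and neither says why etcd cert-serial facts have to run under `master` and `network`; a reader of the etcd role cannot tell that these facts are consumed by components deployed with those tags. A comment above the first task such as `# master/network: etcd_client_cert_serial is presumably read by templates rendered under those tags, so it must be gathered in a component-only run (--tags=master or --tags=network)` would capture the intent; the consumer is not visible here, hence the hedge. The same copy-pasted lists recur in the `roles/kubernetes/secrets/tasks/main.yml` hunks `@@ -85,6 +89,10 @@`, `@@ -93,6 +101,10 @@` and `@@ -108,7 +120,11 @@` (`master`, `kubelet`, `node`), where wrapping the serial-gathering tasks in a `block:` with one `tags:` would keep the lists from drifting apart.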
@@ -70,10 +72,12 @@ - include_tasks: "gen_certs_{{ cert_management }}.yml" tags: - k8s-secrets + - k8s-gen-certs - import_tasks: upd_ca_trust.yml tags: - k8s-secrets + - k8s-gen-certs - name: "Gen_certs | Get certificate serials on kube masters" shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" @@ -85,6 +89,10 @@ - "kube-controller-manager.pem" - "kube-scheduler.pem" when: inventory_hostname in groups['kube-master'] + tags: + - master + - kubelet + - node - name: "Gen_certs | set kube master certificate serial facts" set_fact: @@ -93,6 +101,10 @@ controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}" scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}" when: inventory_hostname in groups['kube-master'] + tags: + - master + - kubelet + - node - name: "Gen_certs | Get certificate serials on kube nodes" shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2" @@ -108,7 +120,11 @@ kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}" kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}" when: inventory_hostname in groups['k8s-cluster'] + tags: + - kubelet + - node - import_tasks: gen_tokens.yml tags: - k8s-secrets + - k8s-gen-tokens diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index 3471508509a..074bd4b1e45 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml 
@@ -279,6 +279,18 @@ proxy_env: https_proxy: "{{ https_proxy| default ('') }}" no_proxy: "{{ no_proxy| default ('') }}" +ssl_ca_dirs: >- + [ + {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%} + '/usr/share/ca-certificates', + {% elif ansible_os_family == 'RedHat' -%} + '/etc/pki/tls', + '/etc/pki/ca-trust', + {% elif ansible_os_family == 'Debian' -%} + '/usr/share/ca-certificates', + {% endif -%} + ] + # Vars for pointing to kubernetes api endpoints is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}" kube_apiserver_count: "{{ groups['kube-master'] | length }}" From 915ea2666d02e47e4e34de08a6696374610afc43 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Tue, 5 Jun 2018 08:15:20 -0300 Subject: [PATCH 17/22] ensure there is pin priority for docker package to avoid upgrade of docker to incompatible version --- roles/docker/tasks/main.yml | 9 +++++++++ .../docker/templates/apt_preferences.d/debian_docker.j2 | 3 +++ 2 files changed, 12 insertions(+) create mode 100644 roles/docker/templates/apt_preferences.d/debian_docker.j2 diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml index f2ce701829c..c2c8cc5d2df 100644 --- a/roles/docker/tasks/main.yml +++ b/roles/docker/tasks/main.yml @@ -118,6 +118,15 @@ notify: restart docker when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0) +# This is required to ensure any apt upgrade will not break kubernetes +- name: Set docker pin priority to apt_preferences on Debian family + template: + src: "apt_preferences.d/debian_docker.j2" + dest: "/etc/apt/preferences.d/docker" + owner: "root" + mode: 0644 + when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic) + - name: ensure service is started if docker packages are already present service: name: docker 
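Review bot: `ssl_ca_dirs` has no branch for OS families other than CoreOS, RedHat and Debian, so on anything else (the docker hunk later in this series tests for `Suse`) the folded scalar renders as `[ ]` and the variable silently becomes an empty list; whether that is acceptable depends on the consumer, which is outside the hunk. Because the definition moved from a tagged `set_fact` in the node role to a role default it now applies to every host, so a comment above the key would help: `# Host CA trust-store directories per OS family; renders to an empty list for families not listed below, which the consumer must tolerate`. If an empty list is not tolerable, an explicit `{% else %}` branch is preferable to the silent `[]`.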
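Review bot: The new apt-pin task is named "on Debian family" but its `when:` is a denylist, `not (ansible_os_family in [..., "RedHat", "Suse"] or is_atomic)`, so any family not enumerated gets `/etc/apt/preferences.d/docker` written even where apt does not exist. Matching the task name with an allowlist, `when: ansible_os_family == "Debian"`, is simpler and fails closed. `mode: 0644` is a YAML 1.1 octal literal that Ansible accepts, but yamllint's octal-values check flags it; `mode: "0644"` is the portable spelling.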
diff --git a/roles/docker/templates/apt_preferences.d/debian_docker.j2 b/roles/docker/templates/apt_preferences.d/debian_docker.j2 new file mode 100644 index 00000000000..f21008b6c14 --- /dev/null +++ b/roles/docker/templates/apt_preferences.d/debian_docker.j2 @@ -0,0 +1,3 @@ +Package: docker-ce +Pin: version {{ docker_version }}.* +Pin-Priority: 1001 \ No newline at end of file From 0d1bd1e528ae27d11f1fb49084679cdc6a4abd8b Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Sun, 10 Jun 2018 13:46:54 -0300 Subject: [PATCH 18/22] remove empty when line --- roles/etcd/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/etcd/tasks/main.yml b/roles/etcd/tasks/main.yml index 38df04d731a..db59a983fa7 100644 --- a/roles/etcd/tasks/main.yml +++ b/roles/etcd/tasks/main.yml @@ -6,7 +6,6 @@ - facts - include_tasks: "gen_certs_{{ cert_management }}.yml" - when: tags: - etcd-secrets From f32a14b5f00660b7ccb80ad6fa8f4e4b0303c1f8 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Thu, 21 Jun 2018 13:39:46 -0300 Subject: [PATCH 19/22] force kubeadm upgrade due to failure without --force flag --- roles/kubernetes/master/tasks/kubeadm-setup.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/kubernetes/master/tasks/kubeadm-setup.yml b/roles/kubernetes/master/tasks/kubeadm-setup.yml index b841d83572b..f08c771026b 100644 --- a/roles/kubernetes/master/tasks/kubeadm-setup.yml +++ b/roles/kubernetes/master/tasks/kubeadm-setup.yml @@ -89,6 +89,7 @@ --ignore-preflight-errors=all --allow-experimental-upgrades --allow-release-candidate-upgrades + --force register: kubeadm_upgrade # Retry is because upload config sometimes fails retries: 3 From d961d40cf4346ae0c8d9a5664928bc2d2ad432e8 Mon Sep 17 00:00:00 2001 
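Review bot: `Pin-Priority: 1001` is above 1000, which in apt_preferences semantics installs the pinned version even when that is a downgrade of an already-installed newer docker-ce, and the template carries no comment saying that this is intended. A Jinja comment at the top of the template, e.g. `{# Priority >1000 forces docker-ce to {{ docker_version }}.* even if that downgrades a manually upgraded package; keeps docker aligned with the tested kubernetes version #}`, would document the choice and is stripped on rendering. The `version {{ docker_version }}.*` glob also assumes `docker_version` is a major.minor prefix; if an inventory sets a fuller version string the `.*` suffix may match nothing and the pin is silently ineffective, which is worth stating in that comment. The file is also written without a trailing newline.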
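Review bot: `--force` is appended to the kubeadm upgrade command without a comment recording which failure it works around; the commit message only says the upgrade fails without it. Together with the existing `--ignore-preflight-errors=all` and the retry loop, this makes the upgrade proceed even when kubeadm reports unmet requirements, so the reason should be captured next to the flag, e.g. `# --force: needed because <describe the failure seen without it>` with the placeholder filled in from the observed error. The command block this line belongs to starts outside the hunk.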
From: Pablo Estigarribia Date: Tue, 3 Jul 2018 09:55:24 -0300 Subject: [PATCH 20/22] added nodeSelector to have compatibility with hybrid cluster with win nodes, also fix for download with missing container type --- cluster.yml | 1 + inventory/sample/group_vars/all.yml | 3 ++ .../templates/dnsmasq-autoscaler.yml.j2 | 5 +++ roles/dnsmasq/templates/dnsmasq-deploy.yml | 5 +++ roles/download/tasks/main.yml | 2 +- .../templates/kubedns-autoscaler.yml.j2 | 5 +++ .../ansible/templates/kubedns-deploy.yml.j2 | 5 +++ .../templates/netchecker-agent-ds.yml.j2 | 5 +++ .../netchecker-agent-hostnet-ds.yml.j2 | 5 +++ .../efk/fluentd/templates/fluentd-ds.yml.j2 | 5 +++ .../ingress-nginx-controller-ds.yml.j2 | 4 +++ .../ingress-nginx-default-backend-rs.yml.j2 | 5 +++ .../manifests/kube-proxy.manifest.j2 | 5 +++ .../manifests/nginx-proxy.manifest.j2 | 5 +++ .../flannel/templates/cni-flannel.yml.j2 | 5 +++ .../kubernetes_patch/defaults/main.yml | 3 ++ .../files/nodeselector-os-linux-patch.json | 1 + .../win_nodes/kubernetes_patch/tasks/main.yml | 34 +++++++++++++++++++ 18 files changed, 102 insertions(+), 1 deletion(-) create mode 100644 roles/win_nodes/kubernetes_patch/defaults/main.yml create mode 100644 roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json create mode 100644 roles/win_nodes/kubernetes_patch/tasks/main.yml diff --git a/cluster.yml b/cluster.yml index c77e9e1b51c..cb500ed6e68 100644 --- a/cluster.yml +++ b/cluster.yml @@ -93,6 +93,7 @@ roles: - { role: kubespray-defaults} - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" } + - { role: win_nodes/kubernetes_patch, tags: win_nodes, when: "kubeadm_enabled and kube_patch_win_nodes" } - hosts: kube-master any_errors_fatal: "{{ any_errors_fatal | default(true) }}" diff --git a/inventory/sample/group_vars/all.yml b/inventory/sample/group_vars/all.yml index d856d064cfb..73e3b785b2f 100644 --- a/inventory/sample/group_vars/all.yml 
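Review bot: The new play entry evaluates `kube_patch_win_nodes` in its `when:`, but this patch only defines the variable in `inventory/sample/group_vars/all.yml`, not in `roles/kubespray-defaults/defaults/main.yaml`, so inventories that do not copy the sample fail with an undefined-variable error at this line. The same applies to every `{% if kube_patch_win_nodes %}` guard added to the manifest templates in this patch (dnsmasq, kubedns, netchecker, fluentd, ingress-nginx, kube-proxy, nginx-proxy, flannel), since an undefined name inside a Jinja `if` raises under Ansible's strict undefined. Adding `kube_patch_win_nodes: false` to the kubespray-defaults role is the cleanest fix; alternatively `when: "kubeadm_enabled and kube_patch_win_nodes|default(false)"` here plus `|default(false)` in each template guard.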
+++ b/inventory/sample/group_vars/all.yml @@ -103,6 +103,9 @@ bin_dir: /usr/local/bin ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy #no_proxy: "" +# patch deployments with selectors when running hybrid with win nodes +kube_patch_win_nodes: false + ## Uncomment this if you want to force overlay/overlay2 as docker storage driver ## Please note that overlay2 is only supported on newer kernels #docker_storage_options: -s overlay2 diff --git a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 index d871bcbf96d..50ba6069ee3 100644 --- a/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 +++ b/roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2 @@ -54,3 +54,8 @@ spec: - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}} - --logtostderr=true - --v={{ kube_log_level }} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index 0fb6045e826..2ab57849a6b 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -57,6 +57,11 @@ spec: mountPath: /etc/dnsmasq.d - name: etcdnsmasqdavailable mountPath: /etc/dnsmasq.d-available +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} volumes: - name: etcdnsmasqd hostPath: diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml index 2474b402902..06def41d629 100644 --- a/roles/download/tasks/main.yml +++ b/roles/download/tasks/main.yml 
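Review bot: The comment added above each `nodeSelector` reads "this pod cloud try to be created in windows"; "cloud" should be "could", and the sentence would be clearer as `# Pin to Linux nodes: in a hybrid cluster with Windows nodes this pod would otherwise be schedulable there`. The identical text is repeated in the dnsmasq-autoscaler, dnsmasq-deploy, kubedns-autoscaler, kubedns-deploy, netchecker-agent, netchecker-agent-hostnet, fluentd, ingress-nginx, kube-proxy, nginx-proxy and flannel template hunks of this patch, so fix it once and propagate.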
@@ -20,6 +20,6 @@ when: - not skip_downloads|default(false) - item.value.enabled - - item.value.container + - item.value.container|default(false) - download_run_once - group_names | intersect(download.groups) | length diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 index d7c30ecebca..7a3594315e0 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2 @@ -28,6 +28,11 @@ spec: labels: k8s-app: kubedns-autoscaler spec: +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} tolerations: - effect: NoSchedule operator: Exists diff --git a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 index cfce65f0efe..0030cd40d3c 100644 --- a/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2 @@ -27,6 +27,11 @@ spec: annotations: scheduler.alpha.kubernetes.io/critical-pod: '' spec: +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} tolerations: - key: "CriticalAddonsOnly" operator: "Exists" diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 index 4f32214ebd9..7976d2acb66 100644 --- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2 
@@ -15,6 +15,11 @@ spec: tolerations: - effect: NoSchedule operator: Exists +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} containers: - name: netchecker-agent image: "{{ agent_img }}" diff --git a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 index 76fca481283..512b59533fa 100644 --- a/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 +++ b/roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2 @@ -13,6 +13,11 @@ spec: app: netchecker-agent-hostnet spec: hostNetwork: True +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} {% if kube_version | version_compare('v1.6', '>=') %} dnsPolicy: ClusterFirstWithHostNet {% endif %} diff --git a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 index 3a911cf3894..55545f54822 100644 --- a/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 +++ b/roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2 @@ -30,6 +30,11 @@ spec: priorityClassName: system-node-critical {% if rbac_enabled %} serviceAccountName: efk +{% endif %} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux {% endif %} containers: - name: fluentd-es diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 index 40e1d471503..c188b650e09 100644 
--- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2 @@ -29,6 +29,10 @@ spec: {% endif %} nodeSelector: node-role.kubernetes.io/ingress: "true" +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + beta.kubernetes.io/os: linux +{% endif %} terminationGracePeriodSeconds: 60 containers: - name: ingress-nginx-controller diff --git a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 index c0bed920b25..ae32a7056d9 100644 --- a/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 +++ b/roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2 @@ -35,3 +35,8 @@ spec: timeoutSeconds: 5 ports: - containerPort: 8080 +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 index 2209709b6f8..7b305c18811 100644 --- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 +++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 @@ -11,6 +11,11 @@ spec: hostNetwork: true {% if kube_version | version_compare('v1.6', '>=') %} dnsPolicy: ClusterFirst +{% endif %} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux {% endif %} containers: - name: kube-proxy 
diff --git a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 index a1e9a78156a..8205bb054f3 100644 --- a/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 +++ b/roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2 @@ -7,6 +7,11 @@ metadata: k8s-app: kube-nginx spec: hostNetwork: true +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux +{% endif %} containers: - name: nginx-proxy image: {{ nginx_image_repo }}:{{ nginx_image_tag }} diff --git a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 index 7ecb21ad068..10f6e1264f7 100644 --- a/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 +++ b/roles/network_plugin/flannel/templates/cni-flannel.yml.j2 @@ -54,6 +54,11 @@ spec: spec: {% if rbac_enabled %} serviceAccountName: flannel +{% endif %} +{% if kube_patch_win_nodes %} + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux {% endif %} containers: - name: kube-flannel diff --git a/roles/win_nodes/kubernetes_patch/defaults/main.yml b/roles/win_nodes/kubernetes_patch/defaults/main.yml new file mode 100644 index 00000000000..6254f29ae18 --- /dev/null +++ b/roles/win_nodes/kubernetes_patch/defaults/main.yml @@ -0,0 +1,3 @@ +--- + +kubernetes_user_manifests_path: "{{ ansible_env.HOME }}/kube-manifests" diff --git a/roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json b/roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json new file mode 100644 index 00000000000..d718ff4465e --- /dev/null +++ b/roles/win_nodes/kubernetes_patch/files/nodeselector-os-linux-patch.json 
@@ -0,0 +1 @@ +{"spec":{"template":{"spec":{"nodeSelector":{"beta.kubernetes.io/os":"linux"}}}}} \ No newline at end of file diff --git a/roles/win_nodes/kubernetes_patch/tasks/main.yml b/roles/win_nodes/kubernetes_patch/tasks/main.yml new file mode 100644 index 00000000000..37e57f33614 --- /dev/null +++ b/roles/win_nodes/kubernetes_patch/tasks/main.yml @@ -0,0 +1,34 @@ +--- + +- name: Ensure that user manifests directory exists + file: + path: "{{ kubernetes_user_manifests_path }}/kubernetes" + state: directory + recurse: yes + tags: [init, cni] + +- name: Apply kube-proxy nodeselector + block: + - name: Copy kube-proxy daemonset nodeselector patch + copy: + src: nodeselector-os-linux-patch.json + dest: "{{ kubernetes_user_manifests_path }}/nodeselector-os-linux-patch.json" + + # Due to https://github.com/kubernetes/kubernetes/issues/58212 we cannot rely on exit code for "kubectl patch" + - name: Check current nodeselector for kube-proxy daemonset + shell: kubectl get ds kube-proxy --namespace=kube-system -o jsonpath='{.spec.template.spec.nodeSelector.beta\.kubernetes\.io/os}' + register: current_kube_proxy_state + + - name: Apply nodeselector patch for kube-proxy daemonset + shell: kubectl patch ds kube-proxy --namespace=kube-system --type=strategic -p "$(cat nodeselector-os-linux-patch.json)" + args: + chdir: "{{ kubernetes_user_manifests_path }}" + register: patch_kube_proxy_state + when: current_kube_proxy_state.stdout | trim | lower != "linux" + + - debug: msg={{ patch_kube_proxy_state.stdout_lines }} + when: patch_kube_proxy_state is not skipped + + - debug: msg={{ patch_kube_proxy_state.stderr_lines }} + when: patch_kube_proxy_state is not skipped + tags: init From d1af8bd4738771d05930ba4f31d1f4526beb8dcd Mon Sep 17 00:00:00 2001 
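Review bot: The first task creates `{{ kubernetes_user_manifests_path }}/kubernetes`, but nothing in the role uses that subdirectory — the patch file is copied to and read from the parent `{{ kubernetes_user_manifests_path }}` — so either the path or the task looks like a leftover, and `recurse: yes` on a freshly created directory is a no-op whose `yes` should be `true`. The two `debug: msg={{ ... }}` tasks use key=value shorthand with an unquoted Jinja expression; `debug: var: patch_kube_proxy_state.stdout_lines` is the idiomatic form and passes yamllint. `kubectl` is invoked by bare name while the inventory exposes `bin_dir`; if the binary lives under `{{ bin_dir }}` rather than on the remote user's PATH this role fails, so `{{ bin_dir }}/kubectl` is worth confirming against how the rest of the playbooks call it. The `get ds` task needs no shell features and could be `command:`, leaving `shell:` only for the `$(cat …)` substitution in the patch task.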
From: Pablo Estigarribia Date: Wed, 4 Jul 2018 10:06:20 -0300 Subject: [PATCH 21/22] fixes in syntax and LF for newline in files --- roles/dnsmasq/templates/dnsmasq-deploy.yml | 2 - .../kubernetes_patch/defaults/main.yml | 6 +- .../win_nodes/kubernetes_patch/tasks/main.yml | 68 +++++++++---------- 3 files changed, 37 insertions(+), 39 deletions(-) diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index 2ab57849a6b..72a7a160358 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -57,11 +57,9 @@ spec: mountPath: /etc/dnsmasq.d - name: etcdnsmasqdavailable mountPath: /etc/dnsmasq.d-available -{% if kube_patch_win_nodes %} # When having win nodes in cluster without this patch, this pod cloud try to be created in windows nodeSelector: beta.kubernetes.io/os: linux -{% endif %} volumes: - name: etcdnsmasqd hostPath: diff --git a/roles/win_nodes/kubernetes_patch/defaults/main.yml b/roles/win_nodes/kubernetes_patch/defaults/main.yml index 6254f29ae18..587f73ab42b 100644 --- a/roles/win_nodes/kubernetes_patch/defaults/main.yml +++ b/roles/win_nodes/kubernetes_patch/defaults/main.yml @@ -1,3 +1,3 @@ ---- - -kubernetes_user_manifests_path: "{{ ansible_env.HOME }}/kube-manifests" +--- + +kubernetes_user_manifests_path: "{{ ansible_env.HOME }}/kube-manifests" diff --git a/roles/win_nodes/kubernetes_patch/tasks/main.yml b/roles/win_nodes/kubernetes_patch/tasks/main.yml index 37e57f33614..8d88818a513 100644 --- a/roles/win_nodes/kubernetes_patch/tasks/main.yml +++ b/roles/win_nodes/kubernetes_patch/tasks/main.yml 
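Review bot: Removing the `{% if kube_patch_win_nodes %}` guard makes the `nodeSelector` on the dnsmasq Deployment unconditional, while every other manifest touched by this series keeps it opt-in; the commit message ("fixes in syntax") does not say whether that is intentional. On a Linux-only cluster the `beta.kubernetes.io/os: linux` label is normally set by the kubelet so scheduling still works, but the inconsistency deserves either restoring the guard or a comment such as `# Always pinned to Linux nodes on purpose; the other add-ons gate this on kube_patch_win_nodes`. The other two hunks in this commit are line-ending conversions only.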
@@ -1,34 +1,34 @@ ---- - -- name: Ensure that user manifests directory exists - file: - path: "{{ kubernetes_user_manifests_path }}/kubernetes" - state: directory - recurse: yes - tags: [init, cni] - -- name: Apply kube-proxy nodeselector - block: - - name: Copy kube-proxy daemonset nodeselector patch - copy: - src: nodeselector-os-linux-patch.json - dest: "{{ kubernetes_user_manifests_path }}/nodeselector-os-linux-patch.json" - - # Due to https://github.com/kubernetes/kubernetes/issues/58212 we cannot rely on exit code for "kubectl patch" - - name: Check current nodeselector for kube-proxy daemonset - shell: kubectl get ds kube-proxy --namespace=kube-system -o jsonpath='{.spec.template.spec.nodeSelector.beta\.kubernetes\.io/os}' - register: current_kube_proxy_state - - - name: Apply nodeselector patch for kube-proxy daemonset - shell: kubectl patch ds kube-proxy --namespace=kube-system --type=strategic -p "$(cat nodeselector-os-linux-patch.json)" - args: - chdir: "{{ kubernetes_user_manifests_path }}" - register: patch_kube_proxy_state - when: current_kube_proxy_state.stdout | trim | lower != "linux" - - - debug: msg={{ patch_kube_proxy_state.stdout_lines }} - when: patch_kube_proxy_state is not skipped - - - debug: msg={{ patch_kube_proxy_state.stderr_lines }} - when: patch_kube_proxy_state is not skipped - tags: init +--- + +- name: Ensure that user manifests directory exists + file: + path: "{{ kubernetes_user_manifests_path }}/kubernetes" + state: directory + recurse: yes + tags: [init, cni] + +- name: Apply kube-proxy nodeselector + block: + - name: Copy kube-proxy daemonset nodeselector patch + copy: + src: nodeselector-os-linux-patch.json + dest: "{{ kubernetes_user_manifests_path }}/nodeselector-os-linux-patch.json" + + # Due to https://github.com/kubernetes/kubernetes/issues/58212 we cannot rely on exit code for "kubectl patch" + - name: Check current nodeselector for kube-proxy daemonset + shell: kubectl get ds kube-proxy --namespace=kube-system -o 
jsonpath='{.spec.template.spec.nodeSelector.beta\.kubernetes\.io/os}' + register: current_kube_proxy_state + + - name: Apply nodeselector patch for kube-proxy daemonset + shell: kubectl patch ds kube-proxy --namespace=kube-system --type=strategic -p "$(cat nodeselector-os-linux-patch.json)" + args: + chdir: "{{ kubernetes_user_manifests_path }}" + register: patch_kube_proxy_state + when: current_kube_proxy_state.stdout | trim | lower != "linux" + + - debug: msg={{ patch_kube_proxy_state.stdout_lines }} + when: patch_kube_proxy_state is not skipped + + - debug: msg={{ patch_kube_proxy_state.stderr_lines }} + when: patch_kube_proxy_state is not skipped + tags: init From 3fad479752484f8bed713ff4d37897c9473e0050 Mon Sep 17 00:00:00 2001 From: Pablo Estigarribia Date: Wed, 4 Jul 2018 10:12:47 -0300 Subject: [PATCH 22/22] fix on yamllint check --- roles/dnsmasq/templates/dnsmasq-deploy.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/dnsmasq/templates/dnsmasq-deploy.yml b/roles/dnsmasq/templates/dnsmasq-deploy.yml index 72a7a160358..c3a32f02e68 100644 --- a/roles/dnsmasq/templates/dnsmasq-deploy.yml +++ b/roles/dnsmasq/templates/dnsmasq-deploy.yml @@ -24,6 +24,9 @@ spec: tolerations: - effect: NoSchedule operator: Exists + # When having win nodes in cluster without this patch, this pod cloud try to be created in windows + nodeSelector: + beta.kubernetes.io/os: linux containers: - name: dnsmasq image: "{{ dnsmasq_image_repo }}:{{ dnsmasq_image_tag }}" @@ -57,9 +60,6 @@ spec: mountPath: /etc/dnsmasq.d - name: etcdnsmasqdavailable mountPath: /etc/dnsmasq.d-available - # When having win nodes in cluster without this patch, this pod cloud try to be created in windows - nodeSelector: - beta.kubernetes.io/os: linux volumes: - name: etcdnsmasqd hostPath: