Feature/k8s win nodes hybrid cluster

cluster.yml

@@ -93,6 +93,7 @@
   roles:
     - { role: kubespray-defaults}
     - { role: kubernetes-apps/rotate_tokens, tags: rotate_tokens, when: "secret_changed|default(false)" }
+    - { role: win_nodes/kubernetes_patch, tags: win_nodes, when: "kubeadm_enabled and kube_patch_win_nodes" }
 
 - hosts: kube-master
   any_errors_fatal: "{{ any_errors_fatal | default(true) }}"

contrib/terraform/aws/README.md

@@ -17,10 +17,10 @@ This project will create:
 - Export the variables for your AWS credentials or edit `credentials.tfvars`:
 
 ```
-export AWS_ACCESS_KEY_ID="www"
-export AWS_SECRET_ACCESS_KEY ="xxx"
-export AWS_SSH_KEY_NAME="yyy"
-export AWS_DEFAULT_REGION="zzz"
+export TF_VAR_AWS_ACCESS_KEY_ID="www"
+export TF_VAR_AWS_SECRET_ACCESS_KEY ="xxx"
+export TF_VAR_AWS_SSH_KEY_NAME="yyy"
+export TF_VAR_AWS_DEFAULT_REGION="zzz"
 ```
 - Rename `contrib/terraform/aws/terraform.tfvars.example` to `terraform.tfvars`
 

docs/upgrades.md

@@ -81,3 +81,55 @@ kubernetes-apps/rotate_tokens role, only pods in kube-system are destroyed and
 recreated. All other invalidated service account tokens are cleaned up
 automatically, but other pods are not deleted out of an abundance of caution
 for impact to user deployed pods.
+
+### Component-based upgrades
+
+A deployer may want to upgrade specific components in order to minimize risk
+or save time. This strategy is not covered by CI as of this writing, so it is
+not guaranteed to work. 
+
+These commands are useful only for upgrading fully-deployed, healthy, existing
+hosts. This will definitely not work for undeployed or partially deployed
+hosts.
+
+Upgrade etcd:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=etcd
+```
+
+Upgrade vault:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=vault
+```
+
+Upgrade kubelet:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=node --skip-tags=k8s-gen-certs,k8s-gen-tokens
+```
+
+Upgrade Kubernetes master components:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=master
+```
+
+Upgrade network plugins:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=network
+```
+
+Upgrade all add-ons:
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=apps
+```
+
+Upgrade just helm (assuming `helm_enabled` is true):
+
+```
+ansible-playbook -b -i inventory/sample/hosts.ini cluster.yml --tags=helm
+```

inventory/sample/group_vars/all.yml

@@ -103,6 +103,9 @@ bin_dir: /usr/local/bin
 ## Refer to roles/kubespray-defaults/defaults/main.yml before modifying no_proxy
 #no_proxy: ""
 
+# patch deployments with selectors when running hybrid with win nodes
+kube_patch_win_nodes: false
+
 ## Uncomment this if you want to force overlay/overlay2 as docker storage driver
 ## Please note that overlay2 is only supported on newer kernels
 #docker_storage_options: -s overlay2

roles/dnsmasq/templates/dnsmasq-autoscaler.yml.j2

@@ -54,3 +54,8 @@ spec:
             - --default-params={"linear":{"nodesPerReplica":{{ dnsmasq_nodes_per_replica }},"preventSinglePointFailure":true}}
             - --logtostderr=true
             - --v={{ kube_log_level }}
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+{% endif %}

roles/dnsmasq/templates/dnsmasq-deploy.yml

@@ -24,6 +24,9 @@ spec:
       tolerations:
         - effect: NoSchedule
           operator: Exists
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
       containers:
         - name: dnsmasq
           image: "{{ dnsmasq_image_repo }}:{{ dnsmasq_image_tag }}"

roles/docker/tasks/main.yml

@@ -118,6 +118,15 @@
   notify: restart docker
   when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS"] or is_atomic) and (docker_package_info.pkgs|length > 0)
 
+# This is required to ensure any apt upgrade will not break kubernetes
+- name: Set docker pin priority to apt_preferences on Debian family
+  template:
+    src: "apt_preferences.d/debian_docker.j2"
+    dest: "/etc/apt/preferences.d/docker"
+    owner: "root"
+    mode: 0644
+  when: not (ansible_os_family in ["CoreOS", "Container Linux by CoreOS", "RedHat", "Suse"] or is_atomic)
+
 - name: ensure service is started if docker packages are already present
   service:
     name: docker

roles/docker/templates/apt_preferences.d/debian_docker.j2

@@ -0,0 +1,3 @@
+Package: docker-ce
+Pin: version {{ docker_version }}.*
+Pin-Priority: 1001

roles/download/tasks/main.yml

@@ -20,6 +20,6 @@
   when:
     - not skip_downloads|default(false)
     - item.value.enabled
-    - item.value.container
+    - item.value.container|default(false)
     - download_run_once
     - group_names | intersect(download.groups) | length

roles/etcd/tasks/main.yml

@@ -6,7 +6,6 @@
     - facts
 
 - include_tasks: "gen_certs_{{ cert_management }}.yml"
-  when:
   tags:
     - etcd-secrets
 
@@ -19,11 +18,17 @@
   register: "etcd_client_cert_serial_result"
   changed_when: false
   when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network
 
 - name: Set etcd_client_cert_serial
   set_fact:
     etcd_client_cert_serial: "{{ etcd_client_cert_serial_result.stdout }}"
   when: inventory_hostname in groups['k8s-cluster']|union(groups['etcd'])|union(groups['calico-rr']|default([]))|unique|sort
+  tags:
+    - master
+    - network
 
 - include_tasks: "install_{{ etcd_deployment_type }}.yml"
   when: is_etcd_master

roles/kubernetes-apps/ansible/templates/kubedns-autoscaler.yml.j2

@@ -28,6 +28,11 @@ spec:
       labels:
         k8s-app: kubedns-autoscaler
     spec:
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+{% endif %}
       tolerations:
         - effect: NoSchedule
           operator: Exists

roles/kubernetes-apps/ansible/templates/kubedns-deploy.yml.j2

@@ -27,6 +27,11 @@ spec:
       annotations:
         scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+{% endif %}
       tolerations:
       - key: "CriticalAddonsOnly"
         operator: "Exists"

roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2

@@ -15,6 +15,11 @@ spec:
       tolerations:
         - effect: NoSchedule
           operator: Exists
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+{% endif %}
       containers:
         - name: netchecker-agent
           image: "{{ agent_img }}"

roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2

@@ -13,6 +13,11 @@ spec:
         app: netchecker-agent-hostnet
     spec:
       hostNetwork: True
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+{% endif %}
 {% if kube_version | version_compare('v1.6', '>=') %}
       dnsPolicy: ClusterFirstWithHostNet
 {% endif %}

roles/kubernetes-apps/efk/fluentd/templates/fluentd-ds.yml.j2

@@ -30,6 +30,11 @@ spec:
       priorityClassName: system-node-critical
 {% if rbac_enabled %}
       serviceAccountName: efk
+{% endif %}
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
 {% endif %}
       containers:
       - name: fluentd-es

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-controller-ds.yml.j2

@@ -29,6 +29,10 @@ spec:
 {% endif %}
       nodeSelector:
         node-role.kubernetes.io/ingress: "true"
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+        beta.kubernetes.io/os: linux
+{% endif %}
       terminationGracePeriodSeconds: 60
       containers:
         - name: ingress-nginx-controller

roles/kubernetes-apps/ingress_controller/ingress_nginx/templates/ingress-nginx-default-backend-rs.yml.j2

@@ -35,3 +35,8 @@ spec:
             timeoutSeconds: 5
           ports:
             - containerPort: 8080
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
+{% endif %}

roles/kubernetes/master/tasks/kubeadm-setup.yml

@@ -89,6 +89,7 @@
     --ignore-preflight-errors=all
     --allow-experimental-upgrades
     --allow-release-candidate-upgrades
+    --force
   register: kubeadm_upgrade
   # Retry is because upload config sometimes fails
   retries: 3

roles/kubernetes/master/templates/kube-scheduler-policy.yaml.j2

@@ -10,7 +10,6 @@
     {"name" : "GeneralPredicates"},
     {"name" : "CheckNodeMemoryPressure"},
     {"name" : "CheckNodeDiskPressure"},
-    {"name" : "CheckNodePIDPressure"},
     {"name" : "CheckNodeCondition"},
     {"name" : "PodToleratesNodeTaints"},
     {"name" : "CheckVolumeBinding"}

roles/kubernetes/node/tasks/install.yml

@@ -1,19 +1,4 @@
 ---
-- name: install | Set SSL CA directories
-  set_fact:
-    ssl_ca_dirs: "[
-      {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
-      '/usr/share/ca-certificates',
-      {% elif ansible_os_family == 'RedHat' -%}
-      '/etc/pki/tls',
-      '/etc/pki/ca-trust',
-      {% elif ansible_os_family == 'Debian' -%}
-      '/usr/share/ca-certificates',
-      {% endif -%}
-    ]"
-  tags:
-    - facts
-
 - name: Set kubelet deployment to host if kubeadm is enabled
   set_fact:
     kubelet_deployment_type: host

roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2

@@ -11,6 +11,11 @@ spec:
   hostNetwork: true
 {% if kube_version | version_compare('v1.6', '>=') %}
   dnsPolicy: ClusterFirst
+{% endif %}
+{% if kube_patch_win_nodes %}
+  # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+  nodeSelector:
+    beta.kubernetes.io/os: linux
 {% endif %}
   containers:
   - name: kube-proxy

roles/kubernetes/node/templates/manifests/nginx-proxy.manifest.j2

@@ -7,6 +7,11 @@ metadata:
     k8s-app: kube-nginx
 spec:
   hostNetwork: true
+{% if kube_patch_win_nodes %}
+  # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+  nodeSelector:
+    beta.kubernetes.io/os: linux
+{% endif %}
   containers:
   - name: nginx-proxy
     image: {{ nginx_image_repo }}:{{ nginx_image_tag }}

roles/kubernetes/secrets/tasks/main.yml

@@ -2,11 +2,13 @@
 - import_tasks: check-certs.yml
   tags:
     - k8s-secrets
+    - k8s-gen-certs
     - facts
 
 - import_tasks: check-tokens.yml
   tags:
     - k8s-secrets
+    - k8s-gen-tokens
     - facts
 
 - name: Make sure the certificate directory exits
@@ -70,10 +72,12 @@
 - include_tasks: "gen_certs_{{ cert_management }}.yml"
   tags:
     - k8s-secrets
+    - k8s-gen-certs
 
 - import_tasks: upd_ca_trust.yml
   tags:
     - k8s-secrets
+    - k8s-gen-certs
 
 - name: "Gen_certs | Get certificate serials on kube masters"
   shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -85,6 +89,10 @@
     - "kube-controller-manager.pem"
     - "kube-scheduler.pem"
   when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node
 
 - name: "Gen_certs | set kube master certificate serial facts"
   set_fact:
@@ -93,6 +101,10 @@
     controller_manager_cert_serial: "{{ master_certificate_serials.results[2].stdout|default() }}"
     scheduler_cert_serial: "{{ master_certificate_serials.results[3].stdout|default() }}"
   when: inventory_hostname in groups['kube-master']
+  tags:
+    - master
+    - kubelet
+    - node
 
 - name: "Gen_certs | Get certificate serials on kube nodes"
   shell: "openssl x509 -in {{ kube_cert_dir }}/{{ item }} -noout -serial | cut -d= -f2"
@@ -108,7 +120,11 @@
     kubelet_cert_serial: "{{ node_certificate_serials.results[0].stdout|default() }}"
     kube_proxy_cert_serial: "{{ node_certificate_serials.results[1].stdout|default() }}"
   when: inventory_hostname in groups['k8s-cluster']
+  tags:
+    - kubelet
+    - node
 
 - import_tasks: gen_tokens.yml
   tags:
     - k8s-secrets
+    - k8s-gen-tokens

roles/kubespray-defaults/defaults/main.yaml

@@ -279,6 +279,18 @@ proxy_env:
   https_proxy: "{{ https_proxy| default ('') }}"
   no_proxy: "{{ no_proxy| default ('') }}"
 
+ssl_ca_dirs: >-
+  [
+  {% if ansible_os_family in ['CoreOS', 'Container Linux by CoreOS'] -%}
+  '/usr/share/ca-certificates',
+  {% elif ansible_os_family == 'RedHat' -%}
+  '/etc/pki/tls',
+  '/etc/pki/ca-trust',
+  {% elif ansible_os_family == 'Debian' -%}
+  '/usr/share/ca-certificates',
+  {% endif -%}
+  ]
+
 # Vars for pointing to kubernetes api endpoints
 is_kube_master: "{{ inventory_hostname in groups['kube-master'] }}"
 kube_apiserver_count: "{{ groups['kube-master'] | length }}"

roles/network_plugin/flannel/templates/cni-flannel.yml.j2

@@ -54,6 +54,11 @@ spec:
     spec:
 {% if rbac_enabled %}
       serviceAccountName: flannel
+{% endif %}
+{% if kube_patch_win_nodes %}
+      # When having win nodes in cluster without this patch, this pod cloud try to be created in windows
+      nodeSelector:
+        beta.kubernetes.io/os: linux
 {% endif %}
       containers:
       - name: kube-flannel