From b39c3b91269a8482207863234acc298f623deae6 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 20 Jun 2020 05:20:46 +0200 Subject: kubernetes: add node pruning role --- roles/kubernetes/kubeadm/prune/tasks/main.yml | 9 +++++++++ roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml | 14 ++++++++++++++ roles/kubernetes/kubeadm/prune/tasks/net_none.yml | 2 ++ 3 files changed, 25 insertions(+) create mode 100644 roles/kubernetes/kubeadm/prune/tasks/main.yml create mode 100644 roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml create mode 100644 roles/kubernetes/kubeadm/prune/tasks/net_none.yml (limited to 'roles/kubernetes/kubeadm/prune') diff --git a/roles/kubernetes/kubeadm/prune/tasks/main.yml b/roles/kubernetes/kubeadm/prune/tasks/main.yml new file mode 100644 index 00000000..71ed0d04 --- /dev/null +++ b/roles/kubernetes/kubeadm/prune/tasks/main.yml @@ -0,0 +1,9 @@ +--- +- name: remove nodes from api server + run_once: true + delegate_to: "{{ groups['_kubernetes_primary_master_'] | first }}" + loop: "{{ groups['_kubernetes_nodes_prune_'] | default([]) }}" + command: "kubectl delete node {{ item }}" + +- name: prune network plugin + include_tasks: "net_{{ kubernetes_network_plugin }}.yml" diff --git a/roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml b/roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml new file mode 100644 index 00000000..8a8c7752 --- /dev/null +++ b/roles/kubernetes/kubeadm/prune/tasks/net_kubeguard.yml @@ -0,0 +1,14 @@ +--- +- name: stop/disable systemd units for stale kubeguard peers + loop: "{{ groups['_kubernetes_nodes_prune_'] | default([]) }}" + systemd: + name: "kubeguard-peer-{{ item }}.service" + state: stopped + enabled: no + failed_when: false + +- name: remove systemd units for stale kubeguard peers + loop: "{{ groups['_kubernetes_nodes_prune_'] | default([]) }}" + file: + name: "/etc/systemd/system/kubeguard-peer-{{ item }}.service" + state: absent diff --git a/roles/kubernetes/kubeadm/prune/tasks/net_none.yml b/roles/kubernetes/kubeadm/prune/tasks/net_none.yml new file mode 100644 index 00000000..94832c38 --- /dev/null +++ b/roles/kubernetes/kubeadm/prune/tasks/net_none.yml @@ -0,0 +1,2 @@ +--- +## nothing to do here -- cgit v1.2.3 From b77997ae59aedcf9afb292cf2eb7a49999a33e94 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Sat, 20 Jun 2020 19:37:18 +0200 Subject: kubernetes: add network-plugin kube-router --- .../kubeadm/base/tasks/net_kube-router.yml | 8 + .../kubeadm/master/tasks/net_kube-router.yml | 10 + .../templates/net_kube-router/config.0.4.0.yml.j2 | 237 +++++++++++++++++++++ .../kubeadm/prune/tasks/net_kube-router.yml | 2 + roles/kubernetes/kubeadm/reset/tasks/main.yml | 1 + 5 files changed, 258 insertions(+) create mode 100644 roles/kubernetes/kubeadm/base/tasks/net_kube-router.yml create mode 100644 roles/kubernetes/kubeadm/master/tasks/net_kube-router.yml create mode 100644 roles/kubernetes/kubeadm/master/templates/net_kube-router/config.0.4.0.yml.j2 create mode 100644 roles/kubernetes/kubeadm/prune/tasks/net_kube-router.yml (limited to 'roles/kubernetes/kubeadm/prune') diff --git a/roles/kubernetes/kubeadm/base/tasks/net_kube-router.yml b/roles/kubernetes/kubeadm/base/tasks/net_kube-router.yml new file mode 100644 index 00000000..246b20bc --- /dev/null +++ b/roles/kubernetes/kubeadm/base/tasks/net_kube-router.yml @@ -0,0 +1,8 @@ +--- +- name: install packages needed for debugging kube-router + apt: + name: + - iptables + - ipvsadm + - ipset + state: present diff --git a/roles/kubernetes/kubeadm/master/tasks/net_kube-router.yml b/roles/kubernetes/kubeadm/master/tasks/net_kube-router.yml new file mode 100644 index 00000000..5368b6f5 --- /dev/null +++ b/roles/kubernetes/kubeadm/master/tasks/net_kube-router.yml @@ -0,0 +1,10 @@ +--- +- name: generate kube-router configuration + template: + src: "net_kube-router/config.{{ kubernetes_network_plugin_version }}.yml.j2" + dest: /etc/kubernetes/network-plugin.yml + +- name: install kube-router on to the cluster + command: kubectl --kubeconfig /etc/kubernetes/admin.conf apply -f /etc/kubernetes/network-plugin.yml + register: kube_router_apply_result + changed_when: (kube_router_apply_result.stdout_lines | reject("regex", " unchanged$") | list | length) > 0 diff --git a/roles/kubernetes/kubeadm/master/templates/net_kube-router/config.0.4.0.yml.j2 b/roles/kubernetes/kubeadm/master/templates/net_kube-router/config.0.4.0.yml.j2 new file mode 100644 index 00000000..b06687d5 --- /dev/null +++ b/roles/kubernetes/kubeadm/master/templates/net_kube-router/config.0.4.0.yml.j2 @@ -0,0 +1,237 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: kube-router-kubeconfig + namespace: kube-system + labels: + tier: node + k8s-app: kube-router +data: + kubeconfig.conf: | + apiVersion: v1 + kind: Config + clusters: + - cluster: + certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt + server: https://127.0.0.1:{{ kubernetes_api_lb_port | default('6443') }} + name: default + contexts: + - context: + cluster: default + namespace: default + user: default + name: default + current-context: default + users: + - name: default + user: + tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: kube-router-cfg + namespace: kube-system + labels: + tier: node + k8s-app: kube-router +data: + cni-conf.json: | + { + "cniVersion":"0.3.0", + "name":"mynet", + "plugins":[ + { + "name":"kubernetes", + "type":"bridge", + "bridge":"kube-bridge", + "isDefaultGateway":true, + "hairpinMode": true, + "ipam":{ + "type":"host-local" + } + }, + { + "type":"portmap", + "capabilities":{ + "snat":true, + "portMappings":true + } + } + ] + } +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + labels: + k8s-app: kube-router + tier: node + name: kube-router + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: kube-router + tier: node + template: + metadata: + labels: + k8s-app: kube-router + tier: node + annotations: + prometheus.io/scrape: "true" + prometheus.io/port: "8080" + spec: + priorityClassName: system-node-critical + serviceAccountName: kube-router + serviceAccount: kube-router + containers: + - name: kube-router + image: docker.io/cloudnativelabs/kube-router:v{{ kubernetes_network_plugin_version }} + imagePullPolicy: Always + args: + - --run-router=true + - --run-firewall=true + - --run-service-proxy={{ kubernetes_network_plugin_replaces_kube_proxy | string | lower }} + - --kubeconfig=/var/lib/kube-router/kubeconfig + - --hairpin-mode + - --iptables-sync-period=10s + - --ipvs-sync-period=10s + - --routes-sync-period=10s + env: + - name: NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: KUBE_ROUTER_CNI_CONF_FILE + value: /etc/cni/net.d/10-kuberouter.conflist + livenessProbe: + httpGet: + path: /healthz + port: 20244 + initialDelaySeconds: 10 + periodSeconds: 3 + resources: + requests: + cpu: 250m + memory: 250Mi + securityContext: + privileged: true + volumeMounts: + - name: lib-modules + mountPath: /lib/modules + readOnly: true + - name: cni-conf-dir + mountPath: /etc/cni/net.d + - name: kubeconfig + mountPath: /var/lib/kube-router + readOnly: true + - name: xtables-lock + mountPath: /run/xtables.lock + readOnly: false + initContainers: + - name: install-cni + image: busybox + imagePullPolicy: Always + command: + - /bin/sh + - -c + - set -e -x; + if [ ! -f /etc/cni/net.d/10-kuberouter.conflist ]; then + if [ -f /etc/cni/net.d/*.conf ]; then + rm -f /etc/cni/net.d/*.conf; + fi; + TMP=/etc/cni/net.d/.tmp-kuberouter-cfg; + cp /etc/kube-router/cni-conf.json ${TMP}; + mv ${TMP} /etc/cni/net.d/10-kuberouter.conflist; + fi + volumeMounts: + - name: cni-conf-dir + mountPath: /etc/cni/net.d + - name: kube-router-cfg + mountPath: /etc/kube-router + hostNetwork: true + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoSchedule + key: node-role.kubernetes.io/master + operator: Exists + - effect: NoSchedule + key: node.kubernetes.io/not-ready + operator: Exists + volumes: + - name: lib-modules + hostPath: + path: /lib/modules + - name: cni-conf-dir + hostPath: + path: /etc/cni/net.d + - name: kube-router-cfg + configMap: + name: kube-router-cfg + - name: kubeconfig + configMap: + name: kube-router-kubeconfig + items: + - key: kubeconfig.conf + path: kubeconfig + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kube-router + namespace: kube-system +--- +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kube-router + namespace: kube-system +rules: + - apiGroups: + - "" + resources: + - namespaces + - pods + - services + - nodes + - endpoints + verbs: + - list + - get + - watch + - apiGroups: + - "networking.k8s.io" + resources: + - networkpolicies + verbs: + - list + - get + - watch + - apiGroups: + - extensions + resources: + - networkpolicies + verbs: + - get + - list + - watch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1beta1 +metadata: + name: kube-router +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kube-router +subjects: +- kind: ServiceAccount + name: kube-router + namespace: kube-system diff --git a/roles/kubernetes/kubeadm/prune/tasks/net_kube-router.yml b/roles/kubernetes/kubeadm/prune/tasks/net_kube-router.yml new file mode 100644 index 00000000..94832c38 --- /dev/null +++ b/roles/kubernetes/kubeadm/prune/tasks/net_kube-router.yml @@ -0,0 +1,2 @@ +--- +## nothing to do here diff --git a/roles/kubernetes/kubeadm/reset/tasks/main.yml b/roles/kubernetes/kubeadm/reset/tasks/main.yml index cf9c125d..8a21fbd5 100644 --- a/roles/kubernetes/kubeadm/reset/tasks/main.yml +++ b/roles/kubernetes/kubeadm/reset/tasks/main.yml @@ -14,6 +14,7 @@ - /etc/kubernetes/network-plugin.yml - /etc/kubernetes/node-local-dns.yml - /etc/kubernetes/addons + - /etc/default/kubelet file: path: "{{ item }}" state: absent -- cgit v1.2.3