From 6caf5b0ac3061d50987d5f2df339b734f40b4d53 Mon Sep 17 00:00:00 2001
From: Aleksandr Didenko
Date: Tue, 27 Sep 2016 11:10:13 +0200
Subject: [PATCH 1/6] Fix delegate_to expression in download tasks

"else omit" is causing problems in this expression. Replacing it with more strict "inventory_hostname" fixes the issue and handles `download_run_once` as expected.

Closes issue #514
---
 roles/download/tasks/main.yml | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index 6329a1108..72cf0a374 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -9,7 +9,7 @@
 - name: Create dest directories
   file: path={{local_release_dir}}/{{download.dest|dirname}} state=directory recurse=yes
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
+  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
   run_once: "{{ download_run_once|bool }}"
 
 - name: Download items
@@ -24,7 +24,7 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
+  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
   run_once: "{{ download_run_once|bool }}"
 
 - name: Extract archives
@@ -35,7 +35,7 @@
     mode: "{{ download.mode|default(omit) }}"
     copy: no
   when: "{{ download.enabled|bool and not download.container|bool and download.unarchive is defined and download.unarchive == True }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
+  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
   run_once: "{{ download_run_once|bool }}"
 
 - name: Fix permissions
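Review bot: With `download_run_once` enabled, the `delegate_to`/`run_once` pair on the Create dest directories task — and the identical pairs in the hunks at -24, -35, -45 and -65 — runs each step on `groups['kube-master'][0]` alone, so the downloaded artifacts exist only on that host; nothing in these hunks copies them to the other nodes, and the Extract archives and Fix permissions tasks are delegated the same way, so they too only touch the master. When `download_run_once` is true the expression also indexes `groups['kube-master'][0]`, which fails if that group is empty or absent from the inventory. A comment above the first task such as `# download_run_once: fetch on the first master only; artifacts are not yet distributed to other nodes` would make the limitation visible until a distribution step exists (a later commit in this series removes these lines as unimplemented). Each task's module arguments begin above the hunk, so the full tasks are not visible here.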
@@ -45,7 +45,7 @@
     owner: "{{ download.owner|default(omit) }}"
     mode: "{{ download.mode|default(omit) }}"
   when: "{{ download.enabled|bool and not download.container|bool and (download.unarchive is not defined or download.unarchive == False) }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
+  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
   run_once: "{{ download_run_once|bool }}"
 
 - name: pulling...
@@ -65,7 +65,7 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   when: "{{ download.enabled|bool and download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else omit }}"
+  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
   run_once: "{{ download_run_once|bool }}"
 
 - set_fact:

From 2b6866484e857f9fb28e060ae9ebfaa8ffb789c4 Mon Sep 17 00:00:00 2001
From: Aleksandr Didenko
Date: Thu, 22 Sep 2016 17:34:11 +0200
Subject: [PATCH 2/6] Allow to use custom "canalized" calico cni

- Allow to overwrite calico cni binaries copied from hyperkube by the custom ones.
- Fix calico-ipam deployment (it had wrong source in rsync)
- Make copy from hyperkube idempotent (use rsync instead of cp)
- Remove some orphaned comments
---
 roles/network_plugin/calico/defaults/main.yml | 5 +++--
 roles/network_plugin/calico/tasks/main.yml | 22 +++++++++----------
 2 files changed, 14 insertions(+), 13 deletions(-)

diff --git a/roles/network_plugin/calico/defaults/main.yml b/roles/network_plugin/calico/defaults/main.yml
index b5b275e04..45b04c8a9 100644
--- a/roles/network_plugin/calico/defaults/main.yml
+++ b/roles/network_plugin/calico/defaults/main.yml
@@ -5,5 +5,6 @@ nat_outgoing: true
 # Use IP-over-IP encapsulation across hosts
 ipip: false
 
-# cloud_provider can only be set to 'gce' or 'aws'
-# cloud_provider:
+# Set to true if you want your calico cni binaries to overwrite the
+# ones from hyperkube while leaving other cni plugins intact.
+overwrite_hyperkube_cni: false
diff --git a/roles/network_plugin/calico/tasks/main.yml b/roles/network_plugin/calico/tasks/main.yml
index d0d5c47c9..2ce342b20 100644
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -32,18 +32,8 @@
     use_hyperkube_cni: true
   when: kube_version | version_compare('v1.3.4','>=')
 
-- name: Calico | Install calico cni bin
-  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico"
-  changed_when: false
-  when: "{{ not use_hyperkube_cni|bool }}"
-
-- name: Calico | Install calico-ipam cni bin
-  command: rsync -piu "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico-ipam"
-  changed_when: false
-  when: "{{ not use_hyperkube_cni|bool }}"
-
 - name: Calico | Copy cni plugins from hyperkube
-  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
+  command: "/usr/bin/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -a /opt/cni/bin/ /cnibindir/"
   register: cni_task_result
   until: cni_task_result.rc == 0
   retries: 4
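Review bot: The new `rsync -a` run inside the hyperkube container preserves owner and group (`-a` includes `-o -g`) when writing into the bind-mounted host directory `/opt/cni/bin`, whereas the replaced `/bin/cp -r` created root-owned files; if any plugin in the image is not owned by root, the host copy now inherits that uid/gid, which could leave a CNI binary that the kubelet executes as root writable by a non-root account on the node. Consider `rsync -rlptD` (archive semantics without ownership) or a follow-up `file:` task that enforces `owner=root group=root` on `/opt/cni/bin`. The command also assumes `/usr/bin/rsync` exists in whatever `{{ hyperkube_image_repo }}:{{ hyperkube_image_tag }}` the operator selects; a missing binary only surfaces as the task failing after its retries, so a comment such as `# requires rsync inside the hyperkube image` above the task would document the dependency. The task's remaining keywords continue below the hunk.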
@@ -51,6 +41,16 @@
   changed_when: false
   when: "{{ use_hyperkube_cni|bool }}"
 
+- name: Calico | Install calico cni bin
+  command: rsync -pi "{{ local_release_dir }}/calico/bin/calico" "/opt/cni/bin/calico"
+  changed_when: false
+  when: "{{ not use_hyperkube_cni|bool or overwrite_hyperkube_cni|bool }}"
+
+- name: Calico | Install calico-ipam cni bin
+  command: rsync -pi "{{ local_release_dir }}/calico/bin/calico-ipam" "/opt/cni/bin/calico-ipam"
+  changed_when: false
+  when: "{{ not use_hyperkube_cni|bool or overwrite_hyperkube_cni|bool }}"
+
 - name: Calico | wait for etcd
   uri: url=http://localhost:2379/health
   register: result

From d548cb6ac200be07b6712ca484102b37ad19db60 Mon Sep 17 00:00:00 2001
From: keglevich3
Date: Thu, 29 Sep 2016 17:44:24 +0300
Subject: [PATCH 3/6] changed to the correct link

---
 docs/aws.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docs/aws.md b/docs/aws.md
index 1070958b9..429e77a54 100644
--- a/docs/aws.md
+++ b/docs/aws.md
@@ -1,7 +1,7 @@
 AWS
 ===============
 
-To deploy kubespray on [AWS](https://www.openstack.org/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'aws'`.
+To deploy kubespray on [AWS](https://aws.amazon.com/) uncomment the `cloud_provider` option in `group_vars/all.yml` and set it to `'aws'`.
 
 Prior to creating your instances, you **must** ensure that you have created IAM roles and policies for both "kubernetes-master" and "kubernetes-node". You can find the IAM policies [here](https://github.com/kubernetes/kubernetes/tree/master/cluster/aws/templates/iam). See the [IAM Documentation](https://aws.amazon.com/documentation/iam/) if guidance is needed on how to set these up. When you bring your instances online, associate them with the respective IAM role. Nodes that are only to be used for Etcd do not need a role.
 

From a6a5d0e068c9029817ef1e8c9f03761b1069f420 Mon Sep 17 00:00:00 2001
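Review bot: Both new tasks keep `changed_when: false` and register nothing, yet `rsync -pi` (the `-u` of the removed tasks is gone, so the copy happens whenever the sources differ) will replace `/opt/cni/bin/calico` and `/opt/cni/bin/calico-ipam` on the host; a run that swaps out a CNI binary therefore shows no change in the play recap and cannot be noticed from Ansible output. Since `-i` itemizes exactly what was transferred, register the result and derive the state from it, e.g. `register: calico_cni_copy` followed by `changed_when: calico_cni_copy.stdout != ""`, in both tasks. With `overwrite_hyperkube_cni` set, the local `{{ local_release_dir }}/calico/bin` copies also silently take precedence over the hyperkube-provided binaries installed by the preceding task; stating that in the task `name` or in the variable's comment in defaults would make the precedence explicit. The surrounding task list begins and ends outside the hunk.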
From: Bogdan Dobrelya
Date: Thu, 29 Sep 2016 17:24:31 +0200
Subject: [PATCH 4/6] Skip download_run_once for binaries as unimplemented yet

Signed-off-by: Bogdan Dobrelya
---
 roles/download/tasks/main.yml | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/roles/download/tasks/main.yml b/roles/download/tasks/main.yml
index b6d03433d..528e449b1 100644
--- a/roles/download/tasks/main.yml
+++ b/roles/download/tasks/main.yml
@@ -9,8 +9,6 @@
 - name: Create dest directories
   file: path={{local_release_dir}}/{{download.dest|dirname}} state=directory recurse=yes
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Download items
   get_url:
@@ -24,8 +22,6 @@
   retries: 4
   delay: "{{ retry_stagger | random + 3 }}"
   when: "{{ download.enabled|bool and not download.container|bool }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Extract archives
   unarchive:
@@ -35,8 +31,6 @@
     mode: "{{ download.mode|default(omit) }}"
     copy: no
   when: "{{ download.enabled|bool and not download.container|bool and download.unarchive is defined and download.unarchive == True }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: Fix permissions
   file:
@@ -45,8 +39,6 @@
     owner: "{{ download.owner|default(omit) }}"
     mode: "{{ download.mode|default(omit) }}"
   when: "{{ download.enabled|bool and not download.container|bool and (download.unarchive is not defined or download.unarchive == False) }}"
-  delegate_to: "{{ groups['kube-master'][0] if download_run_once|bool else inventory_hostname }}"
-  run_once: "{{ download_run_once|bool }}"
 
 - name: pulling...
   debug:

From fb0ee9d84a5d093ff55bb1efc79749188b6405b6 Mon Sep 17 00:00:00 2001
From: Aleksandr Didenko
Date: Mon, 3 Oct 2016 12:08:41 +0200
Subject: [PATCH 5/6] Add support for --masquerade-all in kube-proxy

New boolean var `kube_proxy_masquerade_all` which enables/disables `--masquerade-all` argument for kube-proxy.

Closes #524
---
 roles/kubernetes/node/defaults/main.yml | 3 +++
 .../kubernetes/node/templates/manifests/kube-proxy.manifest.j2 | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 94da756be..2c1738370 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -8,6 +8,9 @@ kube_resolv_conf: "/etc/resolv.conf"
 
 kube_proxy_mode: iptables
 
+# If using the pure iptables proxy, SNAT everything
+kube_proxy_masquerade_all: true
+
 # kube_api_runtime_config:
 # - extensions/v1beta1/daemonsets=true
 # - extensions/v1beta1/deployments=true
diff --git a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2 b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
index 296658cbd..f0c4bc211 100644
--- a/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
+++ b/roles/kubernetes/node/templates/manifests/kube-proxy.manifest.j2
@@ -18,6 +18,9 @@ spec:
 {% endif %}
     - --bind-address={{ ip | default(ansible_default_ipv4.address) }}
     - --proxy-mode={{ kube_proxy_mode }}
+{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}
+    - --masquerade-all
+{% endif %}
     securityContext:
       privileged: true
     volumeMounts:

From f4e6fdc19373e021dfabad18fe6d17c84f38422b Mon Sep 17 00:00:00 2001
From: Matthew Mosesohn
Date: Tue, 4 Oct 2016 18:31:42 +0300
Subject: [PATCH 6/6] Enable quorum read for apiserver

This reduces the likelihood of apiserver status updates timing out due to etcd write conflicts.
---
 .../master/templates/manifests/kube-apiserver.manifest.j2 | 1 +
 1 file changed, 1 insertion(+)

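Review bot: `kube_proxy_masquerade_all: true` switches SNAT on for all Service traffic by default on every existing deployment, so backend pods — and anything that logs or filters on the client address, such as source-based network policy — see a node-side source address instead of the calling pod's; the added comment repeats the kube-proxy flag help without stating that trade-off. Consider defaulting to `false`, or extend the comment to `# If using the pure iptables proxy, SNAT everything. Backends then see the node address, not the client pod IP, as source.` so the cost of the default is documented next to it.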
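Review bot: `{% if kube_proxy_masquerade_all and kube_proxy_mode == "iptables" %}` tests Jinja truthiness of the raw variable, so a value supplied as a string — `-e kube_proxy_masquerade_all=false` on the command line, or a quoted `"false"` in inventory — is a non-empty string and therefore true, and `--masquerade-all` is still emitted after the operator disabled it. Other roles in this series consistently coerce such flags (`download.enabled|bool`, `use_hyperkube_cni|bool`); use `{% if kube_proxy_masquerade_all|bool and kube_proxy_mode == "iptables" %}` here. The container `command` list this is inserted into starts and ends outside the hunk.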
diff --git a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2 b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
index cd6d77715..56023b997 100644
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -13,6 +13,7 @@ spec:
     - apiserver
     - --advertise-address={{ ip | default(ansible_default_ipv4.address) }}
     - --etcd-servers={{ etcd_access_endpoint }}
+    - --etcd-quorum-read=true
     - --insecure-bind-address={{ kube_apiserver_insecure_bind_address }}
     - --apiserver-count={{ kube_apiserver_count }}
     - --admission-control=NamespaceLifecycle,NamespaceExists,LimitRanger,ServiceAccount,ResourceQuota
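Review bot: `--etcd-quorum-read=true` is hard-coded in a `command` list where the neighbouring `--insecure-bind-address` and `--apiserver-count` entries are driven by role variables, so an operator cannot turn quorum reads off without editing the template; a role default such as `kube_apiserver_etcd_quorum_read: true` (constructed name) rendered as `- --etcd-quorum-read={{ kube_apiserver_etcd_quorum_read | lower }}` would match the surrounding style. The rationale in the commit message — quorum reads avoid stale reads and the resulting status-update write conflicts — lives only in git history; a short template comment above the line would keep it with the code, since each quorum read also costs an extra etcd round-trip. The `command` list begins and ends outside the hunk.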