mirror of
https://github.com/poseidon/typhoon
synced 2024-06-02 04:46:10 +02:00
413585681b
* Kubelet `--lock-file` and `--exit-on-lock-contention` date back to usage of bootkube and at one point running Kubelet in a "self-hosted" style whereby an on-host Kubelet (rkt) started pods, but then a Kubelet DaemonSet was scheduled and able to take over (hence self-hosted). `lock-file` and `exit-on-lock-contention` flags supported this pivot. The pattern has been out of favor (in bootkube too) for years because of dueling Kubelet complexity * Typhoon runs Kubelet as a container via an on-host systemd unit using podman (Fedora CoreOS) or rkt (Flatcar Linux). In fact, Typhoon no longer uses bootkube or control plane pivot (let alone Kubelet pivot) and uses static pods since v1.16.0 * https://github.com/poseidon/typhoon/pull/536
120 lines
4.3 KiB
YAML
120 lines
4.3 KiB
YAML
---
|
|
variant: fcos
|
|
version: 1.0.0
|
|
systemd:
|
|
units:
|
|
- name: docker.service
|
|
enabled: true
|
|
- name: wait-for-dns.service
|
|
enabled: true
|
|
contents: |
|
|
[Unit]
|
|
Description=Wait for DNS entries
|
|
Before=kubelet.service
|
|
[Service]
|
|
Type=oneshot
|
|
RemainAfterExit=true
|
|
ExecStart=/bin/sh -c 'while ! /usr/bin/grep '^[^#[:space:]]' /etc/resolv.conf > /dev/null; do sleep 1; done'
|
|
[Install]
|
|
RequiredBy=kubelet.service
|
|
- name: kubelet.service
|
|
enabled: true
|
|
contents: |
|
|
[Unit]
|
|
Description=Kubelet (System Container)
|
|
Wants=rpc-statd.service
|
|
[Service]
|
|
Environment=KUBELET_IMAGE=quay.io/poseidon/kubelet:v1.18.3-4-g57fa88a
|
|
ExecStartPre=/bin/mkdir -p /etc/kubernetes/cni/net.d
|
|
ExecStartPre=/bin/mkdir -p /etc/kubernetes/manifests
|
|
ExecStartPre=/bin/mkdir -p /opt/cni/bin
|
|
ExecStartPre=/bin/mkdir -p /var/lib/calico
|
|
ExecStartPre=/bin/mkdir -p /var/lib/kubelet/volumeplugins
|
|
ExecStartPre=/usr/bin/bash -c "grep 'certificate-authority-data' /etc/kubernetes/kubeconfig | awk '{print $2}' | base64 -d > /etc/kubernetes/ca.crt"
|
|
ExecStartPre=-/usr/bin/podman rm kubelet
|
|
ExecStart=/usr/bin/podman run --name kubelet \
|
|
--privileged \
|
|
--pid host \
|
|
--network host \
|
|
--volume /etc/kubernetes:/etc/kubernetes:ro,z \
|
|
--volume /usr/lib/os-release:/etc/os-release:ro \
|
|
--volume /etc/ssl/certs:/etc/ssl/certs:ro \
|
|
--volume /lib/modules:/lib/modules:ro \
|
|
--volume /run:/run \
|
|
--volume /sys/fs/cgroup:/sys/fs/cgroup:ro \
|
|
--volume /sys/fs/cgroup/systemd:/sys/fs/cgroup/systemd \
|
|
--volume /etc/pki/tls/certs:/usr/share/ca-certificates:ro \
|
|
--volume /var/lib/calico:/var/lib/calico:ro \
|
|
--volume /var/lib/docker:/var/lib/docker \
|
|
--volume /var/lib/kubelet:/var/lib/kubelet:rshared,z \
|
|
--volume /var/log:/var/log \
|
|
--volume /var/run/lock:/var/run/lock:z \
|
|
--volume /opt/cni/bin:/opt/cni/bin:z \
|
|
$${KUBELET_IMAGE} \
|
|
--anonymous-auth=false \
|
|
--authentication-token-webhook \
|
|
--authorization-mode=Webhook \
|
|
--bootstrap-kubeconfig=/etc/kubernetes/kubeconfig \
|
|
--cgroup-driver=systemd \
|
|
--cgroups-per-qos=true \
|
|
--enforce-node-allocatable=pods \
|
|
--client-ca-file=/etc/kubernetes/ca.crt \
|
|
--cluster_dns=${cluster_dns_service_ip} \
|
|
--cluster_domain=${cluster_domain_suffix} \
|
|
--cni-conf-dir=/etc/kubernetes/cni/net.d \
|
|
--healthz-port=0 \
|
|
--kubeconfig=/var/lib/kubelet/kubeconfig \
|
|
--network-plugin=cni \
|
|
--node-labels=node.kubernetes.io/node \
|
|
%{~ for label in split(",", node_labels) ~}
|
|
--node-labels=${label} \
|
|
%{~ endfor ~}
|
|
--pod-manifest-path=/etc/kubernetes/manifests \
|
|
--read-only-port=0 \
|
|
--rotate-certificates \
|
|
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
|
|
ExecStop=-/usr/bin/podman stop kubelet
|
|
Delegate=yes
|
|
Restart=always
|
|
RestartSec=10
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
- name: delete-node.service
|
|
enabled: true
|
|
contents: |
|
|
[Unit]
|
|
Description=Delete Kubernetes node on shutdown
|
|
[Service]
|
|
Type=oneshot
|
|
RemainAfterExit=true
|
|
ExecStart=/bin/true
|
|
ExecStop=/bin/bash -c '/usr/bin/podman run --volume /etc/kubernetes:/etc/kubernetes:ro,z --entrypoint /usr/local/bin/kubectl quay.io/poseidon/kubelet:v1.18.3-4-g57fa88a --kubeconfig=/etc/kubernetes/kubeconfig delete node $HOSTNAME'
|
|
[Install]
|
|
WantedBy=multi-user.target
|
|
storage:
|
|
directories:
|
|
- path: /etc/kubernetes
|
|
files:
|
|
- path: /etc/kubernetes/kubeconfig
|
|
mode: 0644
|
|
contents:
|
|
inline: |
|
|
${kubeconfig}
|
|
- path: /etc/sysctl.d/max-user-watches.conf
|
|
contents:
|
|
inline: |
|
|
fs.inotify.max_user_watches=16184
|
|
- path: /etc/systemd/system.conf.d/accounting.conf
|
|
contents:
|
|
inline: |
|
|
[Manager]
|
|
DefaultCPUAccounting=yes
|
|
DefaultMemoryAccounting=yes
|
|
DefaultBlockIOAccounting=yes
|
|
passwd:
|
|
users:
|
|
- name: core
|
|
ssh_authorized_keys:
|
|
- ${ssh_authorized_key}
|
|
|