Merge pull request #321 from bmcstdio/bmcstdio/base-tech-bump

Kubernetes v1.10.9 and other base tech bumps
pires · Oct 28, 2018 · 56ebbaa · 56ebbaa
2 parents aacc437 + 6f7600e
commit 56ebbaa
Show file tree

Hide file tree

Showing 13 changed files with 83 additions and 460 deletions.
diff --git a/README.md b/README.md
@@ -139,7 +139,7 @@ Most aspects of your cluster setup can be customized with environment variables.
 
  - **KUBERNETES_VERSION** defines the specific kubernetes version being used.
 
-   Defaults to `1.10.5`.
+   Defaults to `1.10.9`.
    Versions prior to `1.10.0` **may not work** with current cloud-configs and Kubernetes descriptors.
 
  - **USE_KUBE_UI** defines whether to deploy or not the Kubernetes UI

diff --git a/Vagrantfile b/Vagrantfile
@@ -84,7 +84,7 @@ DOCKERCFG = File.expand_path(ENV["DOCKERCFG"] || "~/.dockercfg")
 
 DOCKER_OPTIONS = ENV["DOCKER_OPTIONS"] || ""
 
-KUBERNETES_VERSION = ENV["KUBERNETES_VERSION"] || "1.10.5"
+KUBERNETES_VERSION = ENV["KUBERNETES_VERSION"] || "1.10.9"
 
 CHANNEL = ENV["CHANNEL"] || "alpha"
 
@@ -259,7 +259,7 @@ Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
           # give setup file executable permissions
           system "chmod +x temp/setup"
 
-          system "#{__dir__}/plugins/dns/coredns/deploy.sh 10.100.0.10/24 #{DNS_DOMAIN} #{__dir__}/plugins/dns/coredns/coredns.yaml.sed > #{__dir__}/temp/coredns-deployment.yaml"
+          system "#{__dir__}/plugins/coredns/deploy.sh 10.100.0.10/24 #{DNS_DOMAIN} #{__dir__}/plugins/coredns/coredns.yaml.sed > #{__dir__}/temp/coredns-deployment.yaml"
 
           # Replace __CLUSTER_CIDR__ in calico.yaml.tmpl with the value of CLUSTER_CIDR
           calicoTmpl = File.read("#{__dir__}/plugins/calico/calico.yaml.tmpl")

diff --git a/plugins/calico/calico-rbac.yaml b/plugins/calico/calico-rbac.yaml
@@ -1,5 +1,5 @@
-# Calico Version v3.2.3
-# https://docs.projectcalico.org/v3.2/releases#v3.2.3
+# Calico Version v3.3.0
+# https://docs.projectcalico.org/v3.3/releases#v3.3.0
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1beta1
 metadata:
@@ -17,15 +17,14 @@ rules:
     resources:
       - pods/status
     verbs:
-      - update
+      - patch
   - apiGroups: [""]
     resources:
       - pods
     verbs:
       - get
       - list
       - watch
-      - patch
   - apiGroups: [""]
     resources:
       - services

diff --git a/plugins/calico/calico.yaml.tmpl b/plugins/calico/calico.yaml.tmpl
@@ -1,8 +1,8 @@
-# Calico Version v3.2.3
-# https://docs.projectcalico.org/v3.2/releases#v3.2.3
+# Calico Version v3.3.0
+# https://docs.projectcalico.org/v3.3/releases#v3.3.0
 # This manifest includes the following component versions:
-#   calico/node:v3.2.3
-#   calico/cni:v3.2.3
+#   calico/node:v3.3.0
+#   calico/cni:v3.3.0
 
 # This ConfigMap is used to configure a self-hosted Calico installation.
 kind: ConfigMap
@@ -104,6 +104,7 @@ spec:
         # add-on, ensuring it gets priority scheduling and that its resources are reserved
         # if it ever gets evicted.
         scheduler.alpha.kubernetes.io/critical-pod: ''
+        cluster-autoscaler.kubernetes.io/safe-to-evict: 'true'
     spec:
       nodeSelector:
         beta.kubernetes.io/os: linux
@@ -116,7 +117,7 @@ spec:
       # as a host-networked pod.
       serviceAccountName: calico-node
       containers:
-      - image: quay.io/calico/typha:v3.2.3
+      - image: quay.io/calico/typha:v3.3.0
         name: calico-typha
         ports:
         - containerPort: 5473
@@ -163,6 +164,23 @@ spec:
 
 ---
 
+# This manifest creates a Pod Disruption Budget for Typha to allow K8s Cluster Autoscaler to evict
+
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+  name: calico-typha
+  namespace: kube-system
+  labels:
+    k8s-app: calico-typha
+spec:
+  maxUnavailable: 1
+  selector:
+    matchLabels:
+      k8s-app: calico-typha
+
+---
+
 # This manifest installs the calico/node container, as well
 # as the Calico CNI plugins and network config on
 # each master and worker node in a Kubernetes cluster.
@@ -213,7 +231,7 @@ spec:
         # container programs network policy and routes on each
         # host.
         - name: calico-node
-          image: quay.io/calico/node:v3.2.3
+          image: quay.io/calico/node:v3.3.0
           env:
             # Use Kubernetes API as the backing datastore.
             - name: DATASTORE_TYPE
@@ -247,9 +265,6 @@ spec:
             # Enable IPIP
             - name: CALICO_IPV4POOL_IPIP
               value: "Always"
-            # Enable IP-in-IP within Felix.
-            - name: FELIX_IPINIPENABLED
-              value: "true"
             # Set MTU for tunnel device used if ipip is enabled
             - name: FELIX_IPINIPMTU
               valueFrom:
@@ -299,6 +314,9 @@ spec:
             - mountPath: /lib/modules
               name: lib-modules
               readOnly: true
+            - mountPath: /run/xtables.lock
+              name: xtables-lock
+              readOnly: false
             - mountPath: /var/run/calico
               name: var-run-calico
               readOnly: false
@@ -308,7 +326,7 @@ spec:
         # This container installs the Calico CNI binaries
         # and CNI network config file on each node.
         - name: install-cni
-          image: quay.io/calico/cni:v3.2.3
+          image: quay.io/calico/cni:v3.3.0
           command: ["/install-cni.sh"]
           env:
             # Name of the CNI config file to create.
@@ -347,6 +365,10 @@ spec:
         - name: var-lib-calico
           hostPath:
             path: /var/lib/calico
+        - name: xtables-lock
+          hostPath:
+            path: /run/xtables.lock
+            type: FileOrCreate
         # Used to install CNI.
         - name: cni-bin-dir
           hostPath:

diff --git a/plugins/dns/coredns/coredns.yaml.sed → plugins/coredns/coredns.yaml.sed b/plugins/dns/coredns/coredns.yaml.sed → plugins/coredns/coredns.yaml.sed
@@ -3,16 +3,12 @@ kind: ServiceAccount
 metadata:
   name: coredns
   namespace: kube-system
-  labels:
-      kubernetes.io/cluster-service: "true"
-      addonmanager.kubernetes.io/mode: Reconcile
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
 metadata:
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
-    addonmanager.kubernetes.io/mode: Reconcile
   name: system:coredns
 rules:
 - apiGroups:
@@ -25,15 +21,20 @@ rules:
   verbs:
   - list
   - watch
+- apiGroups:
+  - ""
+  resources:
+  - nodes
+  verbs:
+  - get
 ---
-apiVersion: rbac.authorization.k8s.io/v1
+apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRoleBinding
 metadata:
   annotations:
     rbac.authorization.kubernetes.io/autoupdate: "true"
   labels:
     kubernetes.io/bootstrapping: rbac-defaults
-    addonmanager.kubernetes.io/mode: EnsureExists
   name: system:coredns
 roleRef:
   apiGroup: rbac.authorization.k8s.io
@@ -49,51 +50,57 @@ kind: ConfigMap
 metadata:
   name: coredns
   namespace: kube-system
-  labels:
-      addonmanager.kubernetes.io/mode: EnsureExists
 data:
   Corefile: |
     .:53 {
         errors
-        log
         health
         kubernetes CLUSTER_DOMAIN SERVICE_CIDR {
           pods insecure
+          upstream
+          fallthrough in-addr.arpa ip6.arpa
         }
-        prometheus
+        prometheus :9153
         proxy . /etc/resolv.conf
         cache 30
+        loop
+        reload
+        loadbalance
     }
 ---
-apiVersion: apps/v1
+apiVersion: extensions/v1beta1
 kind: Deployment
 metadata:
   name: coredns
   namespace: kube-system
   labels:
-    k8s-app: coredns
-    kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
+    k8s-app: kube-dns
     kubernetes.io/name: "CoreDNS"
 spec:
-  replicas: 1
+  replicas: 2
+  strategy:
+    type: RollingUpdate
+    rollingUpdate:
+      maxUnavailable: 1
   selector:
     matchLabels:
-      k8s-app: coredns
+      k8s-app: kube-dns
   template:
     metadata:
       labels:
-        k8s-app: coredns
+        k8s-app: kube-dns
     spec:
       serviceAccountName: coredns
       tolerations:
         - key: node-role.kubernetes.io/master
           effect: NoSchedule
         - key: "CriticalAddonsOnly"
           operator: "Exists"
+      nodeSelector:
+        beta.kubernetes.io/os: linux
       containers:
       - name: coredns
-        image: coredns/coredns:1.1.2
+        image: coredns/coredns:1.2.5
         imagePullPolicy: IfNotPresent
         resources:
           limits:
@@ -105,6 +112,7 @@ spec:
         volumeMounts:
         - name: config-volume
           mountPath: /etc/coredns
+          readOnly: true
         ports:
         - containerPort: 53
           name: dns
@@ -115,6 +123,14 @@ spec:
         - containerPort: 9153
           name: metrics
           protocol: TCP
+        securityContext:
+          allowPrivilegeEscalation: false
+          capabilities:
+            add:
+            - NET_BIND_SERVICE
+            drop:
+            - all
+          readOnlyRootFilesystem: true
         livenessProbe:
           httpGet:
             path: /health
@@ -136,24 +152,23 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: coredns
+  name: kube-dns
   namespace: kube-system
+  annotations:
+    prometheus.io/port: "9153"
+    prometheus.io/scrape: "true"
   labels:
-    k8s-app: coredns
+    k8s-app: kube-dns
     kubernetes.io/cluster-service: "true"
-    addonmanager.kubernetes.io/mode: Reconcile
     kubernetes.io/name: "CoreDNS"
 spec:
   selector:
-    k8s-app: coredns
+    k8s-app: kube-dns
   clusterIP: CLUSTER_DNS_IP
   ports:
   - name: dns
     port: 53
     protocol: UDP
   - name: dns-tcp
     port: 53
-    protocol: TCP
-  - name: metrics
-    port: 9153
     protocol: TCP
diff --git a/plugins/dns/coredns/deploy.sh → plugins/coredns/deploy.sh b/plugins/dns/coredns/deploy.sh → plugins/coredns/deploy.sh
diff --git a/plugins/dashboard/dashboard-rbac.yaml b/plugins/dashboard/dashboard-rbac.yaml
@@ -1,5 +1,5 @@
-apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: kubernetes-dashboard-minimal
   namespace: kube-system
@@ -45,18 +45,3 @@ subjects:
 - kind: ServiceAccount
   name: kubernetes-dashboard
   namespace: kube-system
----
-apiVersion: rbac.authorization.k8s.io/v1beta1
-kind: ClusterRoleBinding
-metadata:
-  name: kubernetes-dashboard
-  labels:
-    k8s-app: kubernetes-dashboard
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cluster-admin
-subjects:
-- kind: ServiceAccount
-  name: kubernetes-dashboard
-  namespace: kube-system
diff --git a/plugins/dashboard/dashboard.yaml b/plugins/dashboard/dashboard.yaml
@@ -15,8 +15,8 @@ metadata:
   name: kubernetes-dashboard
   namespace: kube-system
 ---
-apiVersion: apps/v1beta2
 kind: Deployment
+apiVersion: apps/v1beta2
 metadata:
   labels:
     k8s-app: kubernetes-dashboard
@@ -35,7 +35,7 @@ spec:
     spec:
       containers:
       - name: kubernetes-dashboard
-        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.8.3
+        image: k8s.gcr.io/kubernetes-dashboard-amd64:v1.10.0
         ports:
         - containerPort: 8443
           protocol: TCP
@@ -70,8 +70,8 @@ spec:
       - key: node-role.kubernetes.io/master
         effect: NoSchedule
 ---
-apiVersion: v1
 kind: Service
+apiVersion: v1
 metadata:
   labels:
     k8s-app: kubernetes-dashboard

diff --git a/plugins/dns/kube-dns/dns-configmap.yaml b/plugins/dns/kube-dns/dns-configmap.yaml