The feature was left in alpha for a few releases, since
k8s started planning on a broader feature UserNamespacesSupport,
which is what kubeadm should integrate with.
UserNamespacesSupport graduated to beta in 1.30.
Once it graduates to GA kubeadm can start using it and remove
RootlessControlPlane.
When using UpgradeNodeConfiguration.IgnorePreflightErrors the field
is currently ignored in favor of the "defaulted" field created
by configutil.FetchInitConfigurationFromCluster.
Fix this bug.
Add Upgrade{Apply|Node}Configuration.{ImagePullPolicy|ImagePullSerial}.
The same feature already exists in NodeRegistrationOptions for
{Init|Join}Configuration.
Use GetCurrentProcessToken() instead of checking the groups of a user.
The Go stdlib way of fetching the groups of a user appears
to be failing on some Windows setups, which could be a regression
in later Go versions, or simply the code does not work on certain
setups.
Allow the user to pass custom cert validity period with
ClusterConfiguration.CertificateValidityPeriod and
CACertificateValidityPeriod.
The defaults remain 1 year for regular certs and 10 years for the CA.
Show warnings if the provided values are more than the defaults.
Additional changes:
- In "certs show-expiration" use HumanDuration() to print
more detailed durations instead of ShortHumanDuration().
- Add a new kubeadm util GetStartTime() which can be used
to consistently get a UTC time for tasks like writing certs
and unit tests.
- Update unit tests to validate the new customizable NotAfter.
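The validity-period handling described above, as an added example that is not kubeadm's own code: a configurable per-cert and per-CA validity period with the 1-year / 10-year defaults, a warning when a requested period exceeds its default, a UTC start time used for every NotBefore/NotAfter, and an x509 chain built with those values so the resulting NotAfter can be checked against the verifier. The ValidityConfig struct, the function names and the subject names are assumptions for the example; the real ClusterConfiguration fields and GetStartTime() are only mirrored, not imported.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Defaults stated in the commit message: 1 year for regular certs, 10 years for the CA.
const (
	DefaultCertValidity   = 365 * 24 * time.Hour
	DefaultCACertValidity = 10 * 365 * 24 * time.Hour
)

// ValidityConfig stands in for the two ClusterConfiguration fields (assumed shape, not the
// real kubeadm API type). A zero duration means "use the default".
type ValidityConfig struct {
	CertificateValidityPeriod   time.Duration
	CACertificateValidityPeriod time.Duration
}

// StartTime normalises the clock to UTC at second precision (x509 encodes times at second
// granularity), so the NotBefore/NotAfter written into certs and the values a test checks
// agree. It plays the role the message gives GetStartTime().
func StartTime(now time.Time) time.Time { return now.UTC().Truncate(time.Second) }

// ResolveValidity applies the default when nothing was requested and returns a warning
// string when the requested period is longer than the default.
func ResolveValidity(requested, def time.Duration, what string) (time.Duration, string) {
	switch {
	case requested == 0:
		return def, ""
	case requested > def:
		return requested, fmt.Sprintf("WARNING: %s validity period %s is longer than the default %s", what, requested, def)
	default:
		return requested, ""
	}
}

// newTemplate builds a CA or leaf template with the given validity window.
func newTemplate(cn string, notBefore, notAfter time.Time, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	if err != nil {
		return nil, err
	}
	t := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	return t, nil
}

// IssueChain creates a self-signed CA and one leaf signed by it, with NotAfter derived from
// the configured (or default) periods. Warnings mirror what kubeadm would print.
func IssueChain(cfg ValidityConfig, now time.Time) (ca, leaf *x509.Certificate, warnings []string, err error) {
	start := StartTime(now)
	caPeriod, w := ResolveValidity(cfg.CACertificateValidityPeriod, DefaultCACertValidity, "CA certificate")
	if w != "" {
		warnings = append(warnings, w)
	}
	leafPeriod, w := ResolveValidity(cfg.CertificateValidityPeriod, DefaultCertValidity, "certificate")
	if w != "" {
		warnings = append(warnings, w)
	}
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, warnings, err
	}
	caTmpl, err := newTemplate("kubernetes-ca", start, start.Add(caPeriod), true)
	if err != nil {
		return nil, nil, warnings, err
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, warnings, err
	}
	if ca, err = x509.ParseCertificate(caDER); err != nil {
		return nil, nil, warnings, err
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, warnings, err
	}
	leafTmpl, err := newTemplate("kube-apiserver", start, start.Add(leafPeriod), false)
	if err != nil {
		return nil, nil, warnings, err
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, warnings, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return ca, leaf, warnings, err
}

// LeafValidAt reports whether leaf still chains to ca at instant t; past NotAfter it must not.
func LeafValidAt(ca, leaf *x509.Certificate, t time.Time) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: t})
	return err == nil
}

func main() {
	// Ask for a 2-year leaf (above the default) and leave the CA at its default.
	cfg := ValidityConfig{CertificateValidityPeriod: 2 * DefaultCertValidity}
	ca, leaf, warnings, err := IssueChain(cfg, time.Now())
	if err != nil {
		panic(err)
	}
	for _, w := range warnings {
		fmt.Println(w)
	}
	fmt.Println("CA NotAfter:  ", ca.NotAfter)
	fmt.Println("leaf NotAfter:", leaf.NotAfter)
	fmt.Println("leaf accepted one day after NotAfter:", LeafValidAt(ca, leaf, leaf.NotAfter.Add(24*time.Hour)))
}
```

Passing a period longer than the default only produces a warning, not an error, matching the message; the point of LeafValidAt is that whatever NotAfter is written, verifiers enforce it, so a 2-year leaf that the operator asked for is genuinely trusted for 2 years.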
Instead of erroring during the preflight check 'CreateJob'
from "upgrade" commands when there are no schedulable nodes,
show a warning.
This can happen in single node clusters.
Also increase the Job TTL after completion to 20 seconds
to make sure it's more than the timeout that waits
for the Job to complete.
There is no point in tracking more than 3 etcd versions at a time
where each etcd version maps to a k8s CP version.
It's 3 instead of 2 (k8s CP / kubeadm version skew size) because
there is a period of time where the 3rd version (newest) will
be WIP at k/k master - e.g. at the time of this commit it's 1.31.
Add a unit test to block on this.
Also pin the min etcd version to 3.5.11.
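A check of the kind the unit test above would block on, as an added example that is not kubeadm's own code or test: a k8s-minor to etcd-version table is rejected when it tracks more than 3 entries or when any entry is below the 3.5.11 floor. The table contents, the function names and the uint8-keyed map shape are constructed for the example; only the limits come from the commit message.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// MaxTrackedEtcdVersions is the window from the commit message: the 2-version k8s CP / kubeadm
// skew plus the version that is still work-in-progress on k/k master.
const MaxTrackedEtcdVersions = 3

// MinEtcdVersion is the floor the commit message pins.
const MinEtcdVersion = "3.5.11"

// SupportedEtcdVersion is a constructed sample of the k8s-minor -> etcd-version table;
// the entries are illustrative, not kubeadm's real table.
var SupportedEtcdVersion = map[uint8]string{
	29: "3.5.11",
	30: "3.5.12",
	31: "3.5.13",
}

// parseVersion turns "X.Y.Z" (optionally prefixed with "v") into three ints.
func parseVersion(s string) ([3]int, error) {
	var v [3]int
	parts := strings.Split(strings.TrimPrefix(s, "v"), ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("version %q is not X.Y.Z", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil || n < 0 {
			return v, fmt.Errorf("version %q has non-numeric component %q", s, p)
		}
		v[i] = n
	}
	return v, nil
}

// compareVersions returns -1, 0 or 1 as a is less than, equal to, or greater than b.
func compareVersions(a, b [3]int) int {
	for i := range a {
		switch {
		case a[i] < b[i]:
			return -1
		case a[i] > b[i]:
			return 1
		}
	}
	return 0
}

// ValidateEtcdVersionTable enforces the two invariants: at most limit tracked versions,
// and no entry below floor. Every entry must also parse as X.Y.Z.
func ValidateEtcdVersionTable(table map[uint8]string, limit int, floor string) error {
	if len(table) > limit {
		return fmt.Errorf("table tracks %d etcd versions, more than the allowed %d", len(table), limit)
	}
	floorV, err := parseVersion(floor)
	if err != nil {
		return err
	}
	for k8sMinor, etcd := range table {
		v, err := parseVersion(etcd)
		if err != nil {
			return fmt.Errorf("k8s 1.%d: %w", k8sMinor, err)
		}
		if compareVersions(v, floorV) < 0 {
			return fmt.Errorf("k8s 1.%d maps to etcd %s, below the minimum %s", k8sMinor, etcd, floor)
		}
	}
	return nil
}

func main() {
	if err := ValidateEtcdVersionTable(SupportedEtcdVersion, MaxTrackedEtcdVersions, MinEtcdVersion); err != nil {
		panic(err)
	}
	fmt.Println("etcd version table OK")
}
```

Keeping the limit as a named constant next to the table means adding a fourth minor without retiring the oldest one fails the build's tests rather than silently growing the support matrix.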
During upgrade apply we had logic to download the kubelet and
kubeproxy configs from the cluster as part of the call to:
FetchInitConfigurationFromCluster()
With the introduction of UpgradeConfiguration there was
some refactor in this area and the function no longer
had the argument skipComponentConfigs set to false.
With it set to 'true', an InitConfiguration is downloaded
but it contains empty / defaulted component configs.
- Set the argument to 'false'
- Perform minor cleanup of STDOUT messages and comments.
that were missed in 1.30.
- Mark the phase 'init kubelet-finalize experimental-cert-rotation'
as deprecated and print a warning if it's used directly. It should be
removed in 1.32.
- Add a replacement phase 'enable-client-cert-rotation'.
(!!) We should stop using the 'experimental' and 'alpha' names for
phases, CLI flags and k8s object names as this complicates
the graduation, and users will use the feature in production regardless.
Having a 'DEPRECATED' or 'EXPERIMENTAL' text in descriptions is
sufficient to indicate a status of a feature that should not be used
in production.
The function KubernetesReleaseVersion is being called in
a number of locations during unit tests but by default it
uses a "fetch version from URL" approach.
- Update the function to return a placeholder version
during unit tests.
- Update unit tests for this function.
- Update strings / comments in other version_tests.go
locations.
The improvement is significant:
time go test k8s.io/kubernetes/cmd/kubeadm/app/... -count=1
before:
real 2m47.733s
after:
real 0m10.234s
According to kubeadm repo ticket 1665, /etc/pki
can contain subdirectories with private keys on some distros.
Avoid mounting the entire /etc/pki and mount /etc/pki/ca-trust
and /etc/pki/tls/certs instead. These directories are mounted
as extra locations which can be used to search
for additional system CAs.