[kubernetes] Support kubernetes 1.29 (#10820 )
* [kubernetes] Make kubernetes 1.29.1 default
* [cri-o]: support cri-o 1.29
Use "crio status" instead of "crio-status" for cri-o >=1.29.0
* Remove GAed feature gate SeccompDefault
The SeccompDefault feature gate was removed in k8s 1.29
https://github.com/kubernetes/kubernetes/pull/121246
pull/10861/head
Takuya Murakami
1 year ago
committed by
GitHub
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
13 changed files with
42 additions and
17 deletions
README.md
docs/hardening.md
inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
roles/container-engine/cri-o/defaults/main.yml
roles/container-engine/cri-o/tasks/load_vars.yml
roles/container-engine/cri-o/tasks/main.yaml
roles/container-engine/cri-o/tasks/reset.yml
roles/container-engine/cri-o/vars/v1.28.yml
roles/container-engine/cri-o/vars/v1.29.yml
roles/kubernetes/node/tasks/facts.yml
roles/kubespray-defaults/defaults/main/download.yml
roles/kubespray-defaults/defaults/main/main.yml
tests/files/packet_ubuntu20-calico-all-in-one-hardening.yml
@ -160,11 +160,11 @@ Note: Upstart/SysV init based OS types are not supported.
## Supported Components
- Core
- [kubernetes ](https://github.com/kubernetes/kubernetes ) v1.28.6
- [kubernetes ](https://github.com/kubernetes/kubernetes ) v1.29.1
- [etcd ](https://github.com/etcd-io/etcd ) v3.5.10
- [docker ](https://www.docker.com/ ) v20.10 (see note)
- [containerd ](https://containerd.io/ ) v1.7.11
- [cri-o ](http://cri-o.io/ ) v1.27 (experimental: see [CRI-O Note ](docs/cri-o.md ). Only on fedora, ubuntu and centos based OS)
- [cri-o ](http://cri-o.io/ ) v1.29.1 (experimental: see [CRI-O Note ](docs/cri-o.md ). Only on fedora, ubuntu and centos based OS)
- Network Plugin
- [cni-plugins ](https://github.com/containernetworking/plugins ) v1.2.0
- [calico ](https://github.com/projectcalico/calico ) v3.26.4
@ -97,7 +97,7 @@ kubelet_event_record_qps: 1
kubelet_rotate_certificates: true
kubelet_streaming_connection_idle_timeout: "5m"
kubelet_make_iptables_util_chains: true
kubelet_feature_gates: ["RotateKubeletServerCertificate=true", "SeccompDefault=true" ]
kubelet_feature_gates: ["RotateKubeletServerCertificate=true"]
kubelet_seccomp_default: true
kubelet_systemd_hardening: true
# In case you have multiple interfaces in your
@ -17,7 +17,7 @@ kube_token_dir: "{{ kube_config_dir }}/tokens"
kube_api_anonymous_auth : true
## Change this to use another Kubernetes version, e.g. a current beta release
kube_version : v1.28.6
kube_version : v1.29.1
# Where the binaries will be downloaded.
# Note: ensure that you've enough disk space (about 1G)
@ -78,13 +78,6 @@ crio_subuid_length: 16777216
crio_subgid_start : 2130706432
crio_subgid_length : 16777216
# cri-o binary files
crio_bin_files:
- conmon
- crio
- crio-status
- pinns
# cri-o manual files
crio_man_files:
5 :
@ -0,0 +1,8 @@
---
- name : Cri-o | include vars/v1.28.yml
include_vars : v1.28.yml
when : crio_version is version("v1.29.0", operator="<")
- name : Cri-o | include vars/v1.29.yml
include_vars : v1.29.yml
when : crio_version is version("v1.29.0", operator=">=")
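Review bot: Both `when` conditions compare `crio_version` against the literal `"v1.29.0"`, which only works if the value always carries the leading `v`. If an inventory sets `crio_version: "1.29.1"` without the prefix, the loose version comparison would probably mix a string and an integer component and fail rather than pick a file. Normalising both sides would remove that dependency, e.g. `when: (crio_version | regex_replace('^v', '')) is version('1.29.0', '<')`. Since the two conditions are exact complements, a comment saying that exactly one vars file is always loaded would also help.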
@ -1,4 +1,7 @@
---
- name : Cri-o | load vars
import_tasks : load_vars.yml
- name : Cri-o | check if fedora coreos
stat:
path : /run/ostree-booted
@ -203,7 +206,7 @@
- not service_start.changed
- name : Cri-o | verify that crio is running
command : "{{ bin_dir }}/crio-status info"
command : "{{ bin_dir }}/{{ crio_status_command }} info"
register : get_crio_info
until : get_crio_info is succeeded
changed_when : false
@ -1,4 +1,7 @@
---
- name : Cri-o | load vars
import_tasks : load_vars.yml
- name : CRI-O | Kubic repo name for debian os family
set_fact:
crio_kubic_debian_repo_name : "{{ ((ansible_distribution == 'Ubuntu') | ternary('x', '')) ~ ansible_distribution ~ '_' ~ ansible_distribution_version }}"
@ -0,0 +1,9 @@
---
# cri-o binary files
crio_bin_files:
- conmon
- crio
- crio-status
- pinns
crio_status_command : crio-status
@ -0,0 +1,9 @@
---
# cri-o binary files
crio_bin_files:
- conmon
- conmonrs
- crio
- pinns
crio_status_command : crio status
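Review bot: `crio_bin_files` is now set through `include_vars` instead of the role defaults, and `include_vars` ranks above inventory group and host variables in Ansible's precedence, so an inventory override of this list would silently stop taking effect. If overriding is still meant to be supported, that needs a different mechanism; otherwise state in the file that the list is fixed per cri-o version. `crio_status_command` also deserves a comment such as `# executable plus subcommand, appended to bin_dir; the space is intentional`, because the same variable holds a single binary name in vars/v1.28.yml.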
@ -18,7 +18,7 @@
when : container_manager == 'crio'
block:
- name : Look up crio cgroup driver
shell : "set -o pipefail && {{ bin_dir }}/crio-status info | grep 'cgroup driver' | awk -F': ' '{ print $2; }'"
shell : "set -o pipefail && {{ bin_dir }}/{{ crio_status_command }} info | grep 'cgroup driver' | awk -F': ' '{ print $2; }'"
args:
executable : /bin/bash
register : crio_cgroup_driver_result
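Review bot: `crio_status_command` is consumed here in roles/kubernetes/node, but the only definitions visible in this commit are in the cri-o role's vars/v1.28.yml and vars/v1.29.yml, loaded by that role's load_vars.yml. If this block runs for a host where load_vars.yml has not executed in the same run (a tag-limited run, for instance), the template would presumably fail on an undefined variable. A static `default()` fallback would not be version-aware, so either import the cri-o load_vars.yml ahead of this block or define the variable in kubespray-defaults, where both roles can see it. The block continues past the end of this hunk.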
@ -133,9 +133,9 @@ skopeo_version: "v1.13.2"
kube_major_version : "{{ kube_version | regex_replace('^v([0-9])+\\.([0-9]+)\\.[0-9]+', 'v\\1.\\2') }}"
pod_infra_supported_versions:
v1.29 : "3.9"
v1.28 : "3.9"
v1.27 : "3.9"
v1.26 : "3.9"
pod_infra_version : "{{ pod_infra_supported_versions[kube_major_version] }}"
etcd_supported_versions:
@ -158,9 +158,9 @@ crio_version: "{{ crio_supported_versions[kube_major_version] }}"
# Scheduler plugins doesn't build for K8s 1.28 yet
scheduler_plugins_supported_versions:
v1.29 : 0
v1.28 : 0
v1.27 : v0.27.8
v1.26 : v0.26.7
scheduler_plugins_version : "{{ scheduler_plugins_supported_versions[kube_major_version] }}"
yq_version : "v4.35.2"
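Review bot: The comment above `scheduler_plugins_supported_versions` still names only K8s 1.28, while the map now also sets `v1.29: 0`. Updating it to `# Scheduler plugins doesn't build for K8s 1.28 and 1.29 yet` would explain the `0` placeholder for both entries. How consumers treat the `0` value is not visible in this hunk, so a short note on what `0` means would help too.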
@ -16,7 +16,7 @@ kubelet_fail_swap_on: true
kubelet_swap_behavior : LimitedSwap
## Change this to use another Kubernetes version, e.g. a current beta release
kube_version : v1.28.6
kube_version : v1.29.1
## The minimum version working
kube_version_min_required : v1.27.0
@ -86,7 +86,7 @@ kubelet_event_record_qps: 1
kubelet_rotate_certificates : true
kubelet_streaming_connection_idle_timeout : "5m"
kubelet_make_iptables_util_chains : true
kubelet_feature_gates : [ "RotateKubeletServerCertificate=true" , "SeccompDefault=true" ]
kubelet_feature_gates : [ "RotateKubeletServerCertificate=true" ]
kubelet_seccomp_default : true
kubelet_systemd_hardening : true
# In case you have multiple interfaces in your
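Review bot: Inventories copied from the earlier hardening example still carry `SeccompDefault=true` in `kubelet_feature_gates`, and nothing visible in this commit catches that before a node moves to 1.29. Kubelet rejects unrecognized feature gates at startup, so those nodes would fail to come back after the upgrade. A preflight assertion would surface this early, for example `that: "'SeccompDefault=true' not in kubelet_feature_gates"` under `when: kube_version is version('v1.29.0', '>=')`. The same edit in docs/hardening.md would benefit from a comment such as `# SeccompDefault is GA; seccomp is enabled via kubelet_seccomp_default`, so the gate is not re-added later.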