34a52a7028
update cilium cli offline download url example ( #9458 )
Signed-off-by: cleverhu <shouping.hu@daocloud.io>
Signed-off-by: cleverhu <shouping.hu@daocloud.io>
1 year ago
ce751cb89d
add variable condition snapshot in vSphere CSI ( #9429 )
1 year ago
5cf2883444
add retry for start calico kube controller ( #9450 )
Signed-off-by: cleverhu <shouping.hu@daocloud.io>
Signed-off-by: cleverhu <shouping.hu@daocloud.io>
1 year ago
6bff338bad
fix: hubble relay tls error ( #9457 )
1 year ago
c78862052c
Stop using python 'test' internal package ( #9454 )
`test` is is a internal Python package (see [doc]), and as such should not be
used here. It make tests fail in some environments.
[doc]: https://docs.python.org/3/library/test.html
1 year ago
1f54cef71c
Add variable to set direct routing on flannel VXLAN ( #9438 )
1 year ago
d00508105b
Removed PodSecurityPolicy from ingress-nginx ( #9448 )
1 year ago
c272421910
Add UOS linux support ( #9432 )
1 year ago
78624c5bcb
When using cilium CNI, install Cilium CLI ( #9436 )
Signed-off-by: dcwbq <biqiang.wu@daocloud.io>
Signed-off-by: dcwbq <biqiang.wu@daocloud.io>
1 year ago
c681435432
Add switch cilium_enable_bandwidth_manager ( #9441 )
Signed-off-by: dcwbq <biqiang.wu@daocloud.io>
Signed-off-by: dcwbq <biqiang.wu@daocloud.io>
1 year ago
4d3f637684
Remove PodSecurityPolicies in Metallb for kubernetes 1.25 ( #9442 )
1 year ago
5e14398af4
Upgrade ruamel.yaml.clib to work with Python 3.11 ( #9426 )
ruamel.yaml.clib did not build with the upcoming Python 3.11.
Cf. https://sourceforge.net/p/ruamel-yaml-clib/tickets/9/
ruamel.yaml.clib==0.2.7 fixes the issue.
1 year ago
990f87acc8
Update kube-vip to v0.5.5 ( #9437 )
Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
1 year ago
eeb376460d
Fix inconsistent handling of admission plugin list ( #9407 )
* Fix inconsistent handling of admission plugin list
* Adjust hardening doc with the normalized admission plugin list
* Add pre-check for admission plugins format change
* Ignore checking admission plugins value when variable is not defined
1 year ago
ef707b3461
update-containerd-1.6.9 ( #9427 )
1 year ago
2af918132e
Update kubernetes dashboard to 2.7.0 (k8s 1.25 support) ( #9425 )
1 year ago
b9b654714e
[nerdctl] upgrade to version 1.0.0 ( #9424 )
1 year ago
fe399e0e0c
[etcd] add 3.5.5 hashes, make it default for k8s 1.25 ( #9419 )
1 year ago
b192053e28
as argocd 2.4.15 is releasesd , update the version ( #9420 )
1 year ago
a84271aa7e
etcd arch can support arm64 and amd64 ( #9421 )
1 year ago
1901b512d2
Make the port of kube-vip dynamic based on the kube_apiserver_port ( #9414 )
variable
Fix wrong referenced variable on bgp_peers
Fix bgp_peeras field to be a string
Set default value for bgp_peeras
1 year ago
9fdda7eca8
Fix iputils install failure in Kylin OS ( #9416 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
1 year ago
a68ed897f0
Update kubelet checksum ( #9413 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
1 year ago
582ff96d19
Update docker version to 20.10.20 ( #9410 )
1 year ago
0374a55eb3
Specify securityContext for cert-manager ( #9404 )
On hardening environments, cert-manager pods could not be created
from the corresponding deployments. This adds the securityContext
to solve the issue.
1 year ago
ccbe38f78c
make-kube-1.25-default ( #9364 )
1 year ago
958840da89
Add var for control initialDelaySeconds in nginx ingress probe ( #9405 )
Signed-off-by: Zemtsov Vladimir <vl.zemtsov@gmail.com>
Signed-off-by: Zemtsov Vladimir <vl.zemtsov@gmail.com>
1 year ago
1530411218
use cri-o from upstream instead of kubic/OBS ( #9374 )
* [cri-o] use cri-o from upstream instead of kubic/OBS
* [cri-o] add proper molecule coverage
* [skopeo] download skopeo from upstream build
* [cri-o] clean up legacy deployments
* disable cri-o per-distribution variables
1 year ago
e5ec0f18c0
Add packet_ubuntu20-calico-aio-hardening ( #9359 )
To verify the hardening method works always.
The configuration comes from docs/hardening.md
Fix yaml format of hardening.yml
Add condition to skip 040 test for hardening
1 year ago
0f44e8c812
[ingress-nginx] upgrade to 1.4.0 ( #9403 )
1 year ago
1cc0f3c8c9
mirror-for-china
1 year ago
d9c39c274e
fix(defaults): wrong cri_socket path for containerd ( #9401 )
1 year ago
c38fb866b7
Update securityContext of netchecker ( #9398 )
To run netchecker with necessary privilege,
this updates the securityContext.
1 year ago
5ad1d9db5e
[kubernetes] Add hashes for 1.25.3, 1.24.7, 1.23.13 and make v1.24.7 default ( #9397 )
1 year ago
32f3d92d6b
Remove PodSecurityPolicies in Calico ( #9395 )
1 year ago
72b45eec2e
Use agnhost instead of busybox for network test ( #9390 )
busybox container requires a root permission for ping.
For testing hardening method at CI, we need to switch to another image
which doesn't require the root permission for network testing.
On kubernetes/kubernetes repo, we are using agnhost which doesn't
require it. So this makes the test use aghhost image.
In addition, this updates the test manifest to specify securityContext
without any privilege.
1 year ago
23716b0eff
don't define kubeadm_patches by default ( #9372 )
1 year ago
859df84b45
remove-psp-in-flannel ( #9365 )
1 year ago
131bd933a6
Fix ensure ping package error in fedora CoreOS & Flatcar ( #9370 )
* fix-ensure-package-in-coreos
* clean blank line
1 year ago
52904ee6ad
Avoid MetalLB speaker image download when MetalLB speaker is disabled ( #9248 )
* Avoid MetalLB speaker image download when metallb_speaker_enabled is set to
* Move metallb_speaker_enabled var to allow outside metalLB role references
* Move metallb_speaker_enabled var to allow outside metalLB role references
* Improve metallb_speaker_enabled default values
1 year ago
e3339fe3d8
update_calico_doc_for_the_ChecksumOffloadBroken ( #9388 )
1 year ago
547ef747da
fix helm install with password authentication ( #9343 )
1 year ago
63b27ea067
Fix YAML format in hardening.md ( #9387 )
When trying to add a hardening CI job by copying configuration from
hardening.md, yamllint CI job deleted invalid format.
This fixes it for maintaining the CI job.
1 year ago
bc5881b70a
Add the cilium hubble images to download role ( #9376 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
1 year ago
f4b95d42a6
Add note for containerd oom_score ( #9384 )
When we saw 0 as the default value of containerd_oom_score, we had
a question why the value was not -999.
This adds the note to explain it.
1 year ago
ef76a578a4
Change dns upstream condition for nodelocaldns ( #9378 )
2 years ago
3b99d24ceb
Fix: install calico-kube-controller on kdd ( #9358 )
* Fix: install policy controller on kdd too
* Remove the calico_policy_version condition altogether
* Install policy controller both on canal and calico under same condition
2 years ago
4701abff4c
upgrade-api-version-for-PodDisruptionBudget ( #9369 )
2 years ago
717b8daafe
Download coredns image to all hosts in k8s_cluster ( #9316 )
Coredns image must be available everywhere as it
may be rescheduled to a non-control-plane-node.
2 years ago
c346e46022
fix(cinder-csi-nodeplugin): Remove the pods-cloud-data volume ( #9362 )
2 years ago
cleverhu
yanggang
charlychiu
Olivier Lemasle
William Turner
lijin-union
biqiang Wu
蒋航
Kay Yan
Mohamed Zaian
Wouter Goedhart
ERIK
Florian Ruynat
Kenichi Omichi
Vladimir
Cristian Calin
Kay Yan
Maxime Leroy
Unai Arríen
ghostloda
Piotr Kowalczyk
Joe Siponen
Kevin Huang