Shelming.Song
1c4db6132d
optimize cgroups settings for node reserved ( #9209 )
* optimize cgroups settings for node reserved
* fix
* set cgroup slice for multi container engine
* set cgroup slice for crio
* add reserved cgroups variables to sample files
* Compatible with cgroup path for different container managers
* add cgroups doc
* fix markdown
2 years ago
Kevin Huang
2c2e608eac
fix(k8s-certs-renew): Use kube_apiserver_port instead of hard-coding ( #9620 )
Signed-off-by: Kevin Huang <git@kevin.huang.to>
2 years ago
tu1h
791064a3d9
Allow custom timeout for kubeadm init ( #9617 )
Signed-off-by: tu1h <lihai.tu@daocloud.io>
2 years ago
C-Romeo
5e4d68b848
fix kube token dir permissions ( #9590 )
2 years ago
Kay Yan
fc0d58ff48
fix-missing-control-plane-taint ( #9592 )
2 years ago
Lukas Najman
ee3b7c5da5
Use the correct api version and resource type. The current values work but do not match the documentation, which can be confusing. ( #9575 )
2 years ago
Mohamed Zaian
c036a7d871
Disable 'Check that IP range is enough for the nodes' when calico is used ( #9491 )
2 years ago
ERIK
20d99886ca
Update etcd log-level parameter name ( #9540 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
Kay Yan
b9fe301036
add-check-for-resolv-to-avoid-coredns-crash ( #9502 )
2 years ago
Kay Yan
4db5e663c3
fix-mistake-regex-for-resolv-conf ( #9523 )
2 years ago
ERIK
b9a690463d
Add docker support for openEuler linux ( #9498 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
ERIK
8795cf6494
Add support for the OpenEuler Linux ( #9494 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
ERIK
40261fdf14
Fix iputils install failure in Kylin OS ( #9453 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
Jiffs Maverick
4aa1ef28ea
Don't use coredns_server in dhclient.conf if nodelocaldns is enabled ( #9392 )
2 years ago
lijin-union
c272421910
Add UOS linux support ( #9432 )
2 years ago
蒋航
990f87acc8
Update kube-vip to v0.5.5 ( #9437 )
Signed-off-by: hang.jiang <hang.jiang@daocloud.io>
2 years ago
William Turner
eeb376460d
Fix inconsistent handling of admission plugin list ( #9407 )
* Fix inconsistent handling of admission plugin list
* Adjust hardening doc with the normalized admission plugin list
* Add pre-check for admission plugins format change
* Ignore checking admission plugins value when variable is not defined
2 years ago
Wouter Goedhart
1901b512d2
Make the port of kube-vip dynamic based on the kube_apiserver_port variable ( #9414 )
Fix wrong referenced variable on bgp_peers
Fix bgp_peeras field to be a string
Set default value for bgp_peeras
2 years ago
ERIK
9fdda7eca8
Fix iputils install failure in Kylin OS ( #9416 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
Cristian Calin
1530411218
use cri-o from upstream instead of kubic/OBS ( #9374 )
* [cri-o] use cri-o from upstream instead of kubic/OBS
* [cri-o] add proper molecule coverage
* [skopeo] download skopeo from upstream build
* [cri-o] clean up legacy deployments
* disable cri-o per-distribution variables
2 years ago
Cristian Calin
23716b0eff
don't define kubeadm_patches by default ( #9372 )
2 years ago
Kay Yan
131bd933a6
Fix ensure ping package error in fedora CoreOS & Flatcar ( #9370 )
* fix-ensure-package-in-coreos
* clean blank line
2 years ago
Kenichi Omichi
24632ae81b
Add check_typo job ( #9361 )
To block merging pull requests which contain typos automatically.
2 years ago
Huang Chen-Yi
d689f57c94
Features/support kubeadm patches v1beta3 ( #9326 )
* Support kubeadm patches in v1beta3
* Update kubeadm patches sample files in inventory
* Fix pre-commit syntax
* Set kubeadm_patches enabled to false in sample inventory
2 years ago
William Turner
ad3f503c0c
Fix default value for kubelet_secure_addresses ( #9355 )
2 years ago
Eugene Artemenko
8b9cd3959a
Add possibility to skip adding load balancer name in the hosts file ( #9331 )
2 years ago
Emin AKTAS
dffeab320e
feat: add a parameter to disable host nameservers ( #9357 )
Signed-off-by: eminaktas <eminaktas34@gmail.com>
2 years ago
Kay Yan
999586a110
sysctl_additional ( #9351 )
2 years ago
Florian Ruynat
841e2f44c0
Remove references to 1.22 ( #9342 )
2 years ago
Zhong Jianxin
6dff39344b
preinstall: Add nodelocaldns to supersede_nameserver if enabled ( #9282 )
When a machine that uses dhclient and resolvconf reboots, this will make /etc/resolv.conf
remain close to the one before reboot
2 years ago
Kei Kori
467dc19cbd
support removing options in resolvconf with tab separator ( #9304 )
2 years ago
Emin AKTAS
9468642269
feat: allows users to have more control on DNS ( #9270 )
Signed-off-by: eminaktas <eminaktas34@gmail.com>
2 years ago
Kay Yan
5d3326b93f
add-ping-package ( #9284 )
2 years ago
Kay Yan
97ca2f3c78
add-timezone-support ( #9263 )
2 years ago
cleverhu
fc57c0b27e
fix number node name can't be added ( #9266 )
Signed-off-by: cleverhu <shouping.hu@daocloud.io>
2 years ago
Krystian Młynek
6386ec029c
add retries for restart of kube-apiserver ( #9256 )
* add retries for restart of kube-apiserver
* change var name
2 years ago
Alessio Greggi
acb6f243fd
feat: add kubelet systemd service hardening option ( #9194 )
* feat: add kubelet systemd service hardening option
* refactor: move variable name to kubelet_secure_addresses
Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
* docs: add diagram about kubelet_secure_addresses variable
Co-authored-by: Cristian Calin <6627509+cristicalin@users.noreply.github.com>
2 years ago
Kay Yan
b46ddf35fc
kube-vip should fail if kube_proxy_strict_arp is false in arp mode ( #9223 )
* fix-kube-vip-strict-arp
* fix-kube-vip-strict-arp
2 years ago
Shelming.Song
c8a61ec98c
optimize the format of evictionHard in kubelet-config.yaml template ( #9204 )
2 years ago
Tomas Zvala
30c77ea4c1
Add the option to enable default Pod Security Configuration ( #9017 )
* Add the option to enable default Pod Security Configuration
Enable Pod Security in all namespaces by default with the option to
exempt some namespaces. Without the change only namespaces explicitly
configured will receive the admission plugin treatment.
* Fix the PR according to code review comments
* Revert the latest changes
- leave the empty file when kube_pod_security_use_default, but add comment explaining the empty file
- don't attempt magic at conditionally adding PodSecurity to kube_apiserver_admission_plugins_needs_configuration
2 years ago
Ho Kim
be5fdab3aa
Disable DNSStubListener for Flatcar Linux ( #9160 )
* Disable DNSStubListener for Flatcar Linux
* Fix missing "Flatcar" condition of os_family
2 years ago
Kay Yan
0088fe0ab7
add-tar-in-common-package ( #9184 )
2 years ago
ERIK
47050003a0
Add docker support for Kylin V10 ( #9144 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
ERIK
f2f9f1d377
Add kylin OS support ( #9078 )
Signed-off-by: bo.jiang <bo.jiang@daocloud.io>
2 years ago
Samuel Liu
e73803c72c
pid reserved must be str ( #9124 )
2 years ago
Kay Yan
f592fa1235
add kube-vip sans ( #9099 )
2 years ago
Alessio Greggi
3ce5458f32
hardening: Add `SeccompDefault` admission plugin for kubelet ( #9074 )
* docs(hardening): add SeccompDefault admission plugin to kubelet feature gates
* fix(kubelet-config): enable config through kubelet_feature_gates
* feat(kubelet): add kubelet_seccomp_default variable
2 years ago
Kenichi Omichi
c01656b1e3
Allow "openSUSE Tumbleweed" to be run ( #9072 )
The commit 1ce2f04 tried to merge multiple SUSE OS checks including
"openSUSE Leap" and "openSUSE Tumbleweed" into a single SUSE, but
that was a perfect change.
Then the commit c16efc9 tried to fix it for "openSUSE Leap", but it
didn't take care of "openSUSE Tumbleweed".
Then this adds "openSUSE Tumbleweed" to the OS check.
2 years ago
h9-HSFRQDH
3bb9542606
Adding support for node & pod pid limit ( #9038 )
2 years ago
Kay Yan
1d0b3829ed
remove-etcd-unsupported-arch ( #9049 )
2 years ago