Large changes to the docker deployment. Added kube-addon-manager as a…

… static pod. The addon-manager deploys kube-proxy as a DaemonSet as well as Dashboard and DNS automatically. SecurityContextDeny is removed from the manifests. Also, the turnup.sh and turndown.sh scripts are removed because we don't need them anymore, they're covered by the online documentation
ArtfulCoder · May 20, 2016 · 73947cc · 73947cc
1 parent bff87ff
commit 73947cc
Show file tree

Hide file tree

Showing 19 changed files with 407 additions and 117 deletions.
diff --git a/cluster/addons/dashboard/dashboard-controller.yaml b/cluster/addons/dashboard/dashboard-controller.yaml
@@ -1,8 +1,8 @@
+# This file should be kept in sync with cluster/images/hyperkube/dashboard-rc.yaml
+# and cluster/gce/coreos/kube-manifests/addons/dashboard/dashboard-controller.yaml
 apiVersion: v1
 kind: ReplicationController
 metadata:
-  # Keep the name in sync with image version and
-  # gce/coreos/kube-manifests/addons/dashboard counterparts
   name: kubernetes-dashboard-v1.0.1
   namespace: kube-system
   labels:

diff --git a/cluster/addons/dashboard/dashboard-service.yaml b/cluster/addons/dashboard/dashboard-service.yaml
@@ -1,3 +1,5 @@
+# This file should be kept in sync with cluster/images/hyperkube/dashboard-svc.yaml
+# and cluster/gce/coreos/kube-manifests/addons/dashboard/dashboard-service.yaml
 apiVersion: v1
 kind: Service
 metadata:

diff --git a/cluster/addons/dns/skydns-rc.yaml.in b/cluster/addons/dns/skydns-rc.yaml.in
@@ -1,3 +1,4 @@
+# This file should be kept in sync with cluster/images/hyperkube/dns-rc.yaml
 apiVersion: v1
 kind: ReplicationController
 metadata:

diff --git a/cluster/addons/dns/skydns-svc.yaml.in b/cluster/addons/dns/skydns-svc.yaml.in
@@ -1,3 +1,4 @@
+# This file should be kept in sync with cluster/images/hyperkube/dns-svc.yaml
 apiVersion: v1
 kind: Service
 metadata:

diff --git a/cluster/images/hyperkube/Dockerfile b/cluster/images/hyperkube/Dockerfile
@@ -38,25 +38,28 @@ RUN cp /usr/bin/nsenter /nsenter
 COPY hyperkube /hyperkube
 
 # Manifests for the docker guide
-COPY master.json /etc/kubernetes/manifests/master.json
-COPY etcd.json /etc/kubernetes/manifests/etcd.json
-COPY kube-proxy.json /etc/kubernetes/manifests/kube-proxy.json
+COPY static-pods/master.json /etc/kubernetes/manifests/
+COPY static-pods/etcd.json /etc/kubernetes/manifests/
+COPY static-pods/addon-manager.json /etc/kubernetes/manifests/
 
 # Manifests for the docker-multinode guide
-COPY master-multi.json /etc/kubernetes/manifests-multi/master.json
-COPY kube-proxy.json /etc/kubernetes/manifests-multi/kube-proxy.json
+COPY static-pods/master-multi.json /etc/kubernetes/manifests-multi/
+COPY static-pods/addon-manager.json /etc/kubernetes/manifests-multi/
+
+# Copy over all addons
+COPY addons /etc/kubernetes/addons
 
 # Other required scripts for the setup
 COPY safe_format_and_mount /usr/share/google/safe_format_and_mount
 COPY setup-files.sh /setup-files.sh
 COPY make-ca-cert.sh /make-ca-cert.sh
+COPY copy-addons.sh /copy-addons.sh
 
 # easy-rsa package required by make-ca-cert
 ADD https://storage.googleapis.com/kubernetes-release/easy-rsa/easy-rsa.tar.gz /root/kube/
 
-RUN mkdir -p /opt/cni
-RUN curl https://storage.googleapis.com/kubernetes-release/network-plugins/cni-c864f0e1ea73719b8f4582402b0847064f9883b0.tar.gz \
-  | tar xzv -C /opt/cni
+# Copy the cni folder into /opt/
+COPY cni /opt/cni
 
 # Create symlinks for each hyperkube server
 # TODO: this is unreliable for now (e.g. running "/kubelet" panics)

diff --git a/cluster/images/hyperkube/Makefile b/cluster/images/hyperkube/Makefile
@@ -20,6 +20,7 @@
 REGISTRY?="gcr.io/google_containers"
 ARCH?=amd64
 TEMP_DIR:=$(shell mktemp -d)
+CNI_RELEASE=c864f0e1ea73719b8f4582402b0847064f9883b0
 
 UNAME_S:=$(shell uname -s)
 ifeq ($(UNAME_S),Darwin)
@@ -28,6 +29,7 @@ endif
 ifeq ($(UNAME_S),Linux)
 	SED_CMD?=sed -i
 endif
+
 ifeq ($(ARCH),amd64)
 	BASEIMAGE?=debian:jessie
 endif
@@ -51,27 +53,32 @@ build:
 ifndef VERSION
     $(error VERSION is undefined)
 endif
-	cp ./* ${TEMP_DIR}
+	cp -r ./* ${TEMP_DIR}
+	mkdir -p ${TEMP_DIR}/cni
 	cp ../../saltbase/salt/helpers/safe_format_and_mount ${TEMP_DIR}
 	cp ../../saltbase/salt/generate-cert/make-ca-cert.sh ${TEMP_DIR}
 	cp ../../../_output/dockerized/bin/linux/${ARCH}/hyperkube ${TEMP_DIR}
-	cd ${TEMP_DIR} && sed -i.back "s|VERSION|${VERSION}|g" master-multi.json master.json kube-proxy.json
-	cd ${TEMP_DIR} && sed -i.back "s|ARCH|${ARCH}|g" master-multi.json master.json kube-proxy.json etcd.json
+
+	cd ${TEMP_DIR} && sed -i.back "s|VERSION|${VERSION}|g" addons/*.yaml static-pods/*.json
+	cd ${TEMP_DIR} && sed -i.back "s|ARCH|${ARCH}|g" addons/*.yaml static-pods/*.json
 	cd ${TEMP_DIR} && sed -i.back "s|ARCH|${QEMUARCH}|g" Dockerfile
 	cd ${TEMP_DIR} && sed -i.back "s|BASEIMAGE|${BASEIMAGE}|g" Dockerfile
-	rm ${TEMP_DIR}/*.back
+	rm ${TEMP_DIR}/addons/*.back
 
 	# Make scripts executable before they are copied into the Docker image. If we make them executable later, in another layer
 	# they'll take up twice the space because the new executable binary differs from the old one, but everything is cached in layers.
 	cd ${TEMP_DIR} && chmod a+rx \
-        hyperkube \
-        safe_format_and_mount \
-        setup-files.sh \
-        make-ca-cert.sh
+		hyperkube \
+		safe_format_and_mount \
+		setup-files.sh \
+		make-ca-cert.sh \
+		copy-addons.sh
 
 ifeq ($(ARCH),amd64)
 	# When building "normally" for amd64, remove the whole line, it has no part in the amd64 image
 	cd ${TEMP_DIR} && ${SED_CMD} "/CROSS_BUILD_/d" Dockerfile
+	# Download CNI
+	curl -sSL --retry 5 https://storage.googleapis.com/kubernetes-release/network-plugins/cni-${CNI_RELEASE}.tar.gz | tar -xz -C ${TEMP_DIR}/cni
 else
 	# When cross-building, only the placeholder "CROSS_BUILD_" should be removed
 	# Register /usr/bin/qemu-ARCH-static as the handler for ARM binaries in the kernel

diff --git a/cluster/images/hyperkube/addons/dashboard-rc.yaml b/cluster/images/hyperkube/addons/dashboard-rc.yaml
@@ -0,0 +1,51 @@
+# Copyright 2016 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file should be kept in sync with cluster/addons/dashboard/dashboard-controller.yaml
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: kubernetes-dashboard
+  namespace: kube-system
+  labels:
+    app: kubernetes-dashboard
+    version: v1.0.1
+    kubernetes.io/cluster-service: "true"
+spec:
+  replicas: 1
+  selector:
+    app: kubernetes-dashboard
+    version: v1.0.1
+    kubernetes.io/cluster-service: "true"
+  template:
+    metadata:
+      labels:
+        app: kubernetes-dashboard
+        version: v1.0.1
+        kubernetes.io/cluster-service: "true"
+    spec:
+      containers:
+      - name: kubernetes-dashboard
+        # ARCH will be replaced with the architecture it's built for. Check out the Makefile for more details
+        image: gcr.io/google_containers/kubernetes-dashboard-ARCH:v1.0.1
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 9090
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 9090
+          initialDelaySeconds: 30
+          timeoutSeconds: 30
diff --git a/cluster/images/hyperkube/teardown.sh → ...mages/hyperkube/addons/dashboard-svc.yaml b/cluster/images/hyperkube/teardown.sh → ...mages/hyperkube/addons/dashboard-svc.yaml
@@ -1,6 +1,4 @@
-#!/bin/bash
-
-# Copyright 2015 The Kubernetes Authors All rights reserved.
+# Copyright 2016 The Kubernetes Authors All rights reserved.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -14,18 +12,18 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-# Tears down an existing cluster.  Warning destroys _all_ docker containers on the machine
-
-set -o errexit
-set -o nounset
-set -o pipefail
-
-echo "Warning, this will delete all Docker containers on this machine."
-echo "Proceed? [Y/n]"
-
-read resp
-if [[ $resp == "n" || $resp == "N" ]]; then
-  exit 0
-fi
-
-docker ps -aq | xargs docker rm -f
+# This file should be kept in sync with cluster/addons/dashboard/dashboard-service.yaml
+kind: Service
+apiVersion: v1
+metadata:
+  name: kubernetes-dashboard
+  namespace: kube-system
+  labels:
+    app: kubernetes-dashboard
+    kubernetes.io/cluster-service: "true"
+spec:
+  ports:
+  - port: 80
+    targetPort: 9090
+  selector:
+    app: kubernetes-dashboard
diff --git a/cluster/images/hyperkube/addons/dns-rc.yaml b/cluster/images/hyperkube/addons/dns-rc.yaml
@@ -0,0 +1,144 @@
+# Copyright 2016 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file should be kept in sync with cluster/addons/dns/skydns-rc.yaml.in
+apiVersion: v1
+kind: ReplicationController
+metadata:
+  name: kube-dns-v11
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    version: v11
+    kubernetes.io/cluster-service: "true"
+spec:
+  replicas: 1
+  selector:
+    k8s-app: kube-dns
+    version: v11
+  template:
+    metadata:
+      labels:
+        k8s-app: kube-dns
+        version: v11
+        kubernetes.io/cluster-service: "true"
+    spec:
+      containers:
+      - name: etcd
+        # ARCH will be replaced with the architecture it's built for. Check out the Makefile for more details
+        image: gcr.io/google_containers/etcd-ARCH:2.2.5
+        resources:
+          # TODO: Set memory limits when we've profiled the container for large
+          # clusters, then set request = limit to keep this container in
+          # guaranteed class. Currently, this container falls into the
+          # "burstable" category so the kubelet doesn't backoff from restarting it.
+          limits:
+            cpu: 100m
+            memory: 500Mi
+          requests:
+            cpu: 100m
+            memory: 50Mi
+        command:
+        - /usr/local/bin/etcd
+        - -data-dir
+        - /var/etcd/data
+        - -listen-client-urls
+        - http://127.0.0.1:2379,http://127.0.0.1:4001
+        - -advertise-client-urls
+        - http://127.0.0.1:2379,http://127.0.0.1:4001
+        - -initial-cluster-token
+        - skydns-etcd
+        volumeMounts:
+        - name: etcd-storage
+          mountPath: /var/etcd/data
+      - name: kube2sky
+        image: gcr.io/google_containers/kube2sky-ARCH:1.15
+        resources:
+          # TODO: Set memory limits when we've profiled the container for large
+          # clusters, then set request = limit to keep this container in
+          # guaranteed class. Currently, this container falls into the
+          # "burstable" category so the kubelet doesn't backoff from restarting it.
+          limits:
+            cpu: 100m
+            # Kube2sky watches all pods.
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 50Mi
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8080
+            scheme: HTTP
+          initialDelaySeconds: 60
+          timeoutSeconds: 5
+          successThreshold: 1
+          failureThreshold: 5
+        readinessProbe:
+          httpGet:
+            path: /readiness
+            port: 8081
+            scheme: HTTP
+          # we poll on pod startup for the Kubernetes master service and
+          # only setup the /readiness HTTP server once that's available.
+          initialDelaySeconds: 30
+          timeoutSeconds: 5
+        args:
+        # command = "/kube2sky"
+        - --domain=cluster.local
+      - name: skydns
+        image: gcr.io/google_containers/skydns-ARCH:1.0
+        resources:
+          # TODO: Set memory limits when we've profiled the container for large
+          # clusters, then set request = limit to keep this container in
+          # guaranteed class. Currently, this container falls into the
+          # "burstable" category so the kubelet doesn't backoff from restarting it.
+          limits:
+            cpu: 100m
+            memory: 200Mi
+          requests:
+            cpu: 100m
+            memory: 50Mi
+        args:
+        - -machines=http://127.0.0.1:4001
+        - -addr=0.0.0.0:53
+        - -ns-rotate=false
+        - -domain=cluster.local.
+        ports:
+        - containerPort: 53
+          name: dns
+          protocol: UDP
+        - containerPort: 53
+          name: dns-tcp
+          protocol: TCP
+      - name: healthz
+        image: gcr.io/google_containers/exechealthz-ARCH:1.0
+        resources:
+          # keep request = limit to keep this container in guaranteed class
+          limits:
+            cpu: 10m
+            memory: 20Mi
+          requests:
+            cpu: 10m
+            memory: 20Mi
+        args:
+        - -cmd=nslookup kubernetes.default.svc.cluster.local 127.0.0.1 >/dev/null
+        - -port=8080
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+      volumes:
+      - name: etcd-storage
+        emptyDir: {}
+      dnsPolicy: Default  # Don't use cluster DNS.
diff --git a/cluster/images/hyperkube/addons/dns-svc.yaml b/cluster/images/hyperkube/addons/dns-svc.yaml
@@ -0,0 +1,35 @@
+# Copyright 2016 The Kubernetes Authors All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+# This file should be kept in sync with cluster/addons/dns/skydns-svc.yaml.in
+apiVersion: v1
+kind: Service
+metadata:
+  name: kube-dns
+  namespace: kube-system
+  labels:
+    k8s-app: kube-dns
+    kubernetes.io/cluster-service: "true"
+    kubernetes.io/name: "KubeDNS"
+spec:
+  selector:
+    k8s-app: kube-dns
+  clusterIP: 10.0.0.10
+  ports:
+  - name: dns
+    port: 53
+    protocol: UDP
+  - name: dns-tcp
+    port: 53
+    protocol: TCP