Upgrade to kubernetes v1.8.0 (#1730)

* Upgrade to kubernetes v1.8.0 hyperkube no longer contains rsync, so now use cp * Enable node authorization mode * change kube-proxy cert group name
2026-02-01 09:38:12 -03:30 · 2017-10-05 10:51:21 +01:00
parent 9c86da1403
commit f14f04c5ea
9 changed files with 25 additions and 36 deletions
--- a/roles/download/defaults/main.yml
+++ b/roles/download/defaults/main.yml
@@ -18,9 +18,8 @@ download_localhost: False
 download_always_pull: False

 # Versions
-kube_version: v1.7.5
-# Change to kube_version after v1.8.0 release
-kubeadm_version: "v1.8.0-rc.1"
+kube_version: v1.8.0
+kubeadm_version: "{{ kube_version }}"
 etcd_version: v3.2.4
 # TODO(mattymo): Move calico versions to roles/network_plugins/calico/defaults
 # after migration to container download
@@ -37,7 +36,7 @@ pod_infra_version: 3.0
 kubeadm_download_url: "https://storage.googleapis.com/kubernetes-release/release/{{ kubeadm_version }}/bin/linux/amd64/kubeadm"

 # Checksums
-kubeadm_checksum: "8f6ceb26b8503bfc36a99574cf6f853be1c55405aa31669561608ad8099bf5bf"
+kubeadm_checksum: "9f4b9cf255d5ef45481d5a1b20bfe84c1d633d67cd50eeaa5c8712fb8fc1bd5b"

 # Containers
 etcd_image_repo: "quay.io/coreos/etcd"
--- a/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
+++ b/roles/kubernetes/master/templates/kubeadm-config.yaml.j2
@@ -18,7 +18,6 @@ networking:
 kubernetesVersion: {{ kube_version }}
 cloudProvider: {{ cloud_provider|default('') }}
 authorizationModes:
- Node
 {% for mode in authorization_modes %}
 - {{ mode }}
 {% endfor %}
--- a/roles/kubernetes/secrets/files/make-ssl.sh
+++ b/roles/kubernetes/secrets/files/make-ssl.sh
@@ -109,12 +109,12 @@ if [ -n "$HOSTS" ]; then
    done
 fi

-# system:kube-proxy
+# system:node-proxier
 if [ -n "$HOSTS" ]; then
    for host in $HOSTS; do
        cn="${host%%.*}"
        # kube-proxy
-        gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy"
+        gen_key_and_cert "kube-proxy-${host}" "/CN=system:kube-proxy/O=system:node-proxier"
    done
 fi

--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -146,9 +146,9 @@ openstack_lbaas_enabled: false
 # openstack_lbaas_monitor_max_retries: false

 ## List of authorization modes that must be configured for
-## the k8s cluster. Only 'AlwaysAllow','AlwaysDeny', and
+## the k8s cluster. Only 'AlwaysAllow', 'AlwaysDeny', 'Node' and
 ## 'RBAC' modes are tested.
-authorization_modes: []
+authorization_modes: ['RBAC', 'Node']
 rbac_enabled: "{{ 'RBAC' in authorization_modes or kubeadm_enabled }}"

 ## List of key=value pairs that describe feature gates for
--- a/roles/network_plugin/calico/tasks/main.yml
+++ b/roles/network_plugin/calico/tasks/main.yml
@@ -48,7 +48,7 @@
  changed_when: false

 - name: Calico | Copy cni plugins from hyperkube
-  command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
+  command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
  register: cni_task_result
  until: cni_task_result.rc == 0
  retries: 4
--- a/roles/network_plugin/canal/tasks/main.yml
+++ b/roles/network_plugin/canal/tasks/main.yml
@@ -50,7 +50,7 @@
    - rbac_enabled or item.type not in rbac_resources

 - name: Canal | Copy cni plugins from hyperkube
-  command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /usr/bin/rsync -ac /opt/cni/bin/ /cnibindir/"
+  command: "{{ docker_bin_dir }}/docker run --rm -v /opt/cni/bin:/cnibindir {{ hyperkube_image_repo }}:{{ hyperkube_image_tag }} /bin/cp -r /opt/cni/bin/. /cnibindir/"
  register: cni_task_result
  until: cni_task_result.rc == 0
  retries: 4