chore: remove deprecated codebase

chore: update local-path-provisioner, auto-approver due to deprecations chore: use upstream image repository for additional components chore: kubeadm migrate for v1beta3 feat: k8s version 1.22, 1.23
banzaicloud · Feb 2, 2022 · 7817b97 · 7817b97
1 parent 24aadaa
commit 7817b97
Show file tree

Hide file tree

Showing 70 changed files with 872 additions and 884 deletions.
diff --git a/.gen/pipeline/api/openapi.yaml b/.gen/pipeline/api/openapi.yaml
@@ -23658,7 +23658,7 @@ components:
           type: string
         version:
           description: The Kubernetes version to use for your node pool.
-          example: 1.18.6
+          example: 1.21.6
           type: string
         spotPrice:
           description: The upper limit price for the requested spot instance. If this

diff --git a/README.md b/README.md
@@ -18,7 +18,7 @@ In order to run PKE, you need to meet the following requirements.
 
 #### Operating system
 
-`pke` currently is available for CentOS 8.x, RHEL 8.x. and **Ubuntu 20.04 LTS**.
+`pke` currently is available for AlmaLinux 8.x, RHEL 8.x. and **Ubuntu 20.04 LTS**.
 
 > We recommend using Ubuntu since it contains a much newer Kernel version. If you need support for an OS not listed above feel free to contact us.
 

diff --git a/almalinux8-multi-upgrade.sh b/almalinux8-multi-upgrade.sh
@@ -3,7 +3,7 @@
 # build latest pke tool
 GOOS=linux make pke
 
-KUBERNETES_VERSION="${1:-v1.21.0}"
+KUBERNETES_VERSION="${1:-v1.23.3}"
 
 # upgrade first master node
 echo ""

diff --git a/almalinux8-multi.sh b/almalinux8-multi.sh
@@ -6,7 +6,7 @@ jq --version || (echo "Please install jq command line tool. https://stedolan.git
 # build latest pke tool
 GOOS=linux make pke
 
-KUBERNETES_VERSION="${1:-v1.20.6}"
+KUBERNETES_VERSION="${1:-v1.22.6}"
 
 # install first master node
 echo ""

diff --git a/almalinux8-single-upgrade.sh b/almalinux8-single-upgrade.sh
@@ -3,6 +3,6 @@
 # build latest pke tool
 GOOS=linux make pke
 
-KUBERNETES_VERSION="${1:-v1.21.0}"
+KUBERNETES_VERSION="${1:-v1.23.3}"
 
 vagrant ssh almalinux1 -c "sudo /banzaicloud/pke upgrade master --kubernetes-version='$KUBERNETES_VERSION'"
diff --git a/almalinux8-single.sh b/almalinux8-single.sh
@@ -3,7 +3,7 @@
 # build latest pke tool
 GOOS=linux make pke
 
-KUBERNETES_VERSION="${1:-v1.20.6}"
+KUBERNETES_VERSION="${1:-v1.22.6}"
 
 vagrant up almalinux1
 vagrant ssh almalinux1 -c "sudo /scripts/pke-single.sh '$KUBERNETES_VERSION' '192.168.64.11:6443' containerd cilium"

diff --git a/cmd/pke/app/config/default.go b/cmd/pke/app/config/default.go
@@ -14,7 +14,7 @@
 
 package config
 
-const DefaultKubernetesVersion = "1.19.10"
+const DefaultKubernetesVersion = "1.22.1"
 
 func Default() Config {
 	return Config{

diff --git a/cmd/pke/app/constants/constants.go b/cmd/pke/app/constants/constants.go
@@ -126,9 +126,6 @@ const (
 	// FlagAdmissionPluginPodSecurityPolicy enable admission plugin PodSecurityPolicy.
 	FlagAdmissionPluginPodSecurityPolicy = "with-plugin-psp"
 
-	// FlagNoAdmissionPluginDenyEscalatingExec disable admission plugin DenyEscalatingExec.
-	FlagNoAdmissionPluginDenyEscalatingExec = "without-plugin-deny-escalating-exec"
-
 	// FlagAuditLog enable audit log.
 	FlagAuditLog = "without-audit-log"
 

diff --git a/cmd/pke/app/phases/kubeadm/controlplane/calico.yaml.go b/cmd/pke/app/phases/kubeadm/controlplane/calico.yaml.go
@@ -505,12 +505,6 @@ func calicoTemplate() string {
 		"    metadata:\n" +
 		"      labels:\n" +
 		"        k8s-app: calico-node\n" +
-		"      annotations:\n" +
-		"        # This, along with the CriticalAddonsOnly toleration below,\n" +
-		"        # marks the pod as a critical add-on, ensuring it gets\n" +
-		"        # priority scheduling and that its resources are reserved\n" +
-		"        # if it ever gets evicted.\n" +
-		"        scheduler.alpha.kubernetes.io/critical-pod: ''\n" +
 		"    spec:\n" +
 		"      nodeSelector:\n" +
 		"        beta.kubernetes.io/os: linux\n" +
@@ -756,8 +750,6 @@ func calicoTemplate() string {
 		"      namespace: kube-system\n" +
 		"      labels:\n" +
 		"        k8s-app: calico-kube-controllers\n" +
-		"      annotations:\n" +
-		"        scheduler.alpha.kubernetes.io/critical-pod: ''\n" +
 		"    spec:\n" +
 		"      nodeSelector:\n" +
 		"        beta.kubernetes.io/os: linux\n" +

diff --git a/cmd/pke/app/phases/kubeadm/controlplane/calico.yaml.tmpl b/cmd/pke/app/phases/kubeadm/controlplane/calico.yaml.tmpl
@@ -487,12 +487,6 @@ spec:
     metadata:
       labels:
         k8s-app: calico-node
-      annotations:
-        # This, along with the CriticalAddonsOnly toleration below,
-        # marks the pod as a critical add-on, ensuring it gets
-        # priority scheduling and that its resources are reserved
-        # if it ever gets evicted.
-        scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
       nodeSelector:
         beta.kubernetes.io/os: linux
@@ -738,8 +732,6 @@ spec:
       namespace: kube-system
       labels:
         k8s-app: calico-kube-controllers
-      annotations:
-        scheduler.alpha.kubernetes.io/critical-pod: ''
     spec:
       nodeSelector:
         beta.kubernetes.io/os: linux

diff --git a/cmd/pke/app/phases/kubeadm/controlplane/certificate_auto_approver.yaml.go b/cmd/pke/app/phases/kubeadm/controlplane/certificate_auto_approver.yaml.go
@@ -19,20 +19,19 @@ func certificateAutoApproverTemplate() string {
 	var tmpl = "apiVersion: v1\n" +
 		"kind: ServiceAccount\n" +
 		"metadata:\n" +
-		"  name: auto-approver\n" +
+		"  name: kubelet-csr-approver\n" +
 		"  namespace: kube-system\n" +
 		"---\n" +
 		"apiVersion: rbac.authorization.k8s.io/v1\n" +
 		"kind: ClusterRole\n" +
 		"metadata:\n" +
-		"  name: auto-approver\n" +
+		"  name: kubelet-csr-approver\n" +
 		"rules:\n" +
 		"- apiGroups:\n" +
 		"  - certificates.k8s.io\n" +
 		"  resources:\n" +
 		"  - certificatesigningrequests\n" +
 		"  verbs:\n" +
-		"  - delete\n" +
 		"  - get\n" +
 		"  - list\n" +
 		"  - watch\n" +
@@ -41,70 +40,82 @@ func certificateAutoApproverTemplate() string {
 		"  resources:\n" +
 		"  - certificatesigningrequests/approval\n" +
 		"  verbs:\n" +
-		"  - create\n" +
 		"  - update\n" +
 		"- apiGroups:\n" +
 		"  - certificates.k8s.io\n" +
-		"  resources:\n" +
-		"  - signers\n" +
 		"  resourceNames:\n" +
 		"  - kubernetes.io/kubelet-serving\n" +
-		"  - kubernetes.io/kube-apiserver-client-kubelet\n" +
-		"  verbs:\n" +
-		"  - approve\n" +
-		"- apiGroups:\n" +
-		"  - authorization.k8s.io\n" +
 		"  resources:\n" +
-		"  - subjectaccessreviews\n" +
+		"  - signers\n" +
 		"  verbs:\n" +
-		"  - create\n" +
+		"  - approve\n" +
 		"---\n" +
-		"kind: ClusterRoleBinding\n" +
 		"apiVersion: rbac.authorization.k8s.io/v1\n" +
+		"kind: ClusterRoleBinding\n" +
 		"metadata:\n" +
-		"  name: auto-approver\n" +
-		"subjects:\n" +
-		"- kind: ServiceAccount\n" +
+		"  name: kubelet-csr-approver\n" +
 		"  namespace: kube-system\n" +
-		"  name: auto-approver\n" +
 		"roleRef:\n" +
-		"  kind: ClusterRole\n" +
-		"  name: auto-approver\n" +
 		"  apiGroup: rbac.authorization.k8s.io\n" +
+		"  kind: ClusterRole\n" +
+		"  name: kubelet-csr-approver\n" +
+		"subjects:\n" +
+		"- kind: ServiceAccount\n" +
+		"  name: kubelet-csr-approver\n" +
+		"  namespace: kube-system\n" +
 		"---\n" +
 		"apiVersion: apps/v1\n" +
 		"kind: Deployment\n" +
 		"metadata:\n" +
-		"  name: auto-approver\n" +
+		"  name: kubelet-csr-approver\n" +
 		"  namespace: kube-system\n" +
 		"spec:\n" +
-		"  replicas: 1\n" +
 		"  selector:\n" +
 		"    matchLabels:\n" +
-		"      name: auto-approver\n" +
+		"      app: kubelet-csr-approver\n" +
 		"  template:\n" +
 		"    metadata:\n" +
+		"      annotations:\n" +
+		"        prometheus.io/port: '8080'\n" +
+		"        prometheus.io/scrape: 'true'\n" +
 		"      labels:\n" +
-		"        name: auto-approver\n" +
+		"        app: kubelet-csr-approver\n" +
 		"    spec:\n" +
-		"      serviceAccountName: auto-approver\n" +
-		"      tolerations:\n" +
-		"        - effect: NoSchedule\n" +
-		"          operator: Exists\n" +
+		"      serviceAccountName: kubelet-csr-approver\n" +
 		"      priorityClassName: system-cluster-critical\n" +
 		"      containers:\n" +
-		"        - name: auto-approver\n" +
-		"          image: {{ .ImageRepository }}/auto-approver:0.1.0\n" +
-		"          imagePullPolicy: Always\n" +
+		"        - name: kubelet-csr-approver\n" +
+		"          {{ if ne .ImageRepository \"banzaicloud\" }}\n" +
+		"          image: \"{{ .ImageRepository }}/kubelet-csr-approver:v0.1.2\"\n" +
+		"          {{ else }}\n" +
+		"          image: \"postfinance/kubelet-csr-approver:v0.1.2\"\n" +
+		"          {{ end }}\n" +
+		"          resources:\n" +
+		"            limits:\n" +
+		"              memory: \"128Mi\"\n" +
+		"              cpu: \"500m\"\n" +
+		"          args:\n" +
+		"            - -metrics-bind-address\n" +
+		"            - \":8080\"\n" +
+		"            - -health-probe-bind-address\n" +
+		"            - \":8081\"\n" +
+		"          livenessProbe:\n" +
+		"            httpGet:\n" +
+		"              path: /healthz\n" +
+		"              port: 8081\n" +
 		"          env:\n" +
-		"            - name: WATCH_NAMESPACE\n" +
-		"              value: \"\"\n" +
-		"            - name: POD_NAME\n" +
-		"              valueFrom:\n" +
-		"                fieldRef:\n" +
-		"                  fieldPath: metadata.name\n" +
-		"            - name: OPERATOR_NAME\n" +
-		"              value: \"auto-approver\"\n" +
-		""
+		"            - name: PROVIDER_REGEX\n" +
+		"              value: \\w*\n" +
+		"            - name: MAX_EXPIRATION_SECONDS\n" +
+		"              value: '31622400' # 366 days\n" +
+		"            - name: BYPASS_DNS_RESOLUTION\n" +
+		"              value: 'true'\n" +
+		"      tolerations:\n" +
+		"        - effect: NoSchedule\n" +
+		"          key: node-role.kubernetes.io/master\n" +
+		"          operator: Equal\n" +
+		"        - effect: NoSchedule\n" +
+		"          key: node-role.kubernetes.io/control-plane\n" +
+		"          operator: Equal"
 	return tmpl
 }
diff --git a/cmd/pke/app/phases/kubeadm/controlplane/certificate_auto_approver.yaml.tmpl b/cmd/pke/app/phases/kubeadm/controlplane/certificate_auto_approver.yaml.tmpl
@@ -1,20 +1,19 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: auto-approver
+  name: kubelet-csr-approver
   namespace: kube-system
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRole
 metadata:
-  name: auto-approver
+  name: kubelet-csr-approver
 rules:
 - apiGroups:
   - certificates.k8s.io
   resources:
   - certificatesigningrequests
   verbs:
-  - delete
   - get
   - list
   - watch
@@ -23,67 +22,80 @@ rules:
   resources:
   - certificatesigningrequests/approval
   verbs:
-  - create
   - update
 - apiGroups:
   - certificates.k8s.io
-  resources:
-  - signers
   resourceNames:
   - kubernetes.io/kubelet-serving
-  - kubernetes.io/kube-apiserver-client-kubelet
-  verbs:
-  - approve
-- apiGroups:
-  - authorization.k8s.io
   resources:
-  - subjectaccessreviews
+  - signers
   verbs:
-  - create
+  - approve
 ---
-kind: ClusterRoleBinding
 apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
 metadata:
-  name: auto-approver
-subjects:
-- kind: ServiceAccount
+  name: kubelet-csr-approver
   namespace: kube-system
-  name: auto-approver
 roleRef:
-  kind: ClusterRole
-  name: auto-approver
   apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: kubelet-csr-approver
+subjects:
+- kind: ServiceAccount
+  name: kubelet-csr-approver
+  namespace: kube-system
 ---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
-  name: auto-approver
+  name: kubelet-csr-approver
   namespace: kube-system
 spec:
-  replicas: 1
   selector:
     matchLabels:
-      name: auto-approver
+      app: kubelet-csr-approver
   template:
     metadata:
+      annotations:
+        prometheus.io/port: '8080'
+        prometheus.io/scrape: 'true'
       labels:
-        name: auto-approver
+        app: kubelet-csr-approver
     spec:
-      serviceAccountName: auto-approver
-      tolerations:
-        - effect: NoSchedule
-          operator: Exists
+      serviceAccountName: kubelet-csr-approver
       priorityClassName: system-cluster-critical
       containers:
-        - name: auto-approver
-          image: {{ .ImageRepository }}/auto-approver:0.1.0
-          imagePullPolicy: Always
+        - name: kubelet-csr-approver
+          {{ if ne .ImageRepository "banzaicloud" }}
+          image: "{{ .ImageRepository }}/kubelet-csr-approver:v0.1.2"
+          {{ else }}
+          image: "postfinance/kubelet-csr-approver:v0.1.2"
+          {{ end }}
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "500m"
+          args:
+            - -metrics-bind-address
+            - ":8080"
+            - -health-probe-bind-address
+            - ":8081"
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: 8081
           env:
-            - name: WATCH_NAMESPACE
-              value: ""
-            - name: POD_NAME
-              valueFrom:
-                fieldRef:
-                  fieldPath: metadata.name
-            - name: OPERATOR_NAME
-              value: "auto-approver"
+            - name: PROVIDER_REGEX
+              value: \w*
+            - name: MAX_EXPIRATION_SECONDS
+              value: '31622400' # 366 days
+            - name: BYPASS_DNS_RESOLUTION
+              value: 'true'
+      tolerations:
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/master
+          operator: Equal
+        - effect: NoSchedule
+          key: node-role.kubernetes.io/control-plane
+          operator: Equal