From ba8d466601ad93970aaa22197266c99a5460b5ed Mon Sep 17 00:00:00 2001 From: Artiom Diomin Date: Mon, 22 Mar 2021 19:46:36 +0200 Subject: [PATCH 1/5] Unattended upgrades For * APT based * YUM based * Flatcar Signed-off-by: Artiom Diomin --- addons/unattended-upgrades/README.md | 3 + addons/unattended-upgrades/apt.yaml | 57 ++++ addons/unattended-upgrades/fluo.yaml | 414 ++++++++++++++++++++++++++ addons/unattended-upgrades/kured.yaml | 146 +++++++++ addons/unattended-upgrades/yum.yaml | 77 +++++ 5 files changed, 697 insertions(+) create mode 100644 addons/unattended-upgrades/README.md create mode 100644 addons/unattended-upgrades/apt.yaml create mode 100644 addons/unattended-upgrades/fluo.yaml create mode 100644 addons/unattended-upgrades/kured.yaml create mode 100644 addons/unattended-upgrades/yum.yaml diff --git a/addons/unattended-upgrades/README.md b/addons/unattended-upgrades/README.md new file mode 100644 index 000000000..9108fb0c3 --- /dev/null +++ b/addons/unattended-upgrades/README.md @@ -0,0 +1,3 @@ +# Unnatended Upgrades + +This addon will automate upgrading system packages of the distro of your choice. diff --git a/addons/unattended-upgrades/apt.yaml b/addons/unattended-upgrades/apt.yaml new file mode 100644 index 000000000..750a99ca6 --- /dev/null +++ b/addons/unattended-upgrades/apt.yaml 
@@ -0,0 +1,57 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: unnatended-upgrades-install + namespace: kube-system +spec: + selector: + matchLabels: + name: unnatended-upgrades-install + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + name: unnatended-upgrades-install + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: v1.machine-controller.kubermatic.io/operating-system + operator: In + values: + - ubuntu + - matchExpressions: + - key: v1.kubeone.io/operating-system + operator: In + values: + - ubuntu + - debian + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + hostPID: true + containers: + - name: "unnatended-upgrades-install" + image: "alpine:3.12.4" + securityContext: + privileged: true + command: + - /bin/sh + - -c + - | + set -xeuo pipefail + apk add --no-cache bash util-linux + nsenter -t 1 -m -u -i -n -p -- bash -c "${STARTUP_SCRIPT}" + sleep inf + env: + - name: STARTUP_SCRIPT + value: | + set -xeuo pipefail + export DEBIAN_FRONTEND=noninteractive + apt-get install -y --no-install-recommends \ + apt-utils \ + unattended-upgrades diff --git a/addons/unattended-upgrades/fluo.yaml b/addons/unattended-upgrades/fluo.yaml new file mode 100644 index 000000000..57a1a7f64 --- /dev/null +++ b/addons/unattended-upgrades/fluo.yaml 
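Review bot: The STARTUP_SCRIPT only installs the package and never states whether the periodic job is enabled, so whether upgrades are actually applied depends on the distro's debconf defaults for `unattended-upgrades` (Ubuntu ships it enabled; I would verify the Debian releases you target); it also runs `apt-get install` without refreshing the index first, which fails on a host whose package lists are stale or absent. I would add `apt-get update` before the install and make the policy explicit with `printf 'APT::Periodic::Update-Package-Lists "1";\nAPT::Periodic::Unattended-Upgrade "1";\n' > /etc/apt/apt.conf.d/20auto-upgrades`, so the DaemonSet's intent does not hinge on package defaults. The container also lacks `imagePullPolicy: IfNotPresent`, which the sibling `yum.yaml` and `fluo.yaml` DaemonSets in this patch set; with a pinned tag the explicit policy avoids a registry round-trip on every pod restart. Because this pod is privileged with `hostPID: true` and runs the script as root inside the host namespaces via `nsenter -t 1`, the script is effectively host configuration, so keeping it idempotent (re-run on every pod restart) matters as much as the install itself.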
@@ -0,0 +1,414 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: reboot-coordinator +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: flatcar-linux-update-operator + namespace: reboot-coordinator +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - delete + - apiGroups: + - "apps" + resources: + - daemonsets + verbs: + - get + - apiGroups: + - policy + resourceNames: + - flatcar-linux-update-operator + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: flatcar-linux-update-agent + namespace: reboot-coordinator +rules: + - apiGroups: + - "" + resources: + - nodes + verbs: + - get + - list + - watch + - update + - apiGroups: + - "" + resources: + - configmaps + verbs: + - create + - get + - update + - list + - watch + - apiGroups: + - "" + resources: + - events + verbs: + - create + - watch + - apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - delete + - apiGroups: + - "apps" + resources: + - daemonsets + verbs: + - get + - apiGroups: + - policy + resourceNames: + - flatcar-linux-update-agent + resources: + - podsecuritypolicies + verbs: + - use +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flatcar-linux-update-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: flatcar-linux-update-operator +subjects: + - kind: ServiceAccount + name: flatcar-linux-update-operator-sa + namespace: reboot-coordinator +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: flatcar-linux-update-agent +roleRef: + apiGroup: 
rbac.authorization.k8s.io + kind: ClusterRole + name: flatcar-linux-update-agent +subjects: + - kind: ServiceAccount + name: flatcar-linux-update-agent + namespace: reboot-coordinator +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: flatcar-linux-update-operator +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'secret' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +--- +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: flatcar-linux-update-agent +spec: + privileged: false + allowPrivilegeEscalation: false + requiredDropCapabilities: + - ALL + volumes: + - 'configMap' + - 'emptyDir' + - 'hostPath' + - 'secret' + allowedHostPaths: + - pathPrefix: "/etc/flatcar" + readOnly: true + - pathPrefix: "/etc/os-release" + readOnly: true + - pathPrefix: "/usr/share/flatcar" + readOnly: true + - pathPrefix: "/var/run/dbus" + readOnly: false + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'RunAsAny' + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1 + max: 65535 + readOnlyRootFilesystem: true +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: flatcar-linux-update-agent + namespace: reboot-coordinator +spec: + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + selector: + matchLabels: + app: flatcar-linux-update-agent + template: + metadata: + labels: + app: flatcar-linux-update-agent + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: 
v1.machine-controller.kubermatic.io/operating-system + operator: In + values: + - flatcar + - matchExpressions: + - key: v1.kubeone.io/operating-system + operator: In + values: + - flatcar + serviceAccountName: flatcar-linux-update-agent + containers: + - name: update-agent + image: quay.io/kinvolk/flatcar-linux-update-operator:v0.7.3 + command: + - "/bin/update-agent" + volumeMounts: + - mountPath: /var/run/dbus + name: var-run-dbus + readOnly: false + - mountPath: /etc/flatcar + name: etc-flatcar + readOnly: true + - mountPath: /usr/share/flatcar + name: usr-share-flatcar + readOnly: true + - mountPath: /etc/os-release + name: etc-os-release + readOnly: true + env: + # read by update-agent as the node name to manage reboots for + - name: UPDATE_AGENT_NODE + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # Update agent must run with a UID that is allowed to reboot nodes via logind using the D-Bus interface. + # FLUO Docker image runs as 65534 (nobody) by default, so we need to escalate the privileges here, + # as we cannot ensure, that host configuration of PolicyKit and D-Bus allows UID 65534 to execute that. 
+ securityContext: + runAsUser: 0 + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule + volumes: + - name: var-run-dbus + hostPath: + path: /var/run/dbus + - name: etc-flatcar + hostPath: + path: /etc/flatcar + - name: usr-share-flatcar + hostPath: + path: /usr/share/flatcar + - name: etc-os-release + hostPath: + path: /etc/os-release +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flatcar-linux-update-operator-sa + namespace: reboot-coordinator +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: flatcar-linux-update-operator + namespace: reboot-coordinator +spec: + replicas: 1 + selector: + matchLabels: + app: flatcar-linux-update-operator + template: + metadata: + labels: + app: flatcar-linux-update-operator + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: v1.machine-controller.kubermatic.io/operating-system + operator: In + values: + - flatcar + - matchExpressions: + - key: v1.kubeone.io/operating-system + operator: In + values: + - flatcar + serviceAccountName: flatcar-linux-update-operator-sa + containers: + - name: update-operator + image: quay.io/kinvolk/flatcar-linux-update-operator:v0.7.3 + command: + - "/bin/update-operator" + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: flatcar-linux-update-agent + namespace: reboot-coordinator + +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: flatcar-updates-config + namespace: kube-system +spec: + selector: + matchLabels: + name: flatcar-updates-config + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + name: flatcar-updates-config + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + 
nodeSelectorTerms: + - matchExpressions: + - key: v1.machine-controller.kubermatic.io/operating-system + operator: In + values: + - flatcar + - matchExpressions: + - key: v1.kubeone.io/operating-system + operator: In + values: + - flatcar + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + hostPID: true + containers: + - name: "flatcar-updates-config" + image: "alpine:3.12.4" + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + command: + - /bin/sh + - -c + - | + set -xeuo pipefail + apk add --no-cache bash util-linux + nsenter -t 1 -m -u -i -n -p -- bash -c "${STARTUP_SCRIPT}" + sleep inf + env: + - name: STARTUP_SCRIPT + value: | + set -xeuo pipefail + # per https://github.com/kinvolk/flatcar-linux-update-operator#requirements + systemctl mask locksmithd.service + systemctl enable --now update-engine.service diff --git a/addons/unattended-upgrades/kured.yaml b/addons/unattended-upgrades/kured.yaml new file mode 100644 index 000000000..001380450 --- /dev/null +++ b/addons/unattended-upgrades/kured.yaml 
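Review bot: Both `ClusterRole` objects carry `namespace: reboot-coordinator` in `metadata`, but ClusterRole is cluster-scoped and the API server clears the field on create, so the line is only misleading and should be dropped from both roles. The two `PodSecurityPolicy` objects only take effect when the PodSecurityPolicy admission plugin is enabled on the API server — I cannot tell from this patch whether KubeOne enables it; if it does not, the `use` rules and the policies are inert and the agent runs exactly as the DaemonSet declares (`runAsUser: 0`, writable `/var/run/dbus` hostPath), which matches the comment above `securityContext` but deserves a sentence in the README. `policy/v1beta1` PodSecurityPolicy is also deprecated from Kubernetes 1.21 and removed in 1.25, so these two objects will need a replacement once KubeOne targets those versions. Finally, the trailing `flatcar-updates-config` DaemonSet in `kube-system` is a privileged `hostPID` nsenter pod like the apt/yum installers, and its `systemctl mask locksmithd.service` is persistent host configuration that is not reverted if the addon is removed; a comment such as `# permanent: masks locksmithd on the host, not undone when this addon is deleted` next to it would save the next operator a surprise.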
@@ -0,0 +1,146 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kured +rules: +# Allow kured to read spec.unschedulable +# Allow kubectl to drain/uncordon +# +# NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below +# match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go +# +- apiGroups: [""] + resources: ["nodes"] + verbs: ["get", "patch"] +- apiGroups: [""] + resources: ["pods"] + verbs: ["list","delete","get"] +- apiGroups: ["apps"] + resources: ["daemonsets"] + verbs: ["get"] +- apiGroups: [""] + resources: ["pods/eviction"] + verbs: ["create"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kured +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kured +subjects: +- kind: ServiceAccount + name: kured + namespace: kube-system +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + namespace: kube-system + name: kured +rules: +# Allow kured to lock/unlock itself +- apiGroups: ["apps"] + resources: ["daemonsets"] + resourceNames: ["kured"] + verbs: ["update"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + namespace: kube-system + name: kured +subjects: +- kind: ServiceAccount + namespace: kube-system + name: kured +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: kured +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kured + namespace: kube-system +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: kured # Must match `--ds-name` + namespace: kube-system # Must match `--ds-namespace` +spec: + selector: + matchLabels: + name: kured + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + name: kured + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: 
v1.machine-controller.kubermatic.io/operating-system + operator: In + values: + - ubuntu + - centos + - rhel + - matchExpressions: + - key: v1.kubeone.io/operating-system + operator: In + values: + - ubuntu + - debian + - centos + - rhel + serviceAccountName: kured + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + hostPID: true # Facilitate entering the host mount namespace via init + containers: + - name: kured + image: docker.io/weaveworks/kured:1.6.1 + # If you find yourself here wondering why there is no + # :latest tag on Docker Hub,see the FAQ in the README + imagePullPolicy: IfNotPresent + securityContext: + privileged: true # Give permission to nsenter /proc/1/ns/mnt + env: + # Pass in the name of the node on which this pod is scheduled + # for use with drain/uncordon operations and lock acquisition + - name: KURED_NODE_ID + valueFrom: + fieldRef: + fieldPath: spec.nodeName + command: + - /usr/bin/kured +# - --alert-filter-regexp=^RebootRequired$ +# - --blocking-pod-selector=runtime=long,cost=expensive +# - --blocking-pod-selector=name=temperamental +# - --blocking-pod-selector=... +# - --ds-name=kured +# - --ds-namespace=kube-system +# - --end-time=23:59:59 +# - --lock-annotation=weave.works/kured-node-lock +# - --period=1h +# - --prometheus-url=http://prometheus.monitoring.svc.cluster.local +# - --reboot-days=sun,mon,tue,wed,thu,fri,sat +# - --reboot-sentinel=/var/run/reboot-required +# - --slack-hook-url=https://hooks.slack.com/... +# - --slack-username=prod +# - --slack-channel=alerting +# - --message-template-drain=Draining node %s +# - --message-template-drain=Rebooting node %s +# - --start-time=0:00 +# - --time-zone=UTC diff --git a/addons/unattended-upgrades/yum.yaml b/addons/unattended-upgrades/yum.yaml new file mode 100644 index 000000000..16992d402 --- /dev/null +++ b/addons/unattended-upgrades/yum.yaml 
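Review bot: kured is left at its default reboot sentinel, `/var/run/reboot-required` (visible in the commented `--reboot-sentinel` line), which is written by Debian/Ubuntu packaging only; on the CentOS/RHEL nodes this DaemonSet also targets, `yum-cron`/`dnf-automatic` never create that file, so kernel updates there will not trigger the reboot the README promises. A RHEL-family node needs a sentinel kured can observe — for example a command-based check such as `needs-restarting -r` from yum-utils if the pinned 1.6.1 supports `--reboot-sentinel-command`, or a host-side job that touches the sentinel path — otherwise the addon should document that reboots are only orchestrated on apt-based nodes. The same gap applies unchanged to the kured.yaml hunk in patch 5/5, which adds `amzn` to this affinity without touching the sentinel.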
@@ -0,0 +1,77 @@ +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: yum-cron-install + namespace: kube-system +spec: + selector: + matchLabels: + name: yum-cron-install + updateStrategy: + type: RollingUpdate + template: + metadata: + labels: + name: yum-cron-install + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: v1.machine-controller.kubermatic.io/operating-system + operator: In + values: + - centos + - rhel + - matchExpressions: + - key: v1.kubeone.io/operating-system + operator: In + values: + - centos + - rhel + tolerations: + - key: node-role.kubernetes.io/master + effect: NoSchedule + hostPID: true + containers: + - name: "yum-cron-install" + image: "alpine:3.12.4" + imagePullPolicy: IfNotPresent + securityContext: + privileged: true + command: + - /bin/sh + - -c + - | + set -xeuo pipefail + apk add --no-cache bash util-linux + nsenter -t 1 -m -u -i -n -p -- bash -c "${STARTUP_SCRIPT}" + sleep inf + env: + - name: STARTUP_SCRIPT + value: | + set -xeuo pipefail + + source /etc/os-release + + case $VERSION_ID in + 7*) + yum install -y yum-cron + sed -i 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf + sed -i 's/update_cmd = default/update_cmd = security/' /etc/yum/yum-cron.conf + systemctl enable --now yum-cron + ;; + 8*) + dnf install -y dnf-automatic + sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf + sed -i 's/upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf + systemctl enable --now dnf-automatic.timer + ;; + *) + echo "unknown version" + cat /etc/os-release + exit 1 + ;; + esac From 334c1e158119053a9fc0312ec13af5cea10dfb11 Mon Sep 17 00:00:00 2001 From: Artiom Diomin Date: Wed, 24 Mar 2021 01:44:55 +0200 Subject: [PATCH 2/5] Label nodes with detected OS 
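Review bot: The four `sed -i` edits in STARTUP_SCRIPT are silent no-ops if the shipped config does not contain the exact `key = value` text they match (a different default, extra whitespace, a later package version), and `set -e` does not catch that, so a node can end up with `yum-cron`/`dnf-automatic` enabled but `apply_updates = no` — the opposite of what the addon promises. After each edit I would verify the result, e.g. `grep -q '^apply_updates = yes' /etc/yum/yum-cron.conf` (and the equivalent for `/etc/dnf/automatic.conf`), so a mismatch surfaces as a pod failure instead of silently disabled updates. `update_cmd = security` / `upgrade_type = security` restrict the automation to security errata, which is a sensible default but is not stated anywhere; a one-line comment such as `# security errata only; change to "default" to apply all updates` would help whoever tunes this later.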
Signed-off-by: Artiom Diomin --- pkg/tasks/nodes.go | 46 ++++++++++++++++++++++++++++++++++++++++++++++ pkg/tasks/tasks.go | 8 ++++++++ 2 files changed, 54 insertions(+) diff --git a/pkg/tasks/nodes.go b/pkg/tasks/nodes.go index 5b7fc8752..101c0b7f5 100644 --- a/pkg/tasks/nodes.go +++ b/pkg/tasks/nodes.go @@ -18,6 +18,7 @@ package tasks import ( "github.com/pkg/errors" + "k8s.io/apimachinery/pkg/util/sets" kubeoneapi "k8c.io/kubeone/pkg/apis/kubeone" "k8c.io/kubeone/pkg/scripts" @@ -87,3 +88,48 @@ func restartKubeAPIServerDocker(s *state.State) error { return errors.WithStack(err) } + +func labelNodeOSes(s *state.State) error { + candidateNodes := sets.NewString() + nodeList := corev1.NodeList{} + + if err := s.DynamicClient.List(s.Context, &nodeList); err != nil { + return err + } + + for _, node := range nodeList.Items { + candidateNodes.Insert(node.Name) + for _, addr := range node.Status.Addresses { + candidateNodes.Insert(addr.Address) + } + } + + hostsSet := map[string]kubeoneapi.HostConfig{} + + for _, host := range append(s.Cluster.ControlPlane.Hosts, s.Cluster.StaticWorkers.Hosts...) { + if candidateNodes.Has(host.Hostname) || candidateNodes.Has(host.PrivateAddress) || candidateNodes.Has(host.PublicAddress) { + hostsSet[host.Hostname] = host + } + } + + for nodeName, host := range hostsSet { + nodeName := nodeName + host := host + updateErr := retry.RetryOnConflict(retry.DefaultRetry, func() error { + var node corev1.Node + + if err := s.DynamicClient.Get(s.Context, types.NamespacedName{Name: nodeName}, &node); err != nil { + return err + } + + node.Labels["v1.kubeone.io/operating-system"] = string(host.OperatingSystem) + return s.DynamicClient.Update(s.Context, &node) + }) + + if updateErr != nil { + return updateErr + } + } + + return nil +} diff --git a/pkg/tasks/tasks.go b/pkg/tasks/tasks.go index 6768c29a0..f85c1dcfd 100644 --- a/pkg/tasks/tasks.go +++ b/pkg/tasks/tasks.go 
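Review bot: `node.Labels["v1.kubeone.io/operating-system"] = …` inside the RetryOnConflict closure panics with "assignment to entry in nil map" when the Node object carries no labels at all, so a nil guard is needed before the assignment. A second problem is that `hostsSet` is keyed by `host.Hostname` while the candidate matching also accepts `PrivateAddress`/`PublicAddress`; when a node's name differs from the configured hostname (the very case the address matching exists for) the later `Get` by `host.Hostname` returns NotFound and the whole task fails. Keying the map by the matched `node.Name` instead fixes the lookup, and the rewrite below does that together with the nil-map guard. `restartKubeAPIServerDocker` just above wraps its errors with `errors.WithStack`, so the new returns should do the same for consistency. `append(s.Cluster.ControlPlane.Hosts, …)` may also write into ControlPlane.Hosts' backing array when it has spare capacity — presumably harmless here, but building a fresh slice avoids the question.
```go
func labelNodeOSes(s *state.State) error {
	nodeList := corev1.NodeList{}

	if err := s.DynamicClient.List(s.Context, &nodeList); err != nil {
		return errors.WithStack(err)
	}

	// fresh slice: never append into ControlPlane.Hosts' backing array
	hosts := make([]kubeoneapi.HostConfig, 0, len(s.Cluster.ControlPlane.Hosts)+len(s.Cluster.StaticWorkers.Hosts))
	hosts = append(hosts, s.Cluster.ControlPlane.Hosts...)
	hosts = append(hosts, s.Cluster.StaticWorkers.Hosts...)

	// keyed by the real node name, so the Get below cannot miss
	nodeHosts := map[string]kubeoneapi.HostConfig{}

	for _, node := range nodeList.Items {
		identities := sets.NewString(node.Name)
		for _, addr := range node.Status.Addresses {
			identities.Insert(addr.Address)
		}

		for _, host := range hosts {
			if identities.Has(host.Hostname) || identities.Has(host.PrivateAddress) || identities.Has(host.PublicAddress) {
				nodeHosts[node.Name] = host
				break
			}
		}
	}

	for nodeName, host := range nodeHosts {
		nodeName, host := nodeName, host
		updateErr := retry.RetryOnConflict(retry.DefaultRetry, func() error {
			var node corev1.Node

			if err := s.DynamicClient.Get(s.Context, types.NamespacedName{Name: nodeName}, &node); err != nil {
				return err
			}

			// a Node with no labels has a nil map; assigning into it panics
			if node.Labels == nil {
				node.Labels = map[string]string{}
			}
			node.Labels["v1.kubeone.io/operating-system"] = string(host.OperatingSystem)

			return s.DynamicClient.Update(s.Context, &node)
		})

		if updateErr != nil {
			return errors.WithStack(updateErr)
		}
	}

	return nil
}
```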
@@ -142,6 +142,10 @@ func WithRefreshResources(t Tasks) Tasks { Desciption: "ensure addons", Predicate: func(s *state.State) bool { return s.Cluster.Addons != nil && s.Cluster.Addons.Enable }, }, + { + Fn: labelNodeOSes, + ErrMsg: "failed to label nodes with their OS", + }, { Fn: credentials.Ensure, ErrMsg: "failed to ensure credentials secret", @@ -258,6 +262,10 @@ func kubernetesResources() Tasks { }, {Fn: patchCNI, ErrMsg: "failed to patch CNI"}, {Fn: joinStaticWorkerNodes, ErrMsg: "failed to join worker nodes to the cluster"}, + { + Fn: labelNodeOSes, + ErrMsg: "failed to label nodes with their OS", + }, { Fn: machinecontroller.Ensure, ErrMsg: "failed to ensure machine-controller", From b5c219209d6a41af6656e40bb479a1d18df1e553 Mon Sep 17 00:00:00 2001 From: Artiom Diomin Date: Fri, 26 Mar 2021 15:06:11 +0200 Subject: [PATCH 3/5] Review changes Signed-off-by: Artiom Diomin --- .golangci.yml | 2 +- addons/unattended-upgrades/README.md | 40 +++++++++++++++++++++++++++- addons/unattended-upgrades/apt.yaml | 8 +++--- pkg/tasks/nodes.go | 2 +- 4 files changed, 45 insertions(+), 7 deletions(-) diff --git a/.golangci.yml b/.golangci.yml index 983287a8a..6d50f66c1 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -42,7 +42,7 @@ linters-settings: govet: check-shadowing: true goimports: - local-prefixes: github.com/kubermatic + local-prefixes: k8c.io/kubeone issues: exclude-rules: diff --git a/addons/unattended-upgrades/README.md b/addons/unattended-upgrades/README.md index 9108fb0c3..7a4669f2f 100644 --- a/addons/unattended-upgrades/README.md +++ b/addons/unattended-upgrades/README.md 
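Review bot: In the `WithRefreshResources` hunk the new `labelNodeOSes` entry comes after the "ensure addons" task, so on a refresh the addon DaemonSets that select on `v1.kubeone.io/operating-system` are applied before the label exists; the DaemonSet controller reconciles once the label appears, so this is eventually consistent, but placing the labelling entry before the addons task removes the window in which those pods are unschedulable. Neither new entry sets the `Desciption` field that the neighbouring task uses, which presumably feeds the step's log output — confirm against the task runner, which this hunk does not show. Both hunks in this file share the remark.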
@@ -1,3 +1,41 @@ -# Unnatended Upgrades +# Unattended Upgrades This addon will automate upgrading system packages of the distro of your choice. + +## Requirements + +Since KubeOne 1.3+ we automatically label control-plane nodes with +`v1.kubeone.io/operating-system` and worker nodes with +`v1.machine-controller.kubermatic.io/operating-system` and use those labels as +nodeAffinity in this addon manifests. + +## What's included + +This addon provides bunch of DaemonSets and operators: + +* **Debian/Ubuntu** + DaemonSet that will install `unattended-upgrades` +* **RHEL/CentOS** + DaemonSet that will install and configure `yum-cron`/`dnf-automatic` +* **Debian/Ubuntu/RHEL/CentOS** + [Kured](https://github.com/weaveworks/kured) (DaemonSet and operator) that + will orchestrate node rebootes in case when it's required (kernel upgrades) +* **Flatcar Linux** + [Flatcar Linux Update Operator](https://github.com/kinvolk/flatcar-linux-update-operator) + +## Deployment instructions + +Copy files from this directory to your configured addons directory. + +In `kubeone.yaml` config: +```yaml +addons: + enable: true + path: "./addons" +``` + +## Information about permissions + +Since daemonSets provided by this addon are making changes on the nodes +themselves they require elevated permissions like full root access to the host +machine. diff --git a/addons/unattended-upgrades/apt.yaml b/addons/unattended-upgrades/apt.yaml index 750a99ca6..3fb9508b0 100644 --- a/addons/unattended-upgrades/apt.yaml +++ b/addons/unattended-upgrades/apt.yaml @@ -2,18 +2,18 @@ apiVersion: apps/v1 kind: DaemonSet metadata: - name: unnatended-upgrades-install + name: unattended-upgrades-install namespace: kube-system spec: selector: matchLabels: - name: unnatended-upgrades-install + name: unattended-upgrades-install updateStrategy: type: RollingUpdate template: metadata: labels: - name: unnatended-upgrades-install + name: unattended-upgrades-install spec: affinity: nodeAffinity: 
@@ -35,7 +35,7 @@ spec: effect: NoSchedule hostPID: true containers: - - name: "unnatended-upgrades-install" + - name: "unattended-upgrades-install" image: "alpine:3.12.4" securityContext: privileged: true diff --git a/pkg/tasks/nodes.go b/pkg/tasks/nodes.go index 101c0b7f5..c1800635d 100644 --- a/pkg/tasks/nodes.go +++ b/pkg/tasks/nodes.go @@ -18,7 +18,6 @@ package tasks import ( "github.com/pkg/errors" - "k8s.io/apimachinery/pkg/util/sets" kubeoneapi "k8c.io/kubeone/pkg/apis/kubeone" "k8c.io/kubeone/pkg/scripts" @@ -27,6 +26,7 @@ import ( corev1 "k8s.io/api/core/v1" "k8s.io/apimachinery/pkg/types" + "k8s.io/apimachinery/pkg/util/sets" "k8s.io/client-go/util/retry" ) From 5ec038af727fb3b29946ee245f9f4343a2480fe4 Mon Sep 17 00:00:00 2001 From: Artiom Diomin Date: Fri, 26 Mar 2021 15:45:46 +0200 Subject: [PATCH 4/5] add amzn2 Signed-off-by: Artiom Diomin --- addons/unattended-upgrades/yum.yaml | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/addons/unattended-upgrades/yum.yaml b/addons/unattended-upgrades/yum.yaml index 16992d402..cce29b2a6 100644 --- a/addons/unattended-upgrades/yum.yaml +++ b/addons/unattended-upgrades/yum.yaml @@ -23,12 +23,14 @@ spec: - key: v1.machine-controller.kubermatic.io/operating-system operator: In values: + - amzn - centos - rhel - matchExpressions: - key: v1.kubeone.io/operating-system operator: In values: + - amzn - centos - rhel tolerations: @@ -56,14 +58,14 @@ spec: source /etc/os-release - case $VERSION_ID in - 7*) + case "$ID$VERSION_ID" in + amzn2 | centos7 | rhel7*) yum install -y yum-cron sed -i 's/apply_updates = no/apply_updates = yes/' /etc/yum/yum-cron.conf sed -i 's/update_cmd = default/update_cmd = security/' /etc/yum/yum-cron.conf systemctl enable --now yum-cron ;; - 8*) + centos8 | rhel8*) dnf install -y dnf-automatic sed -i 's/apply_updates = no/apply_updates = yes/' /etc/dnf/automatic.conf sed -i 's/upgrade_type = default/upgrade_type = security/' /etc/dnf/automatic.conf 
From a00b5b705a35e29cd70c6b8cd73744f2510ef111 Mon Sep 17 00:00:00 2001 From: Artiom Diomin Date: Fri, 26 Mar 2021 19:00:13 +0200 Subject: [PATCH 5/5] Deploy kured to Amazon Linux 2 too Signed-off-by: Artiom Diomin --- addons/unattended-upgrades/README.md | 4 ++-- addons/unattended-upgrades/kured.yaml | 8 +++++--- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/addons/unattended-upgrades/README.md b/addons/unattended-upgrades/README.md index 7a4669f2f..ba790c9eb 100644 --- a/addons/unattended-upgrades/README.md +++ b/addons/unattended-upgrades/README.md @@ -15,9 +15,9 @@ This addon provides bunch of DaemonSets and operators: * **Debian/Ubuntu** DaemonSet that will install `unattended-upgrades` -* **RHEL/CentOS** +* **RHEL/CentOS/Amazon Linux 2** DaemonSet that will install and configure `yum-cron`/`dnf-automatic` -* **Debian/Ubuntu/RHEL/CentOS** +* **Debian/Ubuntu/RHEL/CentOS/Amazon Linux 2** [Kured](https://github.com/weaveworks/kured) (DaemonSet and operator) that will orchestrate node rebootes in case when it's required (kernel upgrades) * **Flatcar Linux** diff --git a/addons/unattended-upgrades/kured.yaml b/addons/unattended-upgrades/kured.yaml index 001380450..57e6fb952 100644 --- a/addons/unattended-upgrades/kured.yaml +++ b/addons/unattended-upgrades/kured.yaml @@ -92,17 +92,19 @@ spec: - key: v1.machine-controller.kubermatic.io/operating-system operator: In values: - - ubuntu + - amzn - centos - rhel + - ubuntu - matchExpressions: - key: v1.kubeone.io/operating-system operator: In values: - - ubuntu - - debian + - amzn - centos + - debian - rhel + - ubuntu serviceAccountName: kured tolerations: - key: node-role.kubernetes.io/master