Puppet Class: k8s::kubelet

Defined in:
modules/k8s/manifests/kubelet.pp

Overview

SPDX-License-Identifier: Apache-2.0

Class that sets up and configures kubelet

Parameters:

  • version (K8s::KubernetesVersion)
  • kubeconfig (String)
  • cni (Boolean)
  • pod_infra_container_image (String) (defaults to: 'docker-registry.discovery.wmnet/pause')
  • cluster_domain (Stdlib::Fqdn) (defaults to: 'cluster.local')
  • tls_cert (Stdlib::Unixpath) (defaults to: '/var/lib/kubernetes/ssl/certs/cert.pem')
  • tls_key (Stdlib::Unixpath) (defaults to: '/var/lib/kubernetes/ssl/private_keys/server.key')
  • cni_bin_dir (Stdlib::Unixpath) (defaults to: '/opt/cni/bin')
  • cni_conf_dir (Stdlib::Unixpath) (defaults to: '/etc/cni/net.d')
  • logtostderr (Boolean) (defaults to: true)
  • v_log_level (Integer) (defaults to: 0)
  • ipv6dualstack (Boolean) (defaults to: false)
  • listen_address (Optional[Stdlib::IP::Address]) (defaults to: undef)
  • docker_kubernetes_user_password (Optional[String]) (defaults to: undef)
  • cluster_dns (Optional[Stdlib::IP::Address]) (defaults to: undef)
  • node_labels (Optional[Array[String]]) (defaults to: [])
  • node_taints (Optional[Array[K8s::Core::V1Taint]]) (defaults to: [])
  • extra_params (Optional[Array[String]]) (defaults to: undef)



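# @summary Installs kubelet, renders its KubeletConfiguration and manages the service.
#
# Version-dependent settings (feature gates, cgroup driver, registerWithTaints) are derived
# from $version with versioncmp(), so bumping the version changes the generated config.
#
# @param version           Kubernetes version to install via k8s::package.
# @param kubeconfig        Path of the kubeconfig; a File resource with this title must be
#                          declared elsewhere because Service['kubelet'] subscribes to it.
# @param cni               Not referenced in this manifest; presumably read by
#                          k8s/kubelet.default.erb — verify against the template.
# @param pod_infra_container_image  Pause image; presumably consumed by the template — verify.
# @param cluster_domain    Value for clusterDomain in the KubeletConfiguration.
# @param tls_cert          Value for tlsCertFile.
# @param tls_key           Value for tlsPrivateKeyFile.
# @param cni_bin_dir       Not referenced here; presumably consumed by the template — verify.
# @param cni_conf_dir      Not referenced here; presumably consumed by the template — verify.
# @param logtostderr       Not referenced here; presumably consumed by the template — verify.
# @param v_log_level       Not referenced here; presumably consumed by the template — verify.
# @param ipv6dualstack     Enables the IPv6DualStack feature gate on k8s < 1.22 only.
# @param listen_address    Value for address; omitted from the config when undef.
# @param docker_kubernetes_user_password  When set, writes registry credentials for the
#                          kubelet to /var/lib/kubelet/config.json.
# @param docker_registry   Registry those credentials are written for.
# @param cluster_dns       One address or a list of addresses for clusterDNS; omitted from the
#                          config when undef (previously an undef value produced a one-element
#                          list containing null).
# @param node_labels       Not referenced here; presumably consumed by the template — verify.
# @param node_taints       Used for registerWithTaints on k8s >= 1.23.
# @param extra_params      Not referenced here; presumably consumed by the template — verify.
# @param read_only_port    Unauthenticated read-only kubelet port; 0 disables it. The default
#                          keeps the existing 10255 because prometheus scrapes kubelet and
#                          cadvisor metrics there (see the FIXME inline).
# @param anonymous_auth    Whether unauthenticated requests to the kubelet API are accepted.
#                          The default keeps the existing behaviour (true); set to false
#                          wherever nothing depends on anonymous access.
# @param authorization_mode  Kubelet authorization mode. 'AlwaysAllow' keeps the existing
#                          behaviour; 'Webhook' delegates each request to the API server.
class k8s::kubelet (
    K8s::KubernetesVersion $version,
    String $kubeconfig,
    Boolean $cni,
    String $pod_infra_container_image = 'docker-registry.discovery.wmnet/pause',
    Stdlib::Fqdn $cluster_domain = 'cluster.local',
    Stdlib::Unixpath $tls_cert = '/var/lib/kubernetes/ssl/certs/cert.pem',
    Stdlib::Unixpath $tls_key = '/var/lib/kubernetes/ssl/private_keys/server.key',
    Stdlib::Unixpath $cni_bin_dir = '/opt/cni/bin',
    Stdlib::Unixpath $cni_conf_dir = '/etc/cni/net.d',
    Boolean $logtostderr = true,
    Integer $v_log_level = 0,
    Boolean $ipv6dualstack = false,
    Optional[Stdlib::IP::Address] $listen_address = undef,
    Optional[String] $docker_kubernetes_user_password = undef,
    String $docker_registry = 'docker-registry.discovery.wmnet',
    # A single address is still accepted for backwards compatibility and is wrapped into a list.
    Optional[Variant[Stdlib::IP::Address, Array[Stdlib::IP::Address]]] $cluster_dns = undef,
    Optional[Array[String]] $node_labels = [],
    Optional[Array[K8s::Core::V1Taint]] $node_taints = [],
    Optional[Array[String]] $extra_params = undef,
    Integer[0, 65535] $read_only_port = 10255,
    Boolean $anonymous_auth = true,
    Enum['AlwaysAllow', 'Webhook'] $authorization_mode = 'AlwaysAllow',
) {
    k8s::package { 'kubelet':
        package => 'node',
        version => $version,
    }
    # apparmor is needed for PodSecurityPolicy to be able to enforce profiles
    ensure_packages('apparmor')
    # socat is needed on k8s nodes for kubectl proxying to work
    ensure_packages('socat')

    # Create the KubeletConfiguration YAML.
    # Keys whose value is undef or an empty collection are dropped before serialisation
    # (see the filter on the file content below), so "unset" parameters simply vanish.
    $config_yaml = {
        apiVersion         => 'kubelet.config.k8s.io/v1beta1',
        kind               => 'KubeletConfiguration',
        address            => $listen_address,
        tlsPrivateKeyFile  => $tls_key,
        tlsCertFile        => $tls_cert,
        clusterDomain      => $cluster_domain,
        # Only emit clusterDNS when something was given: a bare [undef] is not empty and
        # would otherwise survive the filter as a list containing null.
        clusterDNS         => if $cluster_dns =~ NotUndef { Array($cluster_dns, true) },
        # IPv6DualStack is GA and enabled by default in k8s >=1.22
        featureGates       => if $ipv6dualstack and versioncmp($version, '1.22') < 0 { { 'IPv6DualStack' => true } },
        # FIXME: Do we really need anonymous read only access to kubelets enabled?
        #
        # When kubelet is run without --config, --read-only-port defaults to 10255 (e.g. is enabled).
        # Using --config the default changes to 0 (e.g. disabled).
        # 10255 is used by prometheus to scrape kubelet and cadvisor metrics.
        # An explicit 0 is kept in the output (0 is not "empty"), which disables the port.
        readOnlyPort       => $read_only_port,

        # --anonymous-auth which is enabled by default without --config but disabled when --config is used.
        # TODO: With k8s 1.23, the default for anonymous auth via --config changed back to 'true'
        authentication     => { anonymous => { enabled => $anonymous_auth } },
        # Authorization mode defaults to 'AlwaysAllow' when running without --config but
        # 'Webhook' when --config is used.
        authorization      => { mode => $authorization_mode },
        registerWithTaints => if versioncmp($version, '1.23') >= 0 { $node_taints },
        # Use systemd cgroup driver with k8s >= 1.23
        cgroupDriver       => if versioncmp($version, '1.23') >= 0 { 'systemd' },
    }
    $config_file = '/etc/kubernetes/kubelet-config.yaml'
    file { $config_file:
        ensure  => file,
        owner   => 'kube',
        group   => 'kube',
        mode    => '0400',
        content => $config_yaml.filter |$k, $v| { $v =~ NotUndef and !$v.empty }.to_yaml,
        notify  => Service['kubelet'],
    }

    # Command-line flags for the unit; the template reads this class's variables directly.
    file { '/etc/default/kubelet':
        ensure  => file,
        owner   => 'root',
        group   => 'root',
        mode    => '0644',
        content => template('k8s/kubelet.default.erb'),
        notify  => Service['kubelet'],
    }

    file { [
        '/var/run/kubernetes',
        '/var/lib/kubelet',
    ]:
        ensure => directory,
        owner  => 'root',
        group  => 'root',
        mode   => '0700',
    }

    if $docker_kubernetes_user_password {
        docker::credentials { '/var/lib/kubelet/config.json':
            owner             => 'root',
            group             => 'root',
            registry          => $docker_registry,
            registry_username => 'kubernetes',
            registry_password => $docker_kubernetes_user_password,
        }
    }

    # Restart on kubeconfig or flag changes; the config YAML notifies the service itself.
    service { 'kubelet':
        ensure    => running,
        enable    => true,
        subscribe => [
            File[$kubeconfig],
            File['/etc/default/kubelet'],
        ],
    }
}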