Kismatic Enterprise Toolkit: Fully-Automated, Production-Grade Kubernetes Operations
apiserver port. (https://github.com/apprenda/kismatic/issues/750)
apiserver_cert_extra_sans to specify additional extra SANs for the API Server serving certificate.load_balancer allows for setting both the IP or DNS and Port.cluster:
# Generated certs configuration.
certificates:
...
# Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate.
# Can be both IP addresses and DNS names.
apiserver_cert_extra_sans: ""
...
master:
expected_count: 2
# If you have set up load balancing for master nodes, enter the IP or DNS and Port.
# Otherwise, use the IP address of a single master node and port '6443'.
load_balancer: ""
...
reset command. (https://github.com/apprenda/kismatic/pull/1252)
iptables.dashboard command by splitting up the command flags into individual subcommands. See docs. (https://github.com/apprenda/kismatic/pull/1258)add_ons.dashboard.options.node_port, useful when setting up a simple cluster and exposing the dashboard on a predetermined port. (https://github.com/apprenda/kismatic/pull/1250)go1.10.3 when building the binary. (https://github.com/apprenda/kismatic/pull/1257)| Field | Notes |
|---|---|
master.load_balanced_fqdn |
Replaced by master.load_balancer. |
master.load_balanced_short_name |
Specify additional SANs in cluster.certificates.apiserver_cert_extra_sans. |
| Field | Notes |
|---|---|
cluster.certificates.apiserver_cert_extra_sans |
Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. |
master.load_balancer |
If you have set up load balancing for master nodes, enter the IP or DNS and Port. Otherwise, use the IP address of a single master node and port '6443'. |
add_ons.dashboard.options.node_port |
When using NodePort set the port to use. When left empty Kubernetes will allocate a random port. |
NoExecute tolerations in Calico. (https://github.com/apprenda/kismatic/pull/1240) - @TimWoolfordjournald restarts. (https://github.com/apprenda/kismatic/issues/1208) - @jlmeekerportmap CNI plugin introduced in KET v1.11.0. (https://github.com/apprenda/kismatic/issues/1235)add_ons:
cni:
options:
portmap:
disable: false
| Field | Notes |
|---|---|
add_ons.cn.options.portmap.disable |
Set to true to disable the portmap plugin |
10255 (heapster and metrics-server deployed by KET will be modified to use the correct port during the upgrade):
10250 or--read-only-port
kubelet:
option_overrides:
read-only-port: 10255
labels were being overwritten if taints is also specified for that node. (#1213)/etc/docker/daemon.json options restarting the docker daemon on change. (#1221)--read-only-port=0, this disables the unathenticated Kubelet API access on port 10255. (#1135)
heapster and metrics-server deployed on the cluster were modified to use port 10250 and authorize via standard RBAC policies.--authentication-token-webhook was enabled to support API bearer token authentication to the Kubelet’s HTTPS endpoint.portmap CNI plugin for both Calico and Weave to suport hostPort in pods. (#1207)hostNetwork: true. (#1226)
hostNetworking is the ability to define networkPolicies for the Ingress Controller pods.Desired pod count to Ready pod count on the DaemonSet resource.option_overrides with special characters. (#1217)--enable-admission-plugins instead of the deprecated --admission-contro. (#1212)--kubelet-certificate-authority on the kube-apiserver is now being set. (#1178)
generated/ directory prior to upgrading to allow the tool to regenerate them. (Or regenerated by the user manually)install or upgrade to contain the node's hostname and internalip.Configuring Certificates============================================================
Found valid certificate for etcd001 etcd server [OK]
Found valid certificate for master001 API server [OK]
Found valid certificate for kubernetes controller manager [OK]
Found valid certificate for kubernetes scheduler [OK]
Found valid certificate for service account signing [OK]
Found certificate for master001 kubelet, but it is not valid [ERROR]
- Certificate "master001-kubelet.pem": SANs validation failed
expected:
[192.168.42.3 master001]
instead got:
[]
error generating certificates for the cluster: invalid certificate found for "master001 kubelet"
v1.10.0. (#1188)
v1.10.x versions will be permitted.taints option in the plan file for master, worker, etcd and storage nodes. (#1057)worker:
expected_count: 3
nodes:
- host: "worker1"
ip: "1.2.3.1"
labels: {}
taints:
- key: "foo"
value: "bar"
effect: "NoSchedule"
- host: "worker2"
ip: "1.2.3.2"
labels: {}
taints:
- key: "xyz"
value: "zyx"
effect: "PreferNoSchedule"
- host: "worker3"
ip: "1.2.3.3"
labels: {}
taints: []
reset command to rollback any changes made to the hosts by apply. (#955)➜ ./kismatic reset --remove-assets
=> Are you sure you want to reset the cluster? All data will be lost [N/y]:
➜ ./kismatic reset --remove-assets --force
Resetting Nodes in the Cluster======================================================
Reset All Nodes [OK]
Removing Assets Directory===========================================================
Remove "generated" directory [OK]
dashboard command with a new --token flag that will generate a kubeconfig file with kubernetes-dashboard-admin ServiceAccount token without running kismatic proxy. (#1195)kismatic volume delete command to properly work with volumes where PVs have been delete with kubectl. (#1185)nfs: storage options in the plan file. (#946)
nfs: tag will still function as before.nfs: tag.| Field | Notes |
|---|---|
nfs |
Will be removed completely in a future release. |
| Field | Notes |
|---|---|
dashboard.options.service_type |
Kubernetes service type of the Dashboard service. Options: ClusterIP, NodePort, LoadBalancer, ExternalName. |
nodes.taints |
Kubernetes taints applied to the nodes during installation. |
hosts is an array that can consist of hostnames; node roles: worker, master, etcd, ingress, storage; or all that will copy to all hosts.skip_validation if the file is not yet present during plan file validation, ie. certificates generated by the tooladditional_files:
- hosts:
- "master001"
source: /tmp/ca-key.pem
destination: /etc/kubernetes/pki/ca-key.pem
skip_validation: true
- hosts:
- "all"
source: /root/foo.txt
destination: /tmp/foo.txt
- hosts:
- "worker"
source: /tmp/bar.txt
destination: /tmp/bar.txt
rescheduler pod was trying to connect to the API server on port 8080 (https://github.com/apprenda/kismatic/issues/1167)docker (https://github.com/apprenda/kismatic/issues/976)| Field | Notes |
|---|---|
add_ons.cni.options.weave.password |
Used by Weave for network traffic encryption. Sets WEAVE_PASSWORD in the deployment. |
add_ons.dns.options.replicas |
The number of cluster DNS pods to run. |
additional_files |
Used to copy arbitrary files and directories to the cluster nodes. |
Please read through the release notes as there are many Kubernetes component flag changes that might impact applications that communicate to either the kube-apiserver or the kublet API.
add_ons:
# Metrics Server is a cluster-wide aggregator of resource usage data.
metrics_server:
disable: false
kube-apiserver insecure access on port 8080 (https://github.com/apprenda/kismatic/issues/1134)kubelet client auth from kube-apiserver (https://github.com/apprenda/kismatic/issues/1136)
10255 is still enabled to support heapster and any other client accessing the API on that port. It will be removed in the future (https://github.com/apprenda/kismatic/issues/1135)admission-control (https://github.com/apprenda/kismatic/pull/1133):NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota
cadvisor-port to 0, this will disable access to the cAdvisor API on port 4194, if your cluster still depends on this API set:cluster:
kube_apiserver:
option_overrides:
cadvisor-port: 4194
kube-apiserver:
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.pem
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client-key.pem
--profiling=false
--repair-malformed-updates=false
kube-controller-manager:
--profiling=false
kube-scheduler:
--profiling=false
kube-proxy:
--profiling=false
kubelet:
--authorization-mode=Webhook
--client-ca-file=/etc/kubernetes/pki/ca.pem
--cadvisor-port=0
--event-qps=0
--make-iptables-util-chains=true
--streaming-connection-idle-timeout=0
| Field | Notes |
|---|---|
add_ons.cni.options.calico.ip_autodetection_method |
Used to detect the IPv4 address of the host. Sets IP_AUTODETECTION_METHOD in the Calico deployment. |
add_ons.metrics_server |
A cluster-wide aggregator of resource usage data. |
add_ons.metrics_server.disable |
When set to true skips installation of the metrics_server |
v1.7.1 but an improper merge for v1.8.0 caused the regressionminor version, i.e. KET v1.8.0 will be able to install any v1.9.x version.cluster:
# Kubernetes cluster version (supported minor version "v1.9.x").
version: v1.9.2
docker.storage.driver empty to have docker automatically select the best available option.devicemapper in direct-lvm modedocker.storage.opts now support providing docker storage options that will be set directly in docker's daemon.json file.direct-lvm mode.IMPORTANT: The storage driver option SHOULD NOT be modified for a running cluster. The result is undetermined and may result in a broken cluster. Only use when creating a brand new cluster.
# Docker daemon configuration of all cluster nodes.
docker:
# Set to true if docker is already installed and configured.
disable: false
storage:
# Leave empty to have docker automatically select the driver.
driver: ""
opts: {}
# Used for setting up Device Mapper storage driver in direct-lvm mode.
direct_lvm_block_device:
# Absolute path to the block device that will be used for direct-lvm mode.
# This device will be wiped and used exclusively by docker.
path: ""
thinpool_percent: "95"
thinpool_metapercent: "1"
thinpool_autoextend_threshold: "80"
thinpool_autoextend_percent: "20"
To maintain backwards compatibility providing the docker.storage.direct_lvm field will still work like before but it is now considered deprecated and will be removed in a future version.
The new schema allows the user to override any of the previously hardcoded options.
docker:
disable: false
storage:
direct_lvm:
enabled: true
block_device: "/dev/xvdb"
enable_deferred_deletion: false
docker:
storage:
driver: devicemapper
opts:
dm.thinpooldev: /dev/mapper/docker-thinpool
dm.use_deferred_deletion: "false"
dm.use_deferred_removal: "true"
direct_lvm_block_device:
path: /dev/xvdb
thinpool_percent: "95"
thinpool_metapercent: "1"
thinpool_autoextend_threshold: "80"
thinpool_autoextend_percent: "20"
namespace to deploy tiller in. If the namespace does not already exist, it will be automatically created. (https://github.com/apprenda/kismatic/pull/1064)add_ons:
package_manager:
disable: false
# Options: 'helm'.
provider: helm
options:
helm:
namespace: kube-system
apprenda/kismatic-charts GitHub repo was deprecated, configuration of this repo has been removed during installation. (https://github.com/apprenda/kismatic/pull/1073)add-worker command was renamed to add-node. (https://github.com/apprenda/kismatic/issues/1056)./kismatic install add-node node001 192.168.42.1 --roles worker,ingress
./kismatic install add-node node002 192.168.42.2 --roles ingress
./kismatic install add-node node003 192.168.42.3 --roles storage
./kismatic install add-node node004 192.168.42.4 --roles worker,ingress,storage
The old CLI command (add-worker) has been aliased to the new add-node and will still work as before.
./kismatic install add-worker node005 192.168.42.5
add_ons:
dns:
disable: false
# Options: 'kubedns','coredns'.
provider: coredns
IMPORTANT: Switching providers during an upgrade is not supported at this point. If you choose to switch you may experience downtime.
labels were appearing for the etcd nodes even-though the labels on those nodes are not used during installation. (https://github.com/apprenda/kismatic/issues/887)Golang v1.9.2 and Glide v0.13.1 (https://github.com/apprenda/kismatic/pull/1024)| Field | Notes |
|---|---|
cluster.version |
Kubernetes version used during installation or upgrade |
docker.disable |
Disables the installation of docker. Set to true if docker has already been installed and configured on the nodes |
docker.storage.driver |
Equivalent to "storage-driver" in docker's daemon.json |
docker.storage.opts |
Equivalent to "storage-opts" in docker's daemon.json |
docker.storage. direct_lvm_block_device |
Block device configuration used with devicemapper storage driver. Replaces docker.storage.direct_lvm options. |
add_ons.dns.provider |
A new in-cluster DNS add-on was added. Options: 'kubedns','coredns' |
add_ons.package_manager.options.helm.namespace |
Configure the kubernetes namespace to deploy tiller |
| Field | Notes |
|---|---|
docker.storage.direct_lvm |
Replaced by docker.storage. direct_lvm_block_device |
add-worker command was renamed to add-node. Note add-worker is an alias and will still function as before.--hostname-override option on the kube-proxy (https://github.com/apprenda/kismatic/pull/1072)kube-proxy (https://github.com/apprenda/kismatic/issues/1068)controller-manager and scheduler for prometheus operator (https://github.com/apprenda/kismatic/issues/1044)PodAntiAffinity to the kubernetes dashboard (https://github.com/apprenda/kismatic/issues/1058)