Kismatic Enterprise Toolkit: Fully-Automated, Production-Grade Kubernetes Operations
- `apiserver` port. (https://github.com/apprenda/kismatic/issues/750)
- `apiserver_cert_extra_sans` to specify additional extra SANs for the API Server serving certificate.
- `load_balancer` allows for setting both the IP or DNS and Port.

```yaml
cluster:
  # Generated certs configuration.
  certificates:
    ...
    # Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate.
    # Can be both IP addresses and DNS names.
    apiserver_cert_extra_sans: ""
  ...
master:
  expected_count: 2
  # If you have set up load balancing for master nodes, enter the IP or DNS and Port.
  # Otherwise, use the IP address of a single master node and port '6443'.
  load_balancer: ""
  ...
```
- `reset` command. (https://github.com/apprenda/kismatic/pull/1252)
- `iptables`.
- `dashboard` command by splitting up the command flags into individual subcommands. See docs. (https://github.com/apprenda/kismatic/pull/1258)
- `add_ons.dashboard.options.node_port`, useful when setting up a simple cluster and exposing the dashboard on a predetermined port. (https://github.com/apprenda/kismatic/pull/1250)
- `go1.10.3` when building the binary. (https://github.com/apprenda/kismatic/pull/1257)

Field | Notes |
---|---|
`master.load_balanced_fqdn` | Replaced by `master.load_balancer`. |
`master.load_balanced_short_name` | Specify additional SANs in `cluster.certificates.apiserver_cert_extra_sans`. |

Field | Notes |
---|---|
`cluster.certificates.apiserver_cert_extra_sans` | Optional extra Subject Alternative Names (SANs) to use for the API Server serving certificate. |
`master.load_balancer` | If you have set up load balancing for master nodes, enter the IP or DNS and Port. Otherwise, use the IP address of a single master node and port '6443'. |
`add_ons.dashboard.options.node_port` | When using NodePort, set the port to use. When left empty, Kubernetes will allocate a random port. |
- `NoExecute` tolerations in Calico. (https://github.com/apprenda/kismatic/pull/1240) - @TimWoolford
- `journald` restarts. (https://github.com/apprenda/kismatic/issues/1208) - @jlmeeker
- `portmap` CNI plugin introduced in KET v1.11.0. (https://github.com/apprenda/kismatic/issues/1235)

```yaml
add_ons:
  cni:
    options:
      portmap:
        disable: false
```

Field | Notes |
---|---|
`add_ons.cni.options.portmap.disable` | Set to true to disable the portmap plugin. |
- Kubelet read-only port `10255` (`heapster` and `metrics-server` deployed by KET will be modified to use the correct port during the upgrade): move remaining clients to port `10250`, or re-enable the read-only port with `--read-only-port`:

```yaml
kubelet:
  option_overrides:
    read-only-port: 10255
```
- `labels` were being overwritten if `taints` is also specified for that node. (#1213)
- `/etc/docker/daemon.json` options restarting the docker daemon on change. (#1221)
- `--read-only-port=0`; this disables the unauthenticated Kubelet API access on port `10255`. (#1135)
- `heapster` and `metrics-server` deployed on the cluster were modified to use port `10250` and authorize via standard RBAC policies.
- `--authentication-token-webhook` was enabled to support API bearer token authentication to the Kubelet's HTTPS endpoint.
- `portmap` CNI plugin for both Calico and Weave to support `hostPort` in pods. (#1207)
- `hostNetwork: true`. (#1226)
- `hostNetworking` is the ability to define `networkPolicies` for the Ingress Controller pods.
- `Desired` pod count to `Ready` pod count on the DaemonSet resource.
- `option_overrides` with special characters. (#1217)
- `--enable-admission-plugins` instead of the deprecated `--admission-control`. (#1212)
- `--kubelet-certificate-authority` on the `kube-apiserver` is now being set. (#1178)
- `generated/` directory prior to upgrading to allow the tool to regenerate them. (Or regenerated by the user manually.)
- `install` or `upgrade` to contain the node's `hostname` and `internalip`.

```
Configuring Certificates============================================================
Found valid certificate for etcd001 etcd server [OK]
Found valid certificate for master001 API server [OK]
Found valid certificate for kubernetes controller manager [OK]
Found valid certificate for kubernetes scheduler [OK]
Found valid certificate for service account signing [OK]
Found certificate for master001 kubelet, but it is not valid [ERROR]
- Certificate "master001-kubelet.pem": SANs validation failed
  expected:
    [192.168.42.3 master001]
  instead got:
    []
error generating certificates for the cluster: invalid certificate found for "master001 kubelet"
```
- `v1.10.0`. (#1188)
- `v1.10.x` versions will be permitted.
- `taints` option in the plan file for `master`, `worker`, `etcd` and `storage` nodes. (#1057)

```yaml
worker:
  expected_count: 3
  nodes:
  - host: "worker1"
    ip: "1.2.3.1"
    labels: {}
    taints:
    - key: "foo"
      value: "bar"
      effect: "NoSchedule"
  - host: "worker2"
    ip: "1.2.3.2"
    labels: {}
    taints:
    - key: "xyz"
      value: "zyx"
      effect: "PreferNoSchedule"
  - host: "worker3"
    ip: "1.2.3.3"
    labels: {}
    taints: []
```
- `reset` command to roll back any changes made to the hosts by `apply`. (#955)

```
➜ ./kismatic reset --remove-assets
=> Are you sure you want to reset the cluster? All data will be lost [N/y]:
➜ ./kismatic reset --remove-assets --force
Resetting Nodes in the Cluster======================================================
Reset All Nodes [OK]
Removing Assets Directory===========================================================
Remove "generated" directory [OK]
```
- `dashboard` command with a new `--token` flag that will generate a `kubeconfig` file with the `kubernetes-dashboard-admin` ServiceAccount token without running `kismatic proxy`. (#1195)
- `kismatic volume delete` command to properly work with volumes where PVs have been deleted with `kubectl`. (#1185)
- `nfs:` storage options in the plan file. (#946)
- `nfs:` tag will still function as before.
- `nfs:` tag.

Field | Notes |
---|---|
`nfs` | Will be removed completely in a future release. |

Field | Notes |
---|---|
`dashboard.options.service_type` | Kubernetes service type of the Dashboard service. Options: `ClusterIP`, `NodePort`, `LoadBalancer`, `ExternalName`. |
`nodes.taints` | Kubernetes taints applied to the nodes during installation. |
- `hosts` is an array that can consist of `hostnames`; node roles: `worker`, `master`, `etcd`, `ingress`, `storage`; or `all`, which will copy to all hosts.
- `skip_validation` if the file is not yet present during plan file validation, i.e. certificates generated by the tool.

```yaml
additional_files:
- hosts:
  - "master001"
  source: /tmp/ca-key.pem
  destination: /etc/kubernetes/pki/ca-key.pem
  skip_validation: true
- hosts:
  - "all"
  source: /root/foo.txt
  destination: /tmp/foo.txt
- hosts:
  - "worker"
  source: /tmp/bar.txt
  destination: /tmp/bar.txt
```
- `rescheduler` pod was trying to connect to the API server on port `8080` (https://github.com/apprenda/kismatic/issues/1167)
- `docker` (https://github.com/apprenda/kismatic/issues/976)

Field | Notes |
---|---|
`add_ons.cni.options.weave.password` | Used by Weave for network traffic encryption. Sets `WEAVE_PASSWORD` in the deployment. |
`add_ons.dns.options.replicas` | The number of cluster DNS pods to run. |
`additional_files` | Used to copy arbitrary files and directories to the cluster nodes. |
Please read through the release notes, as there are many Kubernetes component flag changes that might impact applications that communicate with either the `kube-apiserver` or the `kubelet` API.

```yaml
add_ons:
  # Metrics Server is a cluster-wide aggregator of resource usage data.
  metrics_server:
    disable: false
```
- `kube-apiserver` insecure access on port `8080` (https://github.com/apprenda/kismatic/issues/1134)
- `kubelet` client auth from `kube-apiserver` (https://github.com/apprenda/kismatic/issues/1136)
- `10255` is still enabled to support heapster and any other client accessing the API on that port. It will be removed in the future (https://github.com/apprenda/kismatic/issues/1135)
- `admission-control` (https://github.com/apprenda/kismatic/pull/1133): `NamespaceLifecycle,LimitRanger,ServiceAccount,NodeRestriction,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota`
- `cadvisor-port` to `0`; this will disable access to the cAdvisor API on port `4194`. If your cluster still depends on this API, set:

```yaml
cluster:
  # cadvisor-port is a kubelet flag, so the override belongs under kubelet.
  kubelet:
    option_overrides:
      cadvisor-port: 4194
```
`kube-apiserver`:

```
--kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.pem
--kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client-key.pem
--profiling=false
--repair-malformed-updates=false
```

`kube-controller-manager`:

```
--profiling=false
```

`kube-scheduler`:

```
--profiling=false
```

`kube-proxy`:

```
--profiling=false
```

`kubelet`:

```
--authorization-mode=Webhook
--client-ca-file=/etc/kubernetes/pki/ca.pem
--cadvisor-port=0
--event-qps=0
--make-iptables-util-chains=true
--streaming-connection-idle-timeout=0
```
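The kubelet and kube-apiserver flags listed above (together with the `--read-only-port=0` and `--authentication-token-webhook` changes described for the kubelet) are what a defender wants to verify on a running node. This Python auditor is an added example, not KET's own code: it parses a component's command line (as seen in `ps` output, for instance) and reports every hardening setting that is missing or set to a different value; the sample command lines are constructed.

```python
import shlex
# Hardening expectations from the flag lists in these release notes
# (flag -> required value; None means the flag only needs to be present).
KUBELET_EXPECTED = {"--read-only-port": "0", "--authorization-mode": "Webhook",
                    "--client-ca-file": None, "--cadvisor-port": "0",
                    "--authentication-token-webhook": "true"}
APISERVER_EXPECTED = {"--profiling": "false", "--kubelet-certificate-authority": None,
                      "--kubelet-client-certificate": None, "--kubelet-client-key": None}
# NodeRestriction limits what a node's own kubelet credential may modify through the API.
REQUIRED_ADMISSION = {"NodeRestriction", "ServiceAccount"}

# Constructed sample command lines, not captured from a real cluster.
KUBELET_OLD = "kubelet --read-only-port=10255 --authorization-mode=AlwaysAllow --cadvisor-port=4194"
KUBELET_NEW = ("kubelet --read-only-port=0 --authorization-mode=Webhook "
               "--client-ca-file=/etc/kubernetes/pki/ca.pem --cadvisor-port=0 "
               "--authentication-token-webhook")
APISERVER_OLD = "kube-apiserver --admission-control=NamespaceLifecycle,ServiceAccount --insecure-port=8080"


def parse_flags(cmdline):
    """Map '--k=v', '--k v' and bare boolean '--k' (-> 'true') to a dict, skipping argv[0]."""
    toks, flags, i = shlex.split(cmdline)[1:], {}, 0
    while i < len(toks):
        tok = toks[i]
        if "=" in tok:
            key, val = tok.split("=", 1)
        elif i + 1 < len(toks) and not toks[i + 1].startswith("--"):
            key, val, i = tok, toks[i + 1], i + 1
        else:
            key, val = tok, "true"
        flags[key] = val
        i += 1
    return flags


def audit(cmdline, expected):
    """Return one finding per expectation the command line does not meet."""
    flags, findings = parse_flags(cmdline), []
    for flag, want in expected.items():
        got = flags.get(flag)
        if got is None:
            findings.append(f"{flag} not set")
        elif want is not None and got != want:
            findings.append(f"{flag}={got} (expected {want})")
    return findings


def missing_admission_plugins(cmdline):
    """Accept the new --enable-admission-plugins or the deprecated --admission-control."""
    flags = parse_flags(cmdline)
    enabled = flags.get("--enable-admission-plugins", flags.get("--admission-control", ""))
    return sorted(REQUIRED_ADMISSION - set(enabled.split(",")))
```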
Field | Notes |
---|---|
`add_ons.cni.options.calico.ip_autodetection_method` | Used to detect the IPv4 address of the host. Sets `IP_AUTODETECTION_METHOD` in the Calico deployment. |
`add_ons.metrics_server` | A cluster-wide aggregator of resource usage data. |
`add_ons.metrics_server.disable` | When set to true, skips installation of the metrics_server. |
- `v1.7.1`, but an improper merge for `v1.8.0` caused the regression.
- `minor` version, i.e. KET `v1.8.0` will be able to install any `v1.9.x` version.

```yaml
cluster:
  # Kubernetes cluster version (supported minor version "v1.9.x").
  version: v1.9.2
```
- `docker.storage.driver` empty to have docker automatically select the best available option.
- `devicemapper` in `direct-lvm` mode.
- `docker.storage.opts` now support providing docker storage options that will be set directly in docker's `daemon.json` file.
- `direct-lvm` mode.

IMPORTANT: The storage driver option SHOULD NOT be modified for a running cluster. The result is undetermined and may result in a broken cluster. Only use when creating a brand new cluster.

```yaml
# Docker daemon configuration of all cluster nodes.
docker:
  # Set to true if docker is already installed and configured.
  disable: false
  storage:
    # Leave empty to have docker automatically select the driver.
    driver: ""
    opts: {}
    # Used for setting up Device Mapper storage driver in direct-lvm mode.
    direct_lvm_block_device:
      # Absolute path to the block device that will be used for direct-lvm mode.
      # This device will be wiped and used exclusively by docker.
      path: ""
      thinpool_percent: "95"
      thinpool_metapercent: "1"
      thinpool_autoextend_threshold: "80"
      thinpool_autoextend_percent: "20"
```

To maintain backwards compatibility, providing the `docker.storage.direct_lvm` field will still work like before, but it is now considered deprecated and will be removed in a future version.
The new schema allows the user to override any of the previously hardcoded options.

```yaml
docker:
  disable: false
  storage:
    direct_lvm:
      enabled: true
      block_device: "/dev/xvdb"
      enable_deferred_deletion: false
```

```yaml
docker:
  storage:
    driver: devicemapper
    opts:
      dm.thinpooldev: /dev/mapper/docker-thinpool
      dm.use_deferred_deletion: "false"
      dm.use_deferred_removal: "true"
    direct_lvm_block_device:
      path: /dev/xvdb
      thinpool_percent: "95"
      thinpool_metapercent: "1"
      thinpool_autoextend_threshold: "80"
      thinpool_autoextend_percent: "20"
```
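As an added example that is not part of KET, the following Python translates a deprecated `docker.storage.direct_lvm` block into the new `driver`/`opts`/`direct_lvm_block_device` schema shown above. Plain dicts stand in for the YAML; the thin pool device name and percentages are taken from the example above, and refusing ambiguous or incomplete input is an assumption about sensible behaviour rather than documented tool behaviour.

```python
# Defaults taken from the new-schema example in these release notes.
THINPOOL_DEFAULTS = {"thinpool_percent": "95", "thinpool_metapercent": "1",
                     "thinpool_autoextend_threshold": "80", "thinpool_autoextend_percent": "20"}
# Thin pool device name as used in the example above (assumed to be fixed by the tooling).
THINPOOL_DEV = "/dev/mapper/docker-thinpool"


def migrate_docker_storage(docker):
    """Return a copy of the plan's 'docker' section using the driver/opts/direct_lvm_block_device schema."""
    storage = docker.get("storage") or {}
    legacy = storage.get("direct_lvm")
    if legacy is not None and "direct_lvm_block_device" in storage:
        raise ValueError("both direct_lvm and direct_lvm_block_device present; refusing to guess")
    if not legacy or not legacy.get("enabled"):
        # Nothing to migrate: drop the deprecated key and keep everything else untouched.
        return {**docker, "storage": {k: v for k, v in storage.items() if k != "direct_lvm"}}
    if not legacy.get("block_device"):
        raise ValueError("direct_lvm.enabled is true but block_device is empty")
    # The old boolean becomes docker's string-valued dm.use_deferred_deletion option.
    deferred_deletion = "true" if legacy.get("enable_deferred_deletion") else "false"
    return {**docker, "storage": {
        "driver": "devicemapper",
        "opts": {"dm.thinpooldev": THINPOOL_DEV,
                 "dm.use_deferred_deletion": deferred_deletion,
                 "dm.use_deferred_removal": "true"},
        "direct_lvm_block_device": {"path": legacy["block_device"], **THINPOOL_DEFAULTS},
    }}


# Constructed input mirroring the deprecated-schema example above.
OLD_PLAN_DOCKER = {"disable": False,
                   "storage": {"direct_lvm": {"enabled": True, "block_device": "/dev/xvdb",
                                              "enable_deferred_deletion": False}}}
```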
- `namespace` to deploy tiller in. If the namespace does not already exist, it will be automatically created. (https://github.com/apprenda/kismatic/pull/1064)

```yaml
add_ons:
  package_manager:
    disable: false
    # Options: 'helm'.
    provider: helm
    options:
      helm:
        namespace: kube-system
```
- `apprenda/kismatic-charts` GitHub repo was deprecated; configuration of this repo has been removed during installation. (https://github.com/apprenda/kismatic/pull/1073)
- `add-worker` command was renamed to `add-node`. (https://github.com/apprenda/kismatic/issues/1056)

```
./kismatic install add-node node001 192.168.42.1 --roles worker,ingress
./kismatic install add-node node002 192.168.42.2 --roles ingress
./kismatic install add-node node003 192.168.42.3 --roles storage
./kismatic install add-node node004 192.168.42.4 --roles worker,ingress,storage
```

The old CLI command (`add-worker`) has been aliased to the new `add-node` and will still work as before.

```
./kismatic install add-worker node005 192.168.42.5
```

```yaml
add_ons:
  dns:
    disable: false
    # Options: 'kubedns','coredns'.
    provider: coredns
```

IMPORTANT: Switching providers during an upgrade is not supported at this point. If you choose to switch you may experience downtime.
- `labels` were appearing for the `etcd` nodes even though the `labels` on those nodes are not used during installation. (https://github.com/apprenda/kismatic/issues/887)
- Golang `v1.9.2` and Glide `v0.13.1` (https://github.com/apprenda/kismatic/pull/1024)

Field | Notes |
---|---|
`cluster.version` | Kubernetes version used during installation or upgrade. |
`docker.disable` | Disables the installation of docker. Set to true if docker has already been installed and configured on the nodes. |
`docker.storage.driver` | Equivalent to "storage-driver" in docker's daemon.json. |
`docker.storage.opts` | Equivalent to "storage-opts" in docker's daemon.json. |
`docker.storage.direct_lvm_block_device` | Block device configuration used with the devicemapper storage driver. Replaces the `docker.storage.direct_lvm` options. |
`add_ons.dns.provider` | A new in-cluster DNS add-on was added. Options: 'kubedns','coredns'. |
`add_ons.package_manager.options.helm.namespace` | Configure the kubernetes namespace to deploy tiller in. |

Field | Notes |
---|---|
`docker.storage.direct_lvm` | Replaced by `docker.storage.direct_lvm_block_device`. |
- `add-worker` command was renamed to `add-node`. Note `add-worker` is an alias and will still function as before.
- `--hostname-override` option on the `kube-proxy` (https://github.com/apprenda/kismatic/pull/1072)
- `kube-proxy` (https://github.com/apprenda/kismatic/issues/1068)
- `controller-manager` and `scheduler` for prometheus operator (https://github.com/apprenda/kismatic/issues/1044)
- `PodAntiAffinity` to the kubernetes dashboard (https://github.com/apprenda/kismatic/issues/1058)