feat: respect nodepool tags for disabling kubelet serving certificate rotation (#4911)

Co-authored-by: Cameron Meissner <cameissner@microsoft.com>
Cameron Meissner 2024-09-12 13:00:01 -07:00 коммит произвёл GitHub
Родитель cb45912bd1
Коммит 6d6960b123
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
371 изменённых файлов: 5919 добавлений и 292 удалений


@ -984,6 +984,144 @@ func Test_ubuntu2204Wasm(t *testing.T) {
})
}
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags(t *testing.T) {
RunScenario(t, &Scenario{
Tags: Tags{
ServerTLSBootstrapping: true,
},
Description: "tests that a node on ubuntu 2204 bootstrapped with kubelet serving certificate rotation enabled will disable certificate rotation due to nodepool tags",
Config: Config{
Cluster: ClusterKubenet,
VHD: config.VHDUbuntu2204Gen2Containerd,
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
if nbc.KubeletConfig == nil {
nbc.KubeletConfig = map[string]string{}
}
nbc.KubeletConfig["--rotate-server-certificates"] = "true"
},
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
if vmss.Tags == nil {
vmss.Tags = map[string]*string{}
}
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
},
LiveVMValidators: []*LiveVMValidator{
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
FileHasContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=false"),
},
},
})
}
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags_CustomKubeletConfig(t *testing.T) {
RunScenario(t, &Scenario{
Tags: Tags{
ServerTLSBootstrapping: true,
},
Description: "tests that a node on ubuntu 2204 bootstrapped with custom kubelet config and kubelet serving certificate rotation enabled will disable certificate rotation due to nodepool tags",
Config: Config{
Cluster: ClusterKubenet,
VHD: config.VHDUbuntu2204Gen2Containerd,
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
// to force kubelet config file
customKubeletConfig := &datamodel.CustomKubeletConfig{
FailSwapOn: to.Ptr(true),
AllowedUnsafeSysctls: &[]string{"kernel.msg*", "net.ipv4.route.min_pmtu"},
}
nbc.AgentPoolProfile.CustomKubeletConfig = customKubeletConfig
nbc.ContainerService.Properties.AgentPoolProfiles[0].CustomKubeletConfig = customKubeletConfig
if nbc.KubeletConfig == nil {
nbc.KubeletConfig = map[string]string{}
}
nbc.KubeletConfig["--rotate-server-certificates"] = "true"
},
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
if vmss.Tags == nil {
vmss.Tags = map[string]*string{}
}
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
},
LiveVMValidators: []*LiveVMValidator{
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
FileExcludesContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": true", "serverTLSBootstrap: true"),
FileHasContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": false"),
},
},
})
}
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags_AlreadyDisabled(t *testing.T) {
RunScenario(t, &Scenario{
Tags: Tags{
ServerTLSBootstrapping: true,
},
Description: "tests that a node on ubuntu 2204 bootstrapped with kubelet serving certificate rotation disabled will disable certificate rotation regardless of nodepool tags",
Config: Config{
Cluster: ClusterKubenet,
VHD: config.VHDUbuntu2204Gen2Containerd,
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
},
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
if vmss.Tags == nil {
vmss.Tags = map[string]*string{}
}
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
},
LiveVMValidators: []*LiveVMValidator{
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
FileExcludesContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": true", "serverTLSBootstrap: true"),
},
},
})
}
func Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags_AlreadyDisabled_CustomKubeletConfig(t *testing.T) {
RunScenario(t, &Scenario{
Tags: Tags{
ServerTLSBootstrapping: true,
},
Description: "tests that a node on ubuntu 2204 bootstrapped with kubelet serving certificate rotation disabled and custom kubelet config will disable certificate rotation regardless of nodepool tags",
Config: Config{
Cluster: ClusterKubenet,
VHD: config.VHDUbuntu2204Gen2Containerd,
BootstrapConfigMutator: func(nbc *datamodel.NodeBootstrappingConfiguration) {
nbc.ContainerService.Properties.AgentPoolProfiles[0].Distro = "aks-ubuntu-containerd-22.04-gen2"
nbc.AgentPoolProfile.Distro = "aks-ubuntu-containerd-22.04-gen2"
// to force kubelet config file
customKubeletConfig := &datamodel.CustomKubeletConfig{
FailSwapOn: to.Ptr(true),
AllowedUnsafeSysctls: &[]string{"kernel.msg*", "net.ipv4.route.min_pmtu"},
}
nbc.AgentPoolProfile.CustomKubeletConfig = customKubeletConfig
nbc.ContainerService.Properties.AgentPoolProfiles[0].CustomKubeletConfig = customKubeletConfig
},
VMConfigMutator: func(vmss *armcompute.VirtualMachineScaleSet) {
if vmss.Tags == nil {
vmss.Tags = map[string]*string{}
}
vmss.Tags["aks-disable-kubelet-serving-certificate-rotation"] = to.Ptr("true")
},
LiveVMValidators: []*LiveVMValidator{
FileExcludesContentsValidator("/etc/default/kubelet", "\\-\\-rotate-server-certificates=true", "\\-\\-rotate-server-certificates=true"),
FileExcludesContentsValidator("/etc/default/kubelet", "kubernetes.azure.com/kubelet-serving-ca=cluster", "kubernetes.azure.com/kubelet-serving-ca=cluster"),
FileExcludesContentsValidator("/etc/default/kubeletconfig.json", "\"serverTLSBootstrap\": true", "serverTLSBootstrap: true"),
},
},
})
}
func Test_ubuntu2204WasmAirGap(t *testing.T) {
RunScenario(t, &Scenario{
Description: "tests that a new ubuntu 2204 node using krustlet can be properly bootstrapepd when it is network isolated cluster",
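Review bot: The two `_AlreadyDisabled` scenarios assert only exclusions, so they cannot tell a correctly configured node from one where the checked file is missing or empty. In `Test_Ubuntu2204DisableKubeletServingCertificateRotationWithTags_AlreadyDisabled` the mutator does not force a kubelet config file, yet `/etc/default/kubeletconfig.json` is still checked with `FileExcludesContentsValidator`; how that validator behaves on an absent file is not visible here. Pair each exclusion with a positive assertion that proves the file was actually read, or at least record the intent with `// exclusion-only checks pass vacuously if the file is absent or empty`. The tag key `"aks-disable-kubelet-serving-certificate-rotation"` and its `VMConfigMutator` closure are repeated in all four tests; a shared helper would prevent a misspelt key from silently turning the exclusion-only tests into the untagged case.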


@ -17,13 +17,14 @@ import (
)
type Tags struct {
Name string
ImageName string
OS string
Arch string
Airgap bool
GPU bool
WASM bool
Name string
ImageName string
OS string
Arch string
Airgap bool
GPU bool
WASM bool
ServerTLSBootstrapping bool
}
// MatchesFilters checks if the Tags struct matches all given filters.


@ -17,7 +17,7 @@ func DirectoryValidator(path string, files []string) *LiveVMValidator {
}
for _, file := range files {
if !strings.Contains(stdout, file) {
return fmt.Errorf(fmt.Sprintf("expected to find file %s within directory %s, but did not", file, path))
return fmt.Errorf("expected to find file %s within directory %s, but did not", file, path)
}
}
return nil
@ -41,7 +41,7 @@ func SysctlConfigValidator(customSysctls map[string]string) *LiveVMValidator {
}
for name, value := range customSysctls {
if !strings.Contains(stdout, fmt.Sprintf("%s = %v", name, value)) {
return fmt.Errorf(fmt.Sprintf("expected to find %s set to %v, but was not", name, value))
return fmt.Errorf("expected to find %s set to %v, but was not", name, value)
}
}
return nil
@ -107,9 +107,8 @@ func NonEmptyDirectoryValidator(dirName string) *LiveVMValidator {
func FileHasContentsValidator(fileName string, contents string) *LiveVMValidator {
steps := []string{
// Verify the service is active - print the state then verify so we have logs
fmt.Sprintf("ls -la %[1]s", fileName),
fmt.Sprintf("(sudo cat %[1]s | grep -q '%[2]s')", fileName, contents),
fmt.Sprintf("(sudo cat %[1]s | grep -q %[2]q)", fileName, contents),
}
command := makeExecutableCommand(steps)
@ -142,9 +141,7 @@ func FileExcludesContentsValidator(fileName string, contents string, contentsNam
// this function is just used to remove some bash specific tokens so we can echo the command to stdout.
func cleanse(str string) string {
str = strings.Replace(str, "'", "", -1)
return str
return strings.Replace(str, "'", "", -1)
}
func makeExecutableCommand(steps []string) string {
@ -208,7 +205,6 @@ func ServiceCanRestartValidator(serviceName string, restartTimeoutInSeconds int)
func CommandHasOutputValidator(commandToExecute string, expectedOutput string) *LiveVMValidator {
steps := []string{
// Verify the service is active - print the state then verify so we have logs
fmt.Sprint(commandToExecute),
}
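Review bot: The `%[2]q` form of the grep step in `FileHasContentsValidator` (apparently the new side; the page has lost its `+`/`-` markers) applies Go string-literal quoting, not shell quoting. The result is a double-quoted shell word, so `$`, backticks and backslash sequences in `contents` are still interpreted by bash before grep sees them. The patterns used by the new scenarios, such as `\\-\\-rotate-server-certificates=false`, happen to survive both layers, but that is coincidence rather than a guarantee. `fileName` is also interpolated unquoted in both steps. A small helper that wraps a value in single quotes and rewrites each embedded `'` as `'\''` would make both arguments literal; the function body continues past the hunk.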


@ -249,8 +249,11 @@ EOF
sed -i "/cloudProviderBackoffJitter/d" /etc/kubernetes/azure.json
fi
# generate a kubelet serving certificate if we aren't relying on
# TLS bootstrapping to generate one for us
# generate a kubelet serving certificate if we aren't relying on TLS bootstrapping to generate one for us.
# NOTE: in the case where ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION is true but
# the customer has disabled serving certificate rotation via nodepool tags,
# the self-signed serving certificate will be bootstrapped by the kubelet instead of this function
# TODO(cameissner): remove configureKubeletServerCert altogether
if [ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]; then
configureKubeletServerCert
fi
@ -402,6 +405,53 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
# removes the specified LABEL_STRING (which should be in the form of 'label=value') from KUBELET_NODE_LABELS
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
# check if kubelet serving certificate rotation is disabled by customer-specified nodepool tags
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
# set the --rotate-server-certificates flag to false if needed
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
# set the serverTLSBootstrap property to false if needed
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
# remove the "kubernetes.azure.com/kubelet-serving-ca=cluster" label if needed
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default
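Review bot: The `KUBELET_CONFIG_FILE_CONTENT=$(… | base64 -d | jq … | base64)` assignment in `disableKubeletServingCertificateRotationForTags` is never checked, so a decode or `jq` failure replaces the variable with an empty or partial value and bootstrap carries on; no `pipefail` is visible in the hunk. The comment in the main script says configureK8s later writes this content to disk, so a silent failure here would alter the whole kubelet config rather than the one field being edited. The rewrite below stages the result, fails closed on error or empty output, and uses `base64 -w 0` to keep the value on one line. Separately, `clearKubeletNodeLabel` uses `grep -e`, which treats the label as a regex, matches substrings (a neighbouring label ending in `=cluster2` would be corrupted), and prints the matched line into the CSE output; `grep -qF` with a delimiter-aware match would be tighter. The same code recurs in the later copies of this script on the page.

```shell
    if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
        set +x
        local updated_content
        updated_content=$(set -o pipefail; echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64 -w 0)
        if [ $? -ne 0 ] || [ -z "$updated_content" ]; then
            echo "failed to rewrite serverTLSBootstrap in kubelet config file content"
            # placeholder: replace with a dedicated exit code defined alongside the other ERR_* values
            exit $ERR_PLACEHOLDER_KUBELET_CONFIG_REWRITE
        fi
        KUBELET_CONFIG_FILE_CONTENT="$updated_content"
        set -x
    fi
    # … unchanged: clearKubeletNodeLabel call …
```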


@ -119,6 +119,9 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210 # Error pulling artifact with oras from registr
ERR_ORAS_PULL_FAIL_RESERVE_4=211 # Error pulling artifact with oras from registry
ERR_ORAS_PULL_FAIL_RESERVE_5=212 # Error pulling artifact with oras from registry
# Error checking nodepools tags for whether we need to disable kubelet serving certificate rotation
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
# For both Ubuntu and Mariner, /etc/*-release should exist.
# For unit tests, the OS and OS_VERSION will be set in the unit test script.
# So whether it's if or else actually doesn't matter to our unit test.
@ -438,6 +441,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
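Review bot: `should_disable_kubelet_serving_certificate_rotation` enables `set -x` and is also launched with `bash -cx`, so the `body=$(curl …)` assignment and `echo "$body"` are traced with the full IMDS instance document expanded into the provisioning log. That document holds far more than tags (subscription and resource identifiers, and at this api-version it can include user data), while the caller already brackets its kubelet-config handling with `set +x`. Drop the in-function `set -x` and request only the tags, e.g. `"http://169.254.169.254/metadata/instance/compute/tagsList?api-version=2021-02-01"` filtered with `'.[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value'`. The exit status of `jq` is also lost because the function returns the status of `echo`, so an unparseable response looks the same as an absent tag and is never retried; `body`, `ret` and `should_disable` should be declared `local`. The identical function recurs in the later copies of this file on the page.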


@ -219,6 +219,11 @@ fi
# for drop ins, so they don't all have to check/create the dir
mkdir -p "/etc/systemd/system/kubelet.service.d"
# we do this here since this function has the potential to mutate kubelet flags,
# kubelet config file, and node labels if a special tag has been added to the underlying VM.
# kubelet config file content is decoded and written to disk by configureK8s, thus we need to make sure the content is correct beforehand.
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -213,6 +213,8 @@ $global:RebootNeeded = $false
$global:IsSkipCleanupNetwork = [System.Convert]::ToBoolean("{{GetVariable "isSkipCleanupNetwork" }}");
$global:EnableKubeletServingCertificateRotation = [System.Convert]::ToBoolean("{{EnableKubeletServingCertificateRotation}}")
# Extract cse helper script from ZIP
[io.file]::WriteAllBytes("scripts.zip", [System.Convert]::FromBase64String($zippedFiles))
Expand-Archive scripts.zip -DestinationPath "C:\\AzureData\\" -Force
@ -291,6 +293,9 @@ try
icacls.exe "c:\k"
Get-ProvisioningScripts
Get-LogCollectionScripts
# TODO(cameissner): uncomment once next CSE package is rolled out to all regions
# Disable-KubeletServingCertificateRotationForTags
Write-KubeClusterConfig -MasterIP $MasterIP -KubeDnsServiceIp $KubeDnsServiceIp


@ -72,9 +72,10 @@ $global:WINDOWS_CSE_ERROR_INSTALL_CREDENTIAL_PROVIDER = 65 # exit code for insta
$global:WINDOWS_CSE_ERROR_DOWNLOAD_CREDEDNTIAL_PROVIDER=66 # exit code for downloading credential provider failure
$global:WINDOWS_CSE_ERROR_CREDENTIAL_PROVIDER_CONFIG=67 # exit code for checking credential provider config failure
$global:WINDOWS_CSE_ERROR_ADJUST_PAGEFILE_SIZE=68
$global:WINDOWS_CSE_ERROR_LOOKUP_INSTANCE_DATA_TAG=69 # exit code for looking up nodepool/VM tags via IMDS
# WINDOWS_CSE_ERROR_MAX_CODE is only used in unit tests to verify whether new error code name is added in $global:ErrorCodeNames
# Please use the current value of WINDOWS_CSE_ERROR_MAX_CODE as the value of the new error code and increment it by 1
$global:WINDOWS_CSE_ERROR_MAX_CODE=69
$global:WINDOWS_CSE_ERROR_MAX_CODE=70
# Please add new error code for downloading new packages in RP code too
$global:ErrorCodeNames = @(
@ -146,7 +147,8 @@ $global:ErrorCodeNames = @(
"WINDOWS_CSE_ERROR_INSTALL_CREDENTIAL_PROVIDER",
"WINDOWS_CSE_ERROR_DOWNLOAD_CREDEDNTIAL_PROVIDER",
"WINDOWS_CSE_ERROR_CREDENTIAL_PROVIDER_CONFIG",
"WINDOWS_CSE_ERROR_ADJUST_PAGEFILE_SIZE"
"WINDOWS_CSE_ERROR_ADJUST_PAGEFILE_SIZE",
"WINDOWS_CSE_ERROR_LOOKUP_INSTANCE_DATA_TAG"
)
# NOTE: KubernetesVersion does not contain "v"



@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then



@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then



@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then



@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then



@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default
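Review bot: In disableKubeletServingCertificateRotationForTags the `KUBELET_CONFIG_FILE_CONTENT=$(... | base64 -d | jq ... | base64)` assignment overwrites the kubelet config unconditionally, so a decode or jq failure leaves it empty with no error reported (the pipeline status is that of the final `base64` unless pipefail is set, which is not visible here). Capture the result in a temporary and assign only when it is non-empty, e.g. `[ -n "$updated" ] && KUBELET_CONFIG_FILE_CONTENT="$updated"`, and exit with an error code otherwise. Separately, clearKubeletNodeLabel passes the label to `grep -e` as a regular expression and prints the match to stdout; `grep -qF -- "${LABEL_STRING}"` would match literally and stay silent. The same code repeats in the later file sections on this page, and ensureKubelet's body continues outside the hunk.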


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
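Review bot: should_disable_kubelet_serving_certificate_rotation turns on `set -x` (and is launched with `bash -cx`) while holding the whole IMDS instance document in `$body`, so `echo "$body"` copies the full metadata response into the trace output on every attempt. Only the tag list is needed; requesting `http://169.254.169.254/metadata/instance/compute/tagsList?api-version=2021-02-01` (with the jq filter starting at `.[]`) and dropping the `set -x` would keep the rest out of the logs. The jq exit status is also discarded because `echo "$should_disable"` is the last command, so a malformed response is indistinguishable from an absent tag; ending the assignment with `|| return $?` would surface it to the retry wrapper. Since the tag switches off a kubelet TLS setting, a comment noting that write access to nodepool tags now controls it would help operators scope that permission. The same function repeats in the later file sections on this page, and isMarinerOrAzureLinux continues outside the hunk.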

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default
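Review bot: In `disableKubeletServingCertificateRotationForTags`, the output of the `base64 -d | jq … | base64` pipeline is assigned straight back to `KUBELET_CONFIG_FILE_CONTENT` with no status or emptiness check, so a decode or jq failure would leave the kubelet config content empty and provisioning would carry on. I would capture the result in a temporary variable and overwrite only when it is non-empty, e.g. `[ -n "$new_content" ] || exit <ERR_CODE_PLACEHOLDER>`; jq's own exit status is only visible in that pipeline if `pipefail` is set, which this hunk does not show. In the same hunk, `clearKubeletNodeLabel` matches the label as an unanchored regular expression and prints the matched line to stdout; `grep -qF -e "…"` would treat the label as a fixed string and keep it out of the log. `ensureKubelet` continues outside the hunk, and the same hunk text repeats in later file sections of this page.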


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
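Review bot: `should_disable_kubelet_serving_certificate_rotation` returns the status of its final `echo`, so a jq failure (for example a response without `.compute.tagsList`) comes back as success with empty output, and the caller reads that as "tag not set" instead of retrying or exiting with the new lookup error code. Propagating the failure is one line: `should_disable=$(echo "$body" | jq -r '…') || return $?`. Separately, the `set -x` at the top (and the `bash -cx` used by the caller) traces the `body=` assignment, which writes the whole instance-metadata response into the script's trace output. The config-file rewrite elsewhere in this commit brackets its value with `set +x`/`set -x`, and doing the same around the curl and jq lines here would keep that document out of the provisioning logs. `isMarinerOrAzureLinux` continues outside the hunk, and the same text repeats in later file sections of this page.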

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then

Различия файлов скрыты, потому что одна или несколько строк слишком длинны


@ -192,6 +192,8 @@ fi
mkdir -p "/etc/systemd/system/kubelet.service.d"
logs_to_events "AKS.CSE.disableKubeletServingCertificateRotationForTags" disableKubeletServingCertificateRotationForTags
logs_to_events "AKS.CSE.configureK8s" configureK8s
logs_to_events "AKS.CSE.configureCNI" configureCNI


@ -389,6 +389,48 @@ ensureDHCPv6() {
retrycmd_if_failure 120 5 25 modprobe ip6_tables || exit $ERR_MODPROBE_FAIL
}
clearKubeletNodeLabel() {
local LABEL_STRING=$1
if echo "$KUBELET_NODE_LABELS" | grep -e ",${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/,${LABEL_STRING}/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING},"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING},/}"
elif echo "$KUBELET_NODE_LABELS" | grep -e "${LABEL_STRING}"; then
KUBELET_NODE_LABELS="${KUBELET_NODE_LABELS/${LABEL_STRING}/}"
fi
}
disableKubeletServingCertificateRotationForTags() {
if [[ "${ENABLE_KUBELET_SERVING_CERTIFICATE_ROTATION}" != "true" ]]; then
echo "kubelet serving certificate rotation is already disabled"
return 0
fi
export -f should_disable_kubelet_serving_certificate_rotation
DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION=$(retrycmd_if_failure_no_stats 10 1 10 bash -cx should_disable_kubelet_serving_certificate_rotation)
if [ $? -ne 0 ]; then
echo "failed to determine if kubelet serving certificate rotation should be disabled by nodepool tags"
exit $ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG
fi
if [ "${DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION,,}" != "true" ]; then
echo "nodepool tag \"aks-disable-kubelet-serving-certificate-rotation\" is not true, nothing to disable"
return 0
fi
echo "kubelet serving certificate rotation is disabled by nodepool tags, reconfiguring kubelet flags and node labels..."
KUBELET_FLAGS="${KUBELET_FLAGS/--rotate-server-certificates=true/--rotate-server-certificates=false}"
if [ "${KUBELET_CONFIG_FILE_ENABLED,,}" == "true" ]; then
set +x
KUBELET_CONFIG_FILE_CONTENT=$(echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq 'if .serverTLSBootstrap == true then .serverTLSBootstrap = false else . end' | base64)
set -x
fi
clearKubeletNodeLabel "kubernetes.azure.com/kubelet-serving-ca=cluster"
}
ensureKubelet() {
KUBELET_DEFAULT_FILE=/etc/default/kubelet
mkdir -p /etc/default
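Review bot: The `KUBELET_CONFIG_FILE_CONTENT` rewrite in `disableKubeletServingCertificateRotationForTags` assigns the pipeline result without checking it, so if `base64 -d` or `jq` fails the variable is overwritten with the encoding of empty output and the original kubelet config content is lost with no error raised. Build the new value in a temporary and assign only on success, e.g. `updated=$(set -o pipefail; echo "$KUBELET_CONFIG_FILE_CONTENT" | base64 -d | jq '…' | base64) || exit <dedicated error code>` followed by `KUBELET_CONFIG_FILE_CONTENT="$updated"`. Separately, `clearKubeletNodeLabel` matches with `grep -e`, which reads the label as a regex, matches substrings, and prints the matched line to stdout. `grep -qF` would remove the regex reading and the stray output, though a label that merely begins with the same text would still be trimmed.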


@ -113,6 +113,8 @@ ERR_ORAS_PULL_FAIL_RESERVE_3=210
ERR_ORAS_PULL_FAIL_RESERVE_4=211
ERR_ORAS_PULL_FAIL_RESERVE_5=212
ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG=213
if find /etc -type f,l -name "*-release" -print -quit 2>/dev/null | grep -q '.'; then
OS=$(sort -r /etc/*-release | gawk 'match($0, /^(ID_LIKE=(coreos)|ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }')
OS_VERSION=$(sort -r /etc/*-release | gawk 'match($0, /^(VERSION_ID=(.*))$/, a) { print toupper(a[2] a[3]); exit }' | tr -d '"')
@ -414,6 +416,17 @@ should_skip_nvidia_drivers() {
echo "$should_skip"
}
should_disable_kubelet_serving_certificate_rotation() {
set -x
body=$(curl -fsSL -H "Metadata: true" --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2021-02-01")
ret=$?
if [ "$ret" != "0" ]; then
return $ret
fi
should_disable=$(echo "$body" | jq -r '.compute.tagsList[] | select(.name == "aks-disable-kubelet-serving-certificate-rotation") | .value')
echo "$should_disable"
}
isMarinerOrAzureLinux() {
local os=$1
if [[ $os == $MARINER_OS_NAME ]] || [[ $os == $MARINER_KATA_OS_NAME ]] || [[ $os == $AZURELINUX_OS_NAME ]]; then
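Review bot: `should_disable_kubelet_serving_certificate_rotation` enables `set -x` (and is launched with `bash -cx` by its caller) before assigning the full IMDS instance document to `body`, so the xtrace output writes the whole response into the provisioning logs, which can include fields such as `userData` at this api-version. Only the tag list is needed, so either request just that part of the document or bracket the fetch and the `echo "$body"` pipeline with `set +x` … `set -x`. The `jq` exit status is also dropped: on a malformed body or a missing `tagsList` the function still returns 0 with empty output, so the caller's retry and `ERR_LOOKUP_DISABLE_KUBELET_SERVING_CERTIFICATE_ROTATION_TAG` exit never trigger and the node proceeds as if the tag were absent; `should_disable=$(echo "$body" | jq -r '…') || return $?` would surface the failure. The same function appears in the earlier copy of this file on the page.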
