diff --git a/.github/workflows/main.yaml b/.github/workflows/main.yaml
index 68b030fd..37073d0c 100644
--- a/.github/workflows/main.yaml
+++ b/.github/workflows/main.yaml
@@ -17,7 +17,7 @@ jobs:
 go-version-file: go.mod
 - name: Check auto-generated files
 run: make check-generate
- - run: docker run -d --network host gcr.io/etcd-development/etcd:v3.5.9
+ - run: docker run -d --network host gcr.io/etcd-development/etcd:v3.5.10
 - run: make test
 - run: make install GOBIN=$(pwd)/docker
 - run: docker build -t quay.io/cybozu/cke:latest ./docker
diff --git a/Makefile b/Makefile
index a22aef99..02054c6a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,6 +1,6 @@
 # Makefile for cke
-ETCD_VERSION = 3.5.9
+ETCD_VERSION = 3.5.10
 .PHONY: all
 all: test
diff --git a/example/docker-compose.yml b/example/docker-compose.yml
index 669103e1..f32a3695 100644
--- a/example/docker-compose.yml
+++ b/example/docker-compose.yml
@@ -35,7 +35,7 @@ services:
 command: /opt/setup/setup.sh
 vault:
 container_name: vault
- image: quay.io/cybozu/vault:1.13
+ image: quay.io/cybozu/vault:1.14
 networks:
 app_net:
 ipv4_address: 172.30.0.13
diff --git a/images.go b/images.go
index 49d7e5ea..b10b5f55 100644
--- a/images.go
+++ b/images.go
@@ -10,13 +10,13 @@ func (i Image) Name() string {
 // Container image definitions
 const (
- EtcdImage = Image("quay.io/cybozu/etcd:3.5.9.1")
- KubernetesImage = Image("quay.io/cybozu/kubernetes:1.26.6.1")
- ToolsImage = Image("quay.io/cybozu/cke-tools:1.26.0")
- PauseImage = Image("quay.io/cybozu/pause:3.9.0.1")
- CoreDNSImage = Image("quay.io/cybozu/coredns:1.10.1.1")
+ EtcdImage = Image("quay.io/cybozu/etcd:3.5.10.1")
+ KubernetesImage = Image("quay.io/cybozu/kubernetes:1.27.8.1")
+ ToolsImage = Image("quay.io/cybozu/cke-tools:1.27.0")
+ PauseImage = Image("quay.io/cybozu/pause:3.9.0.2")
+ CoreDNSImage = Image("quay.io/cybozu/coredns:1.11.1.1")
 UnboundImage = Image("ghcr.io/cybozu/unbound:1.18.0.2")
- UnboundExporterImage = Image("quay.io/cybozu/unbound_exporter:0.4.1.5")
+ UnboundExporterImage = Image("quay.io/cybozu/unbound_exporter:0.4.4.1")
 )
 // AllImages return container images list used by CKE
diff --git a/mtest/Makefile b/mtest/Makefile
index 31479736..addf1054 100644
--- a/mtest/Makefile
+++ b/mtest/Makefile
@@ -1,11 +1,11 @@
 # Makefile for multi-host testing using ginkgo
 # tool versions
-MANAGEMENT_ETCD_VERSION = 3.5.9
-VAULT_VERSION = 1.14.0
-K8S_VERSION = 1.26.6
-CONTAINERD_VERSION = 1.7.2
-CRITOOLS_VERSION = 1.27.1
+MANAGEMENT_ETCD_VERSION = 3.5.10
+VAULT_VERSION = 1.15.2
+K8S_VERSION = 1.27.8
+CONTAINERD_VERSION = 1.7.9
+CRITOOLS_VERSION = 1.28.0
 CT_VERSION = 0.9.3
 # configuration variables
diff --git a/op/k8s/kubelet_boot.go b/op/k8s/kubelet_boot.go
index acc15e6c..e29c47b9 100644
--- a/op/k8s/kubelet_boot.go
+++ b/op/k8s/kubelet_boot.go
@@ -364,7 +364,6 @@ func KubeletServiceParams(n *cke.Node, params cke.KubeletParams) cke.ServicePara
 "--kubeconfig=/etc/kubernetes/kubelet/kubeconfig",
 "--hostname-override=" + n.Nodename(),
 }
- args = append(args, "--container-runtime=remote")
 if len(params.CRIEndpoint) != 0 {
 args = append(args, "--container-runtime-endpoint="+params.CRIEndpoint)
 }
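Review bot: With `--container-runtime=remote` gone, the `len(params.CRIEndpoint) != 0` branch right below the removal is the only thing that tells the kubelet which runtime to use, so an empty CRIEndpoint now yields no runtime flag at all and relies on the kubelet's own endpoint default. That is presumably intended, since the same commit moves K8S_VERSION and the kubernetes image to 1.27 where the flag no longer exists, but nothing at the removal point records it. A comment such as `// --container-runtime was removed in kubelet 1.27; the runtime is always CRI and is selected by --container-runtime-endpoint.` would stop a later reader from reinstating the flag, and it is worth confirming that every caller sets CRIEndpoint or that the kubelet default matches the containerd socket the mtest environment installs. KubeletServiceParams begins before and continues after the hunk.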
diff --git a/sonobuoy/Makefile b/sonobuoy/Makefile
index 8293cba1..ac95671e 100644
--- a/sonobuoy/Makefile
+++ b/sonobuoy/Makefile
@@ -1,7 +1,7 @@
 ### Configurable variables
-SONOBUOY_VERSION = 0.56.17
-KUBECTL_VERSION = 1.26.6
-DOCKER_COMPOSE_VERSION = 2.20.0
+SONOBUOY_VERSION = 0.57.1
+KUBECTL_VERSION = 1.27.8
+DOCKER_COMPOSE_VERSION = 2.23.3
 CT_VERSION = 0.9.3
 ### Unconfigurable
diff --git a/sonobuoy/docker-compose.yml b/sonobuoy/docker-compose.yml
index 25bd64e1..09560281 100644
--- a/sonobuoy/docker-compose.yml
+++ b/sonobuoy/docker-compose.yml
@@ -35,7 +35,7 @@ services:
 command: /opt/setup/setup.sh
 vault:
 container_name: vault
- image: quay.io/cybozu/vault:1.13
+ image: quay.io/cybozu/vault:1.14
 networks:
 app_net:
 ipv4_address: 172.30.0.13
diff --git a/static/cluster-dns.yml b/static/cluster-dns.yml
index f652d663..df072487 100644
--- a/static/cluster-dns.yml
+++ b/static/cluster-dns.yml
@@ -22,7 +22,6 @@ rules:
 - apiGroups:
 - ""
 resources:
- - endpoints
 - services
 - pods
 - namespaces
diff --git a/static/resources.go b/static/resources.go
index e2955b45..a7404f11 100644
--- a/static/resources.go
+++ b/static/resources.go
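Review bot: Dropping `endpoints` from the `system:cluster-dns` ClusterRole narrows it to the discovery.k8s.io/endpointslices rule that the generated copy shows is already granted, which is the right least-privilege direction, but the role's revision is not bumped: the static/resources.go hunk that follows keeps `Revision: 2` and the definition still carries `cke.cybozu.com/revision: "2"`. If CKE uses that revision to decide when a static resource is re-applied — the other resources changed in this commit also change their `Image` field, while this ClusterRole has `Image: ""` — clusters that already have revision 2 would keep the older, wider role. Bumping the annotation to `cke.cybozu.com/revision: "3"` in static/cluster-dns.yml and regenerating resources.go would make the tightening roll out. The revision annotation and the rest of the rule list are outside this hunk.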
@@ -25,7 +25,7 @@ var Resources = []cke.ResourceDefinition{
 Name: "system:cluster-dns",
 Revision: 2,
 Image: "",
- Definition: []byte("\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: system:cluster-dns\n labels:\n kubernetes.io/bootstrapping: rbac-defaults\n annotations:\n cke.cybozu.com/revision: \"2\"\n # turn on auto-reconciliation\n # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation\n rbac.authorization.kubernetes.io/autoupdate: \"true\"\nrules:\n - apiGroups:\n - \"\"\n resources:\n - endpoints\n - services\n - pods\n - namespaces\n verbs:\n - list\n - watch\n - apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - list\n - watch\n"),
+ Definition: []byte("\nkind: ClusterRole\napiVersion: rbac.authorization.k8s.io/v1\nmetadata:\n name: system:cluster-dns\n labels:\n kubernetes.io/bootstrapping: rbac-defaults\n annotations:\n cke.cybozu.com/revision: \"2\"\n # turn on auto-reconciliation\n # https://kubernetes.io/docs/reference/access-authn-authz/rbac/#auto-reconciliation\n rbac.authorization.kubernetes.io/autoupdate: \"true\"\nrules:\n - apiGroups:\n - \"\"\n resources:\n - services\n - pods\n - namespaces\n verbs:\n - list\n - watch\n - apiGroups:\n - discovery.k8s.io\n resources:\n - endpointslices\n verbs:\n - list\n - watch\n"),
 },
 {
 Key: "ClusterRole/system:kube-apiserver-to-kubelet",
@@ -60,8 +60,8 @@ var Resources = []cke.ResourceDefinition{ Namespace: "kube-system", Name: "node-dns", Revision: 4, - Image: "ghcr.io/cybozu/unbound:1.18.0.2,quay.io/cybozu/unbound_exporter:0.4.1.5", - Definition: []byte("kind: DaemonSet\napiVersion: apps/v1\nmetadata:\n name: node-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"ghcr.io/cybozu/unbound:1.18.0.2,quay.io/cybozu/unbound_exporter:0.4.1.5\"\n cke.cybozu.com/revision: \"4\"\nspec:\n selector:\n matchLabels:\n cke.cybozu.com/appname: node-dns\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n maxSurge: 35%\n maxUnavailable: 0\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: node-dns\n spec:\n priorityClassName: system-node-critical\n nodeSelector:\n kubernetes.io/os: linux\n hostNetwork: true\n tolerations:\n - operator: Exists\n terminationGracePeriodSeconds: 1\n containers:\n - name: unbound\n image: ghcr.io/cybozu/unbound:1.18.0.2\n args:\n - -c\n - /etc/unbound/unbound.conf\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n add:\n - NET_BIND_SERVICE\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n livenessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n initialDelaySeconds: 1\n failureThreshold: 6\n volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: reload\n image: ghcr.io/cybozu/unbound:1.18.0.2\n command:\n - /usr/local/bin/reload-unbound\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: exporter\n image: quay.io/cybozu/unbound_exporter:0.4.1.5\n args:\n # must be same with the path written in /op/nodedns/nodedns.go\n - 
--unbound.host=unix:///var/run/unbound/unbound.sock\n - --web.reuse-port=true\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n volumeMounts:\n - name: var-run-unbound\n mountPath: /var/run/unbound\n volumes:\n - name: config-volume\n configMap:\n name: node-dns\n items:\n - key: unbound.conf\n path: unbound.conf\n - name: var-run-unbound\n emptyDir: {}\n"), + Image: "ghcr.io/cybozu/unbound:1.18.0.2,quay.io/cybozu/unbound_exporter:0.4.4.1", + Definition: []byte("kind: DaemonSet\napiVersion: apps/v1\nmetadata:\n name: node-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"ghcr.io/cybozu/unbound:1.18.0.2,quay.io/cybozu/unbound_exporter:0.4.4.1\"\n cke.cybozu.com/revision: \"4\"\nspec:\n selector:\n matchLabels:\n cke.cybozu.com/appname: node-dns\n updateStrategy:\n type: RollingUpdate\n rollingUpdate:\n maxSurge: 35%\n maxUnavailable: 0\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: node-dns\n spec:\n priorityClassName: system-node-critical\n nodeSelector:\n kubernetes.io/os: linux\n hostNetwork: true\n tolerations:\n - operator: Exists\n terminationGracePeriodSeconds: 1\n containers:\n - name: unbound\n image: ghcr.io/cybozu/unbound:1.18.0.2\n args:\n - -c\n - /etc/unbound/unbound.conf\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n add:\n - NET_BIND_SERVICE\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n livenessProbe:\n tcpSocket:\n port: 53\n host: localhost\n periodSeconds: 1\n initialDelaySeconds: 1\n failureThreshold: 6\n volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: reload\n image: ghcr.io/cybozu/unbound:1.18.0.2\n command:\n - /usr/local/bin/reload-unbound\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n 
volumeMounts:\n - name: config-volume\n mountPath: /etc/unbound\n - name: var-run-unbound\n mountPath: /var/run/unbound\n - name: exporter\n image: quay.io/cybozu/unbound_exporter:0.4.4.1\n args:\n # must be same with the path written in /op/nodedns/nodedns.go\n - --unbound.host=unix:///var/run/unbound/unbound.sock\n - --web.reuse-port=true\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n volumeMounts:\n - name: var-run-unbound\n mountPath: /var/run/unbound\n volumes:\n - name: config-volume\n configMap:\n name: node-dns\n items:\n - key: unbound.conf\n path: unbound.conf\n - name: var-run-unbound\n emptyDir: {}\n"), }, { Key: "Deployment/kube-system/cluster-dns", 
@@ -69,8 +69,8 @@ var Resources = []cke.ResourceDefinition{ Namespace: "kube-system", Name: "cluster-dns", Revision: 4, - Image: "quay.io/cybozu/coredns:1.10.1.1", - Definition: []byte("\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n name: cluster-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"quay.io/cybozu/coredns:1.10.1.1\"\n cke.cybozu.com/revision: \"4\"\nspec:\n replicas: 2\n strategy:\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n selector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: cluster-dns\n k8s-app: coredns # sonobuoy requires\n annotations:\n prometheus.io/port: \"9153\"\n spec:\n priorityClassName: system-cluster-critical\n serviceAccountName: cke-cluster-dns\n tolerations:\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n - key: \"CriticalAddonsOnly\"\n operator: \"Exists\"\n - key: kubernetes.io/e2e-evict-taint-key\n operator: Exists\n # for sonobuoy https://github.com/vmware-tanzu/sonobuoy/pull/878\n containers:\n - name: coredns\n image: quay.io/cybozu/coredns:1.10.1.1\n imagePullPolicy: IfNotPresent\n resources:\n requests:\n cpu: 100m\n memory: 70Mi\n args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n lifecycle:\n preStop:\n exec:\n command: [\"sh\", \"-c\", \"sleep 5\"]\n volumeMounts:\n - name: config-volume\n mountPath: /etc/coredns\n readOnly: true\n ports:\n - containerPort: 1053\n name: dns\n protocol: UDP\n - containerPort: 1053\n name: dns-tcp\n protocol: TCP\n - containerPort: 9153\n name: metrics\n protocol: TCP\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n httpGet:\n path: /ready\n port: 8181\n scheme: HTTP\n livenessProbe:\n httpGet:\n path: /health\n port: 8080\n scheme: HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n dnsPolicy: Default\n volumes:\n - name: config-volume\n 
configMap:\n name: cluster-dns\n items:\n - key: Corefile\n path: Corefile\n affinity:\n podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n topologyKey: \"kubernetes.io/hostname\"\n"), + Image: "quay.io/cybozu/coredns:1.11.1.1", + Definition: []byte("\nkind: Deployment\napiVersion: apps/v1\nmetadata:\n name: cluster-dns\n namespace: kube-system\n annotations:\n cke.cybozu.com/image: \"quay.io/cybozu/coredns:1.11.1.1\"\n cke.cybozu.com/revision: \"4\"\nspec:\n replicas: 2\n strategy:\n type: RollingUpdate\n rollingUpdate:\n maxUnavailable: 1\n selector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n template:\n metadata:\n labels:\n cke.cybozu.com/appname: cluster-dns\n k8s-app: coredns # sonobuoy requires\n annotations:\n prometheus.io/port: \"9153\"\n spec:\n priorityClassName: system-cluster-critical\n serviceAccountName: cke-cluster-dns\n tolerations:\n - key: node-role.kubernetes.io/master\n effect: NoSchedule\n - key: \"CriticalAddonsOnly\"\n operator: \"Exists\"\n - key: kubernetes.io/e2e-evict-taint-key\n operator: Exists\n # for sonobuoy https://github.com/vmware-tanzu/sonobuoy/pull/878\n containers:\n - name: coredns\n image: quay.io/cybozu/coredns:1.11.1.1\n imagePullPolicy: IfNotPresent\n resources:\n requests:\n cpu: 100m\n memory: 70Mi\n args: [ \"-conf\", \"/etc/coredns/Corefile\" ]\n lifecycle:\n preStop:\n exec:\n command: [\"sh\", \"-c\", \"sleep 5\"]\n volumeMounts:\n - name: config-volume\n mountPath: /etc/coredns\n readOnly: true\n ports:\n - containerPort: 1053\n name: dns\n protocol: UDP\n - containerPort: 1053\n name: dns-tcp\n protocol: TCP\n - containerPort: 9153\n name: metrics\n protocol: TCP\n securityContext:\n allowPrivilegeEscalation: false\n capabilities:\n drop:\n - all\n readOnlyRootFilesystem: true\n readinessProbe:\n httpGet:\n path: /ready\n port: 8181\n scheme: HTTP\n livenessProbe:\n httpGet:\n path: /health\n port: 8080\n scheme: 
HTTP\n initialDelaySeconds: 60\n timeoutSeconds: 5\n successThreshold: 1\n failureThreshold: 5\n dnsPolicy: Default\n volumes:\n - name: config-volume\n configMap:\n name: cluster-dns\n items:\n - key: Corefile\n path: Corefile\n affinity:\n podAntiAffinity:\n requiredDuringSchedulingIgnoredDuringExecution:\n - labelSelector:\n matchLabels:\n cke.cybozu.com/appname: cluster-dns\n topologyKey: \"kubernetes.io/hostname\"\n"), }, { Key: "PodDisruptionBudget/kube-system/cluster-dns-pdb",