coredns / cluster upgrade

TODO.md

@@ -0,0 +1,9 @@
+root@pine01:/etc/kubernetes# kubeadm upgrade apply v1.24.9 --ignore-preflight-errors=CoreDNSUnsupportedPlugins
+[upgrade/config] Making sure the configuration is correct:
+[upgrade/config] Reading configuration from the cluster...
+[upgrade/config] FYI: You can look at this config file with 'kubectl -n kube-system get cm kubeadm-config -o yaml'
+W0112 18:28:48.533830   21616 initconfiguration.go:120] Usage of CRI endpoints without URL scheme is deprecated and can cause kubelet errors in the future. Automatically prepending scheme "unix" to the "criSocket" with value "/run/containerd/containerd.sock". Please update your configuration!
+
+
+CoreDNS                   v1.8.6    v1.9.3
+

_CI-CD/tekton-pvc.yaml

@@ -0,0 +1,33 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tektoncd-workspaces
+  namespace: default
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 40Gi
+  storageClassName: nfs-ssd-ebin02
+  volumeMode: Filesystem
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: tektoncd-workspaces 
+spec:
+  storageClassName: "nfs-ssd-ebin02"
+  nfs:
+    path: /data/raid1-ssd/k8s-data/tektoncd-workspaces
+    server: ebin02
+  capacity:
+    storage: 40Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    kind: PersistentVolumeClaim
+    name: tektoncd-workspaces
+    namespace: default

_CI-CD/tektoncd-kaniko-task.yaml

@@ -46,6 +46,15 @@ spec:
     description: Digest of the image just built.
 
   steps:
+  - name: debug
+    workingDir: $(workspaces.source.path)
+    image: bash
+    script: |
+      #!/usr/bin/env bash
+      export
+      pwd
+      mount
+      ls -al
   - name: build-and-push
     workingDir: $(workspaces.source.path)
     image: $(params.BUILDER_IMAGE)

_sys/README.md

@@ -1,3 +1,87 @@
+Upgrade:
+
+```
+export KV=1.26.0-00;
+apt-mark unhold kubeadm=$KV kubectl=$KV kubelet=$KV;
+apt install -y kubeadm=$KV;
+```
+
+```
+kubeadm upgrade node #Other pines in the wood
+```
+
+```
+#pine01
+kubeadm upgrade plan --ignore-preflight-errors=CoreDNSUnsupportedPlugins;
+kubeadm config images pull;
+kubeadm upgrade apply ${KV/\-*/} --ignore-preflight-errors=CoreDNSUnsupportedPlugins --certificate-renewal=false; #sometimes true
+```
+
+```
+apt install kubectl=$KV kubelet=$KV;
+systemctl daemon-reload && systemctl restart kubelet;
+apt-mark hold kubeadm=$KV kubectl=$KV kubelet=$KV;
+echo 'You can now uncordon, der Geraet'; 
+```
+
+
+
+# Infos:
+
+```
+$ kubectl -n kube-system get cm kubeadm-config -o yaml
+apiVersion: v1
+data:
+  ClusterConfiguration: |
+    apiServer:
+      extraArgs:
+        authorization-mode: Node,RBAC
+      timeoutForControlPlane: 4m0s
+    apiVersion: kubeadm.k8s.io/v1beta3
+    certificatesDir: /etc/kubernetes/pki
+    clusterName: kubernetes
+    controllerManager: {}
+    dns: {}
+    etcd:
+      local:
+        dataDir: /var/lib/etcd
+    imageRepository: registry.k8s.io
+    kind: ClusterConfiguration
+    kubernetesVersion: v1.23.15
+    networking:
+      dnsDomain: cluster.local
+      podSubnet: 172.23.0.0/16
+      serviceSubnet: 10.96.0.0/12
+    scheduler: {}
+  ClusterStatus: |
+    apiEndpoints:
+      pine01:
+        advertiseAddress: 172.16.23.21
+        bindPort: 6443
+    apiVersion: kubeadm.k8s.io/v1beta2
+    kind: ClusterStatus
+kind: ConfigMap
+metadata:
+  creationTimestamp: "2021-01-20T14:55:12Z"
+  managedFields:
+  - apiVersion: v1
+    fieldsType: FieldsV1
+    fieldsV1:
+      f:data:
+        .: {}
+        f:ClusterConfiguration: {}
+        f:ClusterStatus: {}
+    manager: kubeadm
+    operation: Update
+    time: "2021-01-20T14:55:12Z"
+  name: kubeadm-config
+  namespace: kube-system
+  resourceVersion: "441685033"
+  uid: c70fefd3-02c3-44c8-a37d-7b17ec445455
+```
+
+
+
 Descheduler (reschedule pods)
 # https://github.com/kubernetes-sigs/descheduler
 # kubectl apply -n kube-system -f https://raw.githubusercontent.com/kubernetes-sigs/descheduler/master/kubernetes/base/rbac.yaml

_sys/coredns-deployment.yaml

@@ -84,8 +84,8 @@ spec:
 ---
 apiVersion: apps/v1
 kind: Deployment
-name: coredns
 metadata:
+  name: coredns
   labels:
     k8s-app: kube-dns
 spec:
@@ -109,7 +109,7 @@ spec:
       - args:
         - -conf
         - /etc/coredns/Corefile
-        image: k8s.gcr.io/coredns/coredns:v1.8.6
+        image:  registry.k8s.io/coredns/coredns:v1.9.3
         imagePullPolicy: IfNotPresent
         livenessProbe:
           failureThreshold: 5
@@ -132,6 +132,16 @@ spec:
         - containerPort: 9153
           name: metrics
           protocol: TCP
+        livenessProbe:
+            httpGet:
+              path: /health
+              port: 8080
+              scheme: HTTP
+            initialDelaySeconds: 60
+            timeoutSeconds: 5
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 5
         readinessProbe:
           failureThreshold: 3
           httpGet:
@@ -155,6 +165,7 @@ spec:
             drop:
             - all
           readOnlyRootFilesystem: true
+          allowPrivilegeEscalation: false
         terminationMessagePath: /dev/termination-log
         terminationMessagePolicy: File
         volumeMounts:

_sys/kube-flannel.yml

@@ -1,60 +1,16 @@
 ---
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
+kind: Namespace
+apiVersion: v1
 metadata:
-  name: psp.flannel.unprivileged
-  annotations:
-    seccomp.security.alpha.kubernetes.io/allowedProfileNames: docker/default
-    seccomp.security.alpha.kubernetes.io/defaultProfileName: docker/default
-    apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-spec:
-  privileged: false
-  volumes:
-  - configMap
-  - secret
-  - emptyDir
-  - hostPath
-  allowedHostPaths:
-  - pathPrefix: "/etc/cni/net.d"
-  - pathPrefix: "/etc/kube-flannel"
-  - pathPrefix: "/run/flannel"
-  readOnlyRootFilesystem: false
-  # Users and groups
-  runAsUser:
-    rule: RunAsAny
-  supplementalGroups:
-    rule: RunAsAny
-  fsGroup:
-    rule: RunAsAny
-  # Privilege Escalation
-  allowPrivilegeEscalation: false
-  defaultAllowPrivilegeEscalation: false
-  # Capabilities
-  allowedCapabilities: ['NET_ADMIN', 'NET_RAW']
-  defaultAddCapabilities: []
-  requiredDropCapabilities: []
-  # Host namespaces
-  hostPID: false
-  hostIPC: false
-  hostNetwork: true
-  hostPorts:
-  - min: 0
-    max: 65535
-  # SELinux
-  seLinux:
-    # SELinux is unused in CaaSP
-    rule: 'RunAsAny'
+  name: kube-flannel
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
   name: flannel
 rules:
-- apiGroups: ['extensions']
-  resources: ['podsecuritypolicies']
-  verbs: ['use']
-  resourceNames: ['psp.flannel.unprivileged']
 - apiGroups:
   - ""
   resources:
@@ -66,6 +22,7 @@ rules:
   resources:
   - nodes
   verbs:
+  - get
   - list
   - watch
 - apiGroups:
@@ -86,19 +43,19 @@ roleRef:
 subjects:
 - kind: ServiceAccount
   name: flannel
-  namespace: kube-system
+  namespace: kube-flannel
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   name: flannel
-  namespace: kube-system
+  namespace: kube-flannel
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
   name: kube-flannel-cfg
-  namespace: kube-system
+  namespace: kube-flannel
   labels:
     tier: node
     app: flannel
@@ -135,7 +92,7 @@ apiVersion: apps/v1
 kind: DaemonSet
 metadata:
   name: kube-flannel-ds
-  namespace: kube-system
+  namespace: kube-flannel
   labels:
     tier: node
     app: flannel
@@ -165,8 +122,21 @@ spec:
         effect: NoSchedule
       serviceAccountName: flannel
       initContainers:
+      - name: install-cni-plugin
+       #image: flannelcni/flannel-cni-plugin:v1.1.0 for ppc64le and mips64le (dockerhub limitations may apply)
+        image: docker.io/rancher/mirrored-flannelcni-flannel-cni-plugin:v1.1.0
+        command:
+        - cp
+        args:
+        - -f
+        - /flannel
+        - /opt/cni/bin/flannel
+        volumeMounts:
+        - name: cni-plugin
+          mountPath: /opt/cni/bin
       - name: install-cni
-        image: quay.io/coreos/flannel:v0.14.0
+       #image: flannelcni/flannel:v0.20.2 for ppc64le and mips64le (dockerhub limitations may apply)
+        image: docker.io/rancher/mirrored-flannelcni-flannel:v0.20.2
         command:
         - cp
         args:
@@ -180,7 +150,8 @@ spec:
           mountPath: /etc/kube-flannel/
       containers:
       - name: kube-flannel
-        image: quay.io/coreos/flannel:v0.14.0
+       #image: flannelcni/flannel:v0.20.2 for ppc64le and mips64le (dockerhub limitations may apply)
+        image: docker.io/rancher/mirrored-flannelcni-flannel:v0.20.2
         command:
         - /opt/bin/flanneld
         args:
@@ -206,18 +177,29 @@ spec:
           valueFrom:
             fieldRef:
               fieldPath: metadata.namespace
+        - name: EVENT_QUEUE_DEPTH
+          value: "5000"
         volumeMounts:
         - name: run
           mountPath: /run/flannel
         - name: flannel-cfg
           mountPath: /etc/kube-flannel/
+        - name: xtables-lock
+          mountPath: /run/xtables.lock
       volumes:
       - name: run
         hostPath:
           path: /run/flannel
+      - name: cni-plugin
+        hostPath:
+          path: /opt/cni/bin
       - name: cni
         hostPath:
           path: /etc/cni/net.d
       - name: flannel-cfg
         configMap:
           name: kube-flannel-cfg
+      - name: xtables-lock
+        hostPath:
+          path: /run/xtables.lock
+          type: FileOrCreate