Fix the kured reboot command
This commit is contained in:
parent
b123845937
commit
573155e5b7
@ -1,141 +0,0 @@
|
|||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRole
|
|
||||||
metadata:
|
|
||||||
name: kured
|
|
||||||
rules:
|
|
||||||
# Allow kured to read spec.unschedulable
|
|
||||||
# Allow kubectl to drain/uncordon
|
|
||||||
#
|
|
||||||
# NB: These permissions are tightly coupled to the bundled version of kubectl; the ones below
|
|
||||||
# match https://github.com/kubernetes/kubernetes/blob/v1.19.4/staging/src/k8s.io/kubectl/pkg/cmd/drain/drain.go
|
|
||||||
#
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["nodes"]
|
|
||||||
verbs: ["get", "patch"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods"]
|
|
||||||
verbs: ["list","delete","get"]
|
|
||||||
- apiGroups: ["apps"]
|
|
||||||
resources: ["daemonsets"]
|
|
||||||
verbs: ["get"]
|
|
||||||
- apiGroups: [""]
|
|
||||||
resources: ["pods/eviction"]
|
|
||||||
verbs: ["create"]
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: kured
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: kured
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: kured
|
|
||||||
namespace: kube-system
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: Role
|
|
||||||
metadata:
|
|
||||||
namespace: kube-system
|
|
||||||
name: kured
|
|
||||||
rules:
|
|
||||||
# Allow kured to lock/unlock itself
|
|
||||||
- apiGroups: ["apps"]
|
|
||||||
resources: ["daemonsets"]
|
|
||||||
resourceNames: ["kured"]
|
|
||||||
verbs: ["update"]
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
|
||||||
kind: RoleBinding
|
|
||||||
metadata:
|
|
||||||
namespace: kube-system
|
|
||||||
name: kured
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
namespace: kube-system
|
|
||||||
name: kured
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: Role
|
|
||||||
name: kured
|
|
||||||
---
|
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: kured
|
|
||||||
namespace: kube-system
|
|
||||||
---
|
|
||||||
apiVersion: apps/v1
|
|
||||||
kind: DaemonSet
|
|
||||||
metadata:
|
|
||||||
name: kured # Must match `--ds-name`
|
|
||||||
namespace: kube-system # Must match `--ds-namespace`
|
|
||||||
spec:
|
|
||||||
selector:
|
|
||||||
matchLabels:
|
|
||||||
name: kured
|
|
||||||
updateStrategy:
|
|
||||||
type: RollingUpdate
|
|
||||||
template:
|
|
||||||
metadata:
|
|
||||||
labels:
|
|
||||||
name: kured
|
|
||||||
spec:
|
|
||||||
serviceAccountName: kured
|
|
||||||
tolerations:
|
|
||||||
- key: node-role.kubernetes.io/master
|
|
||||||
effect: NoSchedule
|
|
||||||
hostPID: true # Facilitate entering the host mount namespace via init
|
|
||||||
restartPolicy: Always
|
|
||||||
containers:
|
|
||||||
- name: kured
|
|
||||||
image: registry.opensuse.org/kubic/kured:1.9.1
|
|
||||||
# If you find yourself here wondering why there is no
|
|
||||||
# :latest tag on Docker Hub,see the FAQ in the README
|
|
||||||
imagePullPolicy: Always
|
|
||||||
securityContext:
|
|
||||||
privileged: true # Give permission to nsenter /proc/1/ns/mnt
|
|
||||||
env:
|
|
||||||
# Pass in the name of the node on which this pod is scheduled
|
|
||||||
# for use with drain/uncordon operations and lock acquisition
|
|
||||||
- name: KURED_NODE_ID
|
|
||||||
valueFrom:
|
|
||||||
fieldRef:
|
|
||||||
fieldPath: spec.nodeName
|
|
||||||
command:
|
|
||||||
- /usr/bin/kured
|
|
||||||
# - --force-reboot=false
|
|
||||||
# - --drain-grace-period=-1
|
|
||||||
# - --skip-wait-for-delete-timeout=0
|
|
||||||
# - --drain-timeout=0
|
|
||||||
# - --period=1h
|
|
||||||
# - --ds-namespace=kube-system
|
|
||||||
# - --ds-name=kured
|
|
||||||
# - --lock-annotation=weave.works/kured-node-lock
|
|
||||||
# - --lock-ttl=0
|
|
||||||
# - --prometheus-url=http://prometheus.monitoring.svc.cluster.local
|
|
||||||
# - --alert-filter-regexp=^RebootRequired$
|
|
||||||
# - --alert-firing-only=false
|
|
||||||
# - --reboot-sentinel=/var/run/reboot-required
|
|
||||||
# - --prefer-no-schedule-taint=""
|
|
||||||
# - --reboot-sentinel-command=""
|
|
||||||
# - --slack-hook-url=https://hooks.slack.com/...
|
|
||||||
# - --slack-username=prod
|
|
||||||
# - --slack-channel=alerting
|
|
||||||
# - --notify-url="" # See also shoutrrr url format
|
|
||||||
# - --message-template-drain=Draining node %s
|
|
||||||
# - --message-template-drain=Rebooting node %s
|
|
||||||
# - --blocking-pod-selector=runtime=long,cost=expensive
|
|
||||||
# - --blocking-pod-selector=name=temperamental
|
|
||||||
# - --blocking-pod-selector=...
|
|
||||||
# - --reboot-days=sun,mon,tue,wed,thu,fri,sat
|
|
||||||
# - --reboot-delay=90s
|
|
||||||
# - --start-time=0:00
|
|
||||||
# - --end-time=23:59:59
|
|
||||||
# - --time-zone=UTC
|
|
||||||
# - --annotate-nodes=false
|
|
||||||
# - --lock-release-delay=30m
|
|
||||||
# - --log-format=text
|
|
20
kured/patch.yaml
Normal file
20
kured/patch.yaml
Normal file
@ -0,0 +1,20 @@
|
|||||||
|
apiVersion: apps/v1
|
||||||
|
kind: DaemonSet
|
||||||
|
metadata:
|
||||||
|
name: kured
|
||||||
|
namespace: kube-system
|
||||||
|
spec:
|
||||||
|
selector:
|
||||||
|
matchLabels:
|
||||||
|
name: kured
|
||||||
|
template:
|
||||||
|
metadata:
|
||||||
|
labels:
|
||||||
|
name: kured
|
||||||
|
spec:
|
||||||
|
serviceAccountName: kured
|
||||||
|
containers:
|
||||||
|
- name: kured
|
||||||
|
command:
|
||||||
|
- /usr/bin/kured
|
||||||
|
- --reboot-command=/usr/bin/systemctl reboot
|
@ -124,7 +124,7 @@ resource "hcloud_server" "first_control_plane" {
|
|||||||
provisioner "local-exec" {
|
provisioner "local-exec" {
|
||||||
command = <<-EOT
|
command = <<-EOT
|
||||||
set -ex
|
set -ex
|
||||||
kubectl -n kube-system apply ${path.module}/config/kured.yaml --kubeconfig ${path.module}/kubeconfig.yaml
|
kubectl -n kube-system apply -k ${dirname(local_file.kured_config.filename)} --kubeconfig ${path.module}/kubeconfig.yaml
|
||||||
EOT
|
EOT
|
||||||
}
|
}
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user