Add pod-pid-limit options to kubelet in kubernetes 1.10 (#2736)

Azure · May 30, 2018 · 384a005 · 384a005
1 parent 9645794
commit 384a005
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/docs/clusterdefinition.md b/docs/clusterdefinition.md
@@ -179,6 +179,7 @@ Below is a list of kubelet options that acs-engine will configure by default:
 |"--image-gc-low-threshold"|"850"|
 |"--non-masquerade-cidr"|"10.0.0.0/8"|
 |"--azure-container-registry-config"|"/etc/kubernetes/azure.json"|
+|"--pod-max-pids"|"100" (need to activate the feature in --feature-gates=SupportPodPidsLimit=true)|
 |"--feature-gates"|No default (can be a comma-separated list). On agent nodes `Accelerators=true` will be applied in the `--feature-gates` option for k8s versions before 1.11.0|
 
 Below is a list of kubelet options that are *not* currently user-configurable, either because a higher order configuration vector is available that enforces kubelet configuration, or because a static configuration is required to build a functional cluster:

diff --git a/pkg/acsengine/const.go b/pkg/acsengine/const.go
@@ -150,6 +150,8 @@ const (
 	DefaultJumpboxDiskSize = 30
 	// DefaultJumpboxUsername specifies the default admin username for the private cluster jumpbox
 	DefaultJumpboxUsername = "azureuser"
+	// DefaultKubeletPodMaxPIDs specifies the default max pid authorized by pods
+	DefaultKubeletPodMaxPIDs = 100
 )
 
 const (

diff --git a/pkg/acsengine/defaults-kubelet.go b/pkg/acsengine/defaults-kubelet.go
@@ -46,6 +46,7 @@ func setKubeletConfig(cs *api.ContainerService) {
 		"--azure-container-registry-config": "/etc/kubernetes/azure.json",
 		"--event-qps":                       DefaultKubeletEventQPS,
 		"--cadvisor-port":                   DefaultKubeletCadvisorPort,
+		"--pod-max-pids":                    strconv.Itoa(DefaultKubeletPodMaxPIDs),
 	}
 
 	// If no user-configurable kubelet config values exists, use the defaults
@@ -82,6 +83,13 @@ func setKubeletConfig(cs *api.ContainerService) {
 		}
 	}
 
+	// Get rid of values not supported in v1.10 clusters
+	if !common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.10.0") {
+		for _, key := range []string{"--pod-max-pids"} {
+			delete(o.KubernetesConfig.KubeletConfig, key)
+		}
+	}
+
 	// Remove secure kubelet flags, if configured
 	if !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
 		for _, key := range []string{"--anonymous-auth", "--client-ca-file"} {

diff --git a/pkg/acsengine/defaults_test.go b/pkg/acsengine/defaults_test.go
@@ -120,6 +120,7 @@ func TestSetMissingKubeletValues(t *testing.T) {
 		"--image-gc-low-threshold":       "7",
 		"--non-masquerade-cidr":          "8",
 		"--cloud-provider":               "9",
+		"--pod-max-pids":                 "10",
 	}
 	setMissingKubeletValues(config, defaultKubeletConfig)
 	for key, val := range defaultKubeletConfig {
@@ -145,6 +146,7 @@ func TestSetMissingKubeletValues(t *testing.T) {
 		"--image-gc-low-threshold":       "7",
 		"--non-masquerade-cidr":          "8",
 		"--cloud-provider":               "c",
+		"--pod-max-pids":                 "10",
 	}
 	setMissingKubeletValues(config, defaultKubeletConfig)
 	for key, val := range expectedResult {