Merge branch 'master' of https://github.com/Azure/acs-engine into soa…
…k-jenkins-test
CecileRobertMichon committed Jan 16, 2018
2 parents 03742ae + 39ec217 commit 66918b8
Showing 3,567 changed files with 80,863 additions and 1,012,587 deletions.
2 changes: 2 additions & 0 deletions cmd/scale.go
Expand Up @@ -188,6 +188,8 @@ func (sc *scaleCmd) run(cmd *cobra.Command, args []string) error {
vms, err := sc.client.ListVirtualMachines(sc.resourceGroupName)
if err != nil {
log.Fatalln("failed to get vms in the resource group. Error: %s", err.Error())
} else if len(*vms.Value) < 1 {
log.Fatalln("The provided resource group does not contain any vms.")
}
for _, vm := range *vms.Value {
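Review bot: the new `else if len(*vms.Value) < 1` branch dereferences `vms.Value` without a nil check, so a successful list call that comes back with a nil `Value` panics before the friendlier error is ever reached; `vms.Value == nil || len(*vms.Value) < 1` covers both cases. The surrounding `log.Fatalln("failed to get vms in the resource group. Error: %s", err.Error())` also passes a format verb to a non-formatting function, so the message will contain a literal `%s` followed by the error text; `log.Fatalf` is the intended call.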

16 changes: 12 additions & 4 deletions docs/clusterdefinition.md
Expand Up @@ -30,7 +30,7 @@ Here are the valid values for the orchestrator types:

|Name|Required|Description|
|---|---|---|
|kubernetesImageBase|no|This specifies the base URL (everything preceding the actual image filename) of the kubernetes hyperkube image to use for cluster deploymenbt, e.g., `gcrio.azureedge.net/google_containers/`.|
|kubernetesImageBase|no|This specifies the base URL (everything preceding the actual image filename) of the kubernetes hyperkube image to use for cluster deployment, e.g., `k8s-gcrio.azureedge.net/`.|
|dockerEngineVersion|no|Which version of docker-engine to use in your cluster, e.g.. "17.03.*"|
|networkPolicy|no|Specifies the network policy tool for the cluster. Valid values are:<br>`"azure"` (default), which provides an Azure native networking experience,<br>`none` for not enforcing any network policy,<br>`calico` for Calico network policy (clusters with Linux agents only).<br>See [network policy examples](../examples/networkpolicy) for more information.|
|clusterSubnet|no|The IP subnet used for allocating IP addresses for pod network interfaces. The subnet must be in the VNET address space. Default value is 10.244.0.0/16.|
Expand All @@ -45,7 +45,10 @@ Here are the valid values for the orchestrator types:
|gcLowThreshold|no|Sets the --image-gc-low-threshold value on the kublet configuration. Default is 80. [See kubelet Garbage Collection](https://kubernetes.io/docs/concepts/cluster-administration/kubelet-garbage-collection/) |
|useInstanceMetadata|no|Use the Azure cloudprovider instance metadata service for appropriate resource discovery operations. Default is `true`.|
|addons|no|Configure various Kubernetes addons configuration (currently supported: tiller, kubernetes-dashboard). See `addons` configuration below.|
|kubeletConfig|no|Configure various runtime configuration for kubelet. See `kubeletConfig` below.|
|kubeletConfig|no|Configure various runtime configuration for kubelet. See `kubeletConfig` [below](#feat-kubelet-config).|
|controllerManagerConfig|no|Configure various runtime configuration for controller-manager. See `controllerManagerConfig` [below](#feat-controller-manager-config).|
|cloudControllerManagerConfig|no|Configure various runtime configuration for cloud-controller-manager. See `cloudControllerManagerConfig` [below](#feat-cloud-controller-manager-config).|
|apiServerConfig|no|Configure various runtime configuration for apiserver. See `apiServerConfig` [below](#feat-apiserver-config).|

#### addons

Expand Down Expand Up @@ -136,6 +139,7 @@ Additionally above, we specified a custom docker image for tiller, let's say we

Finally, the `addons.enabled` boolean property was omitted above; that's by design. If you specify a `containers` configuration, acs-engine assumes you're enabling the addon. The very first example above demonstrates a simple "enable this addon with default configuration" declaration.

<a name="feat-kubelet-config"></a>
#### kubeletConfig

`kubeletConfig` declares runtime configuration for the kubelet running on all master and agent nodes. It is a generic key/value object, and a child property of `kubernetesConfig`. An example custom kubelet config:
Expand Down Expand Up @@ -184,6 +188,7 @@ Below is a list of kubelet options that are *not* currently user-configurable, e
|"--keep-terminated-pod-volumes"|"false"|
|"--feature-gates" (agent nodes only)|"Accelerators=true"|

<a name="feat-controller-manager-config"></a>
#### controllerManagerConfig

`controllerManagerConfig` declares runtime configuration for the kube-controller-manager daemon running on all master nodes. Like `kubeletConfig` it is a generic key/value object, and a child property of `kubernetesConfig`. An example custom controller-manager config:
Expand Down Expand Up @@ -228,6 +233,7 @@ Below is a list of controller-manager options that are *not* currently user-conf
|"--profiling"|"false"|
|"--use-service-account-credentials"|"false" ("true" if kubernetesConfig.enableRbac is true)|

<a name="feat-cloud-controller-manager-config"></a>
#### cloudControllerManagerConfig

`cloudControllerManagerConfig` declares runtime configuration for the cloud-controller-manager daemon running on all master nodes in a Cloud Controller Manager configuration. Like `kubeletConfig` it is a generic key/value object, and a child property of `kubernetesConfig`. An example custom cloud-controller-manager config:
Expand Down Expand Up @@ -262,6 +268,7 @@ Below is a list of cloud-controller-manager options that are *not* currently use
|"--leader-elect"|"true"|
|"--v"|"2"|

<a name="feat-apiserver-config"></a>
#### apiServerConfig

`apiServerConfig` declares runtime configuration for the kube-apiserver daemon running on all master nodes. Like `kubeletConfig` and `controllerManagerConfig` it is a generic key/value object, and a child property of `kubernetesConfig`. An example custom apiserver config:
Expand Down Expand Up @@ -325,6 +332,7 @@ Below is a list of apiserver options that are *not* currently user-configurable,
|"--cloud-provider"|"azure" (*unless useCloudControllerManager is true*)|
|"--cloud-config"|"/etc/kubernetes/azure.json" (*unless useCloudControllerManager is true*)|
|"--oidc-username-claim"|"oid" (*if has AADProfile*)|
|"--oidc-groups-claim"|"groups" (*if has AADProfile*)|
|"--oidc-client-id"|*calculated value that represents OID client ID* (*if has AADProfile*)|
|"--oidc-issuer-url"|*calculated value that represents OID issuer URL* (*if has AADProfile*)|
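Review bot: the new `--oidc-groups-claim` row should say that the `groups` claim is only present in tokens when the Server Application manifest has `groupMembershipClaims` set (the aad.md change in this same commit describes that prerequisite); a reader of this table alone will otherwise expect group-based RBAC bindings to work out of the box and have nothing to go on when they silently do not apply.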

Expand All @@ -343,7 +351,7 @@ We consider `kubeletConfig`, `controllerManagerConfig`, and `apiServerConfig` to
|vnetSubnetId|no|specifies the Id of an alternate VNET subnet. The subnet id must specify a valid VNET ID owned by the same subscription. ([bring your own VNET examples](../examples/vnet))|
|extensions|no|This is an array of extensions. This indicates that the extension be run on a single master. The name in the extensions array must exactly match the extension name in the extensionProfiles.|
|vnetCidr|no| specifies the vnet cidr when using custom Vnets ([bring your own VNET examples](../examples/vnet))|
|distro|no| Select Master(s) Operating System (Linux). Currently supported values are: `ubuntu` and `coreos`. Defaults to `ubuntu` if undefined. Currently supported OS and orchestrator configurations -- `ubuntu`: DCOS, Docker Swarm, Kubernetes; `coreos`: Kubernetes. [Example of CoreOS Master with CoreOS Agents](../examples/coreos/kubernetes-coreos.json)|
|distro|no| Select Master(s) Operating System (Linux). Currently supported values are: `ubuntu` and `coreos` (CoreOS support is currently experimental). Defaults to `ubuntu` if undefined. Currently supported OS and orchestrator configurations -- `ubuntu`: DCOS, Docker Swarm, Kubernetes; `coreos`: Kubernetes. [Example of CoreOS Master with CoreOS Agents](../examples/coreos/kubernetes-coreos.json)|

### agentPoolProfiles
A cluster can have 0 to 12 agent pool profiles. Agent Pool Profiles are used for creating agents with different capabilities such as VMSizes, VMSS or Availability Set, Public/Private access, [attached storage disks](../examples/disks-storageaccount), [attached managed disks](../examples/disks-managed), or [Windows](../examples/windows).
Expand All @@ -360,7 +368,7 @@ A cluster can have 0 to 12 agent pool profiles. Agent Pool Profiles are used for
|vmsize|yes|Describes a valid [Azure VM Sizes](https://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-sizes/). These are restricted to machines with at least 2 cores|
|osDiskSizeGB|no|Describes the OS Disk Size in GB|
|vnetSubnetId|no|specifies the Id of an alternate VNET subnet. The subnet id must specify a valid VNET ID owned by the same subscription. ([bring your own VNET examples](../examples/vnet))|
|distro|no| Select Agent Pool(s) Operating System (Linux). Currently supported values are: `ubuntu` and `coreos`. Defaults to `ubuntu` if undefined, unless `osType` is defined as `Windows` (in which case `distro` is unused). Currently supported OS and orchestrator configurations -- `ubuntu`: DCOS, Docker Swarm, Kubernetes; `coreos`: Kubernetes. [Example of CoreOS Master with Windows and Linux (CoreOS and Ubuntu) Agents](../examples/coreos/kubernetes-coreos-hybrid.json) |
|distro|no| Select Agent Pool(s) Operating System (Linux). Currently supported values are: `ubuntu` and `coreos` (CoreOS support is currently experimental). Defaults to `ubuntu` if undefined, unless `osType` is defined as `Windows` (in which case `distro` is unused). Currently supported OS and orchestrator configurations -- `ubuntu`: DCOS, Docker Swarm, Kubernetes; `coreos`: Kubernetes. [Example of CoreOS Master with Windows and Linux (CoreOS and Ubuntu) Agents](../examples/coreos/kubernetes-coreos-hybrid.json) |

### linuxProfile

9 changes: 7 additions & 2 deletions docs/kubernetes/aad.md
Expand Up @@ -8,7 +8,7 @@ Please also refer to [Azure Active Directory plugin for client authentication](h

## Prerequision
1. An Azure Active Directory tenant, will refer as `AAD Tenant`. You can use the tenant for your Azure subscription;
2. A `Web app / API` type AAD application, will refer as `Server Application`. This application represents the `apiserver`;
2. A `Web app / API` type AAD application, will refer as `Server Application`. This application represents the `apiserver`; For groups to work properly, you'll need to edit the `Server Application` Manifest and set `groupMembershipClaims` to either `All` or `SecurityGroup`.
3. A `Native` type AAD application, will refer as `Client Application`. This application is for user login via `kubectl`. You'll need to add delegated permission to `Server Application`, please see [troubleshooting](#loginpageerror) section for detail.

## Deployment
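Review bot: the sentence added to step 2 runs on after a semicolon with a capitalised "For"; make it its own sentence. The step also leaves the choice between `All` and `SecurityGroup` unexplained and does not say where the application manifest is edited, so a line on which value to prefer for RBAC group bindings and where to set it would make the prerequisite actionable. The context heading "Prerequision" should read "Prerequisites".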
Expand Down Expand Up @@ -46,10 +46,15 @@ Following instructions are for turnning on RBAC manually together with AAD integ
```
kubectl create clusterrolebinding aad-default-cluster-admin-binding --clusterrole=cluster-admin --user={UserName}
```
For example, if your `IssuerUrl` is `https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/`, and your `ObjectID` is `22fa281b-bf62-4b14-972c-0dbca24a25a2`, the command would be:
For example, if your `IssuerUrl` is `https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/`, and your User `ObjectID` is `22fa281b-bf62-4b14-972c-0dbca24a25a2`, the command would be:
```
kubectl create clusterrolebinding aad-default-cluster-admin-binding --clusterrole=cluster-admin --user=https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/#22fa281b-bf62-4b14-972c-0dbca24a25a2
```
4. (Optional) Add groups into your admin role
For example, if your `IssuerUrl` is `https://sts.windows.net/e2917176-1632-47a0-ad18-671d485757a3/`, and your Group `ObjectID` is `7d04bcd3-3c48-49ab-a064-c0b7d69896da`, the command would be:
```
kubectl create clusterrolebinding aad-default-group-cluster-admin-binding --clusterrole=cluster-admin --group=7d04bcd3-3c48-49ab-a064-c0b7d69896da
```

4. Turn on RBAC on master nodes.
On master nodes, edit `/etc/kubernetes/manifests/kube-apiserver.yaml`, add `--authorization-mode=RBAC` under `command` property. Reboot nodes.
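Review bot: the new optional step is numbered 4, but the existing "Turn on RBAC on master nodes" step that follows it is also numbered 4; renumber the list. The example should also spell out that `--group` takes the bare group Object ID while `--user` takes the issuer-prefixed form shown just above, since the asymmetry between the two commands is not obvious. Because this binds `cluster-admin` to every member of the group, a sentence recommending a dedicated, small admin group rather than a broad existing one would suit the optional step.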
18 changes: 9 additions & 9 deletions examples/scale-up/kubernetes_orignal_params.json
Expand Up @@ -45,31 +45,31 @@
"value": ""
},
"kubernetesAddonManagerSpec": {
"value": "k8s.gcr.io/kube-addon-manager-amd64:v6.2"
"value": "k8s-gcrio.azureedge.net/kube-addon-manager-amd64:v6.2"
},
"kubernetesAddonResizerSpec": {
"value": "k8s.gcr.io/addon-resizer:1.6"
"value": "k8s-gcrio.azureedge.net/addon-resizer:1.6"
},
"kubernetesDNSMasqSpec": {
"value": "k8s.gcr.io/kube-dnsmasq-amd64:1.3"
"value": "k8s-gcrio.azureedge.net/kube-dnsmasq-amd64:1.3"
},
"kubernetesDashboardSpec": {
"value": "k8s.gcr.io/kubernetes-dashboard-amd64:v1.5.1"
"value": "k8s-gcrio.azureedge.net/kubernetes-dashboard-amd64:v1.5.1"
},
"kubernetesExecHealthzSpec": {
"value": "k8s.gcr.io/exechealthz-amd64:1.2"
"value": "k8s-gcrio.azureedge.net/exechealthz-amd64:1.2"
},
"kubernetesHeapsterSpec": {
"value": "k8s.gcr.io/heapster:v1.2.0"
"value": "k8s-gcrio.azureedge.net/heapster:v1.2.0"
},
"kubernetesHyperkubeSpec": {
"value": "k8s.gcr.io/hyperkube-amd64:v1.5.3"
"value": "k8s-gcrio.azureedge.net/hyperkube-amd64:v1.5.3"
},
"kubernetesKubeDNSSpec": {
"value": "k8s.gcr.io/kubedns-amd64:1.7"
"value": "k8s-gcrio.azureedge.net/kubedns-amd64:1.7"
},
"kubernetesPodInfraContainerSpec": {
"value": "k8s.gcr.io/pause-amd64:3.0"
"value": "k8s-gcrio.azureedge.net/pause-amd64:3.0"
},
"linuxAdminUsername": {
"value": "azureuser"
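Review bot: all nine image references move from `k8s.gcr.io` to `k8s-gcrio.azureedge.net` while staying pinned by tag only, so the example now trusts the mirror to serve the same bytes as upstream for mutable tags such as `pause-amd64:3.0`; a digest pin (`image@sha256:...`) or a note in the example's README about the mirror would make that trust explicit. The versions here (hyperkube `v1.5.3`, kube-dns `1.7`) are also older than the 1.7.0 threshold the apiserver defaults in this commit reason about, and the file name `kubernetes_orignal_params.json` has a typo worth fixing while the file is being touched.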
18 changes: 9 additions & 9 deletions examples/scale-up/kubernetes_scale_up_params.json
Expand Up @@ -51,31 +51,31 @@
"value": ""
},
"kubernetesAddonManagerSpec": {
"value": "k8s.gcr.io/kube-addon-manager-amd64:v6.2"
"value": "k8s-gcrio.azureedge.net/kube-addon-manager-amd64:v6.2"
},
"kubernetesAddonResizerSpec": {
"value": "k8s.gcr.io/addon-resizer:1.6"
"value": "k8s-gcrio.azureedge.net/addon-resizer:1.6"
},
"kubernetesDNSMasqSpec": {
"value": "k8s.gcr.io/kube-dnsmasq-amd64:1.3"
"value": "k8s-gcrio.azureedge.net/kube-dnsmasq-amd64:1.3"
},
"kubernetesDashboardSpec": {
"value": "k8s.gcr.io/kubernetes-dashboard-amd64:v1.5.1"
"value": "k8s-gcrio.azureedge.net/kubernetes-dashboard-amd64:v1.5.1"
},
"kubernetesExecHealthzSpec": {
"value": "k8s.gcr.io/exechealthz-amd64:1.2"
"value": "k8s-gcrio.azureedge.net/exechealthz-amd64:1.2"
},
"kubernetesHeapsterSpec": {
"value": "k8s.gcr.io/heapster:v1.2.0"
"value": "k8s-gcrio.azureedge.net/heapster:v1.2.0"
},
"kubernetesHyperkubeSpec": {
"value": "k8s.gcr.io/hyperkube-amd64:v1.5.3"
"value": "k8s-gcrio.azureedge.net/hyperkube-amd64:v1.5.3"
},
"kubernetesKubeDNSSpec": {
"value": "k8s.gcr.io/kubedns-amd64:1.7"
"value": "k8s-gcrio.azureedge.net/kubedns-amd64:1.7"
},
"kubernetesPodInfraContainerSpec": {
"value": "k8s.gcr.io/pause-amd64:3.0"
"value": "k8s-gcrio.azureedge.net/pause-amd64:3.0"
},
"linuxAdminUsername": {
"value": "azureuser"
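Review bot: same comment as for `kubernetes_orignal_params.json`: the registry swap keeps tag-only pins, so digests would make the mirror trust explicit. These two parameter files carry identical image blocks and must be updated in lockstep, as they are here; a comment in the scale-up example pointing that out would stop them drifting apart in a later change.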
Expand Up @@ -186,7 +186,7 @@ kubeStateMetrics:
## kube-state-metrics container image
##
image:
repository: k8s.gcr.io/kube-state-metrics
repository: k8s-gcrio.azureedge.net/kube-state-metrics
tag: v1.1.0-rc.0
pullPolicy: IfNotPresent
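Review bot: the repository now points at the Azure mirror while the tag stays at the release candidate `v1.1.0-rc.0`; the hunk does not show whether the mirror hosts `kube-state-metrics` at that tag (the old line pulled it from `k8s.gcr.io`, which is where the upstream image is published), so a pull check of the new reference is worthwhile before merging, and moving off the `rc` tag would be a good follow-up.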

22 changes: 11 additions & 11 deletions glide.lock


2 changes: 1 addition & 1 deletion glide.yaml
Expand Up @@ -25,7 +25,7 @@ import:
- package: github.com/mitchellh/go-homedir
version: b8bc1bf767474819792c23f32d8286a45736f1c6
- package: github.com/satori/go.uuid
version: v1.1.0
version: ~1.2.0
- package: github.com/spf13/cobra
version: 4cdb38c072b86bf795d2c81de50784d9fdd6eb77
- package: github.com/spf13/pflag
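Review bot: `satori/go.uuid` moves from the exact tag `v1.1.0` to the range `~1.2.0`, while the neighbouring entries (`go-homedir`, `cobra`) pin exact commits; the accompanying `glide.lock` change fixes the resolved revision for now, but an exact pin here keeps the manifest consistent with the rest of the file and avoids a silent patch-level bump on the next `glide update`.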
18 changes: 17 additions & 1 deletion pkg/acsengine/defaults-apiserver.go
Expand Up @@ -64,6 +64,7 @@ func setAPIServerConfig(cs *api.ContainerService) {
// AAD configuration
if cs.Properties.HasAadProfile() {
staticLinuxAPIServerConfig["--oidc-username-claim"] = "oid"
staticLinuxAPIServerConfig["--oidc-groups-claim"] = "groups"
staticLinuxAPIServerConfig["--oidc-client-id"] = "spn:" + cs.Properties.AADProfile.ServerAppID
issuerHost := "sts.windows.net"
if GetCloudTargetEnv(cs.Location) == "AzureChinaCloud" {
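Review bot: `--oidc-groups-claim` is now set unconditionally whenever an AAD profile exists, but the claim only appears in tokens when the Server Application manifest enables `groupMembershipClaims` (per the aad.md change in this commit); a short comment here saying so, mirrored in the clusterdefinition.md table, would save debugging time when group bindings silently fail to apply.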
Expand All @@ -87,7 +88,15 @@ func setAPIServerConfig(cs *api.ContainerService) {

// RBAC configuration
if helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableRbac) {
defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
defaultAPIServerConfig["--authorization-mode"] = "RBAC"
if isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
defaultAPIServerConfig["--authorization-mode"] = "Node,RBAC"
}
} else if !isKubernetesVersionGe(o.OrchestratorVersion, "1.7.0") {
// remove authorization-mode for 1.6 clusters without RBAC since Node authorization isn't supported
for _, key := range []string{"--authorization-mode"} {
delete(defaultAPIServerConfig, key)
}
}

// If no user-configurable apiserver config values exists, use the defaults
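Review bot: in the non-RBAC branch, deleting `--authorization-mode` for pre-1.7 clusters leaves kube-apiserver on its built-in default, which is `AlwaysAllow`; that preserves the pre-existing behaviour for those clusters, but the comment should state the resulting mode explicitly rather than only why the flag is removed. The `for _, key := range []string{"--authorization-mode"}` loop over a one-element slice can be a plain `delete(defaultAPIServerConfig, "--authorization-mode")`, and setting `"RBAC"` only to overwrite it with `"Node,RBAC"` inside the version check reads more clearly as an if/else.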
Expand All @@ -114,4 +123,11 @@ func setAPIServerConfig(cs *api.ContainerService) {
for key, val := range overrideAPIServerConfig {
o.KubernetesConfig.APIServerConfig[key] = val
}

// Remove flags for secure communication to kubelet, if configured
if !helpers.IsTrueBoolPointer(o.KubernetesConfig.EnableSecureKubelet) {
for _, key := range []string{"--kubelet-client-certificate", "--kubelet-client-key"} {
delete(o.KubernetesConfig.APIServerConfig, key)
}
}
}
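Review bot: the deletion of `--kubelet-client-certificate` and `--kubelet-client-key` runs after the user-supplied `apiServerConfig` overrides have been applied (the loop just above), so a user who sets those flags explicitly while leaving `enableSecureKubelet` unset has them silently dropped. Either skip the deletion when the user provided a value, or document in clusterdefinition.md that these two flags are owned by `enableSecureKubelet`. A comment noting that without them the apiserver-to-kubelet connection (logs, exec, port-forward) presents no client identity, so the kubelet side must be configured not to require client certificates, would also help readers of this block.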