Kubeadm kubelet integration doc #9652
Conversation
/assign @Bradamant3
/assign @neolit123
Deploy preview for kubernetes-io-master-staging ready! Built with commit 52b1f06 https://deploy-preview-9652--kubernetes-io-master-staging.netlify.com
Have some nil comments
Let's say that you have a default service subnet defined as `10.96.0.0/12` and you pass this parameter to kubeadm:
```bash
kubeadm init --service-cidr 10.95.0.0/12
```
replace 10.95.0.0/12
to 10.96.0.0/12
?
In this example, the modified value is the subnet used for allocating the Service Virtual IPs.
This means that the `--cluster-dns` kubelet flag also has to be set, to `10.95.0.10` following this example.
The same
- Different kubelet parameters need to be passed depending on what CRI runtime is used. In the case of docker,
you need to specify flags like `--network-plugin=cni` for it to work, but if you're using some other, external runtime
you should set `--container-runtime=remote` and specify the CRI endpoint with `--container-runtime-endpoint=<path>`.
...., but if you're using some external runtime. you should set ....
to make the kubelet pick up the latest dynamic flags which were previously written. After that the rest of the regular
`kubeadm init` workflow continues.
`kubeadm join` on the other hand, uses the Bootstrap Token credential to download the `kubelet-config-1.X` ConfigMap
"on the other hand, kubeadm join
.... ", may be seems well
thanks for the review, @stewart-yu
some nil format review, thanks
- The file that can contain user specified flag overrides with `KUBELET_EXTRA_ARGS` is sourced from `/etc/default/kubelet`
(for debs), or `/etc/systconfig/kubelet` (for rpms). Note that `KUBELET_EXTRA_ARGS` is last in the flag chain,
therefore it has the highest priority.
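Review bot: `/etc/systconfig/kubelet` on the second line of this item looks like a typo for `/etc/sysconfig/kubelet`, which is the environment file the rpm drop-in sources; a reader copying the path as written would put their overrides in a file nothing reads. Suggest `(for debs), or `/etc/sysconfig/kubelet` (for rpms).`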
Here some wrong format output, may be add a blank line below Notes to make it work.
https://deploy-preview-9652--kubernetes-io-master-staging.netlify.com/docs/setup/independent/kubelet-integration/
- `kubelet` - ships the `/usr/bin/kubelet` binary.
- `kubectl` - ships the `/usr/bin/kubectl` binary.
- `kubernetes-cni` - ships the official CNI binaries under the `/opt/cni/bin` directory.
- `cri-tools` - ships the `/usr/bin/crictl` binary from https://github.com/kubernetes-incubator/cri-tools
The same
@stewart-yu
Force-pushed from 8d241e1 to 7367f87
Also apply MD formatting fixes.
Force-pushed from 7367f87 to 75e84d1
@stewart-yu
/lgtm
@neolit123 PTAL at the copyedit commit I just added on top of yours. I changed the structure of the file a bit and reworked the prose. Let me know if I accidentally changed any technical meaning with my changes and I'll iterate. Thanks!
@mistyhacks
thanks for the review and edits.
i've added some comments about tech deviations and a couple of typos.
i think the new structure is much better.
The default kubeadm deb/rpm packages ship a systemd drop-in file for the kubelet populated with
some CLI flags so that the kubelet is functional.
Like any daemon process, the state of the kubelet needs to be maintained using a lifecycle management
process such as an init system or process manager. When the kubelet is installed using DEBs or RPMs,
the original is arguably more technically valid here:
Given the kubelet is a daemon, it needs to be maintained by some kind of a init system or process manager.
some CLI flags so that the kubelet is functional.
Like any daemon process, the state of the kubelet needs to be maintained using a lifecycle management
process such as an init system or process manager. When the kubelet is installed using DEBs or RPMs,
`systemd` manages the kubelet. You can configure a different process management system to manage the
here and across the edit, systemd is not a command to be quoted, but rather a tool / project name like etcd or kubelet. for example, kubeadm is a tool, but `kubeadm init` is a command line and should be quoted.
## Kubelet configuration patterns

The following sections describe patterns to kubelet configuration that are simplified by
using kubeadm, rather than managing the kubelet configuration for each Pod manually.
a kubelet is per Node, not per Pod.
`kubeadm init` and/or `kubeadm join` commands. Common scenarios include customizing the Service
Subnet and using a different CRI runtime.
If you want your services to use the subnet `10.96.0.0/12` as the default for services, you can pass
the `--service-cidr` marameter to kubeadm:
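Review bot: the sentence beginning "If you want your services" says "services" twice ("your services ... as the default for services") and the next line has "marameter" for "parameter"; suggest "If you want your services to use the subnet `10.96.0.0/12` by default, you can pass the `--service-cidr` parameter to kubeadm:".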
typo marameter
### Providing instance-specific configuration details

Some hosts require specific kubelet configurations, due to differences in hardware, operating system,
networking, or other host-specific parameters. The following list provices a few examples.
typo provices
named `kubelet-config-1.X`, where `X` is the minor version of the Kubernetes version initialized. `kubeadm init` also
generates the `/etc/kubernetes/kubelet.conf` KubeConfig file with credentials (client certificates) so that the kubelet
can talk to the API server.
When you call `kubeadm init`, the `.kubeletConfiguration.baseConfig` structure is marshalled to disk
minor-nit: we might as well remove the extra space before structure here.
baseline cluster-wide configuration for all kubelets in the cluster. This configuration file
points to the client certificates that allow the kubelet to communicate with the API server. This
addresses the need to
[propogate cluster-level configuration to each kubelet](#propagating-cluster-level-configuration-to-each-kubelet).
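Review bot: the link text on the last line reads "propogate" while the anchor `#propagating-cluster-level-configuration-to-each-kubelet` is spelled correctly; change the visible text to "propagate cluster-level configuration to each kubelet" so the link text matches the heading it points to.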
this is good self-linking 👍
On the other hand, `kubeadm join` uses the Bootstrap Token credential to download the `kubelet-config-1.X` ConfigMap
and write it to `/var/lib/kubelet/config.yaml`.
After marshalling these two files to disk, kubeadm attempts to run the following two
commands, if you are using systemd to manage your processes:
throughout the doc, "process manager" and "manage a process" is slightly misused in the case of systemd, because it's more of a "service manager". a process is not exactly the same as a service in any OS context. i would omit "to manage your processes" to dodge this ambiguity.
is stored in `/etc/kubernetes/kubelet.conf`. As of kubeadm v1.11, `kubeadm join` waits for the `/etc/kubernetes/kubelet.conf`
file to appear on disk, which means that the kubelet has performed the TLS Bootstrap.
When you run `kubeadm join`, kubeadm uses the Bootstrap Token credential to download the
`kubelet-config-1.X` ConfigMap and writes it to `/var/lib/kubelet/config.yaml`. The dynamic
and writes it
-> and write it
?
kubeadm (uses the Bootstrap Token credential....) and writes it. :) Subject-verb agreement.
At that point the Bootstrap Token is used by the kubelet to perform the TLS Bootstrap and to get the unique credential which
is stored in `/etc/kubernetes/kubelet.conf`. As of kubeadm v1.11, `kubeadm join` waits for the `/etc/kubernetes/kubelet.conf`
file to appear on disk, which means that the kubelet has performed the TLS Bootstrap.
When you run `kubeadm join`, kubeadm uses the Bootstrap Token credential to download the
the bootstrap token is used to perform a TLS bootstrap which fetches the credential.
the original is more technically accurate.
@neolit123 Thanks, I've just pushed a new commit to address your comments. PTAL!
@mistyhacks this is good to go.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: mistyhacks
Part of kubernetes/kubeadm#849
/cc @kubernetes/sig-cluster-lifecycle-pr-reviews
original PR: #9123
since i cannot push to @luxas branch here are my editorial fixes and also i've moved the file to `setup/independent`.