Merge pull request #1993 from zalando-incubator/beta-to-stable

beta to stable

cluster/config-defaults.yaml

@@ -26,6 +26,7 @@ skipper_ingress_max_replicas: "30"
 skipper_ingress_min_replicas: "3"
 skipper_ingress_cpu: "500m"
 skipper_ingress_memory: "500Mi"
+skipper_ingress_tracing_buffer: "16384"
 
 # skipper backend timeout defaults
 skipper_expect_continue_timeout_backend: "30s"
@@ -65,7 +66,7 @@ image_policy: "trusted"
 {{else}}
 image_policy: "dev"
 {{end}}
-compliance_checker_enabled: "false"
+compliance_checker_enabled: "true"
 
 # Egress configuration
 nat_cidr_blocks: "172.31.64.0/28,172.31.64.16/28,172.31.64.32/28"
@@ -194,4 +195,8 @@ coreos_image: "ami-012abdf0d2781f0a5" # Container Linux 2023.5.0 (HVM, eu-centra
 enable_ingress_template_controller: "false"
 
 # Temporary feature toggle for the new daemonset scheduler
+{{if eq .Environment "e2e"}}
+experimental_schedule_daemonset_pods: "true"
+{{else}}
 experimental_schedule_daemonset_pods: "false"
+{{end}}

cluster/manifests/external-dns/deployment.yaml

@@ -35,6 +35,7 @@ spec:
         - --provider=aws
         - --registry=txt
         - --txt-owner-id={{ .Region }}:{{ .LocalID }}
+        - --aws-batch-change-size=350
         resources:
           limits:
             cpu: 50m

cluster/manifests/external-dns/vpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling.k8s.io/v1beta1
+apiVersion: autoscaling.k8s.io/v1beta2
 kind: VerticalPodAutoscaler
 metadata:
   name: external-dns
@@ -16,5 +16,5 @@ spec:
     containerPolicies:
     - containerName: external-dns
       maxAllowed:
-        cpu: 50m
-        memory: 100Mi
+        cpu: 500m
+        memory: 2Gi

cluster/manifests/heapster/vpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling.k8s.io/v1beta1
+apiVersion: autoscaling.k8s.io/v1beta2
 kind: VerticalPodAutoscaler
 metadata:
   name: heapster

cluster/manifests/ingress-controller/vpa.yaml

@@ -0,0 +1,20 @@
+apiVersion: autoscaling.k8s.io/v1beta2
+kind: VerticalPodAutoscaler
+metadata:
+  name: kube-ingress-aws-controller
+  namespace: kube-system
+  labels:
+    application: kube-ingress-aws-controller
+spec:
+  targetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: kube-ingress-aws-controller
+  updatePolicy:
+    updateMode: Auto
+  resourcePolicy:
+    containerPolicies:
+    - containerName: kube-ingress-aws-controller
+      maxAllowed:
+        cpu: 250m
+        memory: 1Gi

cluster/manifests/kube-cluster-autoscaler/daemonset.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: kube-cluster-autoscaler
-    version: v1.12.2-internal49
+    version: v1.12.2-internal63
 spec:
   selector:
     matchLabels:
@@ -16,7 +16,7 @@ spec:
     metadata:
       labels:
         application: kube-cluster-autoscaler
-        version: v1.12.2-internal49
+        version: v1.12.2-internal63
       annotations:
         iam.amazonaws.com/role: "{{ .LocalID }}-app-autoscaler"
         config/pool-sizes: "{{range .NodePools}}{{.Name}}-{{.MinSize}}-{{.MaxSize}} {{end}}"
@@ -33,7 +33,7 @@ spec:
         effect: NoSchedule
       containers:
       - name: cluster-autoscaler
-        image: registry.opensource.zalan.do/teapot/kube-cluster-autoscaler:v1.12.2-internal49
+        image: registry.opensource.zalan.do/teapot/kube-cluster-autoscaler:v1.12.2-internal63
         command:
           - ./cluster-autoscaler
           - --v=4

cluster/manifests/kube-downscaler/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: kube-downscaler
-    version: v0.6
+    version: v0.12
 spec:
   replicas: 1
   selector:
@@ -15,7 +15,7 @@ spec:
     metadata:
       labels:
         application: kube-downscaler
-        version: v0.7
+        version: v0.12
     spec:
       dnsConfig:
         options:
@@ -26,7 +26,7 @@ spec:
       containers:
       - name: downscaler
         # see https://github.com/hjacobs/kube-downscaler/releases
-        image: registry.opensource.zalan.do/teapot/kube-downscaler:0.7
+        image: registry.opensource.zalan.do/teapot/kube-downscaler:0.12
         args:
           - --interval=30
           - --exclude-namespaces=kube-system,visibility

cluster/manifests/kube-metrics-adapter/deployment.yaml

@@ -25,7 +25,7 @@ spec:
       serviceAccountName: custom-metrics-apiserver
       containers:
       - name: kube-metrics-adapter
-        image: registry.opensource.zalan.do/teapot/kube-metrics-adapter:master-20
+        image: registry.opensource.zalan.do/teapot/kube-metrics-adapter:master-25
         args:
         - --prometheus-server=http://prometheus.kube-system.svc.cluster.local
         - --skipper-ingress-metrics

cluster/manifests/kube-static-egress-controller/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: kube-static-egress-controller
-    version: v0.1.5
+    version: v0.1.6
 spec:
   replicas: 1
   selector:
@@ -15,7 +15,7 @@ spec:
     metadata:
       labels:
         application: kube-static-egress-controller
-        version: v0.1.5
+        version: v0.1.6
       annotations:
         iam.amazonaws.com/role: "{{ .LocalID }}-static-egress-controller"
     spec:
@@ -26,7 +26,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
       - name: controller
-        image: registry.opensource.zalan.do/teapot/kube-static-egress-controller:v0.1.5
+        image: registry.opensource.zalan.do/teapot/kube-static-egress-controller:v0.1.6
         args:
         - "--log-level=debug"
         - "--provider=aws"

cluster/manifests/kubernetes-lifecycle-metrics/vpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling.k8s.io/v1beta1
+apiVersion: autoscaling.k8s.io/v1beta2
 kind: VerticalPodAutoscaler
 metadata:
   name: kubernetes-lifecycle-metrics-vpa

cluster/manifests/logging-agent/config.yaml

@@ -69,6 +69,8 @@ data:
       @type s3
       s3_bucket {{ index .ConfigItems "logging_s3_bucket" }}
       s3_region eu-central-1
+      auto_create_bucket false
+      check_bucket false
       <instance_profile_credentials>
         retries 10
       </instance_profile_credentials>

cluster/manifests/metrics-server/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: metrics-server
-    version: v0.2.1
+    version: v0.3.2
 spec:
   replicas: 1
   selector:
@@ -16,24 +16,34 @@ spec:
       name: metrics-server
       labels:
         application: metrics-server
-        version: v0.2.1
+        version: v0.3.2
     spec:
       dnsConfig:
         options:
           - name: ndots
             value: "1"
       priorityClassName: system-cluster-critical
-      serviceAccountName: system
+      serviceAccountName: metrics-server
       containers:
       - name: metrics-server
-        image: registry.opensource.zalan.do/teapot/metrics-server:v0.2.1
-        command:
-        - /metrics-server
-        - --source=kubernetes.summary_api:''
+        image: registry.opensource.zalan.do/teapot/metrics-server:v0.3.2
+        args:
+        # Connect to kubelet on 'completely insecure' port.
+        # We need to configure kubelet differently to be able to use the secure
+        # port 10250.
+        - --deprecated-kubelet-completely-insecure
+        - --kubelet-port=10255
         resources:
           limits:
             cpu: "{{.ConfigItems.metrics_service_cpu}}"
             memory: "{{.ConfigItems.metrics_service_mem}}"
           requests:
             cpu: "{{.ConfigItems.metrics_service_cpu}}"
             memory: "{{.ConfigItems.metrics_service_mem}}"
+        volumeMounts:
+        - name: tmp-dir
+          mountPath: /tmp
+      volumes:
+      # mount in tmp so we can safely use from-scratch images and/or read-only containers
+      - name: tmp-dir
+        emptyDir: {}

cluster/manifests/metrics-server/metrics-server-vpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling.k8s.io/v1beta1
+apiVersion: autoscaling.k8s.io/v1beta2
 kind: VerticalPodAutoscaler
 metadata:
   name: metrics-server-vpa

cluster/manifests/metrics-server/rbac.yaml

@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: system:metrics-server
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - pods
+  - nodes
+  - nodes/stats
+  verbs:
+  - get
+  - list
+  - watch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: system:metrics-server
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:metrics-server
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: RoleBinding
+metadata:
+  name: metrics-server-auth-reader
+  namespace: kube-system
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: extension-apiserver-authentication-reader
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+  name: metrics-server:system:auth-delegator
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: system:auth-delegator
+subjects:
+- kind: ServiceAccount
+  name: metrics-server
+  namespace: kube-system

cluster/manifests/nvidia/nvidia-driver-installer.yaml

@@ -53,10 +53,10 @@ spec:
         resources:
           limits:
             cpu: 150m
-            memory: 512Mi
+            memory: 768Mi
           requests:
             cpu: 150m
-            memory: 512Mi
+            memory: 768Mi
         securityContext:
           privileged: true
         env:
@@ -82,7 +82,7 @@ spec:
         resources:
           limits:
             cpu: 150m
-            memory: 512Mi
+            memory: 768Mi
           requests:
             cpu: 150m
-            memory: 512Mi
+            memory: 768Mi

cluster/manifests/prometheus/prometheus-vpa.yaml

@@ -1,4 +1,4 @@
-apiVersion: autoscaling.k8s.io/v1beta1
+apiVersion: autoscaling.k8s.io/v1beta2
 kind: VerticalPodAutoscaler
 metadata:
   name: prometheus-vpa

cluster/manifests/prometheus/statefulset.yaml

@@ -4,7 +4,7 @@ metadata:
   annotations:
   labels:
     application: prometheus
-    version: v2.6.0
+    version: v2.8.1
   name: prometheus
   namespace: kube-system
 spec:
@@ -17,7 +17,7 @@ spec:
     metadata:
       labels:
         application: prometheus
-        version: v2.6.0
+        version: v2.8.1
       annotations:
         config/hash: {{"configmap.yaml" | manifestHash}}
     spec:
@@ -28,7 +28,7 @@ spec:
       priorityClassName: system-cluster-critical
       containers:
       - name: prometheus
-        image: registry.opensource.zalan.do/teapot/prometheus:v2.6.0
+        image: registry.opensource.zalan.do/teapot/prometheus:v2.8.1
         args:
         - "--config.file=/etc/prometheus/prometheus.yml"
         - "--storage.tsdb.path=/prometheus/"

cluster/manifests/skipper/deployment.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: kube-system
   labels:
     application: skipper-ingress
-    version: v0.10.195
+    version: v0.10.203
     component: ingress
 spec:
   strategy:
@@ -18,7 +18,7 @@ spec:
     metadata:
       labels:
         application: skipper-ingress
-        version: v0.10.195
+        version: v0.10.203
         component: ingress
       annotations:
         kubernetes-log-watcher/scalyr-parser: |
@@ -42,7 +42,7 @@ spec:
       hostNetwork: true
       containers:
       - name: skipper-ingress
-        image: registry.opensource.zalan.do/pathfinder/skipper:v0.10.195
+        image: registry.opensource.zalan.do/pathfinder/skipper:v0.10.203
         ports:
         - name: ingress-port
           containerPort: 9999
@@ -80,6 +80,7 @@ spec:
           - "-api-usage-monitoring-realm-keys=https://identity.zalando.com/realm"
           - "-api-usage-monitoring-client-keys=https://identity.zalando.com/managed-id,sub"
           - "-api-usage-monitoring-default-client-tracking-pattern=services[.].*"
+          - "-default-filters-dir=/etc/config/default-filters"
 {{ end }}
           - "-max-audit-body=0"
 {{ if eq .ConfigItems.skipper_clusterratelimit "true"}}
@@ -88,7 +89,7 @@ spec:
 {{ end }}
           - "-oauth2-tokeninfo-url={{ .ConfigItems.tokeninfo_url }}"
           - "-histogram-metric-buckets=.0001,.00025,.0005,.00075,.001,.0025,.005,.0075,.01,.025,.05,.075,.1,.2,.3,.4,.5,.75,1,2,3,4,5,7,10,15,20,30,60,120,300,600"
-          - "-opentracing=lightstep component-name=skipper-ingress token=$(LIGHTSTEP_TOKEN) collector=tracing.stups.zalan.do:8444 cmd-line=skipper-ingress max-buffered-spans=4096"
+          - "-opentracing=lightstep component-name=skipper-ingress token=$(LIGHTSTEP_TOKEN) collector=tracing.stups.zalan.do:8444 cmd-line=skipper-ingress max-buffered-spans={{ .ConfigItems.skipper_ingress_tracing_buffer }}"
           - "-expect-continue-timeout-backend={{ .ConfigItems.skipper_expect_continue_timeout_backend }}"
           - "-keepalive-backend={{ .ConfigItems.skipper_keepalive_backend }}"
           - "-max-idle-connection-backend={{ .ConfigItems.skipper_max_idle_connection_backend }}"