feat: enable protectKernelDefaults in kubelet_spec

Enable the kubelet's builtin kernel configuration checks. Also limits streaming connection timeout. Fixes #5002 Fixes #4990 Signed-off-by: Seán C McCord <ulexus@gmail.com>
2022-02-16 17:07:07 -05:00 · 2022-02-16 17:07:07 -05:00 · a5fb271ac8
commit a5fb271ac8
parent b7a1e04310
5 changed files with 44 additions and 3 deletions
--- a/hack/release.toml
+++ b/hack/release.toml
@ -26,6 +26,16 @@ with a single `--mode` flag that can take the following values:
 - `reboot` force reboot with apply config.
 - `staged` write new machine configuration to STATE, but don't apply it (it will be applied after a reboot).
 - `interactive` starts interactive installer, only for `apply`.
+"""
+
+    [notes.kubelet]
+        title = "Kubelet conformance tweaks"
+        description="""\
+A number of conformance tweaks have been made to the `kubelet` to allow it to run without
+`protectKernelDefaults`.
+This includes both kubelet configuration options and sysctls.
+Of particular note is that Talos now sets the `kernel.panic` reboot interval to 10s instead of 1s.
+If your kubelet fails to start after the upgrade, please check the `kubelet` logs to determine the problem.
 """

    [notes.updates]
--- a/internal/app/machined/pkg/controllers/k8s/kubelet_spec.go
+++ b/internal/app/machined/pkg/controllers/k8s/kubelet_spec.go
@ -8,6 +8,7 @@ import (
 	"context"
 	"fmt"
 	"strings"
+	"time"

 	"github.com/AlekSi/pointer"
 	"github.com/cosi-project/runtime/pkg/controller"
@ -19,13 +20,16 @@ import (
 	"k8s.io/component-base/config/v1alpha1"
 	kubeletconfig "k8s.io/kubelet/config/v1beta1"

+	v1alpha1runtime "github.com/talos-systems/talos/internal/app/machined/pkg/runtime"
 	"github.com/talos-systems/talos/pkg/argsbuilder"
 	"github.com/talos-systems/talos/pkg/machinery/constants"
 	"github.com/talos-systems/talos/pkg/machinery/resources/k8s"
 )

 // KubeletSpecController renders manifests based on templates and config/secrets.
-type KubeletSpecController struct{}
+type KubeletSpecController struct {
+	V1Alpha1Mode v1alpha1runtime.Mode
+}

 // Name implements controller.Controller interface.
 func (ctrl *KubeletSpecController) Name() string {
@ -156,6 +160,13 @@ func (ctrl *KubeletSpecController) Run(ctx context.Context, r controller.Runtime

 		kubeletConfig := newKubeletConfiguration(cfgSpec.ClusterDNS, cfgSpec.ClusterDomain)

+		// If our platform is container, we cannot rely on the ability to change kernel parameters.
+		// Therefore, we need to NOT attempt to enforce the kernel parameter checking done by the kubelet
+		// when the `ProtectKernelDefaults` setting is enabled.
+		if ctrl.V1Alpha1Mode != v1alpha1runtime.ModeContainer {
+			kubeletConfig.ProtectKernelDefaults = false
+		}
+
 		unstructuredConfig, err := runtime.DefaultUnstructuredConverter.ToUnstructured(kubeletConfig)
 		if err != nil {
 			return fmt.Errorf("error converting to unstructured: %w", err)
@ -221,6 +232,8 @@ func newKubeletConfiguration(clusterDNS []string, dnsDomain string) *kubeletconf
 		Logging: v1alpha1.LoggingConfiguration{
 			Format: "json",
 		},
+		ProtectKernelDefaults:          true,
+		StreamingConnectionIdleTimeout: metav1.Duration{Duration: 5 * time.Minute},
 		TLSMinVersion:                  "VersionTLS13",
 	}
 }
--- a/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
+++ b/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults.go
@ -113,10 +113,18 @@ func (ctrl *KernelParamDefaultsController) getKernelParams() []*kernel.Param {
 			Key:   "net.ipv4.tcp_keepalive_intvl",
 			Value: "60",
 		},
+		{
+			Key:   "kernel.panic",
+			Value: "10",
+		},
 		{
 			Key:   "kernel.pid_max",
 			Value: "262144",
 		},
+		{
+			Key:   "vm.overcommit_memory",
+			Value: "1",
+		},
 	}...)

 	// kernel optimization for kubernetes workloads.
--- a/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults_test.go
+++ b/internal/app/machined/pkg/controllers/runtime/kernel_param_defaults_test.go
@ -36,10 +36,18 @@ func getParams(mode runtime.Mode) []*kernel.Param {
 			Key:   "net.ipv6.conf.default.accept_ra",
 			Value: "2",
 		},
+		{
+			Key:   "kernel.panic",
+			Value: "10",
+		},
 		{
 			Key:   "kernel.pid_max",
 			Value: "262144",
 		},
+		{
+			Key:   "vm.overcommit_memory",
+			Value: "1",
+		},
 	}

 	if mode != runtime.ModeContainer {
--- a/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
+++ b/internal/app/machined/pkg/runtime/v1alpha2/v1alpha2_controller.go
@ -114,7 +114,9 @@ func (ctrl *Controller) Run(ctx context.Context, drainer *runtime.Drainer) error
 		&k8s.KubeletServiceController{
 			V1Alpha1Services: system.Services(ctrl.v1alpha1Runtime),
 		},
-		&k8s.KubeletSpecController{},
+		&k8s.KubeletSpecController{
+			V1Alpha1Mode: ctrl.v1alpha1Runtime.State().Platform().Mode(),
+		},
 		&k8s.KubeletStaticPodController{},
 		&k8s.ManifestController{},
 		&k8s.ManifestApplyController{},