If the user has provided a KubeProxyConfiguration component
config with 'mode: ipvs' show a warning saying that IPVS
mode has been deprecated since 1.35. Recommend 'nftables'
which has been GA since 1.33, or the legacy 'iptables' on
older kernels.
RetrieveValidatedConfigInfo previously read the response body of the
cluster-info HTTP GET unconditionally, then attempted to parse it as a
kubeconfig. A non-200 response (e.g. 404, 5xx, or an HTML error page
from a misconfigured server) would silently flow into clientcmd.Load()
and produce a confusing parse error far from the actual cause.
Match the pattern already used in cmd/kubeadm/app/util/version.go and
return a clear error if the server responds with anything other than
200 OK.
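The status check described in the message above, as an added sketch that is not kubeadm's code: `fetchClusterInfo`, `demo`, `maxBody` and the URL are hypothetical names, and the responses are constructed in memory so it runs offline.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// maxBody caps how much of the response is read (assumed limit for this sketch).
const maxBody = 1 << 20

// fetchClusterInfo is a hypothetical helper, not kubeadm's function. It returns
// the body only on 200 OK, so an error page never reaches the kubeconfig parser.
func fetchClusterInfo(client *http.Client, url string) ([]byte, error) {
	resp, err := client.Get(url)
	if err != nil {
		return nil, fmt.Errorf("fetching %s: %w", url, err)
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("fetching %s: unexpected status %q", url, resp.Status)
	}
	return io.ReadAll(io.LimitReader(resp.Body, maxBody))
}

// roundTripFunc lets a plain function stand in for the network transport.
type roundTripFunc func(*http.Request) (*http.Response, error)

func (f roundTripFunc) RoundTrip(r *http.Request) (*http.Response, error) { return f(r) }

// demo answers one request with a constructed status and body, then fetches it.
func demo(status int, body string) ([]byte, error) {
	rt := roundTripFunc(func(*http.Request) (*http.Response, error) {
		rec := httptest.NewRecorder()
		rec.WriteHeader(status)
		rec.WriteString(body)
		return rec.Result(), nil
	})
	// Placeholder URL; it is never resolved because the transport is stubbed.
	return fetchClusterInfo(&http.Client{Transport: rt}, "https://cluster-info.invalid/kubeconfig")
}

func main() {
	b, err := demo(http.StatusOK, "apiVersion: v1\nkind: Config\n")
	fmt.Printf("200: bytes=%d err=%v\n", len(b), err)
	b, err = demo(http.StatusNotFound, "<html>404 page not found</html>")
	fmt.Printf("404: bytes=%d err=%v\n", len(b), err)
}
```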
fetchInitConfigurationFromJoinConfiguration assigned to
`tlsBootstrapCfg.Contexts[tlsBootstrapCfg.CurrentContext].Cluster`
without checking that the current-context entry actually exists in the
context map. If the TLS bootstrap kubeconfig is malformed (or the
current-context name has been edited away), this produces a nil pointer
dereference and crashes `kubeadm join` instead of returning a clear
error.
Adopt the same defensive pattern already used in
`cmd/kubeadm/app/cmd/phases/init/kubeletfinalize.go`:
```
currentContext, ok := tlsBootstrapCfg.Contexts[tlsBootstrapCfg.CurrentContext]
if !ok || currentContext == nil {
    return nil, errors.Errorf("...current-context...not found...")
}
currentContext.Cluster = initConfiguration.ClusterName
```
- The feature gate graduated to GA in 1.36 and was already
locked to enabled. It can now be removed in 1.37.
- Error if the instance-config.yaml is not present.
- The phases/patchnode is now redundant and can be removed.
- The annotation constant AnnotationKubeadmCRISocket is now removed.
FetchInitConfigurationFromCluster always called SetAPIEndpointDynamicDefaults,
which invokes ChooseAPIServerBindAddress and requires a default route on the
host. Worker nodes joining the cluster don't need a LocalAPIEndpoint and may
legitimately have no default route, causing kubeadm join to fail with:
```
unable to fetch the kubeadm-config ConfigMap: unable to select an IP from
default routes.
```
Add a skipAPIEndpoint parameter to SetInitDynamicDefaults and pass
`!getAPIEndpoint` from FetchInitConfigurationFromCluster, so the endpoint
defaulter is bypassed when the caller did not request the endpoint (worker
join, non-control-plane reset/certs/upgrade paths).
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
Simplify the interface between cmd/kube-proxy and the backends by
passing the complete KubeProxyConfiguration to the backend rather than
having kube-proxy need to know specifically which fields each backend
cares about.
Historically the kubeadm clients have used the 'admin.conf'
and 'super-admin.conf' directly, which makes all API calls
go through the CPE (control plane endpoint). This can create
problems for scenarios when the LB is provisioned only after
'init' starts the kube-apiserver.
Instead of using the '.conf' as they are, modify them
in memory to point to the LAE (localAPIEndpoint).
This was already done by the WaitControlPlaneClient for
the WaitControlPlane phase, which required it. This separate
client is no longer needed.
However, do use an unmodified kubeconfig to the init phase
bootstrap-token since this is the phase that creates
the cluster-info CM and for that we need the original CPE
server address.
This aligns with other uses and allows v1.12.0 to be dropped.
Remaining users of older semconv versions (v1.17.0) use http.target
which is no longer defined after v1.25.0.
Signed-off-by: Stephen Kitt <skitt@redhat.com>
Move isLearner and isStarted variables to the outer var block of
MemberPromote so their values are accessible after the poll loop.
After the poll, if isLearner is false the member was already promoted,
so return nil early without issuing a redundant promote call.
- PortOpenCheck now accepts an address to check port availability on a
specific interface.
- InitNodeChecks uses the bind-address knowledge for the port checks.
- For ETCD we check the advertise address instead.
Note: This works for bindAddress set through extraArgs. It will not work for patches that are applied later.
Signed-off-by: Lennart Jern <lennart.jern@est.tech>