kubernetes
/
minikube
mirror of https://github.com/kubernetes/minikube.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge branch 'master' into none-timeout

pull/8664/head
Thomas Stromberg 2020-07-08 13:48:34 -07:00
parent 7df4075297 b6f0829d7d
commit f8068d06f7
24 changed files with 359 additions and 91 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
Makefile Executable file → Normal file
View File

2
cmd/minikube/cmd/root_test.go
View File

@ -115,7 +115,7 @@ func hideEnv(t *testing.T) func(t *testing.T) {
func TestPreRunDirectories(t *testing.T) {
// Make sure we create the required directories.
tempDir := tests.MakeTempDir()
defer os.RemoveAll(tempDir)
defer tests.RemoveTempDir(tempDir)
runCommand(RootCmd.PersistentPreRun)

14
cmd/minikube/cmd/start.go
View File

@ -898,6 +898,20 @@ func validateFlags(cmd *cobra.Command, drvName string) {
}
}
// validate kubeadm extra args
if invalidOpts := bsutil.FindInvalidExtraConfigFlags(config.ExtraOptions); len(invalidOpts) > 0 {
out.ErrT(
out.Warning,
"These --extra-config parameters are invalid: {{.invalid_extra_opts}}",
out.V{"invalid_extra_opts": invalidOpts},
)
exit.WithCodeT(
exit.Config,
"Valid components are: {{.valid_extra_opts}}",
out.V{"valid_extra_opts": bsutil.KubeadmExtraConfigOpts},
)
}
// check that kubeadm extra args contain only allowed parameters
for param := range config.ExtraOptions.AsMap().Get(bsutil.Kubeadm) {
if !config.ContainsParam(bsutil.KubeadmExtraArgsAllowed[bsutil.KubeadmCmdParam], param) &&

132
deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl Normal file
View File

@ -0,0 +1,132 @@
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: privileged
annotations:
seccomp.security.alpha.kubernetes.io/allowedProfileNames: "*"
labels:
addonmanager.kubernetes.io/mode: EnsureExists
spec:
privileged: true
allowPrivilegeEscalation: true
allowedCapabilities:
- "*"
volumes:
- "*"
hostNetwork: true
hostPorts:
- min: 0
max: 65535
hostIPC: true
hostPID: true
runAsUser:
rule: 'RunAsAny'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'RunAsAny'
fsGroup:
rule: 'RunAsAny'
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
spec:
privileged: false
allowPrivilegeEscalation: false
requiredDropCapabilities:
- ALL
volumes:
- 'configMap'
- 'emptyDir'
- 'projected'
- 'secret'
- 'downwardAPI'
- 'persistentVolumeClaim'
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
# Forbid adding the root group.
- min: 1
max: 65535
readOnlyRootFilesystem: false
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:privileged
labels:
addonmanager.kubernetes.io/mode: EnsureExists
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- privileged
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: psp:restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
rules:
- apiGroups: ['policy']
resources: ['podsecuritypolicies']
verbs: ['use']
resourceNames:
- restricted
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: default:restricted
labels:
addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:restricted
subjects:
- kind: Group
name: system:authenticated
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: default:privileged
namespace: kube-system
labels:
addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: psp:privileged
subjects:
- kind: Group
name: system:masters
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:nodes
apiGroup: rbac.authorization.k8s.io
- kind: Group
name: system:serviceaccounts:kube-system
apiGroup: rbac.authorization.k8s.io

5
pkg/addons/config.go
View File

@ -156,4 +156,9 @@ var Addons = []*Addon{
set: SetBool,
callbacks: []setFn{enableOrDisableAddon},
},
{
name: "pod-security-policy",
set: SetBool,
callbacks: []setFn{enableOrDisableAddon},
},
}

2
pkg/drivers/common_test.go
View File

@ -27,7 +27,7 @@ import (
func Test_createDiskImage(t *testing.T) {
tmpdir := tests.MakeTempDir()
defer os.RemoveAll(tmpdir)
defer tests.RemoveTempDir(tmpdir)
sshPath := filepath.Join(tmpdir, "ssh")
if err := ioutil.WriteFile(sshPath, []byte("mysshkey"), 0644); err != nil {

2
pkg/drivers/hyperkit/network_test.go
View File

@ -51,7 +51,7 @@ var validLeases = []byte(`{
func Test_getIpAddressFromFile(t *testing.T) {
tmpdir := tests.MakeTempDir()
defer os.RemoveAll(tmpdir)
defer tests.RemoveTempDir(tmpdir)
dhcpFile := filepath.Join(tmpdir, "dhcp")
if err := ioutil.WriteFile(dhcpFile, validLeases, 0644); err != nil {

8
pkg/minikube/assets/addons.go
View File

@ -81,6 +81,14 @@ var Addons = map[string]*Addon{
"0640",
false),
}, true, "default-storageclass"),
"pod-security-policy": NewAddon([]*BinAsset{
MustBinAsset(
"deploy/addons/pod-security-policy/pod-security-policy.yaml.tmpl",
vmpath.GuestAddonsDir,
"pod-security-policy.yaml",
"0640",
false),
}, false, "pod-security-policy"),
"storage-provisioner": NewAddon([]*BinAsset{
MustBinAsset(
"deploy/addons/storage-provisioner/storage-provisioner.yaml.tmpl",

33
pkg/minikube/bootstrapper/bsutil/extraconfig.go
View File

@ -95,6 +95,21 @@ func CreateFlagsFromExtraArgs(extraOptions config.ExtraOptionSlice) string {
return convertToFlags(kubeadmExtraOpts)
}
// FindInvalidExtraConfigFlags returns all invalid 'extra-config' options
func FindInvalidExtraConfigFlags(opts config.ExtraOptionSlice) []string {
invalidOptsMap := make(map[string]struct{})
var invalidOpts []string
for _, extraOpt := range opts {
if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
if _, ok := invalidOptsMap[extraOpt.Component]; !ok {
invalidOpts = append(invalidOpts, extraOpt.Component)
invalidOptsMap[extraOpt.Component] = struct{}{}
}
}
}
return invalidOpts
}
// extraConfigForComponent generates a map of flagname-value pairs for a k8s
// component.
func extraConfigForComponent(component string, opts config.ExtraOptionSlice, version semver.Version) (map[string]string, error) {
@ -133,20 +148,12 @@ func defaultOptionsForComponentAndVersion(component string, version semver.Versi
// newComponentOptions creates a new componentOptions
func newComponentOptions(opts config.ExtraOptionSlice, version semver.Version, featureGates string, cp config.Node) ([]componentOptions, error) {
if invalidOpts := FindInvalidExtraConfigFlags(opts); len(invalidOpts) > 0 {
return nil, fmt.Errorf("unknown components %v. valid components are: %v", invalidOpts, KubeadmExtraConfigOpts)
}
var kubeadmExtraArgs []componentOptions
for _, extraOpt := range opts {
if _, ok := componentToKubeadmConfigKey[extraOpt.Component]; !ok {
return nil, fmt.Errorf("unknown component %q. valid components are: %v", componentToKubeadmConfigKey, componentToKubeadmConfigKey)
}
}
keys := []string{}
for k := range componentToKubeadmConfigKey {
keys = append(keys, k)
}
sort.Strings(keys)
for _, component := range keys {
for _, component := range KubeadmExtraConfigOpts {
kubeadmComponentKey := componentToKubeadmConfigKey[component]
if kubeadmComponentKey == "" {
continue

59
pkg/minikube/bootstrapper/bsutil/extraconfig_test.go Normal file
View File

@ -0,0 +1,59 @@
/*
Copyright 2016 The Kubernetes Authors All rights reserved.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
// Package bsutil will eventually be renamed to kubeadm package after getting rid of older one
package bsutil
import (
"reflect"
"testing"
"k8s.io/minikube/pkg/minikube/config"
)
func TestFindInvalidExtraConfigFlags(t *testing.T) {
defaultOpts := getExtraOpts()
badOption1 := config.ExtraOption{Component: "bad_option_1"}
badOption2 := config.ExtraOption{Component: "bad_option_2"}
tests := []struct {
name string
opts config.ExtraOptionSlice
want []string
}{
{
name: "with valid options only",
opts: defaultOpts,
want: nil,
},
{
name: "with invalid options",
opts: append(defaultOpts, badOption1, badOption2),
want: []string{"bad_option_1", "bad_option_2"},
},
{
name: "with invalid options and duplicates",
opts: append(defaultOpts, badOption2, badOption1, badOption1),
want: []string{"bad_option_2", "bad_option_1"},
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := FindInvalidExtraConfigFlags(tt.opts); !reflect.DeepEqual(got, tt.want) {
t.Errorf("FindInvalidExtraConfigFlags() = %v, want %v", got, tt.want)
}
})
}
}

19
pkg/minikube/bootstrapper/bsutil/kubeadm.go
View File

@ -147,15 +147,26 @@ func GenerateKubeadmYAML(cc config.ClusterConfig, n config.Node, r cruntime.Mana
// These are the components that can be configured
// through the "extra-config"
const (
Kubelet = "kubelet"
Kubeadm = "kubeadm"
Apiserver = "apiserver"
Scheduler = "scheduler"
ControllerManager = "controller-manager"
Kubeproxy = "kube-proxy"
Scheduler = "scheduler"
Etcd = "etcd"
Kubeadm = "kubeadm"
Kubeproxy = "kube-proxy"
Kubelet = "kubelet"
)
// KubeadmExtraConfigOpts is a list of allowed "extra-config" components
var KubeadmExtraConfigOpts = []string{
Apiserver,
ControllerManager,
Scheduler,
Etcd,
Kubeadm,
Kubelet,
Kubeproxy,
}
// InvokeKubeadm returns the invocation command for Kubeadm
func InvokeKubeadm(version string) string {
return fmt.Sprintf("sudo env PATH=%s:$PATH kubeadm", binRoot(version))

2
pkg/minikube/bootstrapper/certs_test.go
View File

@ -30,7 +30,7 @@ import (
func TestSetupCerts(t *testing.T) {
tempDir := tests.MakeTempDir()
defer os.RemoveAll(tempDir)
defer tests.RemoveTempDir(tempDir)
k8s := config.KubernetesConfig{
APIServerName: constants.APIServerName,

1
pkg/minikube/kubeconfig/context_test.go
View File

@ -26,6 +26,7 @@ import (
func TestDeleteContext(t *testing.T) {
// See kubeconfig_test
fn := tempFile(t, kubeConfigWithoutHTTPS)
defer os.Remove(fn)
if err := DeleteContext("la-croix", fn); err != nil {
t.Fatal(err)
}

3
pkg/minikube/kubeconfig/kubeconfig_test.go
View File

@ -263,6 +263,7 @@ func TestVerifyEndpoint(t *testing.T) {
t.Run(test.description, func(t *testing.T) {
t.Parallel()
configFilename := tempFile(t, test.existing)
defer os.Remove(configFilename)
err := VerifyEndpoint("minikube", test.hostname, test.port, configFilename)
if err != nil && !test.err {
t.Errorf("Got unexpected error: %v", err)
@ -330,6 +331,7 @@ func TestUpdateIP(t *testing.T) {
t.Run(test.description, func(t *testing.T) {
t.Parallel()
configFilename := tempFile(t, test.existing)
defer os.Remove(configFilename)
statusActual, err := UpdateEndpoint("minikube", test.hostname, test.port, configFilename)
if err != nil && !test.err {
t.Errorf("Got unexpected error: %v", err)
@ -419,6 +421,7 @@ func Test_Endpoint(t *testing.T) {
for _, test := range tests {
t.Run(test.description, func(t *testing.T) {
configFilename := tempFile(t, test.cfg)
defer os.Remove(configFilename)
hostname, port, err := Endpoint("minikube", configFilename)
if err != nil && !test.err {
t.Errorf("Got unexpected error: %v", err)

28
pkg/minikube/machine/client_test.go
View File

@ -19,18 +19,15 @@ package machine
import (
"bufio"
"fmt"
"io/ioutil"
"log"
"net"
"os"
"path/filepath"
"testing"
"github.com/docker/machine/libmachine/drivers/plugin/localbinary"
"k8s.io/minikube/pkg/minikube/driver"
"k8s.io/minikube/pkg/minikube/localpath"
_ "k8s.io/minikube/pkg/minikube/registry/drvs/virtualbox"
testutil "k8s.io/minikube/pkg/minikube/tests"
)
const vboxConfig = `
@ -113,24 +110,9 @@ func TestLocalClientNewHost(t *testing.T) {
}
}
func makeTempDir() string {
tempDir, err := ioutil.TempDir("", "minipath")
if err != nil {
log.Fatal(err)
}
tempDir = filepath.Join(tempDir, ".minikube")
os.Setenv(localpath.MinikubeHome, tempDir)
return localpath.MiniPath()
}
func TestRunNotDriver(t *testing.T) {
tempDir := makeTempDir()
defer func() { //clean up tempdir
err := os.RemoveAll(tempDir)
if err != nil {
t.Errorf("failed to clean up temp folder %q", tempDir)
}
}()
tempDir := testutil.MakeTempDir()
defer testutil.RemoveTempDir(tempDir)
StartDriver()
if !localbinary.CurrentBinaryIsDockerMachine {
t.Fatal("CurrentBinaryIsDockerMachine not set. This will break driver initialization.")
@ -140,8 +122,8 @@ func TestRunNotDriver(t *testing.T) {
func TestRunDriver(t *testing.T) {
// This test is a bit complicated. It verifies that when the root command is
// called with the proper environment variables, we setup the libmachine driver.
tempDir := makeTempDir()
defer os.RemoveAll(tempDir)
tempDir := testutil.MakeTempDir()
defer testutil.RemoveTempDir(tempDir)
os.Setenv(localbinary.PluginEnvKey, localbinary.PluginEnvVal)
os.Setenv(localbinary.PluginEnvDriverName, driver.VirtualBox)

25
pkg/minikube/machine/filesync_test.go
View File

@ -17,26 +17,16 @@ limitations under the License.
package machine
import (
"io/ioutil"
"os"
"path/filepath"
"testing"
"github.com/google/go-cmp/cmp"
"k8s.io/minikube/pkg/minikube/localpath"
testutil "k8s.io/minikube/pkg/minikube/tests"
"k8s.io/minikube/pkg/minikube/vmpath"
)
func setupTestDir() (string, error) {
path, err := ioutil.TempDir("", "minipath")
if err != nil {
return "", err
}
os.Setenv(localpath.MinikubeHome, path)
return path, err
}
func TestAssetsFromDir(t *testing.T) {
tests := []struct {
description string
@ -107,17 +97,8 @@ func TestAssetsFromDir(t *testing.T) {
for _, test := range tests {
t.Run(test.description, func(t *testing.T) {
testDir, err := setupTestDir()
defer func() { //clean up tempdir
err := os.RemoveAll(testDir)
if err != nil {
t.Errorf("failed to clean up temp folder %q", testDir)
}
}()
if err != nil {
t.Errorf("got unexpected error creating test dir: %v", err)
return
}
testDir := testutil.MakeTempDir()
defer testutil.RemoveTempDir(testDir)
testDirs = append(testDirs, testDir)
testFileBaseDir := filepath.Join(testDir, test.baseDir)

4
pkg/minikube/notify/notify_test.go
View File

@ -43,7 +43,7 @@ func TestMaybePrintUpdateTextFromGithub(t *testing.T) {
func TestShouldCheckURL(t *testing.T) {
tempDir := tests.MakeTempDir()
defer os.RemoveAll(tempDir)
defer tests.RemoveTempDir(tempDir)
lastUpdateCheckFilePath := filepath.Join(tempDir, "last_update_check")
@ -152,7 +152,7 @@ func TestGetLatestVersionFromURLMalformed(t *testing.T) {
func TestMaybePrintUpdateText(t *testing.T) {
tempDir := tests.MakeTempDir()
defer os.RemoveAll(tempDir)
defer tests.RemoveTempDir(tempDir)
outputBuffer := tests.NewFakeFile()
out.SetErrFile(outputBuffer)

7
pkg/minikube/tests/dir_utils.go
View File

@ -45,6 +45,13 @@ func MakeTempDir() string {
return localpath.MiniPath()
}
func RemoveTempDir(tempdir string) {
if filepath.Base(tempdir) == ".minikube" {
tempdir = filepath.Dir(tempdir)
}
os.RemoveAll(tempdir)
}
// FakeFile satisfies fdWriter
type FakeFile struct {
b bytes.Buffer

22
site/content/en/docs/drivers/includes/podman_usage.inc
View File

@ -1,20 +1,22 @@
## experimental
## Experimental
This is an experimental driver. please use it only for experimental reasons.
for a better kubernetes in container experience, use docker [driver]({{< ref "/docs/drivers/docker/" >}})
## Install Podman
- [Podman](https://podman.io/getting-started/installation.html)
This is an experimental driver. Please use it only for experimental reasons until it has reached maturity. For a more reliable minikube experience, use a non-experimental driver, like [Docker]({{< ref "/docs/drivers/docker.md" >}}).
## Usage
Start a cluster using the podman driver:
It's recommended to run minikube with the podman driver and [CRI-O container runtime](https://https://cri-o.io/):
```shell
minikube start --driver=podman
minikube start --driver=podman --container-runtime=cri-o
```
To make docker the default driver:
Alternatively, start minikube with the podman driver only:
```shell
minikube start --driver=podman
```
To make podman the default driver:
```shell
minikube config set driver podman

4
site/content/en/docs/drivers/kvm2.md
View File

@ -37,6 +37,10 @@ The `minikube start` command supports 3 additional kvm specific flags:
Also see [co/kvm2 open issues](https://github.com/kubernetes/minikube/labels/co%2Fkvm2)
### Nested Virtulization
If you are running KVM in a nested virtualization environment ensure your config the kernel modules correctly follow either [this](https://stafwag.github.io/blog/blog/2018/06/04/nested-virtualization-in-kvm/) or [this](VM follow to config the kernel modules. also https://computingforgeeks.com/how-to-install-kvm-virtualization-on-debian/) tutorial.
## Troubleshooting
* Run `virt-host-validate` and check for the suggestions.
* Run `minikube start --alsologtostderr -v=7` to debug crashes

31
site/content/en/docs/drivers/podman.md
View File

@ -11,21 +11,36 @@ aliases:
This driver is experimental and in active development. Help wanted!
{{% /pageinfo %}}
The podman driver is another kubernetes in container driver for minikube. similar to [docker](https://minikube.sigs.k8s.io/docs/drivers/docker/) driver. The podman driver is experimental, and only supported on Linux and macOS (with a remote podman server).
The podman driver is an alternative container runtime to the [Docker]({{< ref "/docs/drivers/docker.md" >}}) driver.
## Requirements
- Install [Podman](https://podman.io/getting-started/installation)
- amd64 system
- Linux or macOS operating systems on amd64 architecture
- Install [podman](https://podman.io/getting-started/installation.html)
## Try it with CRI-O container runtime.
```shell
minikube start --driver=podman --container-runtime=cri-o
```
{{% readfile file="/docs/drivers/includes/podman_usage.inc" %}}
## Known Issues
- Podman driver is not supported on non-amd64 architectures such as arm yet. For non-amd64 archs please use [other drivers]({{< ref "/docs/drivers/_index.md" >}})
- Podman requirements passwordless running of sudo. If you run into an error about sudo, do the following:
```shell
$ sudo visudo
```
Then append the following to the section *at the very bottom* of the file where `username` is your user account.
```shell
username ALL=(ALL) NOPASSWD: /usr/bin/podman
```
Be sure this text is *after* `#includedir /etc/sudoers.d`. To confirm it worked, try:
```shell
sudo -k -n podman version
```
## Troubleshooting
- Run `minikube start --alsologtostderr -v=7` to debug errors and crashes

2
site/content/en/docs/handbook/registry.md
View File

@ -107,4 +107,4 @@ docker push localhost:5000/myimage
After the image is pushed, refer to it by `localhost:5000/{name}` in kubectl specs.
##
##

44
site/content/en/docs/tutorials/using_psp.md
View File

@ -13,18 +13,33 @@ This tutorial explains how to start minikube with Pod Security Policies (PSP) en
## Prerequisites
- Minikube 1.5.2 with Kubernetes 1.16.x or higher
- Minikube 1.11.1 with Kubernetes 1.16.x or higher
## Tutorial
Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.
Start minikube with the `PodSecurityPolicy` admission controller and the
`pod-security-policy` addon enabled.
Create the directory:
`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy --addons=pod-security-policy`
The `pod-security-policy` addon must be enabled along with the admission
controller to prevent issues during bootstrap.
## Older versions of minikube
Older versions of minikube do not ship with the `pod-security-policy` addon, so
the policies that addon enables must be separately applied to the cluster.
## Minikube 1.5.2 through 1.6.2
Before starting minikube, you need to give it the PSP YAMLs in order to allow minikube to bootstrap.
Create the directory:
`mkdir -p ~/.minikube/files/etc/kubernetes/addons`
Copy the YAML below into this file: `~/.minikube/files/etc/kubernetes/addons/psp.yaml`
Now start minikube:
Now start minikube:
`minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy`
```yaml
@ -161,3 +176,24 @@ subjects:
name: system:serviceaccounts:kube-system
apiGroup: rbac.authorization.k8s.io
```
### Minikube between 1.6.2 and 1.11.1
With minikube versions greater than 1.6.2 and less than 1.11.1, the YAML files
shown above will not be automatically applied to the cluster. You may have
errors during bootstrap of the cluster if the admission controller is enabled.
To use Pod Security Policies with these versions of minikube, first start a
cluster without the `PodSecurityPolicy` admission controller enabled.
Next, apply the YAML shown above to the cluster.
Finally, stop the cluster and then restart it with the admission controller
enabled.
```
minikube start
kubectl apply -f /path/to/psp.yaml
minikube stop
minikube start --extra-config=apiserver.enable-admission-plugins=PodSecurityPolicy
```

1
test.sh
View File

@ -67,6 +67,7 @@ then
${pkgs} \
&& echo ok || ((exitcode += 32))
tail -n +2 "${cov_tmp}" >>"${COVERAGE_PATH}"
rm ${cov_tmp}
fi
exit "${exitcode}"