From 19ad5d6276ceae89f8ef2f9d68298e7ac54d6fe0 Mon Sep 17 00:00:00 2001
From: shabir61 <54858493+shabir61@users.noreply.github.com>
Date: Tue, 12 May 2020 21:29:23 -0500
Subject: [PATCH] sync code with upstream (#10)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

* Moving log collector script to Amazon eks ami repo (#243)
* Moving log collector script to this repo
* Added changes according to 1.4.1
* Update eks-log-collector.sh URL on readme
  The instructions on readme were still pointing at the original repository. Updating to reflect the new location
* remove kubectl dependency (#295)
* Added CHANGELOG for v20190701
* Install ec2-instance-connect
* refactor packer variables
* Add c5.12xlarge and c5.24xlarge instances
* Add new m5 and r5 instances
* Fix t3a.small limit
* add support for ap-east-1 region (#305)
* 2107 allow private ssh when building (#303)
* added a set of variables to allow private ssh to non-default vpc
* make filepaths of ./files/ and install-worker relative to packer template dir
* updated ami_description to a variable
* change the amiName pattern to use minor version (#307)
* update S3_URL_BASE environment variable in install-worker.sh
* v20190814 release (#316)
* Update list of instance types (#320)
* Add all new instance types already added to the CNI
* Add support for the u-*tb1.metal instances (Fix #319)
* add support for me-south-1 region (#322)
* Adding new directory and file for 1.14 and above by removing --allow-privileged=true flag (#327)
* Add Change log for AMI Release v20190906 (#329)
* sync nodegroup template to latest available (#335)
* sync eks node group template to be latest available
  1. add support to use ssm parameter for amiID
  2. add support for all instance types supported by cni
  3. formatted with rain (https://github.com/aws-cloudformation/rain)
* add new CFN version 2019-09-17
* Add support for g4 instance family
* Add G4DN instance family to node group template
* Add change log for AMI Release v20190927 (#345)
* Add 1.14 to the EKS Makefile and update older versions (#336)
  Add 1.14 to the list of Makefile targets. Remove 1.10 as it's no longer a supported version. Update versions and build dates for older EKS versions
* Add support for m5n/m5dn/r5n/r5dn instances
* Remove snowflake for kubelet secret-polling config (#352)
* Set a minimum evictionHard and kubeReserved
* Output the autoscaling group name
  The name of the AutoScaling Group is useful for things like the Cluster Autoscaler so that it can manage automatic cluster scaling.
* #361 - custom pause container image support (#362)
* #361 - custom pause container image support
* Set kubeReserved dynamically and evictionHard statically (#367)
* Updating Docker version (#373)
* Remove the ec2-net-utils package (#368)
* Remove the ec2-net-utils package
* Add code comment to describe the ec2-net-utils change
* Make 'kube-bench' happy.
  Signed-off-by: Bruno Miguel Custódio
* add support for c5d.12x/c5d.24x/c5d.metal
* Adding new instance types (m6g) (#378)
* Revert "Make 'kube-bench' happy." since there are changes being concerned (#381)
  This reverts commit 593691ee46b2df9e7d3fa17818fe63724a78ed59.
* Fixed setting of DNS_CLUSTER_IP in bootstrap.sh (#226)
* Replaced API calls for deciding DNS_CLUSTER_IP with arg
* Bypass the metadata calls to avoid 404 errors
* Fall back to MAC logic if --dns-cluster-ip is absent
* Updated comment for --dns-cluster-ip
* Support docker-in-docker by only returning the oldest dockerd process
* TLS Ciphersuite: restrict to TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  See section 2.1.14 of the CIS benchmark:
  > [2.1.14] Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers
  > If using a Kubelet config file, edit the file to set TLSCipherSuites: to TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
  > If using executable arguments, edit the kubelet service file /etc/systemd/system/kubelet.service on each worker node and set the below parameter.
  > --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
  Note that this is a regression, this had been set previously in PR #276 but got lost in #352.
* Script for collecting Windows and Ubuntu worker logs (#354)
* Script for collecting Windows worker logs
* Ubuntu support and directory re-org
* Collect files from EKS logs folder
* Updates to kubelet svc and kubeconfig
* Updated Readme for Windows
* add ability to specify aws_region & binary_bucket_region & source_ami_owners (#396)
* adding support for china regions (#398)
* kubelet.service should wait for iptables lock (#401)
  This commit makes kubelet.service wait up to 5 seconds for an iptables lock in the `ExecStartPre` step, instead of failing immediately if something else is holding the lock.
* fix tls suite to be recommended by cis bench (#403)
* Fix retries in bootstrap.sh
  If `aws eks describe-cluster` fails the first time, the retries never work because the `rc` value is never able to be set back to zero
* update binaries to use latest ones (#408)
* validate_yum (#411)
* add ability to use precreated security group (#412)
* add scripts folder (#413)
* Remove invalid target 1.11 (#421)
  Currently, AWS EKS no longer supports Kubernetes 1.11
* Update install-worker.sh and eks-worker-al2.json (#402)
* Update install-worker.sh and eks-worker-al2.json
* Update kubelet.service
* added ability to share amis in builder
* added ability to share amis in builder
* Rebasing from master
* Added remote_folder to cleanup_additional_repos.sh provisioner
* Added remote_folder to install_additional_repos.sh provisioner
* Added remote_folder to validate.sh provisioner
* Remove mutating calls and ignore collection of unknown logs
* Added 1.15 support and removed --allow-privileged flag from all EKS supported versions (1.12+). (#428)
* Fix URL for 1.15 binaries (#429)
* Fixed amazon-eks-nodegroup.yaml lint issues
* Consistent Docker GID version in Image (#430)
* Docker install across versions changes the GID for docker, which causes problems for consistency.
  This commit solves it by adding the same GID to the docker install
* Docker install across versions changes the GID for docker, which causes problems for consistency. This commit solves it by adding the same GID to the docker install
  Co-authored-by: Janis Orlovs
* Move compressed file to /var/log (#436)
* Force create the group id (#437)
  "the -f is force, -o is overwrite, meaning if there is an existing group with number 1950, it will create a new one with the name docker"
* Fix useradd to run with privileges
* Removing dependency on Authenticator binary (#440)
* Reducing memory allocated in kubeReserved (#419)
* Revert "Removing dependency on Authenticator binary (#440)" (#446)
  This reverts commit 4e0e9164885e07851ed4a737461349ae6012765e.
* Adding support to upgrade kernel while building AMI (#447)
* fix(amazon-eks-nodegroup): add ec2 service principals for isolated regions
* Add inf1 instance family in EKS AMI packer configuration
* Removed AssociatePublicIpAddress setting from NodeLaunchConfig and added NodeSecurityGroup dependency to SG Ingress/Egress (#450)
  Co-authored-by: Vishal Gupta
* Add a flag that allows CNI packages to be pulled from S3 instead of Github. (#457)
  The default behavior is unchanged and will still pull assets from Github.
* update source AMI owner and ECR repo for govcloud (#458)
* updated ipamd information files extension to json (#451)
* updated ipamd data file extension to json
* updated ipamd metrics file extension
* Adding 1.16 to Makefile (#459)
* downgrade
* Add a new manifest containing the AMI name (#471)
  This commit adds a new manifest which contains the AMI name in the manifest filename so that parallel builds can be triggered. Even though the new manifest is now generated along with the current one for backwards compatibility, eventually the old manifest (manifest.json) will be deprecated.
* changelog updated
* added udev setting
* small updates
* some fix
* added udev again

Co-authored-by: Nithish
Co-authored-by: Hugo Ribeiro <33881233+huribeir@users.noreply.github.com>
Co-authored-by: M00nF1sh
Co-authored-by: Micah Hausler
Co-authored-by: Matthew Wong
Co-authored-by: Claes Mogren
Co-authored-by: wong yan yee
Co-authored-by: blakeroberts-wk
Co-authored-by: josselin-c
Co-authored-by: Bhagwat kumar Singh
Co-authored-by: Jiaxin Shan
Co-authored-by: Will Thames
Co-authored-by: Shyam JVS
Co-authored-by: Dwayne Bailey
Co-authored-by: Andrew Johnstone
Co-authored-by: natherz97 <55205932+natherz97@users.noreply.github.com>
Co-authored-by: Kausheel Kumar
Co-authored-by: Bruno Miguel Custódio
Co-authored-by: ajayk
Co-authored-by: sramabad1 <53882229+sramabad1@users.noreply.github.com>
Co-authored-by: Cheng Pan
Co-authored-by: Andrew Hemming
Co-authored-by: Eric Webster
Co-authored-by: Florent Delannoy
Co-authored-by: Arun Bhagyanath <45223433+arun-amzn@users.noreply.github.com>
Co-authored-by: Justin Owen
Co-authored-by: Aaron Ackerman
Co-authored-by: Tam Mach
Co-authored-by: zadowsmash
Co-authored-by: Abeer Sethi <38733827+abeer91@users.noreply.github.com>
Co-authored-by: Will Thames
Co-authored-by: Octavio Martin
Co-authored-by: Jānis Orlovs
Co-authored-by: Janis Orlovs
Co-authored-by: Divyesh Khandeshi
Co-authored-by: cmdallas
Co-authored-by: gaogilb
Co-authored-by: Vishal Gupta
Co-authored-by: Vishal Gupta
Co-authored-by: Bronson Mirafuentes
Co-authored-by: Sai Teja Penugonda
Co-authored-by: Shabir Ahmed
Co-authored-by: Saurav Agarwalla
---
 .gitignore                        |  1 -
 Makefile                          | 20 +++++---
 OG-CHANGELOG.md                   |  4 ++
 eks-worker-al2.json               |  9 +++-
 files/bootstrap.sh                |  4 ++
 .../linux/eks-log-collector.sh    |  4 +-
 .../windows/eks-ssm-content.json  |  1 -
 scripts/install-worker.sh         | 48 ++++++++++++++-----
 scripts/upgrade_kernel.sh         |  7 +--
 9 files changed, 72 insertions(+), 26 deletions(-)

diff --git a/.gitignore b/.gitignore
index 7bf7974e0..4915541fd 100644
--- a/.gitignore
+++ b/.gitignore @@ -1,4 +1,3 @@ manifest.json *.swp .idea - diff --git a/Makefile b/Makefile index 03ecceab3..e7e4a8a8f 100644 --- a/Makefile +++ b/Makefile @@ -1,5 +1,5 @@ PACKER_BINARY ?= packer -PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date docker_version cni_version cni_plugin_version source_ami_id source_ami_owners arch instance_type security_group_id additional_yum_repos og_image_version ami_regions +PACKER_VARIABLES := aws_region ami_name binary_bucket_name binary_bucket_region kubernetes_version kubernetes_build_date docker_version cni_version cni_plugin_version source_ami_id source_ami_owners arch instance_type security_group_id additional_yum_repos pull_cni_from_github og_image_version ami_regions K8S_VERSION_PARTS := $(subst ., ,$(kubernetes_version)) K8S_VERSION_MINOR := $(word 1,${K8S_VERSION_PARTS}).$(word 2,${K8S_VERSION_PARTS}) @@ -18,6 +18,10 @@ ifeq ($(aws_region), cn-northwest-1) source_ami_owners ?= 141808717104 endif +ifeq ($(aws_region), us-gov-west-1) +source_ami_owners ?= 045324592363 +endif + T_RED := \e[0;31m T_GREEN := \e[0;32m T_YELLOW := \e[0;33m 
@@ -39,16 +43,20 @@ k8s: validate .PHONY: 1.12 1.12: - $(MAKE) k8s kubernetes_version=1.12.10 kubernetes_build_date=2020-01-22 + $(MAKE) k8s kubernetes_version=1.12.10 kubernetes_build_date=2020-04-17 pull_cni_from_github=true .PHONY: 1.13 1.13: - $(MAKE) k8s kubernetes_version=1.13.12 kubernetes_build_date=2020-01-22 + $(MAKE) k8s kubernetes_version=1.13.12 kubernetes_build_date=2020-04-16 pull_cni_from_github=true .PHONY: 1.14 1.14: - $(MAKE) k8s kubernetes_version=1.14.9 kubernetes_build_date=2020-04-16 - + $(MAKE) k8s kubernetes_version=1.14.9 kubernetes_build_date=2020-04-16 pull_cni_from_github=true + .PHONY: 1.15 1.15: - $(MAKE) k8s kubernetes_version=1.15.11 kkubernetes_build_date=2020-04-16 + $(MAKE) k8s kubernetes_version=1.15.11 kubernetes_build_date=2020-04-16 pull_cni_from_github=true + +.PHONY: 1.16 +1.16: + $(MAKE) k8s kubernetes_version=1.16.8 kubernetes_build_date=2020-04-16 pull_cni_from_github=true diff --git a/OG-CHANGELOG.md b/OG-CHANGELOG.md index 991ad9711..e3eb8ebdf 100644 --- a/OG-CHANGELOG.md +++ b/OG-CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +1.5.0 - 05/12/2020 +----------------------- +- Sync code with upstream + 1.4.2 - 05/06/2020 ----------------------- - downgraded docker version to 18.09.9ce-2.amzn2 diff --git a/eks-worker-al2.json b/eks-worker-al2.json index d59d1cfa0..f0cbe1a56 100644 --- a/eks-worker-al2.json +++ b/eks-worker-al2.json @@ -19,12 +19,13 @@ "cni_plugin_version": "v0.7.5", "og_image_version": "1.2.0", "ami_regions": "us-west-2,us-east-1", + "pull_cni_from_github": "true", "source_ami_id": "", "source_ami_owners": "137112412989", "source_ami_filter_name": "amzn2-ami-minimal-hvm-*", "arch": null, - "instance_type": "m4.large", + "instance_type": null, "ami_description": "EKS Kubernetes Worker AMI with AmazonLinux2 image", "ssh_interface": "", 
@@ -140,6 +141,7 @@ "DOCKER_VERSION={{user `docker_version`}}", "CNI_VERSION={{user `cni_version`}}", "CNI_PLUGIN_VERSION={{user `cni_plugin_version`}}", + "PULL_CNI_FROM_GITHUB={{user `pull_cni_from_github`}}", "AWS_ACCESS_KEY_ID={{user `aws_access_key_id`}}", "AWS_SECRET_ACCESS_KEY={{user `aws_secret_access_key`}}", "AWS_SESSION_TOKEN={{user `aws_session_token`}}" @@ -164,6 +166,11 @@ "type": "manifest", "output": "manifest.json", "strip_path": true + }, + { + "type": "manifest", + "output": "{{user `ami_name`}}-manifest.json", + "strip_path": true } ] } diff --git a/files/bootstrap.sh b/files/bootstrap.sh index 956800a5e..e2de9fb37 100755 --- a/files/bootstrap.sh +++ b/files/bootstrap.sh @@ -117,6 +117,10 @@ function get_pause_container_account_for_region () { echo "${PAUSE_CONTAINER_ACCOUNT:-918309763551}";; cn-northwest-1) echo "${PAUSE_CONTAINER_ACCOUNT:-961992271922}";; + us-gov-west-1) + echo "${PAUSE_CONTAINER_ACCOUNT:-013241004608}";; + us-gov-east-1) + echo "${PAUSE_CONTAINER_ACCOUNT:-151742754352}";; *) echo "${PAUSE_CONTAINER_ACCOUNT:-602401143452}";; esac diff --git a/log-collector-script/linux/eks-log-collector.sh b/log-collector-script/linux/eks-log-collector.sh index f41728c04..dcea6da54 100644 --- a/log-collector-script/linux/eks-log-collector.sh +++ b/log-collector-script/linux/eks-log-collector.sh @@ -408,7 +408,7 @@ get_ipamd_info() { if [[ "${ignore_introspection}" == "false" ]]; then try "collect L-IPAMD introspectioon information" for entry in ${IPAMD_DATA[*]}; do - curl --max-time 3 --silent http://localhost:61679/v1/"${entry}" >> "${COLLECT_DIR}"/ipamd/"${entry}".txt + curl --max-time 3 --silent http://localhost:61679/v1/"${entry}" >> "${COLLECT_DIR}"/ipamd/"${entry}".json done else echo "Ignoring IPAM introspection stats as mentioned"| tee -a "${COLLECT_DIR}"/ipamd/ipam_introspection_ignore.txt 
@@ -416,7 +416,7 @@ get_ipamd_info() { if [[ "${ignore_metrics}" == "false" ]]; then try "collect L-IPAMD prometheus metrics" - curl --max-time 3 --silent http://localhost:61678/metrics > "${COLLECT_DIR}"/ipamd/metrics.txt 2>&1 + curl --max-time 3 --silent http://localhost:61678/metrics > "${COLLECT_DIR}"/ipamd/metrics.json 2>&1 else echo "Ignoring Prometheus Metrics collection as mentioned"| tee -a "${COLLECT_DIR}"/ipamd/ipam_metrics_ignore.txt fi diff --git a/log-collector-script/windows/eks-ssm-content.json b/log-collector-script/windows/eks-ssm-content.json index 6cca6c12a..8d2b2df90 100644 --- a/log-collector-script/windows/eks-ssm-content.json +++ b/log-collector-script/windows/eks-ssm-content.json @@ -79,4 +79,3 @@ } ] } - diff --git a/scripts/install-worker.sh b/scripts/install-worker.sh index f995be888..85a626eb2 100644 --- a/scripts/install-worker.sh +++ b/scripts/install-worker.sh @@ -28,6 +28,7 @@ validate_env_set CNI_VERSION validate_env_set CNI_PLUGIN_VERSION validate_env_set KUBERNETES_VERSION validate_env_set KUBERNETES_BUILD_DATE +validate_env_set PULL_CNI_FROM_GITHUB ################################################################################ ### Machine Architecture ####################################################### 
@@ -158,18 +159,6 @@ sudo mkdir -p /var/lib/kubernetes sudo mkdir -p /var/lib/kubelet sudo mkdir -p /opt/cni/bin -wget https://github.com/containernetworking/cni/releases/download/${CNI_VERSION}/cni-${ARCH}-${CNI_VERSION}.tgz -wget https://github.com/containernetworking/cni/releases/download/${CNI_VERSION}/cni-${ARCH}-${CNI_VERSION}.tgz.sha512 -sudo sha512sum -c cni-${ARCH}-${CNI_VERSION}.tgz.sha512 -sudo tar -xvf cni-${ARCH}-${CNI_VERSION}.tgz -C /opt/cni/bin -rm cni-${ARCH}-${CNI_VERSION}.tgz cni-${ARCH}-${CNI_VERSION}.tgz.sha512 - -wget https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGIN_VERSION}/cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz -wget https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGIN_VERSION}/cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz.sha512 -sudo sha512sum -c cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz.sha512 -sudo tar -xvf cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz -C /opt/cni/bin -rm cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz.sha512 - echo "Downloading binaries from: s3://$BINARY_BUCKET_NAME" S3_DOMAIN="amazonaws.com" if [ "$BINARY_BUCKET_REGION" = "cn-north-1" ] || [ "$BINARY_BUCKET_REGION" = "cn-northwest-1" ]; then 
@@ -196,6 +185,41 @@ for binary in ${BINARIES[*]} ; do sudo chmod +x $binary sudo mv $binary /usr/bin/ done + +if [ "$PULL_CNI_FROM_GITHUB" = "true" ]; then + echo "Downloading CNI assets from Github" + wget https://github.com/containernetworking/cni/releases/download/${CNI_VERSION}/cni-${ARCH}-${CNI_VERSION}.tgz + wget https://github.com/containernetworking/cni/releases/download/${CNI_VERSION}/cni-${ARCH}-${CNI_VERSION}.tgz.sha512 + + wget https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGIN_VERSION}/cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz + wget https://github.com/containernetworking/plugins/releases/download/${CNI_PLUGIN_VERSION}/cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz.sha512 + sudo sha512sum -c cni-${ARCH}-${CNI_VERSION}.tgz.sha512 + sudo sha512sum -c cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz.sha512 + rm cni-${ARCH}-${CNI_VERSION}.tgz.sha512 + rm cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz.sha512 +else + CNI_BINARIES=( + cni-${ARCH}-${CNI_VERSION}.tgz + cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz + ) + for binary in ${CNI_BINARIES[*]} ; do + if [[ ! -z "$AWS_ACCESS_KEY_ID" ]]; then + echo "AWS cli present - using it to copy binaries from s3." + aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$binary . + aws s3 cp --region $BINARY_BUCKET_REGION $S3_PATH/$binary.sha256 . + sudo sha256sum -c $binary.sha256 + else + echo "AWS cli missing - using wget to fetch cni binaries from s3. Note: This won't work for private bucket." + sudo wget $S3_URL_BASE/$binary + sudo wget $S3_URL_BASE/$binary.sha256 + fi + done +fi +sudo tar -xvf cni-${ARCH}-${CNI_VERSION}.tgz -C /opt/cni/bin +sudo tar -xvf cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz -C /opt/cni/bin +rm cni-${ARCH}-${CNI_VERSION}.tgz +rm cni-plugins-${ARCH}-${CNI_PLUGIN_VERSION}.tgz + sudo rm *.sha256 KUBERNETES_MINOR_VERSION=${KUBERNETES_VERSION%.*} diff --git a/scripts/upgrade_kernel.sh b/scripts/upgrade_kernel.sh index 2962da004..4b7b64dd1 100644 
--- a/scripts/upgrade_kernel.sh +++ b/scripts/upgrade_kernel.sh @@ -4,9 +4,10 @@ set -o pipefail set -o nounset set -o errexit -#sudo yum update -y kernel +sudo yum update -y kernel +sudo grubby --update-kernel=ALL --args=udev.event-timeout=300 #sudo amazon-linux-extras install kernel-ng -sudo yum -y install kernel-4.14.133-113.112.amzn2.x86_64 -sudo grubby --set-default /boot/vmlinuz-4.14.133-113.112.amzn2.x86_64 +#sudo yum -y install kernel-4.14.133-113.112.amzn2.x86_64 +#sudo grubby --set-default /boot/vmlinuz-4.14.133-113.112.amzn2.x86_64 --args="ro console=tty0 console=ttyS0,115200n8 net.ifnames=0 biosdevname=0 nvme_core.io_timeout=4294967295 rd.emergency=poweroff rd.shell=0 LANG=en_US.UTF-7 KEYTABLE=us udev.event-timeout=300" echo "rebooting... now" sudo reboot
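Review bot: in the Makefile hunk `@@ -39,16 +43,20 @@`, every version target hard-codes `pull_cni_from_github=true`, so the S3 path that install-worker.sh gains in this same patch cannot be selected through any Makefile target, and the `"pull_cni_from_github": "true"` default added to eks-worker-al2.json already covers the GitHub case. Drop the per-target assignment and let the variable flow through `PACKER_VARIABLES` like the others, so that `make 1.16 pull_cni_from_github=false` exercises the S3 branch. The `kkubernetes_build_date` typo fix on the 1.15 target is correct and worth calling out in the changelog, since the old target was passing the build date under the wrong variable name.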
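Review bot: in the eks-worker-al2.json hunk `@@ -19,12 +19,13 @@`, changing `"instance_type"` from `"m4.large"` to `null` turns it into a required Packer variable (a null user variable must be supplied on the command line or the build fails), but nothing in this patch documents that, and the OG-CHANGELOG entry only says "Sync code with upstream". Either keep a default or add the new requirement to the README and the 1.5.0 changelog entry so existing build invocations do not break silently.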
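Review bot: in the files/bootstrap.sh hunk `@@ -117,6 +117,10 @@`, region coverage is inconsistent with the Makefile: bootstrap.sh gains pause-container accounts for both `us-gov-west-1` and `us-gov-east-1`, but the Makefile hunk only adds a `source_ami_owners` default for `us-gov-west-1`, so a build in `us-gov-east-1` falls back to the generic owner and will not find a source AMI. Add the matching `ifeq ($(aws_region), us-gov-east-1)` block with the correct owner, or state in the README that `source_ami_owners` must be passed explicitly for that region.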
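Review bot: in the eks-log-collector.sh hunk `@@ -416,7 +416,7 @@`, `metrics.json` is a misleading name for this file. The `try` message says this is the L-IPAMD Prometheus endpoint, and Prometheus `/metrics` serves the text exposition format, not JSON; the `/v1/` introspection endpoints in the previous hunk do return JSON, so the `.json` rename is right there but not here. Keep `metrics.txt` (or use `.prom`), and note that the `2>&1` means curl's error text lands in the same file when the endpoint is unreachable, which anyone parsing it should expect.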
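Review bot: in the scripts/install-worker.sh hunk `@@ -196,6 +185,41 @@`, the wget fallback of the S3 branch never verifies what it downloads. Inside the `else` of the `CNI_BINARIES` loop it fetches `$binary` and `$binary.sha256` but there is no `sudo sha256sum -c $binary.sha256` before the tarballs are extracted into /opt/cni/bin, whereas the GitHub branch (`sha512sum -c`) and the AWS CLI branch (`sha256sum -c`) both verify first. Add `sudo sha256sum -c $binary.sha256` after the two `sudo wget` lines, or move the check below the `if`/`else` so both S3 paths share it; with `errexit` in effect a mismatch then aborts the build instead of shipping an unverified CNI archive in the AMI. Minor: `sudo wget` leaves the archives root-owned, so the later unprivileged `rm cni-*.tgz` depends on the working directory being writable by the build user.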
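Review bot: in the scripts/upgrade_kernel.sh hunk `@@ -4,9 +4,10 @@`, dead configuration is commented out rather than removed, and the commented kernel argument string contains `LANG=en_US.UTF-7`, almost certainly meant to be `UTF-8`, which will bite whoever uncomments it later. With `sudo yum update -y kernel` now active, each build picks up whatever kernel the repository serves at build time, so the AMI's kernel version is no longer pinned; if that is intended, record the resulting kernel version in the manifest or changelog, otherwise keep the pinned `kernel-4.14.133-113.112.amzn2.x86_64` install and apply only the new `grubby --update-kernel=ALL --args=udev.event-timeout=300` line on top of it.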