Strict confinement #1382
Closed
Conversation
- Moved to core18
- Added plugs for all apps
- Updated build docs to include connections
Log:

```
apparmor="DENIED" operation="capable" profile="snap.microk8s.daemon-apiserver-kicker" pid=23955 comm="ifconfig" capability=12 capname="net_admin"
```

Capability: net_admin

Suggestions:
* adjust program to not require 'CAP_NET_ADMIN' (see 'man 7 capabilities')
* add one of 'bluetooth-control, firewall-control, netlink-audit, netlink-connector, network-control' to 'plugs'
* do nothing if using systemd utility (eg, timedatectl): https://forum.snapcraft.io/t/managing-time-date-and-timezone-in-ubuntu-core/408/44
* do nothing (https://launchpad.net/bugs/1465724)
There are other lock files that are used, such as:

- /etc/service/enabled/monitor-addresses/supervise/lock
- /etc/service/enabled/allocate-tunnel-addrs/supervise/lock

It's probably a good idea to bind-mount the whole parent directory.
* Have gh tests running for strict and devmode
* Have gh tests running on pull and push regardless of the branch
* More fixes on GH tests
* Adding home-read-all interface
* Remove CA_CERT references
* Remove run_with_sudo references
* Allow dbctl and helm to see your home
* Adding some debug messages
* Create an inspection tarball in case of failure
* Style fixes
* Enable and disable to read your home
* Fix dbctl command denial
* Try fixing helm and install hook ifconfig denials
* Connect personal files in test
* Connect kernel module control interface
* Helm under dot-kube
* Connect interfaces in devmode
* Fix the smoketest
* Remove debugging output and upgrade tests
* Clean helm and kube directories
* Why do we exit 1 in a bash script?
* Gather inspect reports from GH actions
* Name the inspection reports placeholders correctly
* Fix the test-cluster test
* Fix style in cluster testing
* Fixes in the inspect command
* Adding two more interfaces
* Move list of interfaces to connect under utils.py
* Require connecting log-observe and login-session-observe
* Make some more interfaces required
* Tidying up

Co-authored-by: Joe Borg <[email protected]>
This addresses the following two denials:

```
[ 8007.018386] audit: type=1400 audit(1632740135.247:748): apparmor="DENIED" operation="capable" profile="snap.microk8s.hook.disconnect-plug-network-control" pid=399340 comm="ip" capability=16 capname="sys_module"
[ 8528.424346] audit: type=1400 audit(1632740656.640:2737): apparmor="DENIED" operation="capable" profile="snap.microk8s.hook.connect-plug-network-control" pid=404584 comm="ip" capability=16 capname="sys_module"
```
The `dmesg` command directly opens `/dev/kmsg`, whereas journalctl talks to journald via a socket. Now, we currently have two AppArmor denials (indentation added by me for improved readability):

```
[ 3150.199682] audit: type=1400 audit(1632434096.924:2083): apparmor="DENIED" operation="open" profile="snap.microk8s.microk8s" name="/bin/journalctl" pid=171631 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3150.238547] audit: type=1400 audit(1632434096.960:2084): apparmor="DENIED" operation="open" profile="snap.microk8s.microk8s" name="/dev/kmsg" pid=171646 comm="dmesg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
```

Since we are anyway using journalctl in scripts/inspect.sh a few lines above, it makes sense to use it also to retrieve the kernel messages. We'll deal with the denial from running journalctl in another commit.
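As an added example (not code from this PR or from snapd), a small triage script that parses AppArmor `DENIED` audit lines like the ones quoted in the commits above and, for capability denials, lists the snap interfaces that would satisfy them. The sample log lines are constructed from the denials quoted in this PR, and the capability-to-plug table is an assumption built from the snappy-debug suggestions above plus the `kernel-module-control` plug this PR discusses.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the denial kinds quoted in this PR (capability denials
# from the apiserver-kicker and the network-control hooks, file-open denials
# from the inspect script) plus one non-DENIED line the parser must skip.
# Lines with and without the kernel audit prefix are mixed on purpose.
SAMPLE_LOG = """\
[ 8007.018386] audit: type=1400 audit(1632740135.247:748): apparmor="DENIED" operation="capable" profile="snap.microk8s.hook.disconnect-plug-network-control" pid=399340 comm="ip" capability=16 capname="sys_module"
apparmor="DENIED" operation="capable" profile="snap.microk8s.daemon-apiserver-kicker" pid=23955 comm="ifconfig" capability=12 capname="net_admin"
[ 3150.199682] audit: type=1400 audit(1632434096.924:2083): apparmor="DENIED" operation="open" profile="snap.microk8s.microk8s" name="/bin/journalctl" pid=171631 comm="bash" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3150.238547] audit: type=1400 audit(1632434096.960:2084): apparmor="DENIED" operation="open" profile="snap.microk8s.microk8s" name="/dev/kmsg" pid=171646 comm="dmesg" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[ 3151.000000] audit: type=1400 audit(1632434097.000:2085): apparmor="ALLOWED" operation="open" profile="snap.microk8s.microk8s" name="/etc/hosts" pid=171647 comm="cat" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# Assumed mapping from capability name to snap interfaces that grant it.
# net_admin: the candidates snappy-debug printed in this PR.
# sys_module: the plug this PR connected (and later removed) for the hooks.
# Anything not listed is reported with an empty candidate list.
CAPABILITY_PLUGS: Dict[str, List[str]] = {
    "net_admin": ["bluetooth-control", "firewall-control", "netlink-audit",
                  "netlink-connector", "network-control"],
    "sys_module": ["kernel-module-control"],
}

# Audit fields are key="quoted value" or key=bare_value (bare values never
# contain whitespace). The audit(...) prefix has no '=' so it is ignored.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_denial(line: str) -> Optional[Dict[str, str]]:
    """Return the key/value fields of an AppArmor DENIED line, else None."""
    fields = {k: (q or b) for k, q, b in _KV_RE.findall(line)}
    if fields.get("apparmor") != "DENIED":
        return None
    return fields


def triage(log_text: str) -> List[Dict[str, object]]:
    """Collect unique DENIED events and what would resolve each of them.

    Real logs repeat one denial many times (each retry of the program), so
    events are deduplicated on (profile, operation, capability-or-path).
    """
    findings: List[Dict[str, object]] = []
    seen = set()
    for line in log_text.splitlines():
        d = parse_denial(line)
        if d is None:
            continue
        is_cap = d.get("operation") == "capable"
        subject = d.get("capname") if is_cap else d.get("name")
        key = (d.get("profile"), d.get("operation"), subject)
        if key in seen:
            continue
        seen.add(key)
        item: Dict[str, object] = {
            "profile": d.get("profile"),
            "comm": d.get("comm"),
            "operation": d.get("operation"),
        }
        if is_cap:
            item["capability"] = subject
            item["candidate_plugs"] = CAPABILITY_PLUGS.get(subject or "", [])
        else:
            item["path"] = subject
            item["denied_mask"] = d.get("denied_mask")
        findings.append(item)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
```

On a real host the same function can be fed the output of `journalctl -k` (the PR's own reason for preferring journalctl over `dmesg` under confinement).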
Merge master to strict
* Initial work on snap_microk8s group
* Enforce sudo for service restarts
* Update the group the callback_token is created in.
* Include ingress for addon status check
* Add addon to expose dashboard over ingress (#906)
* Add validator for dashboard-ingress (#906)
* Add note and workaround for nip.io in tests
* Force HTTPS redirect on dashboard ingress
* Fix lint on validator changes at dashboard_ingress
* Add config args to dashboard-ingress addon (#906)
* fix unclosed monospace text on nip.io workaround
* Move storage-dir argument to k8s-dqlite (#2672)
* Move storage-dir argument to k8s-dqlite
* Fix the config values
* Remove empty line
* Use Docker's own registry image (#2679)
* Update k8s-dqlite to include the empty cluster.yaml fix (#2683)
* Upgrade linkerd to version 2.11.1
* Fix yaml loading in tests (#2698)
* Update EnVar plugin (#2704)
* Installer 2.2.1 release (#2705)
* Bump actions/checkout from 2.3.5 to 2.4.0 (#2706)
  Bumps [actions/checkout](https://github.com/actions/checkout) from 2.3.5 to 2.4.0.
  - [Release notes](https://github.com/actions/checkout/releases)
  - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
  - [Commits](actions/checkout@v2.3.5...v2.4.0)
  ---
  updated-dependencies:
  - dependency-name: actions/checkout
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Update inaccel add-on (#2681)
  * Set `kube-system` as the default namespace
  * Test mutating webhook features
  Signed-off-by: Elias Koromilas <[email protected]>
* Inspect report to include basic dqlite info (#2688)
* Update check-formatting.yml (#2721)
  Rename `build` to `check-formatting`. This helps when running locally with `act`.
* Add clustering tests. Remove dead tests. (#2697)
* Update GPU operator to v1.8.2 and fix its test (#2708)
* updated portainer disable script (#2693)
* Update default kube-apiserver arguments (#2731)
  - Disable profiling (--profiling=false)
  - Reduce event TTL to 5 minutes (--event-ttl=5m)
* Bump ingress to v1.0.5 (#2732)
* Bump actions/setup-python from 2.2.2 to 2.3.0 (#2738)
  Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.2.2 to 2.3.0.
  - [Release notes](https://github.com/actions/setup-python/releases)
  - [Commits](actions/setup-python@v2.2.2...v2.3.0)
  ---
  updated-dependencies:
  - dependency-name: actions/setup-python
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Use SafeLoader instead of FullLoader (#2726)
* Pull inspection tarball out of the multipass VM (#2711)

Co-authored-by: John P Lettman <[email protected]>
Co-authored-by: Konstantinos Tsakalozos <[email protected]>
Co-authored-by: Tobias Muehl <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Elias Koromilas <[email protected]>
Co-authored-by: balasu <[email protected]>
Co-authored-by: Angelos Kolaitis <[email protected]>
Co-authored-by: Mohammad Faraz <[email protected]>
* upgrade keda to the latest version
* upgrade jaeger operator
* upgrade metrics server to v0.5.2
* Worker only node with dqlite (#2444)
  microk8s join command has an additional --worker option to add the node as a worker node not running the control plane. Kubelet and kube-proxy contact a Traefik loadbalancer running locally on port 16443 (same as the API server) and Traefik forwards the requests towards a set of configured API servers. Kubelet and kube-proxy are authenticated based on x509 certificates so it does not matter which master node they contact. Nodes running the control plane are labeled with node.kubernetes.io/microk8s-controlplane=microk8s-controlplane, worker nodes are labeled with node.kubernetes.io/microk8s-worker=microk8s-worker. Nodes labeled with node.kubernetes.io/microk8s-controlplane=microk8s-controlplane at the time of the joining operation will be added to the Traefik loadbalancer. The leave, join and reset operations were refactored to use click.
* Fixed a typo
* Improve handling for missing k8s-dqlite arguments file (#2753)
* Fix typo in configure script (#2758)
* Remove the --insecure-port argument (#2756)
* Fix add-node output in etcd based clusters (#2760)
* Warn rpi users they need extra modules (#2754)
* Remove deprecated configuration from containerd-template.toml and adapt it as suggested by containerd documentation. (#2648)
* Fix removal of callback tokens (#2759)
  Co-authored-by: Angelos Kolaitis <[email protected]>
* Bump actions/setup-python from 2.3.0 to 2.3.1 (#2765)
  Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.0 to 2.3.1.
  - [Release notes](https://github.com/actions/setup-python/releases)
  - [Commits](actions/setup-python@v2.3.0...v2.3.1)
  ---
  updated-dependencies:
  - dependency-name: actions/setup-python
    dependency-type: direct:production
    update-type: version-update:semver-patch
  ...
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* Replace deprecated call from net-tools to iproute2 (#2751)
* Replace deprecated network tools in inspect script (#2657)
  Use network tools from iproute2 (ip addr + ss) instead of net-tools (ifconfig, netstat)
* Replacement of deprecated net-tools to iproute2 tools
  It removes the use of the deprecated ifconfig and netstat tools notably when performing enabling/disabling host-access action and inside common/utils functions
* Print warning for docker iff docker daemon is installed (#2769)
* Update the PATH containerd-shims has to find runc (#2772)
* Build traefik from source for s390x (#2768)
* Remove colon from localhost containerd configuration (#2781)
* Allow kube-proxy to change nf_conntrack_max on lxc (#2777)
* Allow kube-proxy to change nf_conntrack_max on lxc
* If you detect we are on lxc do not try set any conntrack params
* Prepare for v1.23 (#2787)
* Remove insecure-port only from local config (#2789)
* Runc now requires Go 1.16 minimum in order to go get (#2799)
* Hotfix ElasticSearch for Log4Shell (#2802)
* Return inspect to old command
* Bump Multipass and default track (#2794)
* fix ingress leader election when rbac is enabled (#2813)
* fix ingress rbac so it can acquire lock
* upgrade nginx ingress to v1.1.0 and update the rolebinding to use only resourceName
* Bump carlosperate/download-file-action from 1.0.3 to 1.1.0 (#2808)
  Bumps [carlosperate/download-file-action](https://github.com/carlosperate/download-file-action) from 1.0.3 to 1.1.0.
  - [Release notes](https://github.com/carlosperate/download-file-action/releases)
  - [Commits](carlosperate/download-file-action@v1.0.3...v1.1.0)
  ---
  updated-dependencies:
  - dependency-name: carlosperate/download-file-action
    dependency-type: direct:production
    update-type: version-update:semver-minor
  ...
  Signed-off-by: dependabot[bot] <[email protected]>
  Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
* upgrade dashboard to v2.3.0 to fix ingress API 404 (#2792)
* Bump traefik version to 2.5 (#2809)
  Co-authored-by: Konstantinos Tsakalozos <[email protected]>
* Fix inspect
* Add helm interfaces to disable
* Add kubernetes-support interface for helm and enable/disable

Co-authored-by: John P Lettman <[email protected]>
Co-authored-by: Konstantinos Tsakalozos <[email protected]>
Co-authored-by: Tobias Muehl <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Elias Koromilas <[email protected]>
Co-authored-by: balasu <[email protected]>
Co-authored-by: Angelos Kolaitis <[email protected]>
Co-authored-by: Mohammad Faraz <[email protected]>
Co-authored-by: balchua <[email protected]>
Co-authored-by: Stefano Palazzo <[email protected]>
Co-authored-by: Babis K <[email protected]>
Co-authored-by: odufourc <[email protected]>
Co-authored-by: YanZheng <[email protected]>
Co-authored-by: Miroslav Balaz <[email protected]>
Co-authored-by: Konstantinos Tsakalozos <[email protected]>
* Refuse joining nodes when hostname does not resolve (#2838)
* Add low-memory guard (#2828)
* Deprecate storage addon (#2833)
* Replace 'storage' with 'hostpath-storage'
* Do not start traefik and k8s-dqlite until interfaces are connected (#2851)
* Remove sudo
* Add touch installed lock back in
* Revert "snap: grant sys_module capability to network hooks (#2630)"
  This reverts commit cb5436f.
* Revert "snap: add kernel-module-control plug to the apiserver (#2316)"
  This reverts commit f79c1ab.
* snap: remove the kernel-module-control interface
  With the previous commits we removed the usage of the kernel-module-control interface, which is not needed (it was only added to avoid an apparmor denial message, but we have already prepared a solution in snapd for it - #10933). With this commit we clean up the tests and the CI workflows.
* Remove kernel-module-control

Co-authored-by: Alberto Mardegan <[email protected]>
* Upgrade hostpath-provisioner (#2853)
* Upgrade hostpath-provisioner image to 1.1.0
* Enable storage addon on s390x
* Enable storage addon even if hostpath directory exists (#2857)
* Drop RemoveSelfLink=false feature flag (#2870)
* Drop RemoveSelfLink=false feature flag from kube-apiserver
* Add inspect check for hostpath storage addon version
* Remove the dqlite related argument from the API server when disabling HA (#2864)
* Silence the hostpath-provisioner error if the provisioner is not installed (#2873)
* Enable hostpath-storage addon for s390x (#2874)
* Update k8s-dqlite build version (#2872)
* Fix bad merge
order to go get (#2799) * Hotfix ElasticSearch for Log4Shell (#2802) * Bump Multipass and default track (#2794) * fix ingress leader election when rbac is enabled (#2813) * fix ingress rbac so it can acquire lock * upgrade nginx ingress to v1.1.0 and update the rolebinding to use only resourceName * Bump carlosperate/download-file-action from 1.0.3 to 1.1.0 (#2808) Bumps [carlosperate/download-file-action](https://github.com/carlosperate/download-file-action) from 1.0.3 to 1.1.0. - [Release notes](https://github.com/carlosperate/download-file-action/releases) - [Commits](carlosperate/download-file-action@v1.0.3...v1.1.0) --- updated-dependencies: - dependency-name: carlosperate/download-file-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * upgrade dashboard to v2.3.0 to fix ingress API 404 (#2792) * Bump traefik version to 2.5 (#2809) Co-authored-by: Konstantinos Tsakalozos <[email protected]> * Refuse joining nodes when hostname does not resolve (#2838) * Add low-memory guard (#2828) * Deprecate storage addon (#2833) * Replace 'storage' with 'hostpath-storage' * Upgrade hostpath-provisioner (#2853) * Upgrade hostpath-provisioner image to 1.1.0 * Enable storage addon on s390x * Enable storage addon even if hostpath directory exists (#2857) * Drop RemoveSelfLink=false feature flag (#2870) * Drop RemoveSelfLink=false feature flag from kube-apiserver * Add inspect check for hostpath storage addon version * Remove the dqlite related argument from the API server when disabling HA (#2864) * Silence the hostpath-provisioner error if the provisioner is not installed (#2873) * Enable hostpath-storage addon for s390x (#2874) * Update k8s-dqlite build version (#2872) * Fix RBAC rules for new hostpath-provisioner * Fix error retrieving resource lock (#2885) * Remove kubeflow and juju addons (#2869) * 
Remove kubeflow and juju addons * Upgrade containerd to 1.5.9 (#2899) * Bump actions/setup-python from 2.3.1 to 2.3.2 (#2904) Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.1 to 2.3.2. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@v2.3.1...v2.3.2) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> * Initial split of addon out of the main repository (#2892) * Remove replicated slots * Pin addons branch to strict * Delete addons dir if already created on previous build Co-authored-by: John P Lettman <[email protected]> Co-authored-by: Konstantinos Tsakalozos <[email protected]> Co-authored-by: Tobias Muehl <[email protected]> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> Co-authored-by: Elias Koromilas <[email protected]> Co-authored-by: balasu <[email protected]> Co-authored-by: Angelos Kolaitis <[email protected]> Co-authored-by: Mohammad Faraz <[email protected]> Co-authored-by: balchua <[email protected]> Co-authored-by: Stefano Palazzo <[email protected]> Co-authored-by: Babis K <[email protected]> Co-authored-by: odufourc <[email protected]> Co-authored-by: YanZheng <[email protected]> Co-authored-by: Miroslav Balaz <[email protected]> Co-authored-by: Konstantinos Tsakalozos <[email protected]>
The PR #2996 is to be used from now on.
Currently WIP to create .snaps in GH action.