From 2e3176f87c582f53b635c5a5d6673c4e0c393752 Mon Sep 17 00:00:00 2001
From: Leonard Cohnen
Date: Wed, 28 Sep 2022 10:49:13 +0200
Subject: [PATCH] enable konnectivity
---
 CHANGELOG.md | 1 +
 .../internal/kubernetes/k8sapi/kubeadm_config.go | 15 +++++++--------
 .../kubernetes/k8sapi/resources/konnectivity.go | 10 +++++-----
 3 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 75d542a5f..d6fcce1f3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -27,6 +27,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Local cluster creation based on QEMU
 - Verification of Azure trusted launch attestation keys
 - Kubernetes version v1.25 is now fully supported.
+- Enabled Konnectivity.
 ### Changed
diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
index c824be957..4fa014ea2 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@@ -66,14 +66,13 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sV
 APIServer: kubeadm.APIServer{
 ControlPlaneComponent: kubeadm.ControlPlaneComponent{
 ExtraArgs: map[string]string{
- "audit-policy-file": auditPolicyPath,
- "audit-log-path": filepath.Join(auditLogDir, auditLogFile), // CIS benchmark
- "audit-log-maxage": "30", // CIS benchmark - Default value of Rancher
- "audit-log-maxbackup": "10", // CIS benchmark - Default value of Rancher
- "audit-log-maxsize": "100", // CIS benchmark - Default value of Rancher
- "profiling": "false", // CIS benchmark
- // Disabled konnectivity until agents have stable connections
- // "egress-selector-config-file": "/etc/kubernetes/egress-selector-configuration.yaml",
+ "audit-policy-file": auditPolicyPath,
+ "audit-log-path": filepath.Join(auditLogDir, auditLogFile), // CIS benchmark
+ "audit-log-maxage": "30", // CIS benchmark - Default value of Rancher
+ "audit-log-maxbackup": "10", // CIS benchmark - Default value of Rancher
+ "audit-log-maxsize": "100", // CIS benchmark - Default value of Rancher
+ "profiling": "false", // CIS benchmark
+ "egress-selector-config-file": "/etc/kubernetes/egress-selector-configuration.yaml",
 "kubelet-certificate-authority": filepath.Join(
 kubeconstants.KubernetesDir,
 kubeconstants.DefaultCertificateDir,
diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
index e43b42889..3198ee29a 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
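Review bot: The new `"egress-selector-config-file"` entry in `ExtraArgs` is a bare string literal with no comment, while the neighbouring entries take their paths from constants and say why they are set. As far as I know kube-apiserver fails to start when this file is missing or unreadable inside its static pod, and nothing in this hunk shows the file being written or mounted, so that presumably happens elsewhere and should be confirmed. A shared constant would keep the writer and this flag in step, for example `"egress-selector-config-file": egressSelectorConfigPath, // route API server egress through konnectivity` (the constant name is only a suggestion). The body of `InitConfiguration` starts and ends outside the hunk.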
@@ -113,10 +113,10 @@ func NewKonnectivityAgents(konnectivityServerAddress string) *KonnectivityAgents
 // https://github.com/kubernetes-sigs/apiserver-network-proxy/issues/273
 "--sync-forever=true",
 // Ensure stable connection to the konnectivity server.
- "--keepalive-time=60s",
- "--sync-interval=1s",
- "--sync-interval-cap=3s",
- "--probe-interval=1s",
+ "--keepalive-time=60m",
+ "--sync-interval=5s",
+ "--sync-interval-cap=30s",
+ "--probe-interval=5s",
 "--v=3",
 },
 Env: []corev1.EnvVar{
@@ -253,7 +253,7 @@ func NewKonnectivityServerStaticPod() *KonnectivityServerStaticPod {
 "--agent-service-account=konnectivity-agent",
 "--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
 "--authentication-audience=system:konnectivity-server",
- "--proxy-strategies=destHost,default",
+ "--proxy-strategies=default",
 },
 LivenessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
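Review bot: The comment `// Ensure stable connection to the konnectivity server.` now sits above agent arguments that relax liveness detection rather than tighten it. `--keepalive-time=60m` spaces gRPC keepalives an hour apart, and the sync and probe intervals are five to ten times longer than before. If the tunnel crosses a NAT or load balancer with a shorter idle timeout (not visible here), a silently dropped connection could stall API-server-to-node traffic such as logs, exec and webhooks until the next probe notices. I would replace the comment with the rationale for the new values, for example `// Reduce reconnect/probe churn; keepalive is 60m because <reason>.` The body of `NewKonnectivityAgents` extends beyond the hunk.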
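Review bot: Dropping `destHost` from `--proxy-strategies` in the server arguments is undocumented. As I understand the proxy server, with only `default` it hands each request to an arbitrary connected agent rather than the agent registered for the destination host. Every agent then has to be able to reach every kubelet and webhook address, which matters for node-level firewall and network-policy rules and should be stated next to the flag. Suggested comment: `// default only: any agent may carry traffic for any node; destHost removed because <reason>`. The body of `NewKonnectivityServerStaticPod` runs past the hunk.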