diff --git a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
index 06d01fb80..affa106fd 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/kubeadm_config.go
@@ -73,7 +73,7 @@ func (c *CoreOSConfiguration) InitConfiguration(externalCloudProvider bool, k8sV
 "audit-log-maxsize": "100", // CIS benchmark - Default value of Rancher
 "profiling": "false", // CIS benchmark
 // Disabled konnectivity until agents have stable connections
- // "egress-selector-config-file": "/etc/kubernetes/egress-selector-configuration.yaml",
+ "egress-selector-config-file": "/etc/kubernetes/egress-selector-configuration.yaml",
 "kubelet-certificate-authority": filepath.Join(
 kubeconstants.KubernetesDir,
 kubeconstants.DefaultCertificateDir,
diff --git a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
index f18c9aed0..63e8ae41c 100644
--- a/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
+++ b/bootstrapper/internal/kubernetes/k8sapi/resources/konnectivity.go
@@ -113,10 +113,9 @@ func NewKonnectivityAgents(konnectivityServerAddress string) *konnectivityAgents
 // https://github.com/kubernetes-sigs/apiserver-network-proxy/issues/273
 "--sync-forever=true",
 // Ensure stable connection to the konnectivity server.
- "--keepalive-time=60s",
- "--sync-interval=1s",
- "--sync-interval-cap=3s",
- "--probe-interval=1s",
+ "--sync-interval=1s", // GKE: 5s
+ "--sync-interval-cap=3s", // GKE: 30s
+ "--probe-interval=1s", // GKE: 5s
 "--v=3",
 },
 Env: []corev1.EnvVar{
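Review bot: The context line `// Disabled konnectivity until agents have stable connections` is now stale, because the line directly below it enables `egress-selector-config-file` instead of leaving it commented out, so a reader will assume the flag is still off. Replace it with a comment that states the current intent, e.g. `// Route apiserver egress through konnectivity; egress-selector-configuration.yaml decides which egress types (cluster/kubelet, etcd, ...) use the tunnel.` The selector file itself is not in this diff, so which egress types are tunneled — and whether the apiserver can still reach kubelets (logs/exec/port-forward) while no agent is connected — cannot be confirmed here and deserves a sentence in that comment. InitConfiguration starts and ends outside the hunk.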
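Review bot: Dropping `--keepalive-time=60s` (the first removed line) is not explained by the comment above it, `// Ensure stable connection to the konnectivity server.`, which now only covers the sync/probe intervals; if the proxy-agent's built-in keepalive default is much longer (upstream's default is, to my recollection, on the order of an hour — verify), idle gRPC tunnels become more likely to be dropped silently by NAT or load-balancer idle timeouts, the opposite of the stated goal. Either keep the flag or record the reason, e.g. `// keepalive-time left at the agent default because <reason>`. The `// GKE: ...` annotations are helpful, but the intervals chosen here are 5-10x more aggressive than those reference values and the comment should say why (presumably faster recovery after a server restart) and acknowledge the extra probe load every agent puts on the server. NewKonnectivityAgents continues outside the hunk.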
@@ -253,9 +252,8 @@ func NewKonnectivityServerStaticPod(nodeCIDR string) *konnectivityServerStaticPo
 "--agent-service-account=konnectivity-agent",
 "--kubeconfig=/etc/kubernetes/konnectivity-server.conf",
 "--authentication-audience=system:konnectivity-server",
- // "--proxy-strategies=destHost,default",
- "--proxy-strategies=destHost,defaultRoute",
- "--node-cidr=" + nodeCIDR, //"--node-cidr=10.9.0.0/16",
+ "--proxy-strategies=destHost,default",
+ "--node-cidr=" + nodeCIDR, //--node-cidr=10.9.0.0/16,
 },
 LivenessProbe: &corev1.Probe{
 ProbeHandler: corev1.ProbeHandler{
diff --git a/internal/versions/versions.go b/internal/versions/versions.go
index 3afcba8b6..d7b4c54d1 100644
--- a/internal/versions/versions.go
+++ b/internal/versions/versions.go
@@ -45,8 +45,8 @@ const (
 // These images are built in a way that they support all versions currently listed in VersionConfigs.
 KonnectivityAgentImage = "us.gcr.io/k8s-artifacts-prod/kas-network-proxy/proxy-agent:v0.0.32"
 // TODO: switch back to official image once cilium node2node encryption is enabled.
- // KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32".
+ // KonnectivityServerImage = "registry.k8s.io/kas-network-proxy/proxy-server:v0.0.32".
- KonnectivityServerImage = "ghcr.io/3u13r/constellation-konnectivity-server:v0.0.33-edgeless@sha256:bf5748999b20576c7c97f25d2762408d705df5ae20640494bcb4cac5d648b583"
+ KonnectivityServerImage = "ghcr.io/3u13r/constellation-konnectivity-server:v0.0.33-edgeless"
 JoinImage = "ghcr.io/edgelesssys/constellation/join-service:v2.0.0"
 AccessManagerImage = "ghcr.io/edgelesssys/constellation/access-manager:v2.0.0"
 KmsImage = "ghcr.io/edgelesssys/constellation/kmsserver:v2.0.0"
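Review bot: Changing the fallback strategy from `defaultRoute` to `default` on the `--proxy-strategies` line alters which agent receives traffic for a destination no agent has claimed: as I read the upstream strategies, `default` picks any connected agent, whereas `defaultRoute` only uses agents that explicitly registered as a default route, so such egress is now tunneled through an arbitrary node and a single compromised node's agent can be handed traffic it previously would not see. The reason `defaultRoute` was abandoned is not recorded anywhere in the hunk; add it, e.g. `// defaultRoute needs agents that register as default route; until ours do, fall back to any agent (default)`. The trailing comment `//--node-cidr=10.9.0.0/16,` is a leftover with a stray comma — `// e.g. --node-cidr=10.9.0.0/16` reads cleaner — and since `nodeCIDR` is interpolated into the flag without any visible validation, a note on where it is checked would help. NewKonnectivityServerStaticPod continues outside the hunk.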
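Review bot: The new `KonnectivityServerImage` line drops the `@sha256:` digest that pinned the previous reference, so a control-plane component pulled from what appears to be a personal registry namespace (`ghcr.io/3u13r/...`) is now identified only by a mutable tag that can be re-pushed; that digest was the only integrity guarantee on this image. If the tag was rebuilt, pin the digest of the intended build (`...:v0.0.33-edgeless@sha256:<digest of the new push>`) rather than removing the pin; the other images in this block are tag-only as well, but this hunk regresses the one reference that was pinned. The `// KonnectivityServerImage = "registry.k8s.io/...:v0.0.32".` line is removed and re-added with identical visible text, presumably a whitespace change, and the TODO above it should say why using the fork depends on "cilium node2node encryption" being enabled, since that link is not evident from the surrounding code. The enclosing `const (` block starts outside the hunk.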