From 8bb045ed19b67b1bf6982733d17945c839822462 Mon Sep 17 00:00:00 2001
From: Quirin Vetterl <140174674+qrnvttrl@users.noreply.github.com>
Date: Wed, 2 Oct 2024 14:57:49 +0200
Subject: [PATCH] Add `--kubelet-pod-pid-limit` flag to cluster command (#320)

---
 cmd/cluster.go | 19 +++++++++++++++++++
 go.mod | 2 +-
 go.sum | 4 ++--
 3 files changed, 22 insertions(+), 3 deletions(-)

diff --git a/cmd/cluster.go b/cmd/cluster.go
index 0565793..23f2e3e 100644
--- a/cmd/cluster.go
+++ b/cmd/cluster.go
@@ -247,6 +247,7 @@ func newClusterCmd(c *config) *cobra.Command {
 	clusterCreateCmd.Flags().Bool("enable-kube-apiserver-acl", false, "restricts access from outside to the kube-apiserver to the source ip addresses set by --kube-apiserver-acl-allowed-cidrs [optional].")
 	clusterCreateCmd.Flags().String("network-isolation", "", "defines restrictions to external network communication for the cluster, can be one of baseline|restricted|isolated. baseline sets no special restrictions to external networks, restricted by default only allows external traffic to explicitly allowed destinations, forbidden disallows communication with external networks except for a limited set of networks. Please consult the documentation for detailed descriptions of the individual modes as these cannot be altered anymore after creation. [optional]")
 	clusterCreateCmd.Flags().Bool("high-availability-control-plane", false, "enables a high availability control plane for the cluster, cannot be disabled again")
+	clusterCreateCmd.Flags().Int64("kubelet-pod-pid-limit", 0, "controls the maximum number of process IDs per pod allowed by the kubelet")
 
 	genericcli.Must(clusterCreateCmd.MarkFlagRequired("name"))
 	genericcli.Must(clusterCreateCmd.MarkFlagRequired("project"))
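Review bot: The help text of the new `kubelet-pod-pid-limit` flag on clusterCreateCmd does not tell the user that the flag is refused unless `--yes-i-really-mean-it` is also given, and unlike its neighbours it carries no `[optional]` marker, so the constraint is only discovered by hitting the error. Suggest `"maximum number of process IDs the kubelet allows per pod; requires --yes-i-really-mean-it because a value that is too low keeps pods from starting [optional]"`. The same wording applies to the identical flag registered on clusterUpdateCmd further down in the patch. newClusterCmd starts and ends outside this hunk.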
@@ -338,6 +339,7 @@ func newClusterCmd(c *config) *cobra.Command {
 	clusterUpdateCmd.Flags().StringSlice("kube-apiserver-acl-remove-from-allowed-cidrs", []string{}, "comma-separated list of external CIDRs to be removed from the allowed CIDRs to connect to the kube-apiserver (e.g. \"212.34.68.0/24,212.34.89.0/27\")")
 	clusterUpdateCmd.Flags().Bool("enable-kube-apiserver-acl", false, "restricts access from outside to the kube-apiserver to the source ip addresses set by --kube-apiserver-acl-* [optional].")
 	clusterUpdateCmd.Flags().Bool("high-availability-control-plane", false, "enables a high availability control plane for the cluster, cannot be disabled again")
+	clusterUpdateCmd.Flags().Int64("kubelet-pod-pid-limit", 0, "controls the maximum number of process IDs per pod allowed by the kubelet")
 
 	genericcli.Must(clusterUpdateCmd.RegisterFlagCompletionFunc("version", c.comp.VersionListCompletion))
 	genericcli.Must(clusterUpdateCmd.RegisterFlagCompletionFunc("workerversion", c.comp.VersionListCompletion))
@@ -450,6 +452,7 @@ func (c *config) clusterCreate() error {
 	enableNodeLocalDNS := viper.GetBool("enable-node-local-dns")
 	disableForwardToUpstreamDNS := viper.GetBool("disable-forwarding-to-upstream-dns")
 	highAvailability := strconv.FormatBool(viper.GetBool("high-availability-control-plane"))
+	podpidLimit := viper.GetInt64("kubelet-pod-pid-limit")
 
 	var cni string
 	if viper.IsSet("cni") {
@@ -689,6 +692,13 @@ WARNING: You are going to create a cluster that has no default internet access w
 		}
 	}
 
+	if viper.IsSet("kubelet-pod-pid-limit") {
+		if !viper.GetBool("yes-i-really-mean-it") {
+			return fmt.Errorf("--kubelet-pod-pid-limit can only be changed in combination with --yes-i-really-mean-it because this change can lead to pods not starting anymore in the cluster")
+		}
+		scr.Kubernetes.PodPIDsLimit = &podpidLimit
+	}
+
 	egressRules := makeEgressRules(egress)
 	if len(egressRules) > 0 {
 		scr.EgressRules = egressRules
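Review bot: In the `viper.IsSet("kubelet-pod-pid-limit")` block of clusterCreate the value is stored into `scr.Kubernetes.PodPIDsLimit` without any range check, so `--kubelet-pod-pid-limit 0` or a negative number (the flag is an Int64 defaulting to 0) goes to the API as an explicit limit — exactly the kind of value the `--yes-i-really-mean-it` guard exists to protect against, unless the API treats 0 as unset, which nothing here shows. A client-side bound keeps a typo from producing a cluster whose pods cannot fork: `if podpidLimit <= 0 { return fmt.Errorf("--kubelet-pod-pid-limit must be a positive number, got %d", podpidLimit) }`. Since the per-pod PID limit is the kubelet's containment against a single pod exhausting the node's PID space, the help text could also say why lowering it is guarded. The error says the limit "can only be changed", which reads oddly at creation time where it is being set for the first time. clusterCreate starts and ends outside this hunk.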
@@ -926,6 +936,8 @@ func (c *config) updateCluster(args []string) error {
 	encryptedStorageClasses := strconv.FormatBool(viper.GetBool("encrypted-storage-classes"))
 	highAvailability := strconv.FormatBool(viper.GetBool("high-availability-control-plane"))
 
+	podpidLimit := viper.GetInt64("kubelet-pod-pid-limit")
+
 	workerlabels, err := helper.LabelsToMap(workerlabelslice)
 	if err != nil {
 		return err
@@ -1291,6 +1303,13 @@ func (c *config) updateCluster(args []string) error {
 		k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
 	}
 
+	if viper.IsSet("kubelet-pod-pid-limit") {
+		if !viper.GetBool("yes-i-really-mean-it") {
+			return fmt.Errorf("--kubelet-pod-pid-limit can only be changed in combination with --yes-i-really-mean-it because this change can lead to pods not starting anymore in the cluster")
+		}
+		k8s.PodPIDsLimit = &podpidLimit
+	}
+
 	cur.Kubernetes = k8s
 
 	cur.EgressRules = makeEgressRules(egress)
diff --git a/go.mod b/go.mod
index 2f2a232..1a22795 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 	github.com/dustin/go-humanize v1.0.1
 	github.com/fatih/color v1.17.0
 	github.com/fi-ts/accounting-go v0.10.0
-	github.com/fi-ts/cloud-go v0.28.2
+	github.com/fi-ts/cloud-go v0.29.0
 	github.com/gardener/gardener v1.91.0
 	github.com/gardener/machine-controller-manager v0.53.1
 	github.com/go-openapi/runtime v0.28.0
diff --git a/go.sum b/go.sum
index 15ea927..049ed2c 100644
--- a/go.sum
+++ b/go.sum
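Review bot: The `viper.IsSet("kubelet-pod-pid-limit")` block in updateCluster is a verbatim copy of the one in clusterCreate, including the full error text, and like its twin it stores `&podpidLimit` without validating the value, so the two sites will drift the first time a bound or a message is changed in one of them. Pulling the flag read, the `--yes-i-really-mean-it` check and a lower bound into one helper gives both call sites the same behaviour and a single place to document it. Note also that when the flag is absent the update path leaves `k8s.PodPIDsLimit` as whatever `k8s` already holds; if `k8s` is initialised from the current shoot spec (its construction is outside this hunk), a limit can be set through this CLI but never cleared again, which deserves a line in the help text. updateCluster starts and ends outside this hunk.
```go
// podPIDsLimitFromFlags returns the value of --kubelet-pod-pid-limit when the
// flag was given, after confirming --yes-i-really-mean-it and a sane range.
// It returns nil, nil when the flag is not set so callers leave the field alone.
func podPIDsLimitFromFlags() (*int64, error) {
	if !viper.IsSet("kubelet-pod-pid-limit") {
		return nil, nil
	}
	if !viper.GetBool("yes-i-really-mean-it") {
		return nil, fmt.Errorf("--kubelet-pod-pid-limit can only be changed in combination with --yes-i-really-mean-it because this change can lead to pods not starting anymore in the cluster")
	}
	limit := viper.GetInt64("kubelet-pod-pid-limit")
	if limit <= 0 {
		return nil, fmt.Errorf("--kubelet-pod-pid-limit must be a positive number, got %d", limit)
	}
	return &limit, nil
}

// … unchanged: default-pod-security-standard handling in updateCluster …
	limit, err := podPIDsLimitFromFlags()
	if err != nil {
		return err
	}
	if limit != nil {
		k8s.PodPIDsLimit = limit
	}
	// … unchanged: cur.Kubernetes = k8s and egress rules …
```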
@@ -90,8 +90,8 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
 github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/fi-ts/accounting-go v0.10.0 h1:vbPgTWq1iicyBWFRajX0bawZ1ADbhKGuJyNEtXjpr08=
 github.com/fi-ts/accounting-go v0.10.0/go.mod h1:ARKouuFYUV44xUKytAlczpzoti/S+o+PnXCN5BQA6nQ=
-github.com/fi-ts/cloud-go v0.28.2 h1:t+HTHxx7J0d46hbI1E3rL1DKcAO4b4knC6JITEB2n6k=
-github.com/fi-ts/cloud-go v0.28.2/go.mod h1:R7JMkC92eGvxkkMO1oP6lEevBH86DFiO9H9mo7YD5Sw=
+github.com/fi-ts/cloud-go v0.29.0 h1:0MSgs4BiBBcCDWEXTwg3h15r0yRf1mGV/17XQ/LGSec=
+github.com/fi-ts/cloud-go v0.29.0/go.mod h1:pcGGl+M2OmtvwyuTEOimqSHrZngDotG69lmBzEbx6cc=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=