From a31e7b5e849517bac9be07485b0c7b5c1d7a8b1c Mon Sep 17 00:00:00 2001
From: Quirin Vetterl
Date: Thu, 26 Sep 2024 13:57:34 +0200
Subject: [PATCH 1/2] conrol pod pids limit

---
 cmd/cluster.go | 13 +++++++++++++
 go.mod | 2 +-
 go.sum | 2 ++
 3 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/cmd/cluster.go b/cmd/cluster.go
index 0565793..e3f14c8 100644
--- a/cmd/cluster.go
+++ b/cmd/cluster.go
@@ -247,6 +247,7 @@ func newClusterCmd(c *config) *cobra.Command {
 clusterCreateCmd.Flags().Bool("enable-kube-apiserver-acl", false, "restricts access from outside to the kube-apiserver to the source ip addresses set by --kube-apiserver-acl-allowed-cidrs [optional].")
 clusterCreateCmd.Flags().String("network-isolation", "", "defines restrictions to external network communication for the cluster, can be one of baseline|restricted|isolated. baseline sets no special restrictions to external networks, restricted by default only allows external traffic to explicitly allowed destinations, forbidden disallows communication with external networks except for a limited set of networks. Please consult the documentation for detailed descriptions of the individual modes as these cannot be altered anymore after creation. [optional]")
 clusterCreateCmd.Flags().Bool("high-availability-control-plane", false, "enables a high availability control plane for the cluster, cannot be disabled again")
+ clusterCreateCmd.Flags().Int64("pod-PID-limit", 1000, "controls the maximum number of process IDs per pod allowed by the kubelet")
 
 genericcli.Must(clusterCreateCmd.MarkFlagRequired("name"))
 genericcli.Must(clusterCreateCmd.MarkFlagRequired("project"))
@@ -338,6 +339,7 @@ func newClusterCmd(c *config) *cobra.Command {
 clusterUpdateCmd.Flags().StringSlice("kube-apiserver-acl-remove-from-allowed-cidrs", []string{}, "comma-separated list of external CIDRs to be removed from the allowed CIDRs to connect to the kube-apiserver (e.g. \"212.34.68.0/24,212.34.89.0/27\")")
 clusterUpdateCmd.Flags().Bool("enable-kube-apiserver-acl", false, "restricts access from outside to the kube-apiserver to the source ip addresses set by --kube-apiserver-acl-* [optional].")
 clusterUpdateCmd.Flags().Bool("high-availability-control-plane", false, "enables a high availability control plane for the cluster, cannot be disabled again")
+ clusterUpdateCmd.Flags().Int64("pod-PID-limit", 1000, "controls the maximum number of process IDs per pod allowed by the kubelet")
 
 genericcli.Must(clusterUpdateCmd.RegisterFlagCompletionFunc("version", c.comp.VersionListCompletion))
 genericcli.Must(clusterUpdateCmd.RegisterFlagCompletionFunc("workerversion", c.comp.VersionListCompletion))
@@ -450,6 +452,7 @@ func (c *config) clusterCreate() error {
 enableNodeLocalDNS := viper.GetBool("enable-node-local-dns")
 disableForwardToUpstreamDNS := viper.GetBool("disable-forwarding-to-upstream-dns")
 highAvailability := strconv.FormatBool(viper.GetBool("high-availability-control-plane"))
+ podPIDLimit := viper.GetInt64("pod-PID-limit")
 
 var cni string
 if viper.IsSet("cni") {
@@ -689,6 +692,10 @@ WARNING: You are going to create a cluster that has no default internet access w
 }
 }
 
+ if viper.IsSet("pod-PID-limit") {
+ scr.Kubernetes.PodPIDsLimit = &podPIDLimit
+ }
+
 egressRules := makeEgressRules(egress)
 if len(egressRules) > 0 {
 scr.EgressRules = egressRules
@@ -926,6 +933,8 @@ func (c *config) updateCluster(args []string) error {
 encryptedStorageClasses := strconv.FormatBool(viper.GetBool("encrypted-storage-classes"))
 highAvailability := strconv.FormatBool(viper.GetBool("high-availability-control-plane"))
 
+ podPIDLimit := viper.GetInt64("pod-PID-limit")
+
 workerlabels, err := helper.LabelsToMap(workerlabelslice)
 if err != nil {
 return err
@@ -1291,6 +1300,10 @@ func (c *config) updateCluster(args []string) error {
 k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
 }
 
+ if viper.IsSet("pod-PID-limit") {
+ k8s.PodPIDsLimit = &podPIDLimit
+ }
+
 cur.Kubernetes = k8s
 
 cur.EgressRules = makeEgressRules(egress)
diff --git a/go.mod b/go.mod
index 2f2a232..5a02b30 100644
--- a/go.mod
+++ b/go.mod
@@ -8,7 +8,7 @@ require (
 github.com/dustin/go-humanize v1.0.1
 github.com/fatih/color v1.17.0
 github.com/fi-ts/accounting-go v0.10.0
- github.com/fi-ts/cloud-go v0.28.2
+ github.com/fi-ts/cloud-go v0.28.3-0.20240926113006-d907634423a3
 github.com/gardener/gardener v1.91.0
 github.com/gardener/machine-controller-manager v0.53.1
 github.com/go-openapi/runtime v0.28.0
diff --git a/go.sum b/go.sum
index 15ea927..ff6e868 100644
--- a/go.sum
+++ b/go.sum
@@ -92,6 +92,8 @@ github.com/fi-ts/accounting-go v0.10.0 h1:vbPgTWq1iicyBWFRajX0bawZ1ADbhKGuJyNEtX
 github.com/fi-ts/accounting-go v0.10.0/go.mod h1:ARKouuFYUV44xUKytAlczpzoti/S+o+PnXCN5BQA6nQ=
 github.com/fi-ts/cloud-go v0.28.2 h1:t+HTHxx7J0d46hbI1E3rL1DKcAO4b4knC6JITEB2n6k=
 github.com/fi-ts/cloud-go v0.28.2/go.mod h1:R7JMkC92eGvxkkMO1oP6lEevBH86DFiO9H9mo7YD5Sw=
+github.com/fi-ts/cloud-go v0.28.3-0.20240926113006-d907634423a3 h1:eh7PD5bmbHaRwA3LHY3sr3Drp/odYulPXlqoYggraMs=
+github.com/fi-ts/cloud-go v0.28.3-0.20240926113006-d907634423a3/go.mod h1:R7JMkC92eGvxkkMO1oP6lEevBH86DFiO9H9mo7YD5Sw=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=

From da2e0e6179fae5db4e6e0a065247b24fd0cb76bf Mon Sep 17 00:00:00 2001
From: Gerrit
Date: Wed, 2 Oct 2024 14:34:31 +0200
Subject: [PATCH 2/2] Pin.

---
 cmd/cluster.go | 22 ++++++++++++++--------
 go.mod | 2 +-
 go.sum | 6 ++----
 3 files changed, 17 insertions(+), 13 deletions(-)

diff --git a/cmd/cluster.go b/cmd/cluster.go
index e3f14c8..23f2e3e 100644
--- a/cmd/cluster.go
+++ b/cmd/cluster.go
@@ -247,7 +247,7 @@ func newClusterCmd(c *config) *cobra.Command {
 clusterCreateCmd.Flags().Bool("enable-kube-apiserver-acl", false, "restricts access from outside to the kube-apiserver to the source ip addresses set by --kube-apiserver-acl-allowed-cidrs [optional].")
 clusterCreateCmd.Flags().String("network-isolation", "", "defines restrictions to external network communication for the cluster, can be one of baseline|restricted|isolated. baseline sets no special restrictions to external networks, restricted by default only allows external traffic to explicitly allowed destinations, forbidden disallows communication with external networks except for a limited set of networks. Please consult the documentation for detailed descriptions of the individual modes as these cannot be altered anymore after creation. [optional]")
 clusterCreateCmd.Flags().Bool("high-availability-control-plane", false, "enables a high availability control plane for the cluster, cannot be disabled again")
- clusterCreateCmd.Flags().Int64("pod-PID-limit", 1000, "controls the maximum number of process IDs per pod allowed by the kubelet")
+ clusterCreateCmd.Flags().Int64("kubelet-pod-pid-limit", 0, "controls the maximum number of process IDs per pod allowed by the kubelet")
 
 genericcli.Must(clusterCreateCmd.MarkFlagRequired("name"))
 genericcli.Must(clusterCreateCmd.MarkFlagRequired("project"))
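Review bot: The help text of the new `kubelet-pod-pid-limit` flag on clusterCreateCmd does not say that the value is only accepted together with `--yes-i-really-mean-it` (that check sits in clusterCreate further down this file), nor what the default of 0 stands for, while the neighbouring flags mark optional settings with a trailing [optional]. If, as is usual for bound pflags, `viper.IsSet` reports only flags that were explicitly passed, an explicit `--kubelet-pod-pid-limit 0` is forwarded to the API as-is, so 0 is not a "keep the platform default" sentinel here and the help should not suggest it is. Suggest `"controls the maximum number of process IDs per pod allowed by the kubelet, must be passed together with --yes-i-really-mean-it [optional]"`; the parallel flag on clusterUpdateCmd has the same gap. newClusterCmd starts and ends outside this hunk.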
@@ -339,7 +339,7 @@ func newClusterCmd(c *config) *cobra.Command {
 clusterUpdateCmd.Flags().StringSlice("kube-apiserver-acl-remove-from-allowed-cidrs", []string{}, "comma-separated list of external CIDRs to be removed from the allowed CIDRs to connect to the kube-apiserver (e.g. \"212.34.68.0/24,212.34.89.0/27\")")
 clusterUpdateCmd.Flags().Bool("enable-kube-apiserver-acl", false, "restricts access from outside to the kube-apiserver to the source ip addresses set by --kube-apiserver-acl-* [optional].")
 clusterUpdateCmd.Flags().Bool("high-availability-control-plane", false, "enables a high availability control plane for the cluster, cannot be disabled again")
- clusterUpdateCmd.Flags().Int64("pod-PID-limit", 1000, "controls the maximum number of process IDs per pod allowed by the kubelet")
+ clusterUpdateCmd.Flags().Int64("kubelet-pod-pid-limit", 0, "controls the maximum number of process IDs per pod allowed by the kubelet")
 
 genericcli.Must(clusterUpdateCmd.RegisterFlagCompletionFunc("version", c.comp.VersionListCompletion))
 genericcli.Must(clusterUpdateCmd.RegisterFlagCompletionFunc("workerversion", c.comp.VersionListCompletion))
@@ -452,7 +452,7 @@ func (c *config) clusterCreate() error {
 enableNodeLocalDNS := viper.GetBool("enable-node-local-dns")
 disableForwardToUpstreamDNS := viper.GetBool("disable-forwarding-to-upstream-dns")
 highAvailability := strconv.FormatBool(viper.GetBool("high-availability-control-plane"))
- podPIDLimit := viper.GetInt64("pod-PID-limit")
+ podpidLimit := viper.GetInt64("kubelet-pod-pid-limit")
 
 var cni string
 if viper.IsSet("cni") {
@@ -692,8 +692,11 @@ WARNING: You are going to create a cluster that has no default internet access w
 }
 }
 
- if viper.IsSet("pod-PID-limit") {
- scr.Kubernetes.PodPIDsLimit = &podPIDLimit
+ if viper.IsSet("kubelet-pod-pid-limit") {
+ if !viper.GetBool("yes-i-really-mean-it") {
+ return fmt.Errorf("--kubelet-pod-pid-limit can only be changed in combination with --yes-i-really-mean-it because this change can lead to pods not starting anymore in the cluster")
+ }
+ scr.Kubernetes.PodPIDsLimit = &podpidLimit
 }
 
 egressRules := makeEgressRules(egress)
@@ -933,7 +936,7 @@ func (c *config) updateCluster(args []string) error {
 encryptedStorageClasses := strconv.FormatBool(viper.GetBool("encrypted-storage-classes"))
 highAvailability := strconv.FormatBool(viper.GetBool("high-availability-control-plane"))
 
- podPIDLimit := viper.GetInt64("pod-PID-limit")
+ podpidLimit := viper.GetInt64("kubelet-pod-pid-limit")
 
 workerlabels, err := helper.LabelsToMap(workerlabelslice)
 if err != nil {
@@ -1300,8 +1303,11 @@ func (c *config) updateCluster(args []string) error {
 k8s.DefaultPodSecurityStandard = pointer.Pointer(viper.GetString("default-pod-security-standard"))
 }
 
- if viper.IsSet("pod-PID-limit") {
- k8s.PodPIDsLimit = &podPIDLimit
+ if viper.IsSet("kubelet-pod-pid-limit") {
+ if !viper.GetBool("yes-i-really-mean-it") {
+ return fmt.Errorf("--kubelet-pod-pid-limit can only be changed in combination with --yes-i-really-mean-it because this change can lead to pods not starting anymore in the cluster")
+ }
+ k8s.PodPIDsLimit = &podpidLimit
 }
 
 cur.Kubernetes = k8s
diff --git a/go.mod b/go.mod
index 5a02b30..1a22795 100644
--- a/go.mod
+++ b/go.mod
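Review bot: The confirmation gate added in clusterCreate reads `yes-i-really-mean-it`, but that flag is not registered on clusterCreateCmd anywhere in the flag block visible at the top of this file; if it only exists on the update command, `viper.GetBool` is always false here and every create that passes `--kubelet-pod-pid-limit` fails with the new error. The rationale in the message ("pods not starting anymore") also describes changing a running cluster rather than creating a fresh one, and the message says "changed" where create sets the value for the first time. What both paths are missing is a sanity check on the value itself: a zero or negative limit passes `viper.IsSet` and is sent to the API unchanged, and a too-small limit is exactly what keeps pods from starting, while a per-pod PID cap is what stops a runaway pod from exhausting the node's PIDs, so silently disabling it is not desirable either. Suggest replacing the gate on the create path with `if podpidLimit <= 0 { return fmt.Errorf("--kubelet-pod-pid-limit must be a positive number, got %d", podpidLimit) }` and adding the same check next to the confirmation in updateCluster (the @@ -1300 hunk); whether the API enforces a minimum of its own I cannot tell from here. clusterCreate and updateCluster both start and end outside these hunks.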
@@ -8,7 +8,7 @@ require (
 github.com/dustin/go-humanize v1.0.1
 github.com/fatih/color v1.17.0
 github.com/fi-ts/accounting-go v0.10.0
- github.com/fi-ts/cloud-go v0.28.3-0.20240926113006-d907634423a3
+ github.com/fi-ts/cloud-go v0.29.0
 github.com/gardener/gardener v1.91.0
 github.com/gardener/machine-controller-manager v0.53.1
 github.com/go-openapi/runtime v0.28.0
diff --git a/go.sum b/go.sum
index ff6e868..049ed2c 100644
--- a/go.sum
+++ b/go.sum
@@ -90,10 +90,8 @@ github.com/fatih/color v1.17.0 h1:GlRw1BRJxkpqUCBKzKOw098ed57fEsKeNjpTe3cSjK4=
 github.com/fatih/color v1.17.0/go.mod h1:YZ7TlrGPkiz6ku9fK3TLD/pl3CpsiFyu8N92HLgmosI=
 github.com/fi-ts/accounting-go v0.10.0 h1:vbPgTWq1iicyBWFRajX0bawZ1ADbhKGuJyNEtXjpr08=
 github.com/fi-ts/accounting-go v0.10.0/go.mod h1:ARKouuFYUV44xUKytAlczpzoti/S+o+PnXCN5BQA6nQ=
-github.com/fi-ts/cloud-go v0.28.2 h1:t+HTHxx7J0d46hbI1E3rL1DKcAO4b4knC6JITEB2n6k=
-github.com/fi-ts/cloud-go v0.28.2/go.mod h1:R7JMkC92eGvxkkMO1oP6lEevBH86DFiO9H9mo7YD5Sw=
-github.com/fi-ts/cloud-go v0.28.3-0.20240926113006-d907634423a3 h1:eh7PD5bmbHaRwA3LHY3sr3Drp/odYulPXlqoYggraMs=
-github.com/fi-ts/cloud-go v0.28.3-0.20240926113006-d907634423a3/go.mod h1:R7JMkC92eGvxkkMO1oP6lEevBH86DFiO9H9mo7YD5Sw=
+github.com/fi-ts/cloud-go v0.29.0 h1:0MSgs4BiBBcCDWEXTwg3h15r0yRf1mGV/17XQ/LGSec=
+github.com/fi-ts/cloud-go v0.29.0/go.mod h1:pcGGl+M2OmtvwyuTEOimqSHrZngDotG69lmBzEbx6cc=
 github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8=
 github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0=
 github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA=