josselin-c/fix-kubelet.yaml

## fix-kubelet.yaml
# This serves as a stopgap fix for https://github.com/kubernetes/kops/issues/3891
kind: DaemonSet
apiVersion: extensions/v1beta1
metadata:
  namespace: kube-system
  name: fix-kubelet
  labels:
    app: fix-kubelet
spec:
  template:
    metadata:
      labels:
        app: fix-kubelet
    spec:
      tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      hostPID: true
      containers:
        - name: fix-kubelet
          image: gcr.io/google-containers/startup-script:v1
          securityContext:
            privileged: true
          env:
          - name: STARTUP_SCRIPT
            value: |
              #!/bin/bash
              set -e

              export KUBECONFIG=/var/lib/kubelet/kubeconfig
              wget -O kubectl --quiet https://storage.googleapis.com/kubernetes-release/release/v1.7.8/bin/linux/amd64/kubectl
              chmod +x kubectl

              echo "" > /tmp/masters_prev

              iptables -N kubelet-filter || true
              iptables -F kubelet-filter
              iptables -D INPUT -j kubelet-filter || true

              # Just check we can communicate with the api server before setting iptables rules
              ./kubectl get nodes

              # Set rules and redirect INPUT trafic
              iptables -I kubelet-filter -p tcp -m tcp --dport 10250 -j REJECT --reject-with icmp-port-unreachable
              iptables -I INPUT -j kubelet-filter

              while :; do
                up=0
                ./kubectl get nodes -l kubernetes.io/role=master -o jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}' > /tmp/masters

                # Remove stale masters from acceptance set
                while read -r MASTER; do
                    if [ x"$MASTER" != "x" ]; then
                      iptables -D kubelet-filter -s $MASTER/32 -p tcp -m tcp --dport 10250 -j RETURN
                      up=1
                    fi
                done <<< "$(comm -23 /tmp/masters_prev /tmp/masters)"

                # Add new masters
                while read -r MASTER; do
                    if [ x"$MASTER" != "x" ]; then
                      iptables -I kubelet-filter -s $MASTER/32 -p tcp -m tcp --dport 10250 -j RETURN
                      up=1
                    fi
                done <<< "$(comm -13 /tmp/masters_prev /tmp/masters)"


                if [ "$up" -eq 1 ]; then
                  echo "iptables rules updated:"
                  iptables --list-rules
                fi

                cp /tmp/masters /tmp/masters_prev
                sleep 60
              done
	# This serves as a stopgap fix for https://github.com/kubernetes/kops/issues/3891
	kind: DaemonSet
	apiVersion: extensions/v1beta1
	metadata:
	namespace: kube-system
	name: fix-kubelet
	labels:
	app: fix-kubelet
	spec:
	template:
	metadata:
	labels:
	app: fix-kubelet
	spec:
	tolerations:
	- key: node-role.kubernetes.io/master
	effect: NoSchedule
	hostPID: true
	containers:
	- name: fix-kubelet
	image: gcr.io/google-containers/startup-script:v1
	securityContext:
	privileged: true
	env:
	- name: STARTUP_SCRIPT
	value: \|
	#!/bin/bash
	set -e

	export KUBECONFIG=/var/lib/kubelet/kubeconfig
	wget -O kubectl --quiet https://storage.googleapis.com/kubernetes-release/release/v1.7.8/bin/linux/amd64/kubectl
	chmod +x kubectl

	echo "" > /tmp/masters_prev

	iptables -N kubelet-filter \|\| true
	iptables -F kubelet-filter
	iptables -D INPUT -j kubelet-filter \|\| true

	# Just check we can communicate with the api server before setting iptables rules
	./kubectl get nodes

	# Set rules and redirect INPUT trafic
	iptables -I kubelet-filter -p tcp -m tcp --dport 10250 -j REJECT --reject-with icmp-port-unreachable
	iptables -I INPUT -j kubelet-filter

	while :; do
	up=0
	./kubectl get nodes -l kubernetes.io/role=master -o jsonpath='{range .items[*]}{.status.addresses[?(@.type=="InternalIP")].address}{"\n"}{end}' > /tmp/masters

	# Remove stale masters from acceptance set
	while read -r MASTER; do
	if [ x"$MASTER" != "x" ]; then
	iptables -D kubelet-filter -s $MASTER/32 -p tcp -m tcp --dport 10250 -j RETURN
	up=1
	fi
	done <<< "$(comm -23 /tmp/masters_prev /tmp/masters)"

	# Add new masters
	while read -r MASTER; do
	if [ x"$MASTER" != "x" ]; then
	iptables -I kubelet-filter -s $MASTER/32 -p tcp -m tcp --dport 10250 -j RETURN
	up=1
	fi
	done <<< "$(comm -13 /tmp/masters_prev /tmp/masters)"


	if [ "$up" -eq 1 ]; then
	echo "iptables rules updated:"
	iptables --list-rules
	fi

	cp /tmp/masters /tmp/masters_prev
	sleep 60
	done