Update windows.md to run as a windows service (in support of containerd) #1874
Conversation
Codecov Report
@@ Coverage Diff @@
## main #1874 +/- ##
=======================================
Coverage ? 65.00%
=======================================
Files ? 197
Lines ? 17507
Branches ? 0
=======================================
Hits ? 11380
Misses ? 4941
Partials ? 1186
Flags with carried forward coverage won't be shown. Click here to find out more. |
|
@ruicao93 just a first draft of a patch for docs , |
jayunit100
changed the title
|
Fixes: #1889 @jayunit100 Thanks for your PR. Do you need me continue the PR if you have no time to address the comments? |
There was a problem hiding this comment.
Thanks Zhecheng.
- Have you tried the service installation method?
- Another thing we need to consider is that the agent config may need to be updated in some cases(e.g. new antrea-controller Pod is deployed). If the case happens, antrea-agent service will cannot start. [Windows] Always update agent configs on startup #1847
docs/windows.md
Outdated
|
|
||
| mv antrea-agent-windows-x86_64.exe c:/k/antrea/bin/antrea-agent.exe | ||
| Import-Module ./helper.psm1 | ||
| Install-AntreaAgent -KubernetesVersion "v1.20.2" -KubernetesHome "c:/k" -KubeConfig "C:/etc/kubernetes/kubelet.conf" -AntreaVersion "${TAG}" -AntreaHome "c:/k/antrea" |
There was a problem hiding this comment.
what's the requirement for the K8s version? And should we update the default K8s version in the existing powershell scripts? Maybe the scripts should use the value returned by https://storage.googleapis.com/kubernetes-release/release/stable.txt by default?
There was a problem hiding this comment.
KubeConfig is important here as well, we've prototyped with this being the kubelet.conf but by default the node doesn't have access to everything it needs, is there a way that we can allow the node config to do what it needs to or is that a security problem and can we think of a way around it (avoiding manually creating the kubeconfig)
There was a problem hiding this comment.
Thank you @antoninbas and @perithompson . I am investigating these issues. Yes, on my testbed, kubelet.conf is not enough to get secret in Install-AntreaAgent().
There was a problem hiding this comment.
Discussed with @ruicao93. As for the K8s version, there's no requirement. So here v1.20.4 is just an example, users should keep it consistent with K8s version on other nodes. I changed it to <KubernetesVersion> and users should fill it up.
As for kubeconfig, it is users' responsibility to provide a valid kubeconfig. Whether using admin.conf or a customed one, it's up to the user. I changed it to <KubeconfigPath> and users should fill it up.
There was a problem hiding this comment.
understood, it's just incredibly difficult to automate this at node creation time so I was wondering if there was a way around this to help? Either way, have we got a method of generating this kubeconfig, either on Linux or on Windows that we could add to this document as there is no explanation of where the kubeconfig comes from.
There was a problem hiding this comment.
I have mentioned that kubeconfig can be copied from /etc/kubernetes/admin.conf on ControlPlane node. I suppose it is enough for users.
There was a problem hiding this comment.
An alternative could be to provide a script to generate all the required kubeconfig files (2 for antrea-agent and 1 for kube-proxy) using the "admin" kubeconfig. This process would need to be done only once per cluster instead of on every Node. We could then use a DaemonSet to distribute and install the generated kubeconfig files to each Windows Node in the cluster. As a new Node joins the cluster, the files would be installed automatically. But maybe that's an overkill...
It seems that currently we recommend running kube-proxy with the "admin" kubeconfig (/etc/kubernetes/admin.conf copied from the control-plane mode), which seems like too many permissions.
There was a problem hiding this comment.
I agree it is an overkill. A simple script is enough to distribute kubeconfig to nodes. Then how about this? Admin kubeconfig is used to Install-AntreaAgent because such permission is required to get secret and kubelet one is used to install kube-proxy. I have updated this doc.
There was a problem hiding this comment.
In the context of capi, when you create a node, you only have control of actions that happen on the host as an administrator, so in theory I guess you could get it from another host from the cluster but securing that is a nightmare too!
lzhecheng
force-pushed
the
patch-14
branch
4 times, most recently
from
13830c1
to
362abd4
Compare
lzhecheng
force-pushed
the
patch-14
branch
2 times, most recently
from
fd52d61
to
803689e
Compare
docs/windows.md
Outdated
| New-KubeProxyServiceInterface | ||
|
|
||
| mkdir "${KubernetesHome}/antrea/logs" | ||
| nssm install kube-proxy "${KubernetesHome}/kube-proxy.exe" "--proxy-mode=userspace --kubeconfig=$KubeletKubeConfig --log-dir=c:/var/log/kube-proxy --logtostderr=false --alsologtostderr" |
There was a problem hiding this comment.
What about use config file like KubeProxyKubeConfig instead of KubeletKubeConfig. It means let user specify a kubeconfig file used by kube-proxy. The kubelet configfile contains too many permissions.
For example, user could generate the KubeProxyKubeConfig use the kube-proxy service account.
There was a problem hiding this comment.
@lzhecheng any thoughts on that, is there any upstream reference on running kube-proxy as a service?
There was a problem hiding this comment.
@antoninbas this doc uses sc.exe but nssm is similar here.
https://kubernetes.io/docs/setup/production-environment/windows/intro-windows-in-kubernetes/#troubleshooting
There was a problem hiding this comment.
KubeletKubeConfig is changed to KubeProxyKubeconfigPath.
docs/windows.md
Outdated
| New-KubeProxyServiceInterface | ||
|
|
||
| mkdir "${KubernetesHome}/antrea/logs" | ||
| nssm install kube-proxy "${KubernetesHome}/kube-proxy.exe" "--proxy-mode=userspace --kubeconfig=$KubeletKubeConfig --log-dir=c:/var/log/kube-proxy --logtostderr=false --alsologtostderr" |
There was a problem hiding this comment.
@lzhecheng any thoughts on that, is there any upstream reference on running kube-proxy as a service?
docs/windows.md
Outdated
|
|
||
| ### Installation via wins (docker based runtimes) | ||
|
|
||
| Installing Antrea as a wins service gives you a lot of flexibility to manage it as a Pod, but currently this only works |
There was a problem hiding this comment.
Installing Antrea using wins..
There was a problem hiding this comment.
I just feel "as wins service" might confuse people - thinking it means Windows service.
There was a problem hiding this comment.
I think @jayunit100 is referring to https://github.com/rancher/wins. Is it correct?
There was a problem hiding this comment.
I know. But not all readers understand what is a "wins service", so I suggest to rephrase the sentence as: "Installing Antrea using wins gives.."
There was a problem hiding this comment.
Got it. I updated the sentence and added a link to the repo.
Co-authored-by: Zhecheng Li <[email protected]>
|
/skip-all |
|
The "Verify docs and spelling" is failing because of an issue that has been fixed in "main". I will use admin privileges to merge. |
|
Thanks again @lzhecheng for picking up this PR! |
quick update for antrea, as a windows service