Merge pull request #1256 from etungsten/k8s-1.19

Add aws-k8s-1.19 variant with Kubernetes 1.19

.github/workflows/build.yml

@@ -8,7 +8,7 @@ jobs:
     continue-on-error: ${{ matrix.supported }}
     strategy:
       matrix:
-        variant: [aws-k8s-1.15, aws-k8s-1.16, aws-k8s-1.17, aws-k8s-1.18, aws-ecs-1]
+        variant: [aws-k8s-1.15, aws-k8s-1.16, aws-k8s-1.17, aws-k8s-1.18, aws-k8s-1.19, aws-ecs-1]
         arch: [x86_64, aarch64]
         supported: [true]
         include:

packages/Cargo.toml

@@ -31,6 +31,7 @@ members = [
     "kubernetes-1.16",
     "kubernetes-1.17",
     "kubernetes-1.18",
+    "kubernetes-1.19",
     "libacl",
     "libattr",
     "libaudit",

packages/kubernetes-1.19/0001-always-set-relevant-variables-for-cross-compiling.patch

@@ -0,0 +1,77 @@
+From 43460991812f41748d2ebbb846e3d956b40b26ae Mon Sep 17 00:00:00 2001
+From: Ben Cressey <[email protected]>
+Date: Sat, 18 May 2019 16:57:12 +0000
+Subject: [PATCH 1/4] always set relevant variables for cross compiling
+
+Signed-off-by: Ben Cressey <[email protected]>
+---
+ hack/lib/golang.sh | 52 ++++++++++++++++++++++++++--------------------
+ 1 file changed, 30 insertions(+), 22 deletions(-)
+
+diff --git a/hack/lib/golang.sh b/hack/lib/golang.sh
+index e9c3b066..14c15994 100755
+--- a/hack/lib/golang.sh
++++ b/hack/lib/golang.sh
+@@ -394,29 +394,37 @@ kube::golang::set_platform_envs() {
+   export GOOS=${platform%/*}
+   export GOARCH=${platform##*/}
+
+-  # Do not set CC when building natively on a platform, only if cross-compiling from linux/amd64
+-  if [[ $(kube::golang::host_platform) == "linux/amd64" ]]; then
+-    # Dynamic CGO linking for other server architectures than linux/amd64 goes here
+-    # If you want to include support for more server platforms than these, add arch-specific gcc names here
+-    case "${platform}" in
+-      "linux/arm")
+-        export CGO_ENABLED=1
+-        export CC=arm-linux-gnueabihf-gcc
+-        ;;
+-      "linux/arm64")
+-        export CGO_ENABLED=1
+-        export CC=aarch64-linux-gnu-gcc
+-        ;;
+-      "linux/ppc64le")
+-        export CGO_ENABLED=1
+-        export CC=powerpc64le-linux-gnu-gcc
+-        ;;
+-      "linux/s390x")
+-        export CGO_ENABLED=1
+-        export CC=s390x-linux-gnu-gcc
+-        ;;
+-    esac
++  # Apply standard values for CGO_ENABLED and CC unless KUBE_BUILD_PLATFORMS is set.
++  if [ -z "${KUBE_BUILD_PLATFORMS}" ] ; then
++      export CGO_ENABLED=0
++      export CC=gcc
++      return
+   fi
++
++  # Dynamic CGO linking for other server architectures goes here
++  # If you want to include support for more server platforms than these, add arch-specific gcc names here
++  case "${platform}" in
++    "linux/amd64")
++      export CGO_ENABLED=1
++      export CC=x86_64-bottlerocket-linux-gnu-gcc
++      ;;
++    "linux/arm")
++      export CGO_ENABLED=1
++      export CC=arm-bottlerocket-linux-gnueabihf-gcc
++      ;;
++    "linux/arm64")
++      export CGO_ENABLED=1
++      export CC=aarch64-bottlerocket-linux-gnu-gcc
++      ;;
++    "linux/ppc64le")
++      export CGO_ENABLED=1
++      export CC=powerpc64le-bottlerocket-linux-gnu-gcc
++      ;;
++    "linux/s390x")
++      export CGO_ENABLED=1
++      export CC=s390x-bottlerocket-linux-gnu-gcc
++      ;;
++  esac
+ }
+
+ kube::golang::unset_platform_envs() {
+-- 
+2.21.0
+

packages/kubernetes-1.19/0002-override-SELinux-label-for-kubelet-plugins.patch

@@ -0,0 +1,24 @@
+From 03c21553cbd554761302f49f4e3e5c1d78a209cc Mon Sep 17 00:00:00 2001
+From: Ben Cressey <[email protected]>
+Date: Tue, 17 Mar 2020 20:14:31 +0000
+Subject: [PATCH 4/4] override SELinux label for kubelet plugins
+
+Signed-off-by: Ben Cressey <[email protected]>
+---
+ pkg/kubelet/config/defaults.go | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/pkg/kubelet/config/defaults.go b/pkg/kubelet/config/defaults.go
+index 6c1e4ebf..1bce6b86 100644
+--- a/pkg/kubelet/config/defaults.go
++++ b/pkg/kubelet/config/defaults.go
+@@ -26,5 +26,5 @@ const (
+ 	DefaultKubeletContainersDirName          = "containers"
+ 	DefaultKubeletPluginContainersDirName    = "plugin-containers"
+ 	DefaultKubeletPodResourcesDirName        = "pod-resources"
+-	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:container_file_t:s0"
++	KubeletPluginsDirSELinuxLabel            = "system_u:object_r:local_t:s0"
+ )
+-- 
+2.21.0
+

packages/kubernetes-1.19/Cargo.toml

@@ -0,0 +1,21 @@
+[package]
+# "." is not allowed in crate names, but we want a friendlier name for the
+# directory and spec file, so we override it below.
+name = "kubernetes-1_19"
+version = "0.1.0"
+edition = "2018"
+publish = false
+build = "build.rs"
+
+[package.metadata.build-package]
+package-name = "kubernetes-1.19"
+
+[lib]
+path = "pkg.rs"
+
+[[package.metadata.build-package.external-files]]
+url = "https://github.com/kubernetes/kubernetes/archive/v1.19.6/kubernetes-1.19.6.tar.gz"
+sha512 = "d7c6db2fa399b04a3acae792546fa0384e6b3a3e5eaa2c1ba6c49d656da0197f5be3d009756313436816f3839825c66ce23a06a1ec35c37f1c3fcfba79f9ac32"
+
+[build-dependencies]
+glibc = { path = "../glibc" }

packages/kubernetes-1.19/build.rs

@@ -0,0 +1,9 @@
+use std::process::{exit, Command};
+
+fn main() -> Result<(), std::io::Error> {
+    let ret = Command::new("buildsys").arg("build-package").status()?;
+    if !ret.success() {
+        exit(1);
+    }
+    Ok(())
+}

packages/kubernetes-1.19/clarify.toml

@@ -0,0 +1,55 @@
+[clarify."github.com/JeffAshton/win_pdh"]
+expression = "BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xb221dcc9 },
+]
+
+[clarify."github.com/daviddengcn/go-colortext"]
+expression = "BSD-3-Clause AND MIT"
+license-files = [
+    { path = "LICENSE", hash = 0x9769fae1 },
+]
+
+[clarify."github.com/ghodss/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00 },
+]
+
+[clarify."github.com/heketi/heketi"]
+# kubernetes only uses code that is under LGPLv3+/Apache 2.0, not the code that is GPLv2+/LGPLv3+
+expression = "LGPL-3.0-or-later OR Apache-2.0"
+license-files = [
+    { path = "LICENSE", hash = 0x3c4b96d1 },
+    { path = "LICENSE-APACHE2", hash = 0x438c8616 },
+    { path = "COPYING-LGPLV3", hash = 0xf0bccb3a },
+]
+skip-files = [ "COPYING-GPLV2" ]
+
+[clarify."github.com/go-bindata/go-bindata"]
+expression = "CC0-1.0"
+license-files = [
+    { path = "LICENSE", hash = 0x393fafd6 },
+]
+
+[clarify."github.com/miekg/dns"]
+expression = "BSD-3-Clause"
+license-files = [
+    { path = "COPYRIGHT", hash = 0xe41dd36c },
+    { path = "LICENSE", hash = 0xbd510d7b },
+]
+
+[clarify."sigs.k8s.io/yaml"]
+expression = "MIT AND BSD-3-Clause"
+license-files = [
+    { path = "LICENSE", hash = 0xcdf3ae00 },
+]
+
+[clarify."honnef.co/go/tools"]
+expression = "MIT AND BSD-3-Clause AND Apache-2.0"
+license-files = [
+    { path = "LICENSE", hash = 0xad378ed2 },
+    { path = "LICENSE-THIRD-PARTY", hash = 0x546425eb },
+    { path = "lint/LICENSE", hash = 0xc6b58232 },
+    { path = "ssa/LICENSE", hash = 0xe656fb62 },
+]

packages/kubernetes-1.19/kubelet-config

@@ -0,0 +1,35 @@
+---
+kind: KubeletConfiguration
+apiVersion: kubelet.config.k8s.io/v1beta1
+address: 0.0.0.0
+authentication:
+  anonymous:
+    enabled: false
+  webhook:
+    cacheTTL: 2m0s
+    enabled: true
+  x509:
+    clientCAFile: "/etc/kubernetes/pki/ca.crt"
+authorization:
+  mode: Webhook
+  webhook:
+    cacheAuthorizedTTL: 5m0s
+    cacheUnauthorizedTTL: 30s
+clusterDomain: {{settings.kubernetes.cluster-domain}}
+clusterDNS:
+- {{settings.kubernetes.cluster-dns-ip}}
+resolvConf: "/etc/resolv.conf"
+hairpinMode: hairpin-veth
+cgroupDriver: systemd
+cgroupRoot: "/"
+runtimeRequestTimeout: 15m
+featureGates:
+  RotateKubeletServerCertificate: true
+  CSIMigration: false
+serializeImagePulls: false
+serverTLSBootstrap: true
+configMapAndSecretChangeDetectionStrategy: Cache
+tlsCipherSuites:
+- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+volumePluginDir: "/var/lib/kubelet/plugins/volume/exec"
+maxPods: {{default 110 settings.kubernetes.max-pods}}

packages/kubernetes-1.19/kubelet-env

@@ -0,0 +1,4 @@
+NODE_IP={{settings.kubernetes.node-ip}}
+NODE_LABELS={{join_map "=" "," "no-fail-if-missing" settings.kubernetes.node-labels}}
+NODE_TAINTS={{join_map "=" "," "no-fail-if-missing" settings.kubernetes.node-taints}}
+POD_INFRA_CONTAINER_IMAGE={{settings.kubernetes.pod-infra-container-image}}

packages/kubernetes-1.19/kubelet-kubeconfig

@@ -0,0 +1,24 @@
+---
+apiVersion: v1
+kind: Config
+clusters:
+- cluster:
+    certificate-authority: "/etc/kubernetes/pki/ca.crt"
+    server: "{{settings.kubernetes.api-server}}"
+  name: kubernetes
+contexts:
+- context:
+    cluster: kubernetes
+    user: kubelet
+  name: kubelet
+current-context: kubelet
+users:
+- name: kubelet
+  user:
+    exec:
+      apiVersion: client.authentication.k8s.io/v1alpha1
+      command: "/usr/bin/aws-iam-authenticator"
+      args:
+      - token
+      - "-i"
+      - "{{settings.kubernetes.cluster-name}}"

packages/kubernetes-1.19/kubelet.service

@@ -0,0 +1,43 @@
+[Unit]
+Description=Kubelet
+Documentation=https://github.com/kubernetes/kubernetes
+After=containerd.service configured.target
+Wants=configured.target
+BindsTo=containerd.service
+
+[Service]
+Type=notify
+EnvironmentFile=/etc/kubernetes/kubelet/env
+ExecStartPre=/sbin/iptables -P FORWARD ACCEPT
+# Pull the pause container image before starting `kubelet` so `containerd/cri` wouldn't have to
+ExecStartPre=/usr/bin/host-ctr \
+    --containerd-socket=/run/dockershim.sock \
+    --namespace=k8s.io \
+    pull-image \
+    --source=${POD_INFRA_CONTAINER_IMAGE}
+ExecStart=/usr/bin/kubelet \
+    --cloud-provider aws \
+    --config /etc/kubernetes/kubelet/config \
+    --kubeconfig /etc/kubernetes/kubelet/kubeconfig \
+    --container-runtime=remote \
+    --container-runtime-endpoint=unix:///run/dockershim.sock \
+    --containerd=/run/dockershim.sock \
+    --network-plugin cni \
+    --root-dir /var/lib/kubelet \
+    --cert-dir /var/lib/kubelet/pki \
+    --node-ip ${NODE_IP} \
+    --node-labels "${NODE_LABELS}" \
+    --register-with-taints "${NODE_TAINTS}" \
+    --pod-infra-container-image ${POD_INFRA_CONTAINER_IMAGE}
+
+Restart=on-failure
+RestartForceExitStatus=SIGPIPE
+RestartSec=5
+Delegate=yes
+KillMode=process
+CPUAccounting=true
+MemoryAccounting=true
+
+[Install]
+WantedBy=multi-user.target
+RequiredBy=mark-successful-boot.service