@hh
Last active August 27, 2018 18:26
Org mode with explorations for APISnoop

Debugging kubeadm-dind-audit-logging

Branch Setup

https://github.com/ii/kubeadm-dind-cluster/tree/audit-policy

kubernetes-retired/kubeadm-dind-cluster#204

#git clone git@github.com:kubernetes-sigs/kubeadm-dind-cluster.git ~/dind
git clone git@github.com:ii/kubeadm-dind-cluster.git ~/dind
cd ~/dind
git checkout -b audit-policy origin/audit-policy

kubeadm-dind with k8s source

https://github.com/kubernetes-sigs/kubeadm-dind-cluster#using-with-kubernetes-source

docker rm -f $(docker ps -a -q)
docker rmi $(docker images -q)
cd ~/go/src/k8s.io/kubernetes
time ~/dind/dind-cluster.sh clean
cd ~/dind/
time ./build/build-local.sh
# cd ~/dind/
# ./build/build-local.sh
cd ~/go/src/k8s.io/kubernetes
export DIND_IMAGE=mirantis/kubeadm-dind-cluster:local
export BUILD_KUBEADM=y
export BUILD_HYPERKUBE=y
time ~/dind/dind-cluster.sh up

Testing

cd ~/go/src/k8s.io/kubernetes
time ~/dind/dind-cluster.sh e2e
 #'[Conformance]'
# '[Slow]|[Serial]|[Disruptive]|[Flaky]|[Feature:.+]'

https://kubernetes.io/docs/reference/access-authn-authz/rbac/#permissive-rbac-permissions

[init] using Kubernetes version: v1.13.0
[preflight] running pre-flight checks
        [WARNING KubernetesVersion]: kubernetes version is greater than kubeadm version. Please consider to upgrade kubeadm. kubernetes version: 1.13.0. Kubeadm version: 1.12.x
        [WARNING FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
I0822 07:25:44.908039     669 kernel_validator.go:81] Validating kernel version
I0822 07:25:44.908172     669 kernel_validator.go:96] Validating kernel config
[preflight/images] Pulling images required for setting up a Kubernetes cluster
[preflight/images] This might take a minute or two, depending on the speed of your internet connection
[preflight/images] You can also perform this action in beforehand using 'kubeadm config images pull'
[kubelet] Writing kubelet environment file with flags to file "/var/lib/kubelet/kubeadm-flags.env"
[kubelet] Writing kubelet configuration to file "/var/lib/kubelet/config.yaml"
[preflight] Activating the kubelet service
[certificates] Generated ca certificate and key.
[certificates] Generated apiserver certificate and key.
[certificates] apiserver serving cert is signed for DNS names [kube-master kubernetes kubernetes.default kubernetes.default.svc kubernetes.default.svc.cluster.local] and IPs [10.96.0.1 172.18.0.2]
[certificates] Generated apiserver-kubelet-client certificate and key.
[certificates] Generated sa key and public key.
[certificates] Generated front-proxy-ca certificate and key.
[certificates] Generated front-proxy-client certificate and key.
[certificates] Generated etcd/ca certificate and key.
[certificates] Generated etcd/server certificate and key.
[certificates] etcd/server serving cert is signed for DNS names [kube-master localhost] and IPs [127.0.0.1 ::1]
[certificates] Generated etcd/peer certificate and key.
[certificates] etcd/peer serving cert is signed for DNS names [kube-master localhost] and IPs [172.18.0.2 127.0.0.1 ::1]
[certificates] Generated etcd/healthcheck-client certificate and key.
[certificates] Generated apiserver-etcd-client certificate and key.
[certificates] valid certificates and keys now exist in "/etc/kubernetes/pki"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/admin.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/kubelet.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/controller-manager.conf"
[kubeconfig] Wrote KubeConfig file to disk: "/etc/kubernetes/scheduler.conf"
[controlplane] Adding extra host path mount "audit-mount" to "kube-apiserver"
[controlplane] wrote Static Pod manifest for component kube-apiserver to "/etc/kubernetes/manifests/kube-apiserver.yaml"
[controlplane] wrote Static Pod manifest for component kube-controller-manager to "/etc/kubernetes/manifests/kube-controller-manager.yaml"
[controlplane] wrote Static Pod manifest for component kube-scheduler to "/etc/kubernetes/manifests/kube-scheduler.yaml"
[etcd] Wrote Static Pod manifest for a local etcd instance to "/etc/kubernetes/manifests/etcd.yaml"
[init] waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests" 
[init] this might take a minute or longer if the control plane images have to be pulled
[apiclient] All control plane components are healthy after 20.002864 seconds
[uploadconfig] storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
[kubelet] Creating a ConfigMap "kubelet-config-1.13" in namespace kube-system with the configuration for the kubelets in the cluster
[markmaster] Marking the node kube-master as master by adding the label "node-role.kubernetes.io/master=''"
[markmaster] Marking the node kube-master as master by adding the taints [node-role.kubernetes.io/master:NoSchedule]
[patchnode] Uploading the CRI Socket information "/var/run/dockershim.sock" to the Node API object "kube-master" as an annotation
[bootstraptoken] using token: bz9yiz.0s2ofw0d6zhg00yq
[bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
[bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
[bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
*** 'kubeadm join --ignore-preflight-errors=all 172.18.0.2:6443 --token bz9yiz.0s2ofw0d6zhg00yq --discovery-token-ca-cert-hash sha256:608746551b2863ebfb865a4bc55d0305a99d3c614fbdf36fb81592242ff274a3' failed, doing kubeadm reset ***
'/etc/cni' -> '/etc/cni.bak'
'/etc/cni/net.d' -> '/etc/cni.bak/net.d'
'/etc/cni/net.d/cni.conf' -> '/etc/cni.bak/net.d/cni.conf'
[preflight] running pre-flight checks
[reset] stopping the kubelet service
[reset] unmounting mounted directories in "/var/lib/kubelet"
[preflight] running pre-flight checks
[reset] stopping the kubelet service
[reset] no etcd manifest found in "/etc/kubernetes/manifests/etcd.yaml". Assuming external etcd
[reset] please manually reset etcd to prevent further issues
[reset] deleting contents of stateful directories: [/var/lib/kubelet /etc/cni/net.d /var/lib/dockershim /var/run/kubernetes]
[reset] deleting contents of config directories: [/etc/kubernetes/manifests /etc/kubernetes/pki]
[reset] deleting files: [/etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf]
[reset] unmounting mounted directories in "/var/lib/kubelet"
[reset] no etcd manifest found in "/etc/kubernetes/manifests/etcd.yaml". Assuming external etcd
[reset] please manually reset etcd to prevent further issues
[reset] deleting contents of stateful directories: [/var/lib/kubelet /etc/cni/net.d /var/lib/dockershim /var/run/kubernetes]
[reset] deleting contents of config directories: [/etc/kubernetes/manifests /etc/kubernetes/pki]
[reset] deleting files: [/etc/kubernetes/admin.conf /etc/kubernetes/kubelet.conf /etc/kubernetes/bootstrap-kubelet.conf /etc/kubernetes/controller-manager.conf /etc/kubernetes/scheduler.conf]
[preflight] running pre-flight checks
[preflight] running pre-flight checks
        [WARNING FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
I0822 07:28:20.286245    2856 kernel_validator.go:81] Validating kernel version
I0822 07:28:20.286365    2856 kernel_validator.go:96] Validating kernel config
        [WARNING FileContent--proc-sys-net-bridge-bridge-nf-call-iptables]: /proc/sys/net/bridge/bridge-nf-call-iptables does not exist
I0822 07:28:20.292405    2847 kernel_validator.go:81] Validating kernel version
I0822 07:28:20.292559    2847 kernel_validator.go:96] Validating kernel config
[discovery] Trying to connect to API Server "172.18.0.2:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://172.18.0.2:6443"
[discovery] Trying to connect to API Server "172.18.0.2:6443"
[discovery] Created cluster-info discovery client, requesting info from "https://172.18.0.2:6443"
[discovery] Requesting info from "https://172.18.0.2:6443" again to validate TLS against the pinned public key
[discovery] Requesting info from "https://172.18.0.2:6443" again to validate TLS against the pinned public key
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "172.18.0.2:6443"
[discovery] Successfully established connection with API Server "172.18.0.2:6443"
[discovery] Cluster info signature and contents are valid and TLS certificate validates against pinned roots, will use API Server "172.18.0.2:6443"
[discovery] Successfully established connection with API Server "172.18.0.2:6443"
[kubelet] Downloading configuration for the kubelet from the "kubelet-config-1.12" ConfigMap in the kube-system namespace
configmaps "kubelet-config-1.12" is forbidden: User "system:bootstrap:bz9yiz" cannot get resource "configmaps" in API group "" in the namespace "kube-system": no RBAC policy matched

Why does running e2e test with a focus on Conformance and skipping all the slow disruptive bits still run all 1032 specs?

*** Running e2e tests with args: --ginkgo.skip=\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:\.+\] --ginkgo.focus=\[Conformance\] --host=http://127.0.0.1:32882
+++ [0822 06:12:49] Verifying Prerequisites....
Cluster "dind" set.
Context "dind" created.
Switched to context "dind".
2018/08/22 06:12:51 e2e.go:158: Updating kubetest binary...
2018/08/22 06:13:27 e2e.go:79: Calling kubetest --verbose-commands=true --v 6 --test --check-version-skew=false --test_args=--ginkgo.noColor --num-nodes=2 --ginkgo.skip=\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:\.+\] --ginkgo.focus=\[Conformance\] --host=http://127.0.0.1:32882...
2018/08/22 06:13:27 util.go:132: Please use kubetest --provider=dind (instead of deprecated KUBERNETES_PROVIDER=dind)
2018/08/22 06:13:27 main.go:1041: Please use kubetest --ginkgo-parallel (instead of deprecated GINKGO_PARALLEL=y)
2018/08/22 06:13:27 process.go:153: Running: ./hack/e2e-internal/e2e-status.sh
Skeleton Provider: prepare-e2e not implemented
Client Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.0-alpha.0.383+229ecedac5084e", GitCommit:"229ecedac5084eba6e93973095cc7846893288da", GitTreeState:"clean", BuildDate:"2018-08-22T06:12:15Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"13+", GitVersion:"v1.13.0-alpha.0.383+229ecedac5084e", GitCommit:"229ecedac5084eba6e93973095cc7846893288da", GitTreeState:"clean", BuildDate:"2018-08-22T05:56:34Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
2018/08/22 06:13:27 process.go:155: Step './hack/e2e-internal/e2e-status.sh' finished in 147.661919ms
2018/08/22 06:13:27 process.go:153: Running: ./cluster/kubectl.sh --match-server-version=false version
2018/08/22 06:13:27 process.go:155: Step './cluster/kubectl.sh --match-server-version=false version' finished in 134.763439ms
2018/08/22 06:13:27 process.go:153: Running: ./hack/ginkgo-e2e.sh --ginkgo.noColor --num-nodes=2 --ginkgo.skip=\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:\.+\] --ginkgo.focus=\[Conformance\] --host=http://127.0.0.1:32882
Conformance test: not doing test setup.
Running Suite: Kubernetes e2e suite
===================================
Random Seed: 1534918408 - Will randomize all specs
Will run 1032 specs

Running in parallel across 25 nodes

Ran 177 of 1032 Specs in 450.760 seconds
SUCCESS! -- 177 Passed | 0 Failed | 0 Pending | 855 Skipped 

Ginkgo ran 1 suite in 7m31.369138928s
Test Suite Passed
2018/08/22 06:20:59 process.go:155: Step './hack/ginkgo-e2e.sh --ginkgo.noColor --num-nodes=2 --ginkgo.skip=\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:\.+\] --ginkgo.focus=\[Conformance\] --host=http://127.0.0.1:32882' finished in 7m31.859376975s


Debugging

clean all docker containers and images

docker rm $(docker ps -a -q) ; docker rmi $(docker images -q)

tight loop

~/dind/dind-cluster.sh clean
cd ~/dind/
./build/build-local.sh
cd ~/go/src/k8s.io/kubernetes
~/dind/dind-cluster.sh up

understand what auditPolicy: in kubeadm.conf should do

It’s not doing what I would expect:

  • setup the apiserver args
  • setup the volumes

It might also make sense to embed the policy yaml as a sub thing within the kubeadm.yaml, making it just need an external file and not having to copy the policy file about.

other notes

kubekins - it’s possible to run tests - https://gist.github.com/dims/033cffa467107bcac8df21e7db72d528 (this uses local up cluster, but can run it without local up cluster too) 

journalctl -xeu kubelet | grep kube-apiserver
Aug 21 20:31:24 kube-master hyperkube[3100]: I0821 20:31:24.197218    3100 file.go:200] Reading config file "/etc/kubernetes/manifests/kube-apiserver.yaml"
Aug 21 20:31:24 kube-master hyperkube[3100]: E0821 20:31:24.199095    3100 file.go:187] Can't process manifest file "/etc/kubernetes/manifests/kube-apiserver.yaml": invalid pod: [spec.volumes[5].name: Invalid value: "auditMount": a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?') spec.containers[0].volumeMounts[5].name: Not found: "auditMount"]
Aug 21 20:31:44 kube-master hyperkube[3100]: I0821 20:31:44.196965    3100 file.go:200] Reading config file "/etc/kubernetes/manifests/kube-apiserver.yaml"
Aug 21 20:31:44 kube-master hyperkube[3100]: E0821 20:31:44.199154    3100 file.go:187] Can't process manifest file "/etc/kubernetes/manifests/kube-apiserver.yaml": invalid pod: [spec.volumes[5].name: Invalid value: "auditMount": a DNS-1123 label must consist of lower case alphanumeric characters or '-', and must start and end with an alphanumeric character (e.g. 'my-name',  or '123-abc', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?') spec.containers[0].volumeMounts[5].name: Not found: "auditMount"]
kubeadm init --config /etc/kubeadm.conf --ignore-preflight-errors=FileContent--proc-sys-net-bridge-bridge-nf-call-iptables 
kubeadm reset && kubeadm init --config /etc/kubeadm.conf --ignore-preflight-errors=all

apiserver does not start after adding auditMount

docker exec kube-master cat /etc/kubernetes/manifests/kube-apiserver.yaml

docker exec kube-master docker ps -a 

CONTAINER ID        IMAGE                  COMMAND                  CREATED             STATUS              PORTS               NAMES
b206593db042        b8df3b177be2           "etcd --advertise-..."   3 minutes ago       Up 3 minutes                            k8s_etcd_etcd-kube-master_kube-system_78263d83ff9d8e4fa24f4ff1b321f5b4_0
03b2a5e2b035        23b6e5d23516           "kube-controller-m..."   3 minutes ago       Up 3 minutes                            k8s_kube-controller-manager_kube-controller-manager-kube-master_kube-system_49c60401cce7c9fefaa5362cd4a90d56_0
de97d38fa194        23b6e5d23516           "kube-scheduler --..."   3 minutes ago       Up 3 minutes                            k8s_kube-scheduler_kube-scheduler-kube-master_kube-system_3b695f958ffb31926f9f96a9389c1ef2_0
30c6a51b746f        k8s.gcr.io/pause:3.1   "/pause"                 3 minutes ago       Up 3 minutes                            k8s_POD_kube-controller-manager-kube-master_kube-system_49c60401cce7c9fefaa5362cd4a90d56_0
a6b6b07e1239        k8s.gcr.io/pause:3.1   "/pause"                 3 minutes ago       Up 3 minutes                            k8s_POD_kube-scheduler-kube-master_kube-system_3b695f958ffb31926f9f96a9389c1ef2_0
aa40eb4b363e        k8s.gcr.io/pause:3.1   "/pause"                 3 minutes ago       Up 3 minutes                            k8s_POD_etcd-kube-master_kube-system_78263d83ff9d8e4fa24f4ff1b321f5b4_0
docker exec kube-master ps -auxwwwww
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.1  0.0  56740  6604 ?        Ss   19:33   0:01 /sbin/dind_init systemd.setenv=CNI_PLUGIN=bridge systemd.setenv=IP_MODE=ipv4 systemd.setenv=POD_NET_PREFIX=10.244.1 systemd.setenv=POD_NET_SIZE=24 systemd.setenv=USE_HAIRPIN=false systemd.setenv=DNS_SVC_IP=10.96.0.10 systemd.setenv=DNS_SERVICE=kube-dns
root        19  0.6  0.0  87048 40424 ?        Ss   19:33   0:06 /lib/systemd/systemd-journald
root        54  0.0  0.0  18040  3056 ?        Ss   19:33   0:00 /bin/bash /usr/local/bin/dindnet
root       105  0.0  0.0  24560  3116 ?        S    19:33   0:00 socat udp4-recvfrom:53,reuseaddr,fork,bind=172.18.0.2 UDP:127.0.0.11:53
root       256  2.9  0.0 2286508 66824 ?       Ssl  19:33   0:30 /usr/bin/dockerd -H fd:// --storage-driver=overlay2 --storage-opt overlay2.override_kernel_check=true -g /dind/docker
root       279  0.2  0.0 1889144 15596 ?       Ssl  19:33   0:02 docker-containerd -l unix:///var/run/docker/libcontainerd/docker-containerd.sock --metrics-interval=0 --start-timeout 2m --state-dir /var/run/docker/libcontainerd/containerd --shim docker-containerd-shim --runtime docker-runc
root       230  0.0  0.0  18188  3112 ?        Ss   19:33   0:00 /bin/bash /usr/local/bin/wrapkubeadm init --config /etc/kubeadm.conf --ignore-preflight-errors=all
root      7930 23.2  0.0  45380 30428 ?        Sl   19:50   0:05 kubeadm init --config /etc/kubeadm.conf --ignore-preflight-errors=all
root      8403  1.1  0.0 10514488 16788 ?      Ssl  19:51   0:00 etcd --advertise-client-urls=https://127.0.0.1:2379 --cert-file=/etc/kubernetes/pki/etcd/server.crt --client-cert-auth=true --data-dir=/var/lib/etcd --initial-advertise-peer-urls=https://127.0.0.1:2380 --initial-cluster=kube-master=https://127.0.0.1:2380 --key-file=/etc/kubernetes/pki/etcd/server.key --listen-client-urls=https://127.0.0.1:2379 --listen-peer-urls=https://127.0.0.1:2380 --name=kube-master --peer-cert-file=/etc/kubernetes/pki/etcd/peer.crt --peer-client-cert-auth=true --peer-key-file=/etc/kubernetes/pki/etcd/peer.key --peer-trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt --snapshot-count=10000 --trusted-ca-file=/etc/kubernetes/pki/etcd/ca.crt
root      8194 10.0  0.0 2231064 104248 ?      Ssl  19:50   0:01 /k8s/hyperkube kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --pod-manifest-path=/etc/kubernetes/manifests --allow-privileged=true --network-plugin=cni --cni-conf-dir=/etc/cni/net.d --cni-bin-dir=/opt/cni/bin --cluster-dns=10.96.0.10 --cluster-domain=cluster.local --eviction-hard=memory.available<100Mi,nodefs.available<100Mi,nodefs.inodesFree<1000 --fail-swap-on=false --bootstrap-kubeconfig=/etc/kubernetes/bootstrap-kubelet.conf --feature-gates=MountPropagation=true,DynamicKubeletConfig=true --v=4
root      8427  2.0  0.0 1064904 85836 ?       Ssl  19:51   0:00 kube-controller-manager --feature-gates=MountPropagation=true,AdvancedAuditing=true --address=127.0.0.1 --cluster-signing-cert-file=/etc/kubernetes/pki/ca.crt --cluster-signing-key-file=/etc/kubernetes/pki/ca.key --controllers=*,bootstrapsigner,tokencleaner --kubeconfig=/etc/kubernetes/controller-manager.conf --leader-elect=true --root-ca-file=/etc/kubernetes/pki/ca.crt --service-account-private-key-file=/etc/kubernetes/pki/sa.key --use-service-account-credentials=true
root      8451  3.0  0.0 1174336 85748 ?       Ssl  19:51   0:00 kube-scheduler --feature-gates=MountPropagation=true,AdvancedAuditing=true --address=127.0.0.1 --kubeconfig=/etc/kubernetes/scheduler.conf --leader-elect=true
root      8287  0.0  0.0 347840  3572 ?        Sl   19:51   0:00 docker-containerd-shim fed63ec2b0cd8d3b24c490c3145efe293347b77e46b6db33da589886a532b969 /var/run/docker/libcontainerd/fed63ec2b0cd8d3b24c490c3145efe293347b77e46b6db33da589886a532b969 docker-runc
root      8310  0.0  0.0 478912  3556 ?        Sl   19:51   0:00 docker-containerd-shim 1ae9336514f45307e6efb714a9fc661833791c5b4c76eb4f8d39cf63fa8d5651 /var/run/docker/libcontainerd/1ae9336514f45307e6efb714a9fc661833791c5b4c76eb4f8d39cf63fa8d5651 docker-runc
root      8320  0.0  0.0 282304  3680 ?        Sl   19:51   0:00 docker-containerd-shim b75d6981e4f3136943110497b8f3152007093791efa1482b779a60bb468e1b3d /var/run/docker/libcontainerd/b75d6981e4f3136943110497b8f3152007093791efa1482b779a60bb468e1b3d docker-runc
root      8386  0.0  0.0 413376  3620 ?        Sl   19:51   0:00 docker-containerd-shim e5a200824f3d7626c35e9542b676a36d40b91fe50ab02f23fef1329469d2aa73 /var/run/docker/libcontainerd/e5a200824f3d7626c35e9542b676a36d40b91fe50ab02f23fef1329469d2aa73 docker-runc
root      8409  0.0  0.0 282304  3808 ?        Sl   19:51   0:00 docker-containerd-shim 577a958ddf532c3fd61e96d078d1ad687d8e6db74699773a0b568e4b1f28d077 /var/run/docker/libcontainerd/577a958ddf532c3fd61e96d078d1ad687d8e6db74699773a0b568e4b1f28d077 docker-runc
root      8433  0.1  0.0 348096  3676 ?        Sl   19:51   0:00 docker-containerd-shim 2d26e9e4e0cecc62adb2c55362ce61449ce049847101b754a091236994a3cb5d /var/run/docker/libcontainerd/2d26e9e4e0cecc62adb2c55362ce61449ce049847101b754a091236994a3cb5d docker-runc
root      8304  0.0  0.0   1020     4 ?        Ss   19:51   0:00 /pause
root      8338  0.1  0.0   1020     4 ?        Ss   19:51   0:00 /pause
root      8352  0.0  0.0   1020     4 ?        Ss   19:51   0:00 /pause

kubeadm config view on kube-master

docker exec kube-master kubeadm config view --kubeconfig /etc/kubernetes/admin.conf

api:
  advertiseAddress: 172.18.0.2
  bindPort: 6443
  controlPlaneEndpoint: ""
apiServerExtraArgs:
  authorization-mode: Node,RBAC
  feature-gates: MountPropagation=true,AdvancedAuditing=true
  insecure-bind-address: 0.0.0.0
  insecure-port: "8080"
apiVersion: kubeadm.k8s.io/v1alpha3
auditPolicy:
  logDir: /etc/kubernetes/audit/
  logMaxAge: 2
  path: /etc/kubernetes/audit-policy.yaml
certificatesDir: /etc/kubernetes/pki
clusterName: kubernetes
controllerManagerExtraArgs:
  feature-gates: MountPropagation=true,AdvancedAuditing=true
etcd:
  local:
    dataDir: /var/lib/etcd
    image: ""
featureGates:
  CoreDNS: false
imageRepository: k8s.gcr.io
kind: InitConfiguration
kubernetesVersion: v1.13.0
networking:
  dnsDomain: cluster.local
  podSubnet: ""
  serviceSubnet: 10.96.0.0/12
nodeRegistration: {}
schedulerExtraArgs:
  feature-gates: MountPropagation=true,AdvancedAuditing=true
unifiedControlPlaneImage: mirantis/hypokube:final

arguments on APIServer container

APISERVER=$(docker exec kube-master \
  docker ps --format '{{.Names}}' \
  --filter label=io.kubernetes.container.name=kube-apiserver) 
docker exec kube-master \
  docker inspect $APISERVER \
    | jq .[0].Args

kubeadm config print-defaults

docker exec kube-master kubeadm config print-defaults

Shoutouts

#sig-cluster-lifecycle

Paul Michali [12:16 AM]

@hh You run build/build-local.sh and then set DIND_IMAGE to use that locally built docker image for k-d-c (export DIND_IMAGE=mirantis/kubeadm-dind-cluster:local).

Leigh Capili [7:16 AM]

@hh, use `apiServerExtraVolumes` for kubeadm section of the volume mounts; it’s an array of HostPathMounts which you can specify as writeable: https://godoc.org/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm#HostPathMount

logging some fixes:

  • add `pathType: DirectoryOrCreate` to the kubeadm config
  • change `name: auditMount` to `name: audit-mount` (kubelet journal shows volume was failing DNS name validation)

note: kubeadm config does not properly validate volume names – we should fix this
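The kubelet journal above rejected `auditMount` against the DNS-1123 label regex only after kubeadm had already written the manifest. The shell check below is an added example (not part of the original notes or of kubeadm): it scans a kubeadm config for names under `*ExtraVolumes` and applies that regex plus the 63-character label limit before `kubeadm init` is run. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check for volume names in a kubeadm config.
# Function names and the sample config are constructed for illustration.

# DNS-1123 label test: the regex quoted in the kubelet journal entry,
# anchored, plus the 63-character limit on DNS labels.
is_dns1123_label() {
  [ "${#1}" -le 63 ] || return 1
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
}

# Print "LINE:NAME" for every name: key found under a top-level
# *ExtraVolumes list (apiServerExtraVolumes on this page).
# Line-oriented on purpose; it expects block-style YAML like kubeadm.conf.
extra_volume_names() {
  awk '
    /^[A-Za-z]/ { in_vols = ($0 ~ /^[A-Za-z]*ExtraVolumes:/); next }
    in_vols && /^[ \t]*(-[ \t]+)?name:/ {
      sub(/^[ \t]*(-[ \t]+)?name:[ \t]*/, "")
      sub(/[ \t]+#.*$/, "")
      sub(/[ \t]+$/, "")
      print NR ":" $0
    }
  ' "$1" | tr -d "\"'"
}

# Report every volume name; return 1 if any would fail kubelet validation.
check_extra_volume_names() {
  cev_bad=0
  cev_found=$(extra_volume_names "$1")
  [ -n "$cev_found" ] || return 0
  while IFS= read -r cev_entry; do
    cev_line=${cev_entry%%:*}
    cev_name=${cev_entry#*:}
    if is_dns1123_label "$cev_name"; then
      echo "line $cev_line: ok '$cev_name'"
    else
      echo "line $cev_line: INVALID '$cev_name' (not a DNS-1123 label)"
      cev_bad=1
    fi
  done <<EOF
$cev_found
EOF
  return "$cev_bad"
}

# Constructed sample: the audit settings from this page plus two extra
# volumes, one with the camelCase name that broke the apiserver manifest.
sample_kubeadm_conf() {
  cat <<'EOF'
apiVersion: kubeadm.k8s.io/v1alpha3
kind: InitConfiguration
auditPolicy:
  logDir: /etc/kubernetes/audit/
  path: /etc/kubernetes/audit-policy.yaml
apiServerExtraVolumes:
- name: auditMount
  hostPath: /etc/kubernetes/audit
  mountPath: /etc/kubernetes/audit
  writable: true
  pathType: DirectoryOrCreate
- name: audit-policy
  hostPath: /etc/kubernetes/audit-policy.yaml
  mountPath: /etc/kubernetes/audit-policy.yaml
  pathType: File
clusterName: kubernetes
EOF
}

conf=$(mktemp)
sample_kubeadm_conf > "$conf"
if check_extra_volume_names "$conf"; then
  echo "volume names are valid"
else
  echo "fix the names above before running kubeadm init"
fi
rm -f "$conf"
```

Pointing `check_extra_volume_names` at the real `/etc/kubeadm.conf` inside `kube-master` gives the same report without waiting for the kubelet to reject the static pod.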

Footnotes

tmate debugging

docker exec -ti kube-master /bin/bash
export APISERVER=$(docker ps --filter label=io.kubernetes.container.name=kube-apiserver --format '{{.Names}}')
export PS1='# MASTER \$ '
export APISERVER=$(docker ps -a --filter label=io.kubernetes.container.name=kube-apiserver --format '{{.Names}}')
docker logs $APISERVER  
# cat /etc/kubeadm.conf
# #
journalctl -xeu kubelet | grep kube-apiserver
#docker ps | grep -v pause\\\|dns\\\|etcd
#docker inspect $APISERVER | jq .[0].Args
#MASTER=$(docker ps --filter label=mirantis.kubeadm_dind_cluster --format "{{.Names}}")
docker exec -ti kube-master /bin/bash
APISERVER=$(docker ps --filter label=io.kubernetes.container.name=kube-apiserver --format '{{.Names}}')
docker exec -ti $APISERVER /bin/bash
export PS1='# APISERVER \$ '
#docker logs $APISERVER 
clear
ps axuwww | grep apiserver
# from docker logs on apiserver
invalid argument "MountPropagation=true,Auditing=true" for "--feature-gates" flag: unrecognized key: Auditing

Collecting e2e Test Coverage with User Agent

kubetest build and deploy via dind

Goals behind kubetest + dind + audit-logging.

  • Enable fast feedback loop
  • Reuse framework used by CI / test-infra
  • Move away from provider specific cloud / test

Issues we ran into:

  • likely kubeadm regression with regards to audit-* arguments
  • kubeadm bootstrapping args / config file formats being alpha
  • kubeadm documentation
  • dind was not bringing up a working cni
  • User-Agent logging did not make it into APIServer until 1.12-0-alpha.1

@bentheelder is currently making kind, which I suspect will be a big improvement.

Latest version of this document is at https://gist.github.com/hh/fd1e58f2d5e879dc8003fe288e09c58c#kubetest-build-and-deploy-via-dind

```shell
  go get -u k8s.io/test-infra/kubetest
  cd ~/go/src/k8s.io/kubernetes/
  bazel build //cmd/kubeadm
  kubetest --build=dind
  kubetest --up --deployment=dind
  export KUBECONFIG=$(ls -rt /tmp/k8s-dind-kubecfg-* | tail -1)
  kubectl get nodes
  DIND_DIR=$(ls -rdt /tmp/dind-k8s-* | tail -1)
  tail -F $DIND_DIR/audit/audit.log
```

TLDR-delete+build+deploy+test

export KUBE_ROOT=$HOME/go/src/k8s.io/kubernetes/
export TOOL_ROOL=$HOME/go/src/k8s.io/test-infra/dind/
export KUBERNETES_PROVIDER=skeleton
export KUBERNETES_CONFORMANCE_TEST=y 
#export TEST_ARGS="--ginkgo.focus='\[Conformance\]' --ginkgo.seed=1436380640 --v=2 --provider=skeleton"
#unset KUBECONFIG
cd ~/go/src/k8s.io/kubernetes/
###### We can build with make:
#time make -j 8 GOGCFLAGS="-N -l -v" WHAT=test/e2e/e2e.test
#PREFIX=./_output/local/bin/linux/amd64
###### We can build with Bazel
time bazel build //test/e2e:e2e.test
PREFIX=./bazel-bin/test/e2e
export GINKGO_PARALLEL=y
# Will run 179 of 1032 specs
time $PREFIX/e2e.test \
  --ginkgo.parallel.total=48 \
  --ginkgo.focus='\[Conformance\]' \
  --ginkgo.skip='\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]' \
  --ginkgo.seed=1436380640 \
  --v=2 \
  --provider=skeleton
time (
  export KUBE_ROOT=$HOME/go/src/k8s.io/kubernetes/
  export TOOL_ROOL=$HOME/go/src/k8s.io/test-infra/dind/
  export KUBERNETES_PROVIDER=skeleton
  export KUBERNETES_CONFORMANCE_TEST=y 
  #export TEST_ARGS="--ginkgo.focus='\[Conformance\]' --ginkgo.seed=1436380640 --v=2 --provider=skeleton"
  #unset KUBECONFIG
  cd ~/go/src/k8s.io/kubernetes/
  time go get -u k8s.io/test-infra/kubetest
  time kubetest --build=dind --up --deployment=dind
  ###### We can build with make:
  #time make -j 8 GOGCFLAGS="-N -l -v" WHAT=test/e2e/e2e.test
  #PREFIX=./_output/local/bin/linux/amd64
  ###### We can build with Bazel
  time bazel build //test/e2e:e2e.test
  PREFIX=./bazel-bin/test/e2e
  export KUBECONFIG=$(ls -rt /tmp/k8s-dind-kubecfg-* | tail -1)
  export DIND_K8S_DATA=$(ls -drt /tmp/dind-k8* | tail -1)
  export GINKGO_PARALLEL=y
  # Will run 179 of 1032 specs
  time $PREFIX/e2e.test \
    --ginkgo.parallel.total=48 \
    --ginkgo.focus='\[Conformance\]' \
    --ginkgo.skip='\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]' \
    --ginkgo.seed=1436380640 \
    --v=2 \
    --provider=skeleton
  ##### maybe we should try ginkgo-e2e.sh ?
  time ./hack/ginkgo-e2e.sh \
    --ginkgo.parallel.total=48 \
    --ginkgo.focus='\[Conformance\]' \
    --ginkgo.skip='\[Slow\]|\[Serial\]|\[Disruptive\]|\[Flaky\]|\[Feature:.+\]' \
    --ginkgo.seed=1436380640 \
    --v=2 \
    --provider=skeleton \
    --report-dir=$DIND_K8S_DATA/report
  #  time ./_output/local/bin/linux/amd64/e2e.test --ginkgo.focus='\[Serial\]' --ginkgo.seed=1436380640 --v=2 --provider=skeleton
  # time ./_output/local/bin/linux/amd64/e2e.test --ginkgo.skip='\[Serial\]' --ginkgo.seed=1436380640 --v=2 --provider=skeleton
  cp $DIND_K8S_DATA/audit.log $HOME/apisnoop-e2e-conformance+$(date +%F+%T).log
  ##### Preferred way, that does not yet work
  # This gives a GinkgoTester: Kuberoot cannot be empty error
  # time kubetest --build=dind --up --deployment=dind --test --test_args="$TEST_ARGS"
)
export KUBECONFIG=$(ls -rt /tmp/k8s-dind-kubecfg-* | tail -1)
export DIND_K8S_DATA=$(ls -drt /tmp/dind-k8* | tail -1)
kubectl get nodes
kubectl describe node -l node-role.kubernetes.io/master
kubectl get pods --all-namespaces
kubectl describe pod -l k8s-app=calico-kube-controllers --namespace=kube-system
cd $DIND_K8S_DATA/audit
ls -la
DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
KUBECONFIG=$(ls -rt /tmp/k8s-dind-kubecfg-* | tail -1)
DIND_DIR=$(ls -rdt /tmp/dind-k8s-* | tail -1)
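# I'd like to ensure the above are set BEFORE we rm -rf directories
# Stop here if any of them is unset or empty
: "${DIND:?not set}" "${DIND_DIR:?not set}" "${KUBECONFIG:?not set}"
cat <<EOF >/tmp/delete
set -x
set -e
docker rm -f "$DIND"
sudo rm -rf "$DIND_DIR"
rm -f "$KUBECONFIG"
EOF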
chmod +x /tmp/delete
# inspect and run this if you want
cat /tmp/delete

kubetest --build/--up/--test w/ dind error

2018/08/20 20:24:33 dind.go:364: All 4 nodes are now healthy.
2018/08/20 20:24:33 main.go:309: Something went wrong: encountered 1 errors: [configuration error in GinkgoTester: Kuberoot cannot be empty]

real    5m18.098s
user    0m3.632s
sys     0m11.520s

build

go get -u k8s.io/test-infra/kubetest
cd ~/go/src/k8s.io/test-infra
git remote add hh git@github.com:hh/test-infra.git
git fetch -a hh
git checkout -b dind-audit-policy hh/dind-audit-policy
go get -u k8s.io/kubernetes
cd ~/go/src/k8s.io/kubernetes
git remote add ii git@github.com:ii/kubernetes.git
git fetch -a ii
git checkout -b e2e-user-agent ii/e2e-user-agent
cd ~/go/src/k8s.io/kubernetes/
# bazel build //cmd/kubeadm
go get -u k8s.io/test-infra/kubetest
kubetest --build=dind

deploy

cd ~/go/src/k8s.io/kubernetes/
kubetest --up --deployment=dind

test

export KUBERNETES_CONFORMANCE_TEST=y 
export KUBECONFIG=$(ls -rt /tmp/k8s-dind-kubecfg-* | tail -1)
export DIND_K8S_DATA=$(ls -drt /tmp/dind-k8* | tail -1)
# cp $DIND_K8S_DATA/audit/audit.log .
export TEST_ARGS="--ginkgo.focus='\[Conformance\]' --ginkgo.seed=1436380640 --v=2 --provider=skeleton"
cd ~/go/src/k8s.io/kubernetes/
# I think this should be rebuilt by now?
make -j 8 GOGCFLAGS="-N -l -v" WHAT=test/e2e/e2e.test
./_output/local/bin/linux/amd64/e2e.test --ginkgo.focus='\[Conformance\]' --ginkgo.seed=1436380640 --v=2 --provider=skeleton
dlv exec -- /zfs/home/chris/cncf/kubernetes/_output/bin/e2e.test $TEST_ARGS
dlv test k8s.io/kubernetes/test/e2e -- $TEST_ARGS
kubetest --test --test_args="$TEST_ARGS"
go run ./hack/e2e.go -- --test --test_args="$TEST_ARGS"

notes

2018/08/18 09:44:53 process.go:153: Running: ./hack/e2e-internal/e2e-status.sh
Skeleton Provider: prepare-e2e not implemented
Client Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.0-alpha.1-dirty", GitCommit:"94c2c6c8423d722f436305cd67ef515a8800d723", GitTreeState:"dirty", BuildDate:"2018-08-17T17:11:29Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.0-alpha.1-dirty", GitCommit:"94c2c6c8423d722f436305cd67ef515a8800d723", GitTreeState:"dirty", BuildDate:"2018-08-17T17:11:29Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
2018/08/18 09:44:53 process.go:155: Step './hack/e2e-internal/e2e-status.sh' finished in 204.30616ms
2018/08/18 09:44:53 process.go:153: Running: ./cluster/kubectl.sh --match-server-version=false version
2018/08/18 09:44:53 process.go:155: Step './cluster/kubectl.sh --match-server-version=false version' finished in 199.443467ms
2018/08/18 09:44:53 process.go:153: Running: ./hack/ginkgo-e2e.sh --ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=4
Conformance test: not doing test setup.
Found no test suites
For usage instructions:
        ginkgo help
!!! Error in ./hack/ginkgo-e2e.sh:143
  Error in ./hack/ginkgo-e2e.sh:143. '"${ginkgo}" "${ginkgo_args[@]:+${ginkgo_args[@]}}" "${e2e_test}" -- "${auth_config[@]:+${auth_config[@]}}" --ginkgo.flakeAttempts="${FLAKE_ATTEMPTS}" --host="${KUBE_MASTER_URL}" --provider="${KUBERNETES_PROVIDER}" --gce-project="${PROJECT:-}" --gce-zone="${ZONE:-}" --gce-region="${REGION:-}" --gce-multizone="${MULTIZONE:-false}" --gke-cluster="${CLUSTER_NAME:-}" --kube-master="${KUBE_MASTER:-}" --cluster-tag="${CLUSTER_ID:-}" --cloud-config-file="${CLOUD_CONFIG:-}" --repo-root="${KUBE_ROOT}" --node-instance-group="${NODE_INSTANCE_GROUP:-}" --prefix="${KUBE_GCE_INSTANCE_PREFIX:-e2e}" --network="${KUBE_GCE_NETWORK:-${KUBE_GKE_NETWORK:-e2e}}" --node-tag="${NODE_TAG:-}" --master-tag="${MASTER_TAG:-}" --cluster-monitoring-mode="${KUBE_ENABLE_CLUSTER_MONITORING:-standalone}" --prometheus-monitoring="${KUBE_ENABLE_PROMETHEUS_MONITORING:-false}" ${KUBE_CONTAINER_RUNTIME:+"--container-runtime=${KUBE_CONTAINER_RUNTIME}"} ${MASTER_OS_DISTRIBUTION:+"--master-os-distro=${MASTER_OS_DISTRIBUTION}"} ${NODE_OS_DISTRIBUTION:+"--node-os-distro=${NODE_OS_DISTRIBUTION}"} ${NUM_NODES:+"--num-nodes=${NUM_NODES}"} ${E2E_REPORT_DIR:+"--report-dir=${E2E_REPORT_DIR}"} ${E2E_REPORT_PREFIX:+"--report-prefix=${E2E_REPORT_PREFIX}"} "${@:-}"' exited with status 1
Call stack:
  1: ./hack/ginkgo-e2e.sh:143 main(...)
Exiting with status 1
2018/08/18 09:44:55 process.go:155: Step './hack/ginkgo-e2e.sh --ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=4' finished in 2.131029505s
2018/08/18 09:44:55 main.go:309: Something went wrong: encountered 1 errors: [error during ./hack/ginkgo-e2e.sh --ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=4: exit status 1]
# k8s.io/kubernetes/test/e2e/generated
test/e2e/generated/gobindata_util.go:27:20: undefined: Asset
test/e2e/generated/gobindata_util.go:30:48: undefined: AssetNames

Shells

dind

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker exec -ti $DIND /bin/bash
export PS1='\w DIND \$ '
docker ps

master

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker exec -ti $DIND /bin/bash
export PS1='\w DIND \$ '
MASTER=$(docker ps --format '{{.Names}} {{.Ports}}' | grep 443 | awk '{print $1}')
docker exec -ti $MASTER  /bin/bash
export PS1='\w MASTER \$ '
docker ps

minion

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker exec -ti $DIND /bin/bash
export PS1='\w DIND \$ '
A_MINION=$(docker ps --format '{{.Names}} {{.Ports}}' | grep -v 443 | awk '{print $1}'| tail -1)
docker exec -ti $A_MINION /bin/bash
export PS1='\w MINION \$ '
docker ps

apiserver

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker exec -ti $DIND /bin/bash
export PS1='\w DIND \$ '
MASTER=$(docker ps --format '{{.Names}} {{.Ports}}' | grep 443 | awk '{print $1}')
docker exec -ti $MASTER /bin/bash
export PS1='\w MASTER \$ '
APISERVER=$(docker ps --filter label=io.kubernetes.container.name=kube-apiserver --format '{{.Names}}')
docker exec -ti $APISERVER /bin/sh
export PS1='# APISERVER \$ '
ps ax

notes

[discovery] Created cluster-info discovery client, requesting info from "https://172.18.0.2:6443"
[discovery] Failed to connect to API Server "172.18.0.2:6443":
  token id "abcdef" is invalid for this cluster or it has expired.
  Use "kubeadm token create" on the master node to creating a new valid token

Logs

dind

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker logs -f $DIND

master

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker exec -ti $DIND /bin/bash
export PS1='\w DIND \$ '
MASTER=$(docker ps --format '{{.Names}} {{.Ports}}' | grep 443 | awk '{print $1}')
docker logs -f $MASTER 

APISnoop injection stacktrace

[init] waiting for the kubelet to boot up the control plane as Static Pods from directory "/etc/kubernetes/manifests" 
[init] this might take a minute or longer if the control plane images have to be pulled
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x80 pc=0xe88bb2]

goroutine 91 [running]:
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo/internal/specrunner.(*SpecRunner).CurrentSpecSummary(0x0, 0x100c4204b5848, 0x150)
        vendor/github.com/onsi/ginkgo/internal/specrunner/spec_runner.go:209 +0x22
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo/internal/suite.(*Suite).CurrentRunningSpecSummary(0xc4203a6190, 0xc420553000, 0x1)
        vendor/github.com/onsi/ginkgo/internal/suite/suite.go:105 +0x2f
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo.CurrentGinkgoTestDescription(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        vendor/github.com/onsi/ginkgo/ginkgo_dsl.go:157 +0x64
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.NewRequest(0x1865560, 0xc4207563f0, 0x170efbf, 0x3, 0xc42074e500, 0xc42074613e, 0x1, 0x0, 0x0, 0x171d54e, ...)
        staging/src/k8s.io/client-go/rest/request.go:143 +0x2a9
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.(*RESTClient).Verb(0xc420744480, 0x170efbf, 0x3, 0x0)
        staging/src/k8s.io/client-go/rest/client.go:227 +0x1a7
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.(*RESTClient).Get(0xc420744480, 0x18930c0)
        staging/src/k8s.io/client-go/rest/client.go:247 +0x40
k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient.(*KubeWaiter).WaitForAPI.func1(0xc4204c06d8, 0x10fb38d, 0x15b11a0)
        cmd/kubeadm/app/util/apiclient/wait.go:77 +0x80
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.pollImmediateInternal(0xc420748100, 0xc420756480, 0xc420748100, 0xc420756480)
        staging/src/k8s.io/apimachinery/pkg/util/wait/wait.go:245 +0x2b
k8s.io/kubernetes/vendor/k8s.io/apimachinery/pkg/util/wait.PollImmediate(0x1dcd6500, 0x37e11d6000, 0xc420756480, 0x6289ad, 0x82)
        staging/src/k8s.io/apimachinery/pkg/util/wait/wait.go:241 +0x4d
k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient.(*KubeWaiter).WaitForAPI(0xc420756450, 0x3d3000001e9, 0x3d300000041)
        cmd/kubeadm/app/util/apiclient/wait.go:75 +0xbd
k8s.io/kubernetes/cmd/kubeadm/app/util/apiclient.(Waiter).WaitForAPI-fm(0x0, 0x0)
        cmd/kubeadm/app/cmd/init.go:385 +0x2f
k8s.io/kubernetes/cmd/kubeadm/app/cmd.waitForKubeletAndFunc.func2(0xc4207404c0, 0xc4204c2360, 0x18912c0, 0xc420756450)
        cmd/kubeadm/app/cmd/init.go:621 +0x27
created by k8s.io/kubernetes/cmd/kubeadm/app/cmd.waitForKubeletAndFunc
        cmd/kubeadm/app/cmd/init.go:618 +0xb0
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x80 pc=0x886ea2]
goroutine 1 [running]:
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo/internal/specrunner.(*SpecRunner).CurrentSpecSummary(0x0, 0xc420871400, 0x150)
        vendor/github.com/onsi/ginkgo/internal/specrunner/spec_runner.go:209 +0x22
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo/internal/suite.(*Suite).CurrentRunningSpecSummary(0xc4200beaa0, 0x24a7a00, 0x1)
        vendor/github.com/onsi/ginkgo/internal/suite/suite.go:105 +0x2f
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo.CurrentGinkgoTestDescription(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        vendor/github.com/onsi/ginkgo/ginkgo_dsl.go:157 +0x64
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.NewRequest(0x191b560, 0xc420951260, 0x17a98e1, 0x3, 0xc420255980, 0xc42003ecda, 0x1, 0x0, 0x0, 0x17b87de, ...)
        staging/src/k8s.io/client-go/rest/request.go:143 +0x2a9
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.(*RESTClient).Verb(0xc4200f3080, 0x17a98e1, 0x3, 0x0)
        staging/src/k8s.io/client-go/rest/client.go:227 +0x1a7
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.(*RESTClient).Get(0xc4200f3080, 0x0)
        staging/src/k8s.io/client-go/rest/client.go:247 +0x40
k8s.io/kubernetes/vendor/k8s.io/client-go/discovery.(*DiscoveryClient).OpenAPISchema(0xc42095c800, 0xc420044070, 0xc420044000, 0xc4200d2018)
        staging/src/k8s.io/client-go/discovery/discovery_client.go:387 +0x4b
k8s.io/kubernetes/vendor/k8s.io/client-go/discovery.(*CachedDiscoveryClient).OpenAPISchema(0xc4203cd900, 0x428079, 0xc4200d2070, 0xc420871b20)
        staging/src/k8s.io/client-go/discovery/cached_discovery.go:222 +0x33
k8s.io/kubernetes/pkg/kubectl/cmd/util/openapi.(*synchronizedOpenAPIGetter).Get.func1()
        pkg/kubectl/cmd/util/openapi/openapi_getter.go:54 +0x3c
sync.(*Once).Do(0xc4203cd940, 0xc420871b58)
        GOROOT/src/sync/once.go:44 +0xbe
k8s.io/kubernetes/pkg/kubectl/cmd/util/openapi.(*synchronizedOpenAPIGetter).Get(0xc4203cd940, 0xc420871ba0, 0xc4203cd900, 0x0, 0x0)
        pkg/kubectl/cmd/util/openapi/openapi_getter.go:53 +0x48
k8s.io/kubernetes/pkg/kubectl/cmd/util.(*factoryImpl).OpenAPISchema(0xc4206fc5d0, 0x191ad00, 0xc4204a0900, 0x191b8e0, 0xc4200bc000)
        pkg/kubectl/cmd/util/factory_client_access.go:179 +0xc3
k8s.io/kubernetes/pkg/kubectl/cmd.(*ApplyOptions).Complete(0xc420102a00, 0x194e6e0, 0xc4206fc5d0, 0xc4208ddb80, 0xc420871c28, 0x0)
        pkg/kubectl/cmd/apply.go:213 +0x1af
k8s.io/kubernetes/pkg/kubectl/cmd.NewCmdApply.func1(0xc4208ddb80, 0xc4209084b0, 0x0, 0x3)
        pkg/kubectl/cmd/apply.go:155 +0x4f
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).execute(0xc4208ddb80, 0xc420908420, 0x3, 0x3, 0xc4208ddb80, 0xc420908420)
        vendor/github.com/spf13/cobra/command.go:760 +0x2c1
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420600c80, 0xc420426b40, 0x12a05f200, 0xc420871ee8)
        vendor/github.com/spf13/cobra/command.go:846 +0x30a
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420600c80, 0x18676b0, 0x24a67a0)
        vendor/github.com/spf13/cobra/command.go:794 +0x2b
main.main()
        cmd/kubectl/kubectl.go:50 +0x196
panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x80 pc=0x886ea2]

goroutine 1 [running]:
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo/internal/specrunner.(*SpecRunner).CurrentSpecSummary(0x0, 0xc420669400, 0x150)
        vendor/github.com/onsi/ginkgo/internal/specrunner/spec_runner.go:209 +0x22
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo/internal/suite.(*Suite).CurrentRunningSpecSummary(0xc4200b8aa0, 0xc420068c00, 0x1)
        vendor/github.com/onsi/ginkgo/internal/suite/suite.go:105 +0x2f
k8s.io/kubernetes/vendor/github.com/onsi/ginkgo.CurrentGinkgoTestDescription(0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, ...)
        vendor/github.com/onsi/ginkgo/ginkgo_dsl.go:157 +0x64
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.NewRequest(0x191b560, 0xc42094b230, 0x17a98e1, 0x3, 0xc420256280, 0xc42003eb2a, 0x1, 0x0, 0x0, 0x17b87de, ...)
        staging/src/k8s.io/client-go/rest/request.go:143 +0x2a9
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.(*RESTClient).Verb(0xc4200fbbc0, 0x17a98e1, 0x3, 0x0)
        staging/src/k8s.io/client-go/rest/client.go:227 +0x1a7
k8s.io/kubernetes/vendor/k8s.io/client-go/rest.(*RESTClient).Get(0xc4200fbbc0, 0x0)
        staging/src/k8s.io/client-go/rest/client.go:247 +0x40
k8s.io/kubernetes/vendor/k8s.io/client-go/discovery.(*DiscoveryClient).OpenAPISchema(0xc420956580, 0xc420044070, 0xc420044000, 0xc4200d8018)
        staging/src/k8s.io/client-go/discovery/discovery_client.go:387 +0x4b
k8s.io/kubernetes/vendor/k8s.io/client-go/discovery.(*CachedDiscoveryClient).OpenAPISchema(0xc4205af280, 0x428079, 0xc4200d8070, 0xc420669b20)
        staging/src/k8s.io/client-go/discovery/cached_discovery.go:222 +0x33
k8s.io/kubernetes/pkg/kubectl/cmd/util/openapi.(*synchronizedOpenAPIGetter).Get.func1()
        pkg/kubectl/cmd/util/openapi/openapi_getter.go:54 +0x3c
sync.(*Once).Do(0xc4205af2c0, 0xc420669b58)
        GOROOT/src/sync/once.go:44 +0xbe
k8s.io/kubernetes/pkg/kubectl/cmd/util/openapi.(*synchronizedOpenAPIGetter).Get(0xc4205af2c0, 0xc420669ba0, 0xc4205af280, 0x0, 0x0)
        pkg/kubectl/cmd/util/openapi/openapi_getter.go:53 +0x48
k8s.io/kubernetes/pkg/kubectl/cmd/util.(*factoryImpl).OpenAPISchema(0xc42067d5f0, 0x191ad00, 0xc4200b6b00, 0x191b8e0, 0xc4200b6000)
        pkg/kubectl/cmd/util/factory_client_access.go:179 +0xc3
k8s.io/kubernetes/pkg/kubectl/cmd.(*ApplyOptions).Complete(0xc42010a780, 0x194e6e0, 0xc42067d5f0, 0xc4208ddb80, 0xc420669c28, 0x0)
        pkg/kubectl/cmd/apply.go:213 +0x1af
k8s.io/kubernetes/pkg/kubectl/cmd.NewCmdApply.func1(0xc4208ddb80, 0xc420908480, 0x0, 0x3)
        pkg/kubectl/cmd/apply.go:155 +0x4f
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).execute(0xc4208ddb80, 0xc4209083f0, 0x3, 0x3, 0xc4208ddb80, 0xc4209083f0)
        vendor/github.com/spf13/cobra/command.go:760 +0x2c1
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).ExecuteC(0xc420794c80, 0xc4200aeed0, 0x12a05f200, 0xc420669ee8)
        vendor/github.com/spf13/cobra/command.go:846 +0x30a
k8s.io/kubernetes/vendor/github.com/spf13/cobra.(*Command).Execute(0xc420794c80, 0x18676b0, 0x24a67a0)
        vendor/github.com/spf13/cobra/command.go:794 +0x2b
main.main()
        cmd/kubectl/kubectl.go:50 +0x196

kubelet not ready.... cri network plugin not init

runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message: docker: network plugin is not ready: cni config uninitialized

kubectl describe node a90c6304bcb0
...
Taints:             node-role.kubernetes.io/master:NoSchedule
                    node.kubernetes.io/not-ready:NoSchedule
Unschedulable:      false
Conditions:
  Type             Status  LastHeartbeatTime                 LastTransitionTime                Reason                       Message
  ----             ------  -----------------                 ------------------                ------                       -------
  OutOfDisk        False   Fri, 17 Aug 2018 08:24:46 +1200   Fri, 17 Aug 2018 08:20:45 +1200   KubeletHasSufficientDisk     kubelet has sufficient disk space available
  MemoryPressure   False   Fri, 17 Aug 2018 08:24:46 +1200   Fri, 17 Aug 2018 08:20:45 +1200   KubeletHasSufficientMemory   kubelet has sufficient memory available
  DiskPressure     False   Fri, 17 Aug 2018 08:24:46 +1200   Fri, 17 Aug 2018 08:20:45 +1200   KubeletHasNoDiskPressure     kubelet has no disk pressure
  PIDPressure      False   Fri, 17 Aug 2018 08:24:46 +1200   Fri, 17 Aug 2018 08:20:45 +1200   KubeletHasSufficientPID      kubelet has sufficient PID available
  Ready            False   Fri, 17 Aug 2018 08:24:46 +1200   Fri, 17 Aug 2018 08:20:45 +1200   KubeletNotReady              runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized

kubeadm command line args VS config file

can not mix '--config' with arguments [token]

kubeadm token differences

When we lay down kubeadm config in dind-start.sh it seems to match:

kubeadm join 172.18.0.2:6443 --token abcdef.abcdefghijklmnop --discovery-token-ca-cert-hash sha256:008789ee5ec6758715f39fda15406615c0d7150eb386e5b794cdd066640d46a2

I0816 19:48:00.302199     394 loader.go:359] Config loaded from file /etc/kubernetes/admin.conf

Your Kubernetes master has initialized successfully!

To start using your cluster, you need to run the following as a regular user:

  mkdir -p $HOME/.kube
  sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
  sudo chown $(id -u):$(id -g) $HOME/.kube/config

You should now deploy a pod network to the cluster.
Run "kubectl apply -f [podnetwork].yaml" with one of the options listed at:
  https://kubernetes.io/docs/concepts/cluster-administration/addons/

You can now join any number of machines by running the following on each node
as root:

  kubeadm join 172.18.0.2:6443 --token chjhdc.t64bu80l2u0rex1u --discovery-token-ca-cert-hash sha256:3db5f1b23fefdd7d84aa9a243b529f15cd1b6752b38dbb4d9c12ac4912610d62

I’m unsure where the chjhdc.* token is coming from

minion

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker exec -ti $DIND /bin/bash
export PS1='\w DIND \$ '
A_MINION=$(docker ps --format '{{.Names}} {{.Ports}}' | grep -v 443 | awk '{print $1}'| tail -1)
docker logs -f $A_MINION

token issues

[discovery] Created cluster-info discovery client, requesting info from "https://172.18.0.2:6443"
[discovery] Failed to connect to API Server "172.18.0.2:6443":
  token id "abcdef" is invalid for this cluster or it has expired.
  Use "kubeadm token create" on the master node to creating a new valid token
[discovery] abort connecting to API servers after timeout of 5m0s
  couldn't validate the identity of the API Server:
  abort connecting to API servers after timeout of 5m0s

apiserver

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
docker exec -ti $DIND /bin/bash
export PS1='\w DIND \$ '
MASTER=$(docker ps --format '{{.Names}} {{.Ports}}' | grep 443 | awk '{print $1}')
docker exec -ti $MASTER  /bin/bash
APISERVER=$(docker ps --filter label=io.kubernetes.container.name=kube-apiserver --format '{{.Names}}')
docker logs -f $APISERVER

tls errors

E0816 20:56:504.688997       1 controller.go:111] loading OpenAPI spec for "v1beta1.metrics.k8s.io" failed with: failed to retrieve openAPI spec, http error: ResponseCode: 503, Body: service unavailable
, Header: map[X-Content-Type-Options:[nosniff] Content-Type:[text/plain; charset=utf-8]]
I0816 20:56:04.689024       1 controller.go:119] OpenAPI AggregationController: action for item v1beta1.metrics.k8s.io: Rate Limited Requeue.
I0816 20:56:11.339507       1 logs.go:49] http: TLS handshake error from 172.17.0.1:39960: remote error: tls: bad certificate
E0816 20:56:20.536085       1 memcache.go:134] couldn't get resource list for metrics.k8s.io/v1beta1: the server is currently unable to handle the request
I0816 20:56:21.340036       1 logs.go:49] http: TLS handshake error from 172.17.0.1:39970: remote error: tls: bad certificate

Debugging

dlv / gud

;; set this dynamically at some point to the most recent dind
(setenv "KUBECONFIG" "/tmp/k8s-dind-kubecfg-538244971" )
;; (setenv "KUBECONFIG" "/home/hh/.kube/config")
(dlv "dlv test k8s.io/kubernetes/test/e2e -- --provider=skeleton --ginkgo.seed=1436380640 --ginkgo.focus=\\[Conformance\\] -v=6")
;; (sit-for 1) ;; waiting for it to start
;; (display-buffer-other-frame "*gud-test*")
(gud-call "break BeforeEach k8s.io/kubernetes/test/e2e/framework.(*Framework).BeforeEach:11")
(gud-call "on BeforeEach p config")
(gud-call "on BeforeEach p userAgent")
(gud-call "c")

kubectl

export KUBECONFIG=$(ls -rt /tmp/k8s-dind-kubecfg-* | tail -1)
export DIND_K8S_DATA=$(ls -drt /tmp/dind-k8* | tail -1)
kubectl get nodes
kubectl describe node -l node-role.kubernetes.io/master
kubectl get pods --all-namespaces
kubectl describe pod -l k8s-app=calico-kube-controllers --namespace=kube-system
cd $DIND_K8S_DATA/audit
ls -la
kubectl get pods --all-namespaces

debug networking

kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /addons/metrics-server/
kubectl delete -f https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/rbac.yaml
kubectl delete -f https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/calico.yaml
kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"

journalctl -u kubelet -f

kubectl describe pod calico-kube-controllers-84fd4db7cd-s5prn  --namespace=kube-system
Tolerations:     CriticalAddonsOnly
                 node-role.kubernetes.io/master:NoSchedule
                 node.kubernetes.io/not-ready:NoExecute for 300s
                 node.kubernetes.io/unreachable:NoExecute for 300s
Aug 19 23:23:23 1b5d88580161 kubelet[511]: I0819 23:23:23.449151     511 cni.go:161] Using CNI configuration file /etc/cni/net.d/10-weave.conf
Aug 19 23:23:23 1b5d88580161 kubelet[511]: I0819 23:23:23.449405     511 kubelet.go:2094] Container runtime status: Runtime Conditions: RuntimeReady=true reason: message:, NetworkReady=true reason: message:
Aug 19 23:23:24 1b5d88580161 kubelet[511]: I0819 23:23:24.592610     511 kubelet.go:1903] SyncLoop (housekeeping)
Aug 19 23:23:25 1b5d88580161 kubelet[511]: I0819 23:23:25.143391     511 worker.go:177] Probe target container not found: coredns-78fcdf6894-vmdpj_kube-system(59eb9c00-a405-11e8-b49a-02422c0a92c5) - coredns
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.589545     511 kubelet.go:1880] SyncLoop (SYNC): 1 pods; kube-proxy-w9k6c_kube-system(5b387c5b-a405-11e8-b49a-02422c0a92c5)
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.593553     511 kubelet_pods.go:1327] Generating status for "kube-proxy-w9k6c_kube-system(5b387c5b-a405-11e8-b49a-02422c0a92c5)"
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.594395     511 kubelet.go:1903] SyncLoop (housekeeping)
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.594397     511 status_manager.go:361] Ignoring same status for pod "kube-proxy-w9k6c_kube-system(5b387c5b-a405-11e8-b49a-02422c0a92c5)", status: {Phase:Running Conditions:[{Type:Initialized Status:True LastProbeTime:0001-01-01 00:00:00 +0000 UTC LastTransitionTime:2018-08-19 23:12:34 +0000 UTC Reason: Message:} {Type:Ready Status:True LastProbeTime:0001-01-01 00:00:00 +0000 UTC LastTransitionTime:2018-08-19 23:12:40 +0000 UTC Reason: Message:} {Type:ContainersReady Status:True LastProbeTime:0001-01-01 00:00:00 +0000 UTC LastTransitionTime:0001-01-01 00:00:00 +0000 UTC Reason: Message:} {Type:PodScheduled Status:True LastProbeTime:0001-01-01 00:00:00 +0000 UTC LastTransitionTime:2018-08-19 23:12:34 +0000 UTC Reason: Message:}] Message: Reason: NominatedNodeName: HostIP:172.18.0.3 PodIP:172.18.0.3 StartTime:2018-08-19 23:12:34 +0000 UTC InitContainerStatuses:[] ContainerStatuses:[{Name:kube-proxy State:{Waiting:nil Running:&ContainerStateRunning{StartedAt:2018-08-19 23:12:40 +0000 UTC,} Terminated:nil} LastTerminationState:{Waiting:nil Running:nil Terminated:nil} Ready:true RestartCount:0 Image:gcr.io/google_containers/kube-proxy:v1.13.0-alpha.0.293_0ff2c8974b074c-dirty ImageID:docker://sha256:792ee91ecaea81b4e4252d5f29d47d6281c78226b5e20ca985717a65f23ed79f ContainerID:docker://67f670ceddd8b660de61c9f81c700d113cb83b6312bbf2099596a38730af2f45}] QOSClass:BestEffort}
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.594729     511 volume_manager.go:350] Waiting for volumes to attach and mount for pod "kube-proxy-w9k6c_kube-system(5b387c5b-a405-11e8-b49a-02422c0a92c5)"
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.594773     511 volume_manager.go:383] All volumes are attached and mounted for pod "kube-proxy-w9k6c_kube-system(5b387c5b-a405-11e8-b49a-02422c0a92c5)"
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.594885     511 kuberuntime_manager.go:570] computePodActions got {KillPod:false CreateSandbox:false SandboxID:364db2e34fe1715f7cdc2fe09d49723987de4522dcbc5c0102651a5d3183fc53 Attempt:0 NextInitContainerToStart:nil ContainersToStart:[] ContainersToKill:map[]} for pod "kube-proxy-w9k6c_kube-system(5b387c5b-a405-11e8-b49a-02422c0a92c5)"
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.656422     511 desired_state_of_world_populator.go:318] Added volume "kube-proxy" (volSpec="kube-proxy") for pod "5b387c5b-a405-11e8-b49a-02422c0a92c5" to desired state.
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.656517     511 desired_state_of_world_populator.go:318] Added volume "xtables-lock" (volSpec="xtables-lock") for pod "5b387c5b-a405-11e8-b49a-02422c0a92c5" to desired state.
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.656565     511 desired_state_of_world_populator.go:318] Added volume "lib-modules" (volSpec="lib-modules") for pod "5b387c5b-a405-11e8-b49a-02422c0a92c5" to desired state.
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.656611     511 desired_state_of_world_populator.go:318] Added volume "kube-proxy-token-dtbzn" (volSpec="kube-proxy-token-dtbzn") for pod "5b387c5b-a405-11e8-b49a-02422c0a92c5" to desired state.
Aug 19 23:23:26 1b5d88580161 kubelet[511]: I0819 23:23:26.685339     511 eviction_manager.go:226] eviction manager: synchronize housekeeping
Aug 19 23:23:26 1b5d88580161 kubelet[511]: E0819 23:23:26.716133     511 summary.go:102] Failed to get system container stats for "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/kubelet.service": failed to get cgroup stats for "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/kubelet.service": failed to get container info for "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/kubelet.service": unknown container "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/kubelet.service"
Aug 19 23:23:26 1b5d88580161 kubelet[511]: E0819 23:23:26.716177     511 summary.go:102] Failed to get system container stats for "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/docker.service": failed to get cgroup stats for "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/docker.service": failed to get container info for "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/docker.service": unknown container "/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/docker/1b5d885801615259db2d61d6318cfd5a8202da4e3f6ce072b9c13672c67edc3d/system.slice/docker.service"

kubectl delete -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
kubectl apply -f https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/rbac.yaml
kubectl apply -f https://docs.projectcalico.org/v3.2/getting-started/kubernetes/installation/hosted/calico.yaml

other

K8S_CONTROLLER_MANAGER=$(docker ps --format "{{.Names}}" -f label=io.kubernetes.container.name=kube-controller-manager)
K8S_APISERVER=$(docker ps --format "{{.Names}}" -f label=io.kubernetes.container.name=kube-apiserver)
kubectl --kubeconfig=/etc/kubernetes/admin.conf apply -f /addons/metrics-server/
  # kubectl logs kube-controller-manager-744ab16bec5e --namespace=kube-system
docker logs -f $K8S_CONTROLLER_MANAGER

moby/moby#24000

kube-proxy, 9bfe955f825d DOCKER RESTART NEEDED (docker issue #24000): /sys is read-only: cannot modify conntrack limits, problems may arise later.

Aug 19 20:07:18 ab8afb8aff4e kubelet[169]: F0819 20:07:18.938066     169 server.go:188] failed to load Kubelet config file /var/lib/kubelet/config.yaml, error failed to read kubelet config file "/var/lib/kubelet/config.yaml", error: open /var/lib/kubelet/config.yaml: no such file or directory
Aug 19 20:07:28 ab8afb8aff4e systemd[1]: kubelet.service: Service hold-off time over, scheduling restart.
Aug 19 20:07:28 ab8afb8aff4e systemd[1]: Stopped kubelet: The Kubernetes Node Agent.
Aug 19 20:07:28 ab8afb8aff4e systemd[1]: Started kubelet: The Kubernetes Node Agent.
Aug 19 20:07:29 ab8afb8aff4e kubelet[296]: Flag --fail-swap-on has been deprecated, This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.
Aug 19 20:07:29 ab8afb8aff4e kubelet[296]: I0819 20:07:29.114210     296 flags.go:27] FLAG: --address="0.0.0.0"
Aug 19 21:00:10 ab8afb8aff4e kubelet[741]: W0819 21:00:10.584762     741 cni.go:188] Unable to update cni config: No networks found in /etc/cni/net.d
Aug 19 21:00:10 ab8afb8aff4e kubelet[741]: I0819 21:00:10.585013     741 kubelet.go:2094] Container runtime status: Runtime Conditions: RuntimeReady=true reason: message:, NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized
Aug 19 21:00:10 ab8afb8aff4e kubelet[741]: E0819 21:00:10.585058     741 kubelet.go:2097] Container runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized
Aug 19 21:00:11 ab8afb8aff4e kubelet[741]: I0819 21:00:11.328020     741 kubelet.go:1903] SyncLoop (housekeeping)
Events:
  Type     Reason                   Age                From                      Message
  ----     ------                   ----               ----                      -------
  Normal   Starting                 43m                kubelet, 9bfe955f825d     Starting kubelet.
  Normal   NodeHasSufficientDisk    43m (x6 over 43m)  kubelet, 9bfe955f825d     Node 9bfe955f825d status is now: NodeHasSufficientDisk
  Normal   NodeHasSufficientMemory  43m (x6 over 43m)  kubelet, 9bfe955f825d     Node 9bfe955f825d status is now: NodeHasSufficientMemory
  Normal   NodeHasNoDiskPressure    43m (x6 over 43m)  kubelet, 9bfe955f825d     Node 9bfe955f825d status is now: NodeHasNoDiskPressure
  Normal   NodeHasSufficientPID     43m (x5 over 43m)  kubelet, 9bfe955f825d     Node 9bfe955f825d status is now: NodeHasSufficientPID
  Normal   NodeAllocatableEnforced  43m                kubelet, 9bfe955f825d     Updated Node Allocatable limit across pods
  Warning  readOnlySysFS            43m                kube-proxy, 9bfe955f825d  DOCKER RESTART NEEDED (docker issue #24000): /sys is read-only: cannot modify conntrack limits, problems may arise later.
  Normal   Starting                 43m                kube-proxy, 9bfe955f825d  Starting kube-proxy.
E0819 22:25:54.940285       1 resource_quota_controller.go:430] unable to retrieve the complete list of server APIs: metrics.k8s.io/v1beta1: the server is currently unable to handle the request
W0819 22:26:00.641928       1 garbagecollector.go:647] failed to discover some groups: map[metrics.k8s.io/v1beta1:the server is currently unable to handle the request]
E0819 22:26:05.560679       1 memcache.go:134] couldn't get resource list for metrics.k8s.io/v1beta1: the server is currently unable to handle the request
E0819 22:26:24.972716       1 resource_quota_controller.go:430] unable to retrieve the complete list of server APIs: metrics.k8s.io/v1beta1: the server is currently unable to handle the request
W0819 22:26:32.148227       1 garbagecollector.go:647] failed to discover some groups: map[metrics.k8s.io/v1beta1:the server is currently unable to handle the request]
E0819 22:26:35.644535       1 memcache.go:134] couldn't get resource list for metrics.k8s.io/v1beta1: the server is currently unable to handle the request

kubectl describe pod -l k8s-app=kube-dns --namespace=kube-system
Events:
  Type     Reason                  Age              From                   Message
  ----     ------                  ----             ----                   -------
  Warning  FailedScheduling        7m (x4 over 7m)  default-scheduler      0/1 nodes are available: 1 node(s) had taints that the pod didn't tolerate.
  Normal   Scheduled               7m               default-scheduler      Successfully assigned kube-system/coredns-78fcdf6894-k9ghv to ceec70d7c995
  Warning  NetworkNotReady         6m (x3 over 7m)  kubelet, ceec70d7c995  network is not ready: [runtime network not ready: NetworkReady=false reason:NetworkPluginNotReady message:docker: network plugin is not ready: cni config uninitialized]
  Warning  FailedCreatePodSandBox  2m               kubelet, ceec70d7c995  Failed create pod sandbox: rpc error: code = DeadlineExceeded desc = context deadline exceeded
  Normal   SandboxChanged          2m               kubelet, ceec70d7c995  Pod sandbox changed, it will be killed and re-created.

Deleting containers

current

DIND=$(docker ps --format "{{.Names}} {{.Image}}"  | grep dind-cluster-amd64 | awk '{print $1}')
KUBECONFIG=$(ls -rt /tmp/k8s-dind-kubecfg-* | tail -1)
DIND_DIR=$(ls -rdt /tmp/dind-k8s-* | tail -1)
# I'd like to ensure the above are set BEFORE we rm -rf directories
cat <<EOF >/tmp/delete
set -x
set -e
docker rm -f $DIND
sudo rm -rf $DIND_DIR
rm -f $KUBECONFIG
EOF
chmod +x /tmp/delete
# inspect and run this if you want
cat /tmp/delete
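
A guard for the wish in the comment above, as an added example (not part of the original notes): the delete script is written only when each looked-up value is a single path under the expected /tmp prefix or a plain container name. The function names are hypothetical.

```shell
# Added example, not from the original notes. Function names are hypothetical.

# is_single_path PREFIX VALUE: VALUE must be PREFIX plus one path component.
is_single_path() {
    rest=${2#"$1"}
    [ "$rest" != "$2" ] || return 1           # prefix did not match (or empty)
    case $rest in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;     # nothing after prefix, '/', spaces...
    esac
}

# is_container_name VALUE: VALUE must be exactly one Docker-style name.
is_container_name() {
    case $1 in
        ''|[!A-Za-z0-9]*|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
}

# write_delete_script OUT DIND_DIR KUBECONFIG NAME...
# Writes OUT only if every argument validates; otherwise no file is created.
write_delete_script() {
    out=$1 dir=$2 cfg=$3
    shift 3
    is_single_path /tmp/dind-k8s- "$dir" || { echo "bad DIND_DIR: '$dir'" >&2; return 1; }
    is_single_path /tmp/k8s-dind-kubecfg- "$cfg" || { echo "bad KUBECONFIG: '$cfg'" >&2; return 1; }
    [ $# -gt 0 ] || { echo "no dind containers found" >&2; return 1; }
    for name in "$@"; do
        is_container_name "$name" || { echo "bad container: '$name'" >&2; return 1; }
    done
    {
        echo 'set -ex'
        echo "docker rm -f $*"
        echo "sudo rm -rf -- '$dir'"
        echo "rm -f -- '$cfg'"
    } > "$out"
    chmod +x "$out"
}

# Usage with the lookups above (word splitting of $DIND is intended):
#   write_delete_script /tmp/delete "$DIND_DIR" "$KUBECONFIG" $DIND && cat /tmp/delete
```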

all

docker ps -a --filter=exited=137 --format "{{.Names}}" | xargs docker rm --volumes
docker ps -a --filter=exited=0 --format "{{.Names}}" | xargs docker rm --volumes
docker ps -a --filter=exited=1 --format "{{.Names}}" | xargs docker rm --volumes
docker ps -a --filter=exited=2 --format "{{.Names}}" | xargs docker rm --volumes
docker ps --format "{{.Names}}" --filter "ancestor=k8s.gcr.io/dind-cluster-amd64:v1.12.0-alpha.1" | xargs docker rm --force --volumes
docker ps --format "{{.Names}}" --filter "ancestor=k8s.gcr.io/dind-cluster-amd64:v1.12.0-alpha.1-dirty" | xargs docker rm --force --volumes
# delete all our dind configs and logs 
# Mounts: ... /tmp/dind-k8s-XXXXX => /var/kubernetes
sudo rm -rf /tmp/dind-k8s-*
# Outer KUBECONFIG
sudo rm -f /tmp/k8s-dind-kubecfg-*

Exploring build/deploy/provider options with kubetest

export PROJECT=ii-coop
export KUBERNETES_PROVIDER=gce
export KUBERNETES_CONFORMANCE_PROVIDER=gce
export BUILD_FLAG=bazel #(use: bazel, dind, e2e, host-go, quick, release)
kubetest --build=$BUILD_FLAG
kubetest --up=$BUILD_FLAG --provider=$KUBERNETES_PROVIDER
kubetest --stage=gcp://i \
  --provider=$KUBERNETES_PROVIDER \
  --gcp-project=$PROJECT
emc .

kubeadm config migrate --new-config kubeadm.conf --old-config kubeadm.conf.orig

2018/08/14 12:26:04 main.go:239: deployment=bash
2018/08/14 12:26:04 process.go:153: Running: ./hack/e2e-internal/e2e-down.sh

Footnotes

Kubetest w/ GKE

kubetest build and deploy via gke

The oneliner to build, up, and test on gke

cd ~/go/src/k8s.io/kubernetes
kubetest --build=bazel --up --test --provider=gce --gcp-project=ii-coop --test_args="--ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=6"

Just make the binaries

kubetest --up --provider=gce --gcp-project=ii-coop
go run hack/e2e.go -- --provider=skeleton --test --test_args="--ginkgo.focus=\[Conformance\]"

run the hack/e2e.go wrapper for kubetest

go run hack/e2e.go -- --provider=skeleton --test --test_args="--ginkgo.focus=\[Conformance\]"

Run kubetest to test against gke

kubetest --test --provider=skeleton --test_args="--ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=6"

Some errors when trying to run on gke

2018/08/18 05:35:06 process.go:153: Running: ./hack/e2e-internal/e2e-status.sh
Skeleton Provider: prepare-e2e not implemented
Client Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.0-alpha.1-dirty", GitCommit:"94c2c6c8423d722f436305cd67ef515a8800d723", GitTreeState:"dirty", BuildDate:"2018-08-17T17:11:29Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"12+", GitVersion:"v1.12.0-alpha.1-dirty", GitCommit:"94c2c6c8423d722f436305cd67ef515a8800d723", GitTreeState:"dirty", BuildDate:"2018-08-17T17:11:29Z", GoVersion:"go1.10.3", Compiler:"gc", Platform:"linux/amd64"}
2018/08/18 05:35:08 process.go:155: Step './hack/e2e-internal/e2e-status.sh' finished in 1.186797969s
2018/08/18 05:35:08 process.go:153: Running: ./cluster/kubectl.sh --match-server-version=false version
2018/08/18 05:35:09 process.go:155: Step './cluster/kubectl.sh --match-server-version=false version' finished in 957.767828ms
2018/08/18 05:35:09 process.go:153: Running: ./hack/ginkgo-e2e.sh --ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=6
Setting up for KUBERNETES_PROVIDER="skeleton".
Skeleton Provider: prepare-e2e not implemented
/home/hh/go/src/k8s.io/kubernetes/cluster/../cluster/skeleton/util.sh: line 22: KUBE_MASTER_IP: unbound variable
2018/08/18 05:35:10 process.go:155: Step './hack/ginkgo-e2e.sh --ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=6' finished in 1.392696657s
2018/08/18 05:35:10 main.go:309: Something went  wrong: encountered 1 errors: [error during ./hack/ginkgo-e2e.sh --ginkgo.focus=\[Conformance\] --ginkgo.seed=1436380640 --v=6: exit status 1]

Footnotes

Setting up an ii-pairing style machine

Configure a Debian / Ubuntu box

We assume the session is already sshed in as root.

apt-install some Software

apt-get update
apt-get -y upgrade
apt-get install -y \
 apt-file \
 apt-transport-https \
 aptitude \
 autoconf \
 build-essential \
 ca-certificates \
 curl \
 gcc \
 git \
 gnupg2 \
 jq \
 libgnutls28-dev \
 libncurses5-dev \
 libtinfo-dev \
 libxml2-dev \
 liblz4-tool \
 make \
 mtr \
 openjdk-8-jdk \
 python3-dev \
 silversearcher-ag \
 software-properties-common \
 strace \
 sudo \
 texinfo \
 tmux \
 unzip \
 whois \
 whowatch \
 zip

Install Docker

# https://docs.docker.com/install/linux/docker-ce/debian/#set-up-the-repository
curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add -
add-apt-repository \
   "deb [arch=amd64] https://download.docker.com/linux/debian \
   $(lsb_release -cs) \
   stable"
apt-get update
apt-get install -y docker-ce
systemctl start docker
systemctl enable docker

Install K8s client bins

cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
apt-get update
apt-get install -y kubelet kubeadm kubectl

Install Google Cloud SDK

export CLOUD_SDK_REPO="cloud-sdk-$(lsb_release -c -s)"
echo "deb https://packages.cloud.google.com/apt $CLOUD_SDK_REPO main" | sudo tee -a /etc/apt/sources.list.d/google-cloud-sdk.list
curl https://packages.cloud.google.com/apt/doc/apt-key.gpg | sudo apt-key add -
sudo apt-get update && sudo apt-get install -y google-cloud-sdk
#rsync -av .config/gcloud [email protected]:.config/gcloud
#rsync -av .ssh/google_compute_engine [email protected]:.ssh/
#rsync -av .ssh/google_compute_engine.pub [email protected]:.ssh/

Install Go

# https://golang.org/doc/install#install
curl -L https://dl.google.com/go/go1.10.3.linux-amd64.tar.gz | tar -C /usr/local -xzf -
echo 'export PATH=$PATH:/usr/local/go/bin' > /etc/profile.d/usr-local-go-path.sh
echo 'export PATH=$PATH:$HOME/go/bin' > /etc/profile.d/homedir-go-path.sh

go get gocode

If you get an emacs/spacemacs error: (file-missing "Searching for program" "No such file or directory" "gocode"), you'll need to install gocode.

go get -u github.com/nsf/gocode

go get gron

If you get an emacs/spacemacs error: (file-missing "Searching for program" "No such file or directory" "gocode"), you'll need to install gocode.

go get -u github.com/tomnomnom/gron
echo "alias norg='gron --ungron'" > /etc/profile.d/gron-alias.sh
echo "alias ungron='gron --ungron'" >> /etc/profile.d/gron-alias.sh

Install Node

curl https://nodejs.org/dist/v8.11.4/node-v8.11.4-linux-x64.tar.xz | xzcat | tar xvfC - /usr/local
echo 'export PATH=$PATH:/usr/local/node-v8.11.4-linux-x64/bin' > /etc/profile.d/usr-local-node-path.sh
. /etc/profile.d/usr-local-node-path.sh

Install Tern

npm install -g tern

Install Bazel

curl -L https://github.com/bazelbuild/bazel/releases/download/0.16.1/bazel-0.16.1-linux-x86_64 > /usr/local/bin/bazel
chmod +x /usr/local/bin/bazel

Install Emacs

# possibly look into shallow or specific tag clone
#git clone https://git.savannah.gnu.org/git/emacs.git /usr/local/src/emacs
# https://golang.org/doc/install#install
cd /usr/local/src/emacs
./autogen.sh
./configure --with-x-toolkit=no --with-xpm=no --with-jpeg=no --with-png=no --with-gif=no --with-tiff=no
# find the command to use correct number of jobs... should equal number of (virtual) cores
make -j 48 install

Install Spacemacs Customizations

git clone https://github.com/ii/spacemacs ~/.emacs.d
ln -s ~/.emacs.d/private/local/.spacemacs ~/.spacemacs
git clone https://github.com/ii/ob-tmux ~/.emacs.d/private/local/ob-tmux.el/
git clone https://github.com/benma/go-dlv.el ~/.emacs.d/private/local/go-dlv.el/
echo "alias emc='emacsclient -t '" > /etc/profile.d/emc-alias.sh

Install tmate

curl -L https://github.com/tmate-io/tmate/releases/download/2.2.1/tmate-2.2.1-static-linux-amd64.tar.gz \
  | tar  -f - -C /usr/local/bin -xvz --strip-components=1

Configure tmate

# tmate -S /tmp/ii-tmate.socket new-session -A -c /root -s ii-k8s -n main
cat <<EOF > ~/.tmate.conf
set-option -g set-clipboard on
set-option -g mouse on
set-option -g history-limit 50000
# ii tmate -- pair.ii.coop
# set -g tmate-server-host pair.ii.coop
# set -g tmate-server-port 22
# set -g tmate-server-rsa-fingerprint   "f9:af:d5:f2:47:8b:33:53:7b:fb:ba:81:ba:37:d3:b9"
# set -g tmate-server-ecdsa-fingerprint   "32:44:b3:bb:b3:0a:b8:20:05:32:73:f4:9a:fd:ee:a8"
set -g tmate-identity ""
set -s escape-time 0
EOF

Configure git

cat <<EOF > ~/.gitconfig
[user]
        email = [email protected]
        name = Hippie Hacker
[alias]
        lol = log --graph --decorate --pretty=oneline --abbrev-commit --all
        create-pull-request = !sh -c 'stash pull-request $0'
        lg = log --color --graph --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an>%Creset' --abbrev-commit
EOF

Footnotes

swapoff -a / comment out /etc/fstab swap

.bash_profile / bash completion for docker in all dind containers

tmate show-messages is BLANK -pain-

Python virtualenv setup

export PATH=$HOME/.local/bin:$PATH
pip install virtualenv
virtualenv .pyenv
source .pyenv/bin/activate
pip install -r requirements.txt
bazel build //cmd/kubeadm
./_output/dockerized/bin/linux/amd64/kubeadm config print-defaul
  • /usr/bin/kubeadm init --token=abcdef.abcdefghijklmnop --ignore-preflight-errors=all --kubernetes-version=$(cat source_version | sed 's/^.//') --pod-network-cidr=192.168.0.0/16 --apiserver-cert-extra-sans $1 2>&1
  • /usr/bin/kubeadm -v 999 init --ignore-preflight-errors=all --config /etc/kubernetes/kubeadm.conf 2>&1

Kubernetes is failing to come up because the certs are not signed correctly. The cause is using a kubeadm --config file, because it disables all flags, including the required --apiserver-cert-extra-sans flag. At least this option can be set in the config file; see kubernetes/kubernetes#55566.
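
One way to confirm the diagnosis above, as an added example (not from the original notes): list the SANs in the API server certificate and report which required names are missing. The sample certificate text is constructed, the function names are hypothetical, and /etc/kubernetes/pki/apiserver.crt is assumed to be the certificate path (kubeadm's default).

```shell
# Added example, not from the original notes. Function names are hypothetical.
# In kubeadm's v1alpha* config files the counterpart of
# --apiserver-cert-extra-sans is the apiServerCertSANs list.

# Constructed sample of `openssl x509 -noout -text` output (extensions only).
SAMPLE_CERT_TEXT='        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Subject Alternative Name:
                DNS:kube-master, DNS:kubernetes, DNS:kubernetes.default, IP Address:10.96.0.1, IP Address:10.192.0.2'

# cert_sans: reads `openssl x509 -noout -text` output on stdin and prints one
# SAN per line, e.g. "DNS:kubernetes" or "IP Address:10.96.0.1".
cert_sans() {
    awk '
        found { gsub(/^[ \t]+/, ""); n = split($0, a, /, */)
                for (i = 1; i <= n; i++) print a[i]
                exit }
        /X509v3 Subject Alternative Name/ { found = 1 }
    '
}

# has_san NAME: succeeds if NAME (DNS name or IP) is among the SANs on stdin.
has_san() {
    cert_sans | grep -qxF -e "DNS:$1" -e "IP Address:$1"
}

# missing_sans CERT_TEXT NAME...: prints each NAME absent from the certificate.
missing_sans() {
    text=$1
    shift
    for name in "$@"; do
        printf '%s\n' "$text" | has_san "$name" || echo "$name"
    done
}

# Usage on a master node (addresses below are constructed placeholders):
#   text=$(openssl x509 -noout -text -in /etc/kubernetes/pki/apiserver.crt)
#   missing_sans "$text" 203.0.113.10 k8s.example.test
```

Any name printed by missing_sans is one the API server certificate will not validate for, which matches the failure described when the extra SANs are dropped.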

tmate stuff

tmate -S /tmp/ii-tmate.sock new-session -A -s k8s -c ~/go/src/kubernetes
#RUN cd /root ; git clone https://github.com/nviennot/tmate ; cd tmate ; ./autogen.sh && ./configure && make install ; ssh-keygen -t rsa -f /root/.ssh/id_rsa -N ''
#RUN cat /proc/cpuinfo ;  uname -a ; free -m ; df -H ; ip addr ; ip route
#RUN tmate -S /tmp/tmate.sock new-session -d ; \
# tmate -S /tmp/tmate.sock wait tmate-ready ; \
# tmate -S /tmp/tmate.sock display -p '#{tmate_ssh}' ; \
# cat /dev/random