Make Kuryr CNI and controller installable via kubeadm

Registered by Antoni Segura Puimedon

Following the Kubernetes kubeadm Linux installation guide [0], the step to install pod networking consists of running:

    kubectl apply -f kuryr.yaml

It would be very helpful if Kuryr could be installed this way. The blueprint would be broken down into:

- Kuryr CNI as daemon sets
- Kuryr Controller as a Pod (and maybe service)
- Service accounts[1]

In order to make this work, we would benefit from having the token support blueprint [2] and patch [3] merged, so that we can just use the secret that kubelet mounts into the Kuryr pods.

Another issue is that for the daemonset CNI to work we may need the CNI split, at least if we want to use the service account token; otherwise we may just use the kubelet credentials. The reason is that the daemonset mounts the Kuryr CNI executable onto the host, where the kubelet executes it. The execution therefore happens in the host's namespace, not in the daemonset's, which means that the mounted bearer token won't be available. The end integration, once the CNI split is a reality, would be:

Kubelet (host space) -> kuryr-cni exec (host space) -> socket file -> kuryr-cni daemon (container space) -> netlink (container space) + k8s api
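The flow above, sketched as an added example (not Kuryr's own code): a host-space exec that forwards only the CNI_* variables over a socket file, and a container-space daemon that is the only side holding the bearer token. The JSON-line protocol, the socket file name and the sample token are assumptions made for illustration.

```python
import json
import os
import socket
import socketserver
import tempfile
import threading


class Handler(socketserver.StreamRequestHandler):
    """Container-space daemon: the only side that holds the bearer token."""
    def handle(self):
        req = json.loads(self.rfile.readline())
        # A real daemon would now call the k8s API with the token, then do netlink work.
        reply = {"command": req["CNI_COMMAND"],
                 "container": req["CNI_CONTAINERID"],
                 "received": sorted(req),
                 "api_auth": "bearer" if self.server.token else "none"}
        self.wfile.write(json.dumps(reply).encode() + b"\n")


def start_daemon(sock_path, token_path):
    server = socketserver.UnixStreamServer(sock_path, Handler)
    with open(token_path) as f:  # token is readable only in the pod's mount namespace
        server.token = f.read().strip()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def cni_exec(sock_path, env):
    """Host-space exec: forwards the CNI_* variables set by kubelet, no credentials."""
    req = {k: v for k, v in env.items() if k.startswith("CNI_")}
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(json.dumps(req).encode() + b"\n")
        return json.loads(s.makefile().readline())


def demo():
    with tempfile.TemporaryDirectory() as d:
        token_path = os.path.join(d, "token")      # constructed stand-in for the mounted secret
        sock_path = os.path.join(d, "kuryr.sock")  # hypothetical socket file name
        with open(token_path, "w") as f:
            f.write("constructed-sample-token")
        server = start_daemon(sock_path, token_path)
        try:
            env = {"CNI_COMMAND": "ADD", "CNI_CONTAINERID": "abc123", "HOME": "/root"}
            return cni_exec(sock_path, env)
        finally:
            server.shutdown()
            server.server_close()
```

Because the socket file becomes the trust boundary between host and container space, its permissions on the shared mount decide who can ask the daemon to act with the token.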

Until the CNI split exists, the main goal of the Kuryr CNI daemon set is to install the Kuryr executable and configuration, as can be seen in this example from flannel [4]. The main container will just be a no-op, since there is nothing for it to do before the split.

Additionally, the configuration (kuryr.conf) of both the Kuryr controller pod and the daemonsets should be provided through different Kubernetes ConfigMap objects.

The controller and the post-split CNI should expose a /health API endpoint [5] that lets Kubernetes know the health of the controller or CNI, possibly with multiple endpoints.

[0] https://kubernetes.io/docs/getting-started-guides/kubeadm/
[1] https://docs.google.com/document/d/1NNshMAk4k8slEo3SDXUOqnMhAZfGDnRXkutoiTe9BqA/edit?usp=sharing
[2] https://blueprints.launchpad.net/openstack/?searchtext=token-auth-support
[3] https://review.openstack.org/#/c/463814/
[4] https://github.com/coreos/flannel/blob/master/Documentation/kube-flannel.yml
[5] https://blueprints.launchpad.net/kuryr-kubernetes/+spec/controller-readiness-liveness-probes

Blueprint information

Status: Complete
Approver: Irena Berezovsky
Priority: Medium
Drafter: Antoni Segura Puimedon
Direction: Approved
Assignee: Michal Dulko
Definition: Approved
Series goal: Accepted for pike
Implementation: Implemented
Milestone target: pike-3
Started by: Irena Berezovsky
Completed by: Antoni Segura Puimedon

Whiteboard

Gerrit topic: https://review.openstack.org/#q,topic:bp/kubeadminstallable,n,z

Addressed by: https://review.openstack.org/466675
    Add support to install Kuryr as a network addon

Addressed by: https://review.openstack.org/474478
    Add support to install Kuryr as a network addon

Addressed by: https://review.openstack.org/490377
    CNI container: parametrize and clean up

Addressed by: https://review.openstack.org/490378
    [WIP] devstack: optionally run kuryr containerized

Gerrit topic: https://review.openstack.org/#q,topic:bp/kubeadmininstallable,n,z
