
Merge pull request #1942 from marquiz/devel/drop-grpc

nfd-master: drop stale unreachable deprecation notices
This commit is contained in:
Kubernetes Prow Robot 2024-11-04 10:15:30 +00:00 committed by Carlos Eduardo Arango Gutierrez
commit b997ade5b3
No known key found for this signature in database
GPG key ID: 42D9CB42F300A852
11 changed files with 4 additions and 433 deletions


@ -59,10 +59,6 @@ func main() {
// Check deprecated flags
flags.Visit(func(f *flag.Flag) {
switch f.Name {
case "featurerules-controller":
klog.InfoS("-featurerules-controller is deprecated, use '-crd-controller' flag instead")
case "crd-controller":
klog.InfoS("-crd-controller is deprecated, will be removed in a future release along with the deprecated gRPC API")
case "extra-label-ns":
args.Overrides.ExtraLabelNs = overrides.ExtraLabelNs
case "deny-label-ns":
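Review bot: After this hunk the `switch f.Name` silently does nothing for `crd-controller` and `featurerules-controller`, which is only correct if neither flag is still registered on `flags`; the flag definitions are outside this hunk, so I cannot confirm that here. If either flag is still defined, a user passing it now gets no notice at all rather than a deprecation message, which is a silent behaviour change for existing deployments. Worth a quick check that the flag set was trimmed in the same PR; otherwise keep a one-line `klog.InfoS("-crd-controller is deprecated and has no effect")` style case until the flag itself is dropped. The enclosing `main` continues outside the hunk.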


@ -158,10 +158,6 @@ Chart parameters are available.
| `imagePullSecrets` | array | [] | ImagePullSecrets is an optional list of references to secrets in the same namespace to use for pulling any of the images used by this PodSpec. [More info](https://kubernetes.io/docs/concepts/containers/images#specifying-imagepullsecrets-on-a-pod). |
| `nameOverride` | string | | Override the name of the chart |
| `fullnameOverride` | string | | Override a default fully qualified app name |
| `tls.enable` | bool | false | Specifies whether to use TLS for communications between components. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release. |
| `tls.certManager` | bool | false | If enabled, requires [cert-manager](https://cert-manager.io/docs/) to be installed and will automatically create the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `tls.certManager.certManagerCertificate.issuerName` | string | | If specified, it will use a pre-existing issuer instead for the required TLS certificates. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release. |
| `tls.certManager.certManagerCertificate.issuerKind` | string | | Specifies on what kind of issuer is used, can be either ClusterIssuer or Issuer (default). Requires `tls.certManager.certManagerCertificate.issuerName` to be set. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `featureGates.NodeFeatureAPI` | bool | true | Enable the [NodeFeature](../usage/custom-resources.md#nodefeature) CRD API for communicating node features. This will automatically disable the gRPC communication. |
| `featureGates.NodeFeatureGroupAPI` | bool | false | Enable the [NodeFeatureGroup](../usage/custom-resources.md#nodefeaturegroup) CRD API. |
| `featureGates.DisableAutoPrefix` | bool | false | Enable [DisableAutoPrefix](../reference/feature-gates.md#disableautoprefix) feature gate. Disables automatic prefixing of unprefixed labels, annotations and extended resources. |
@ -181,7 +177,6 @@ API's you need to install the prometheus operator in your cluster.
| `master.*` | dict | | NFD master deployment configuration |
| `master.enable` | bool | true | Specifies whether nfd-master should be deployed |
| `master.hostNetwork` | bool | false | Specifies whether to enable or disable running the container in the host's network namespace |
| `master.port` | integer | | Specifies the TCP port that nfd-master listens for incoming requests. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `master.metricsPort` | integer | 8081 | Port on which to expose metrics from components to prometheus operator |
| `master.healthPort` | integer | 8082 | Port on which to expose the grpc health endpoint, will be also used for the probes |
| `master.instance` | string | | Instance name. Used to separate annotation namespaces for multiple parallel deployments |
@ -189,8 +184,6 @@ API's you need to install the prometheus operator in your cluster.
| `master.extraLabelNs` | array | [] | List of allowed extra label namespaces |
| `master.resourceLabels` | array | [] | List of labels to be registered as extended resources |
| `master.enableTaints` | bool | false | Specifies whether to enable or disable node tainting |
| `master.crdController` | bool | null | Specifies whether the NFD CRD API controller is enabled. If not set, controller will be enabled if `master.instance` is empty. |
| `master.featureRulesController` | bool | null | DEPRECATED: use `master.crdController` instead |
| `master.replicaCount` | integer | 1 | Number of desired pods. This is a pointer to distinguish between explicit zero and not specified |
| `master.podSecurityContext` | dict | {} | [PodSecurityContext](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod) holds pod-level security attributes and common container settings |
| `master.securityContext` | dict | {} | Container [security settings](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container) |
@ -198,8 +191,6 @@ API's you need to install the prometheus operator in your cluster.
| `master.serviceAccount.annotations` | dict | {} | Annotations to add to the service account |
| `master.serviceAccount.name` | string | | The name of the service account to use. If not set and create is true, a name is generated using the fullname template |
| `master.rbac.create` | bool | true | Specifies whether to create [RBAC][rbac] configuration for nfd-master |
| `master.service.type` | string | ClusterIP | NFD master service type. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `master.service.port` | integer | 8080 | NFD master service port. **NOTE**: this parameter is related to the deprecated gRPC API and will be removed with it in a future release |
| `master.resources.limits` | dict | {memory: 4Gi} | NFD master pod [resources limits](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits) |
| `master.resources.requests` | dict | {cpu: 100m, memory: 128Mi} | NFD master pod [resources requests](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits). See `[0]` for more info |
| `master.tolerations` | dict | _Schedule to control-plane node_ | NFD master pod [tolerations](https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/) |


@ -59,11 +59,6 @@ scenarios under
- [`prune`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/prune):
clean up the cluster after uninstallation, see
[Removing feature labels](uninstallation.md#removing-feature-labels)
- [`samples/cert-manager`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/samples/cert-manager):
an example for supplementing the default deployment with cert-manager for TLS
authentication, see
[Automated TLS certificate management using cert-manager](tls.md)
for details
- [`samples/custom-rules`](https://github.com/kubernetes-sigs/node-feature-discovery/blob/{{site.release}}/deployment/overlays/samples/custom-rules):
an example for spicing up the default deployment with a separately managed
configmap of custom labeling rules, see


@ -1,7 +1,7 @@
---
title: "Metrics"
layout: default
sort: 7
sort: 6
---
# Metrics


@ -1,181 +0,0 @@
---
title: "TLS authentication"
layout: default
sort: 5
---
# Communication security with TLS
{: .no_toc}
## Table of contents
{: .no_toc .text-delta}
1. TOC
{:toc}
---
> **DEPRECATED**: this section only applies when the gRPC API is used, i.e.
> when the NodeFeature API is disabled (via the `-feature-gates
> NodeFeatureAPI=false` flag) on both nfd-master and nfd-worker. The gRPC API
> is deprecated and will be removed in a future release.
NFD supports mutual TLS authentication between the nfd-master and nfd-worker
instances. That is, nfd-worker and nfd-master both verify that the other end
presents a valid certificate.
TLS authentication is enabled by specifying `-ca-file`, `-key-file` and
`-cert-file` args, on both the nfd-master and nfd-worker instances. The
template specs provided with NFD contain (commented out) example configuration
for enabling TLS authentication.
The Common Name (CN) of the nfd-master certificate must match the DNS name of
the nfd-master Service of the cluster. By default, nfd-master only check that
the nfd-worker has been signed by the specified root certificate (-ca-file).
Additional hardening can be enabled by specifying `-verify-node-name` in
nfd-master args, in which case nfd-master verifies that the NodeName presented
by nfd-worker matches the Common Name (CN) or a Subject Alternative Name (SAN)
of its certificate.
## Automated TLS certificate management using cert-manager
[cert-manager](https://cert-manager.io/) can be used to automate certificate
management between nfd-master and the nfd-worker pods.
The NFD source code repository contains an example kustomize overlay and helm
chart that can be used to deploy NFD with cert-manager supplied certificates
enabled.
To install `cert-manager` itself, you can run:
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
```
Alternatively, you can refer to cert-manager documentation for other
installation methods such as the Helm chart they provide.
When using the Helm chart to deploy NFD, override `values.yaml` to enable both the
`tls.enabled` and `tls.certManager` options. Note that if you do not enable
`tls.certManager`, helm will successfully install the application, but
deployment will wait until certificates are manually created, as demonstrated
below.
See the sample installation commands in the Helm [Deployment](helm.md#deployment)
and [Configuration](helm.md#configuration) sections above for how to either override
individual values, or provide a yaml file with which to override default
values.
## Manual TLS certificate management
If you do not with to make use of cert-manager, the certificates can be
manually created and stored as secrets within the NFD namespace.
Create a CA certificate
```bash
openssl req -x509 -newkey rsa:4096 -keyout ca.key -nodes \
-subj "/CN=nfd-ca" -days 10000 -out ca.crt
```
Create a common openssl config file.
```bash
cat <<EOF > nfd-common.conf
[ req ]
default_bits = 4096
prompt = no
default_md = sha256
req_extensions = req_ext
distinguished_name = dn
[ dn ]
C = XX
ST = some-state
L = some-city
O = some-company
OU = node-feature-discovery
[ req_ext ]
subjectAltName = @alt_names
[ v3_ext ]
authorityKeyIdentifier=keyid,issuer:always
basicConstraints=CA:FALSE
keyUsage=keyEncipherment,dataEncipherment
extendedKeyUsage=serverAuth,clientAuth
subjectAltName=@alt_names
EOF
```
Now, create the nfd-master certificate.
```bash
cat <<EOF > nfd-master.conf
.include nfd-common.conf
[ dn ]
CN = nfd-master
[ alt_names ]
DNS.1 = nfd-master
DNS.2 = nfd-master.node-feature-discovery.svc.cluster.local
DNS.3 = localhost
EOF
openssl req -new -newkey rsa:4096 -keyout nfd-master.key -nodes -out nfd-master.csr -config nfd-master.conf
```
Create certificates for nfd-worker and nfd-topology-updater
```bash
cat <<EOF > nfd-worker.conf
.include nfd-common.conf
[ dn ]
CN = nfd-worker
[ alt_names ]
DNS.1 = nfd-worker
DNS.2 = nfd-worker.node-feature-discovery.svc.cluster.local
EOF
# Config for topology updater is identical except for the DN and alt_names
sed -e 's/worker/topology-updater/g' < nfd-worker.conf > nfd-topology-updater.conf
openssl req -new -newkey rsa:4096 -keyout nfd-worker.key -nodes -out nfd-worker.csr -config nfd-worker.conf
openssl req -new -newkey rsa:4096 -keyout nfd-topology-updater.key -nodes -out nfd-topology-updater.csr -config nfd-topology-updater.conf
```
Now, sign the certificates with the CA created earlier.
```bash
for cert in nfd-master nfd-worker nfd-topology-updater; do
echo signing $cert
openssl x509 -req -in $cert.csr -CA ca.crt -CAkey ca.key \
-CAcreateserial -out $cert.crt -days 10000 \
-extensions v3_ext -extfile $cert.conf
done
```
Finally, turn these certificates into secrets.
```bash
for cert in nfd-master nfd-worker nfd-topology-updater; do
echo creating secret for $cert in node-feature-discovery namespace
cat <<EOF | kubectl create -n node-feature-discovery -f -
---
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
name: ${cert}-cert
data:
ca.crt: $( cat ca.crt | base64 -w 0 )
tls.crt: $( cat $cert.crt | base64 -w 0 )
tls.key: $( cat $cert.key | base64 -w 0 )
EOF
done
```


@ -1,7 +1,7 @@
---
title: "Uninstallation"
layout: default
sort: 6
sort: 5
---
# Uninstallation


@ -171,29 +171,15 @@ e2e-tests:
| E2E_GINKGO_LABEL_FILTER | Ginkgo label filter to use for running e2e tests | *empty* |
| OPENSHIFT | Non-empty value enables OpenShift specific support (only affects e2e tests) | *empty* |
## Running locally
> ****DEPRECATED**: Running NFD locally is deprecated and will be removed in a
> future release. It depends on the gRPC API which is deprecated and will be
> removed in a future release. To run NFD locally, disable the NodeFeature API
> with `-feature-gates NodeFeatureAPI=false` flag.
You can run NFD locally, either directly on your host OS or in containers for
testing and development purposes. This may be useful e.g. for checking
features-detection.
### NFD-Master
When running as a standalone container labeling is expected to fail because
Kubernetes API is not available. Thus, it is recommended to use `-no-publish`
Also specify `-crd-controller=false` and `-feature-gates NodeFeatureAPI=false`
command line flags to disable CRD controller and enable gRPC. E.g.
Kubernetes API is not available. Thus, it is recommended to use `-no-publish`.
```bash
$ export NFD_CONTAINER_IMAGE={{ site.container_image }}
$ docker run --rm --name=nfd-test ${NFD_CONTAINER_IMAGE} nfd-master -no-publish -crd-controller=false -feature-gates NodeFeatureAPI=false
2019/02/01 14:48:21 Node Feature Discovery Master <NFD_VERSION>
2019/02/01 14:48:21 gRPC server serving on port: 8080
```
### NFD-Worker


@ -47,18 +47,6 @@ The `-prune` flag is a sub-command like option for cleaning up the cluster. It
causes nfd-master to remove all NFD related labels, annotations and extended
resources from all Node objects of the cluster and exit.
### -port
The `-port` flag specifies the TCP port that nfd-master listens for incoming requests.
Default: 8080
Example:
```bash
nfd-master -port=443
```
### -metrics
The `-metrics` flag specifies the port on which to expose
@ -89,91 +77,6 @@ Example:
nfd-master -instance=network
```
### -ca-file
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-ca-file` is one of the three flags (together with `-cert-file` and
`-key-file`) controlling master-worker mutual TLS authentication on the
nfd-master side. This flag specifies the TLS root certificate that is used for
authenticating incoming connections. NFD-Worker side needs to have matching key
and cert files configured for the incoming requests to be accepted.
Default: *empty*
> **NOTE:** Must be specified together with `-cert-file` and `-key-file`
Example:
```bash
nfd-master -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key
```
### -cert-file
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-cert-file` is one of the three flags (together with `-ca-file` and
`-key-file`) controlling master-worker mutual TLS authentication on the
nfd-master side. This flag specifies the TLS certificate presented for
authenticating outgoing traffic towards nfd-worker.
Default: *empty*
> **NOTE:** Must be specified together with `-ca-file` and `-key-file`
Example:
```bash
nfd-master -cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key -ca-file=/opt/nfd/ca.crt
```
### -key-file
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-key-file` is one of the three flags (together with `-ca-file` and
`-cert-file`) controlling master-worker mutual TLS authentication on the
nfd-master side. This flag specifies the private key corresponding the given
certificate file (`-cert-file`) that is used for authenticating outgoing
traffic.
Default: *empty*
> **NOTE:** Must be specified together with `-cert-file` and `-ca-file`
Example:
```bash
nfd-master -key-file=/opt/nfd/master.key -cert-file=/opt/nfd/master.crt -ca-file=/opt/nfd/ca.crt
```
### -verify-node-name
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-verify-node-name` flag controls the NodeName based authorization of
incoming requests and only has effect when mTLS authentication has been enabled
(with `-ca-file`, `-cert-file` and `-key-file`). If enabled, the worker node
name of the incoming must match with the CN or a SAN in its TLS certificate. Thus,
workers are only able to label the node they are running on (or the node whose
certificate they present).
Node Name based authorization is disabled by default.
Default: *false*
Example:
```bash
nfd-master -verify-node-name -ca-file=/opt/nfd/ca.crt \
-cert-file=/opt/nfd/master.crt -key-file=/opt/nfd/master.key
```
### -enable-leader-election
The `-enable-leader-election` flag enables leader election for NFD-Master.
@ -212,28 +115,6 @@ Example:
nfd-master -no-publish
```
### -crd-controller
> **NOTE** This flag will be removed in a future release at the same time with
> the deprecated gRPC API.
The `-crd-controller` flag specifies whether the NFD CRD API controller is
enabled or not. The controller is responsible for processing
[NodeFeature](../usage/custom-resources.md#nodefeature) and
[NodeFeatureRule](../usage/custom-resources.md#nodefeaturerule) objects.
Default: *true*
Example:
```bash
nfd-master -crd-controller=false
```
### -featurerules-controller
**DEPRECATED**: use [`-crd-controller`](#-crd-controller) instead.
### -label-whitelist
The `-label-whitelist` specifies a regular expression for filtering feature


@ -69,82 +69,6 @@ Example:
nfd-worker -options='{"sources":{"cpu":{"cpuid":{"attributeWhitelist":["AVX","AVX2"]}}}}'
```
### -server
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-server` flag specifies the address of the nfd-master endpoint where to
connect to.
Default: localhost:8080
Example:
```bash
nfd-worker -server=nfd-master.nfd.svc.cluster.local:443
```
### -ca-file
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-ca-file` is one of the three flags (together with `-cert-file` and
`-key-file`) controlling the mutual TLS authentication on the worker side.
This flag specifies the TLS root certificate that is used for verifying the
authenticity of nfd-master.
Default: *empty*
> **NOTE:** Must be specified together with `-cert-file` and `-key-file`
Example:
```bash
nfd-worker -ca-file=/opt/nfd/ca.crt -cert-file=/opt/nfd/worker.crt -key-file=/opt/nfd/worker.key
```
### -cert-file
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-cert-file` is one of the three flags (together with `-ca-file` and
`-key-file`) controlling mutual TLS authentication on the worker side. This
flag specifies the TLS certificate presented for authenticating outgoing
requests.
Default: *empty*
> **NOTE:** Must be specified together with `-ca-file` and `-key-file`
Example:
```bash
nfd-workerr -cert-file=/opt/nfd/worker.crt -key-file=/opt/nfd/worker.key -ca-file=/opt/nfd/ca.crt
```
### -key-file
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-key-file` is one of the three flags (together with `-ca-file` and
`-cert-file`) controlling the mutual TLS authentication on the worker side.
This flag specifies the private key corresponding the given certificate file
(`-cert-file`) that is used for authenticating outgoing requests.
Default: *empty*
> **NOTE:** Must be specified together with `-cert-file` and `-ca-file`
Example:
```bash
nfd-worker -key-file=/opt/nfd/worker.key -cert-file=/opt/nfd/worker.crt -ca-file=/opt/nfd/ca.crt
```
### -kubeconfig
The `-kubeconfig` flag specifies the kubeconfig to use for connecting to the
@ -160,23 +84,6 @@ Example:
nfd-worker -kubeconfig ${HOME}/.kube/config
```
### -server-name-override
> **NOTE** the gRPC API is deprecated and will be removed in a future release.
> and this flag will be removed as well.
The `-server-name-override` flag specifies the common name (CN) which to
expect from the nfd-master TLS certificate. This flag is mostly intended for
development and debugging purposes.
Default: *empty*
Example:
```bash
nfd-worker -server-name-override=localhost
```
### -feature-sources
The `-feature-sources` flag specifies a comma-separated list of enabled feature


@ -141,21 +141,18 @@ func newNfdController(config *restclient.Config, nfdApiControllerOptions nfdApiC
if !nfdApiControllerOptions.DisableNodeFeature {
c.updateAllNodes()
}
// else: rules will be processed only when gRPC requests are received
},
UpdateFunc: func(oldObject, newObject interface{}) {
klog.V(2).InfoS("NodeFeatureRule updated", "nodefeaturerule", klog.KObj(newObject.(metav1.Object)))
if !nfdApiControllerOptions.DisableNodeFeature {
c.updateAllNodes()
}
// else: rules will be processed only when gRPC requests are received
},
DeleteFunc: func(object interface{}) {
klog.V(2).InfoS("NodeFeatureRule deleted", "nodefeaturerule", klog.KObj(object.(metav1.Object)))
if !nfdApiControllerOptions.DisableNodeFeature {
c.updateAllNodes()
}
// else: rules will be processed only when gRPC requests are received
},
}); err != nil {
return nil, err
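Review bot: The three `if !nfdApiControllerOptions.DisableNodeFeature { c.updateAllNodes() }` guards in the Add/Update/Delete handlers are kept, but the only explanation of what happens when the guard is false (the removed "rules will be processed only when gRPC requests are received" comments) is gone, so the skip is now undocumented. With the gRPC path removed it is no longer clear from this code who re-evaluates NodeFeatureRule changes when `DisableNodeFeature` is set; if nobody does, the guard should probably go too, and if something else does, the guard deserves a one-line why-comment such as `// With NodeFeature objects disabled, rule changes are not applied here (see: <the path that does>)`, filled in with the actual mechanism. A single comment above the first guard would be enough rather than repeating it three times. The enclosing `newNfdController` starts and ends outside this hunk.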


@ -273,8 +273,7 @@ func createClusterRoleTopologyUpdater(ctx context.Context, cs clientset.Interfac
Name: "nfd-topology-updater-e2e",
},
// the Topology Updater doesn't need to access any kube object:
// it reads from the podresources socket and it sends updates to the
// nfd-master using the gRPC interface.
// it reads from the podresources socket and it updates the noderesourcetopologies
Rules: []rbacv1.PolicyRule{
{
APIGroups: []string{""},