feat: add EnableSecureTLSBootstrapping to bootstrap config #3653

Merged 3 commits on Sep 28, 2023
1 change: 1 addition & 0 deletions parts/linux/cloud-init/artifacts/cse_cmd.sh
Expand Up @@ -114,6 +114,7 @@ HTTPS_PROXY_URLS="{{GetHTTPSProxy}}"
NO_PROXY_URLS="{{GetNoProxy}}"
PROXY_VARS="{{GetProxyVariables}}"
CLIENT_TLS_BOOTSTRAPPING_ENABLED="{{IsKubeletClientTLSBootstrappingEnabled}}"
ENABLE_SECURE_TLS_BOOTSTRAPPING="{{EnableSecureTLSBootstrapping}}"
DHCPV6_SERVICE_FILEPATH="{{GetDHCPv6ServiceCSEScriptFilepath}}"
DHCPV6_CONFIG_FILEPATH="{{GetDHCPv6ConfigCSEScriptFilepath}}"
THP_ENABLED="{{GetTransparentHugePageEnabled}}"
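
Review bot: CLIENT_TLS_BOOTSTRAPPING_ENABLED and the new ENABLE_SECURE_TLS_BOOTSTRAPPING line directly below it are no longer independent, because the template function behind the first now also returns true whenever the second is true. A provisioning script that branches on CLIENT_TLS_BOOTSTRAPPING_ENABLED and then expects a token will find that variable "true" alongside an empty token on the secure path, so consumers need to test ENABLE_SECURE_TLS_BOOTSTRAPPING first. The scripts that read these variables are not part of this diff; please confirm they do, and note that both values arrive as the quoted strings "true"/"false".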
5 changes: 4 additions & 1 deletion pkg/agent/baker.go
Expand Up @@ -379,7 +379,10 @@ func getContainerServiceFuncMap(config *datamodel.NodeBootstrappingConfiguration
return IsKubeletConfigFileEnabled(cs, profile, config.EnableKubeletConfigFile)
},
"IsKubeletClientTLSBootstrappingEnabled": func() bool {
return IsKubeletClientTLSBootstrappingEnabled(config.KubeletClientTLSBootstrapToken)
return config.EnableSecureTLSBootstrapping || IsKubeletClientTLSBootstrappingEnabled(config.KubeletClientTLSBootstrapToken)
Collaborator Author

since we're OR'ing, EnableSecureTLSBootstrapping being false won't affect the overall value

Contributor

clueless question - what's the difference between config having EnableSecureTLSBootstrapping set to true and IsKubeletClientTLSBootstrappingEnabled returning true?

Collaborator Author

@cameronmeissner Sep 28, 2023

basically, EnableSecureTLSBootstrap will be true when we are doing TLS bootstrapping but we're NOT using a hard-coded token; IsKubeletClientTLSBootstrappingEnabled() will be true when the node bootstrapping config we get from RP includes a hard-coded token, also implying that we're doing TLS bootstrapping.

so IsKubeletClientTLSBootstrappingEnabled overall will return true when we're doing some form of TLS bootstrapping, whether that be the secure way or with a hard-coded token

Contributor

Thanks, makes sense - might be a good idea to add this as a comment somewhere, maybe for future reference?

Collaborator Author

did some renaming to make this a bit more clear, also added comments :)

},
"EnableSecureTLSBootstrapping": func() bool {
return config.EnableSecureTLSBootstrapping
anujmaheshwari1 marked this conversation as resolved.
},
"GetTLSBootstrapTokenForKubeConfig": func() string {
return GetTLSBootstrapTokenForKubeConfig(config.KubeletClientTLSBootstrapToken)
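
Review bot: in the "IsKubeletClientTLSBootstrappingEnabled" entry, the template function now returns true for either mechanism, while the package-level function of the same name that it calls still takes only the token, so one name carries two meanings. Rename the template key or the helper so the token-only check and the "any TLS bootstrapping" check can be told apart, and put a comment on the OR. Also, "GetTLSBootstrapTokenForKubeConfig" at the end of the hunk is still handed config.KubeletClientTLSBootstrapToken regardless of the new flag; if a token and EnableSecureTLSBootstrapping are both set, the hard-coded token path stays live, so either gate it on !config.EnableSecureTLSBootstrapping or document which one wins.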
7 changes: 7 additions & 0 deletions pkg/agent/baker_test.go
Expand Up @@ -675,6 +675,13 @@ var _ = Describe("Assert generated customData and cseCmd", func() {
Expect(caCRT).NotTo(BeEmpty())
}),

Entry("AKSUbuntu2204 with secure TLS bootstrapping enabled", "AKSUbuntu2204+SecureTLSBoostrapping", "1.25.6",
func(config *datamodel.NodeBootstrappingConfiguration) {
config.EnableSecureTLSBootstrapping = true
}, func(o *nodeBootstrappingOutput) {
Expect(o.vars["ENABLE_SECURE_TLS_BOOTSTRAPPING"]).To(Equal("true"))
}),

Entry("AKSUbuntu1804 with DisableCustomData = true", "AKSUbuntu1804+DisableCustomData", "1.19.0",
func(config *datamodel.NodeBootstrappingConfiguration) {
config.ContainerService.Properties.AgentPoolProfiles[0].KubernetesConfig = &datamodel.KubernetesConfig{
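
Review bot: the new "secure TLS bootstrapping enabled" entry asserts only ENABLE_SECURE_TLS_BOOTSTRAPPING, so the OR added in baker.go is not covered: nothing checks that CLIENT_TLS_BOOTSTRAPPING_ENABLED is "true" and that TLS_BOOTSTRAP_TOKEN is empty when no token is supplied. Add both Expect lines to the same closure. The test-data folder name "AKSUbuntu2204+SecureTLSBoostrapping" is also misspelled ("Boostrapping"); rename it now, before the folder name is relied on by the generated snapshots.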
30 changes: 17 additions & 13 deletions pkg/agent/datamodel/types.go
Expand Up @@ -1645,19 +1645,23 @@ type NodeBootstrappingConfiguration struct {
kubeconfig. */
// ref: https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet-tls-bootstrapping.
KubeletClientTLSBootstrapToken *string
FIPSEnabled bool
HTTPProxyConfig *HTTPProxyConfig
KubeletConfig map[string]string
KubeproxyConfig map[string]string
EnableRuncShimV2 bool
GPUInstanceProfile string
PrimaryScaleSetName string
SIGConfig SIGConfig
IsARM64 bool
CustomCATrustConfig *CustomCATrustConfig
DisableUnattendedUpgrades bool
SSHStatus SSHStatus
DisableCustomData bool
// EnableSecureTLSBootstraping - when this feature is enabled we don't hard-code TLS bootstrap tokens at all,
// instead we create a modified bootstrap kubeconfig which points towards the STLS bootstrap client-go
// credential plugin installed on the VHD, which will be responsible for generating TLS bootstrap tokens on the fly
EnableSecureTLSBootstrapping bool
Collaborator Author

this will be set to false until enabled on the RP-side

FIPSEnabled bool
HTTPProxyConfig *HTTPProxyConfig
KubeletConfig map[string]string
KubeproxyConfig map[string]string
EnableRuncShimV2 bool
GPUInstanceProfile string
PrimaryScaleSetName string
SIGConfig SIGConfig
IsARM64 bool
CustomCATrustConfig *CustomCATrustConfig
DisableUnattendedUpgrades bool
SSHStatus SSHStatus
DisableCustomData bool
}

type SSHStatus int
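
Review bot: the doc comment on the new field spells it "EnableSecureTLSBootstraping" (one "p"), which will not match a search for the field name, and it does not say what happens when KubeletClientTLSBootstrapToken is also non-nil. State the precedence between the two, and that the zero value (false) leaves the existing token behaviour unchanged. Placing the field mid-struct also re-aligns 13 unrelated fields; appending it after DisableCustomData would likely keep the diff to the new lines.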
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1604+Containerd/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1604+Docker/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1604+K8S115/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1604+K8S117/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1604+K8S118/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1804+HTTPProxy/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1804+NoneCNI/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu1804+krustlet/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu2204+China/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu2204+CustomCloud/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu2204+SSHStatusOff/CSECommand
2 changes: 1 addition & 1 deletion pkg/agent/testdata/AKSUbuntu2204+SSHStatusOn/CSECommand

Large diffs are not rendered by default.

@@ -0,0 +1 @@
PROVISION_OUTPUT="/var/log/azure/cluster-provision-cse-output.log"; echo $(date),$(hostname) > ${PROVISION_OUTPUT}; cloud-init status --wait > /dev/null 2>&1; [ $? -ne 0 ] && echo 'cloud-init failed' >> ${PROVISION_OUTPUT} && exit 1; echo "cloud-init succeeded" >> ${PROVISION_OUTPUT}; ADMINUSER=azureuser MOBY_VERSION= TENANT_ID=tenantID KUBERNETES_VERSION=1.25.6 HYPERKUBE_URL=k8s.gcr.io/hyperkube-amd64:v1.25.6 KUBE_BINARY_URL= CUSTOM_KUBE_BINARY_URL= KUBEPROXY_URL= APISERVER_PUBLIC_KEY= SUBSCRIPTION_ID=subID RESOURCE_GROUP=resourceGroupName LOCATION=southcentralus VM_TYPE=vmss SUBNET=subnet1 NETWORK_SECURITY_GROUP=aks-agentpool-36873793-nsg VIRTUAL_NETWORK=aks-vnet-07752737 VIRTUAL_NETWORK_RESOURCE_GROUP=MC_rg ROUTE_TABLE=aks-agentpool-36873793-routetable PRIMARY_AVAILABILITY_SET= PRIMARY_SCALE_SET=aks-agent2-36873793-vmss SERVICE_PRINCIPAL_CLIENT_ID=ClientID NETWORK_PLUGIN= NETWORK_POLICY= VNET_CNI_PLUGINS_URL=https://acs-mirror.azureedge.net/azure-cni/v1.1.3/binaries/azure-vnet-cni-linux-amd64-v1.1.3.tgz CNI_PLUGINS_URL=https://acs-mirror.azureedge.net/cni/cni-plugins-amd64-v0.7.6.tgz CLOUDPROVIDER_BACKOFF=<nil> CLOUDPROVIDER_BACKOFF_MODE= CLOUDPROVIDER_BACKOFF_RETRIES=0 CLOUDPROVIDER_BACKOFF_EXPONENT=0 CLOUDPROVIDER_BACKOFF_DURATION=0 CLOUDPROVIDER_BACKOFF_JITTER=0 CLOUDPROVIDER_RATELIMIT=<nil> CLOUDPROVIDER_RATELIMIT_QPS=0 CLOUDPROVIDER_RATELIMIT_QPS_WRITE=0 CLOUDPROVIDER_RATELIMIT_BUCKET=0 CLOUDPROVIDER_RATELIMIT_BUCKET_WRITE=0 LOAD_BALANCER_DISABLE_OUTBOUND_SNAT=<nil> USE_MANAGED_IDENTITY_EXTENSION=false USE_INSTANCE_METADATA=false LOAD_BALANCER_SKU= EXCLUDE_MASTER_FROM_STANDARD_LB=true MAXIMUM_LOADBALANCER_RULE_COUNT=0 CONTAINER_RUNTIME= CLI_TOOL= CONTAINERD_DOWNLOAD_URL_BASE=https://storage.googleapis.com/cri-containerd-release/ NETWORK_MODE= KUBE_BINARY_URL= USER_ASSIGNED_IDENTITY_ID=userAssignedID API_SERVER_NAME= IS_VHD=true GPU_NODE=false SGX_NODE=false MIG_NODE=false CONFIG_GPU_DRIVER_IF_NEEDED=true ENABLE_GPU_DEVICE_PLUGIN_IF_NEEDED=false 
TELEPORTD_PLUGIN_DOWNLOAD_URL= CONTAINERD_VERSION= CONTAINERD_PACKAGE_URL= RUNC_VERSION= RUNC_PACKAGE_URL= ENABLE_HOSTS_CONFIG_AGENT="false" DISABLE_SSH="false" NEEDS_CONTAINERD="false" TELEPORT_ENABLED="false" SHOULD_CONFIGURE_HTTP_PROXY="false" SHOULD_CONFIGURE_HTTP_PROXY_CA="false" HTTP_PROXY_TRUSTED_CA="" SHOULD_CONFIGURE_CUSTOM_CA_TRUST="false" CUSTOM_CA_TRUST_COUNT="0" IS_KRUSTLET="false" GPU_NEEDS_FABRIC_MANAGER="false" NEEDS_DOCKER_LOGIN="false" IPV6_DUAL_STACK_ENABLED="false" OUTBOUND_COMMAND="curl -v --insecure --proxy-insecure https://mcr.microsoft.com/v2/" ENABLE_UNATTENDED_UPGRADES="true" ENSURE_NO_DUPE_PROMISCUOUS_BRIDGE="false" SHOULD_CONFIG_SWAP_FILE="false" SHOULD_CONFIG_TRANSPARENT_HUGE_PAGE="false" SHOULD_CONFIG_CONTAINERD_ULIMITS="false" CONTAINERD_ULIMITS="" TARGET_CLOUD="AzurePublicCloud" TARGET_ENVIRONMENT="AzurePublicCloud" CUSTOM_ENV_JSON="" IS_CUSTOM_CLOUD="false" CSE_HELPERS_FILEPATH="/opt/azure/containers/provision_source.sh" CSE_DISTRO_HELPERS_FILEPATH="/opt/azure/containers/provision_source_distro.sh" CSE_INSTALL_FILEPATH="/opt/azure/containers/provision_installs.sh" CSE_DISTRO_INSTALL_FILEPATH="/opt/azure/containers/provision_installs_distro.sh" CSE_CONFIG_FILEPATH="/opt/azure/containers/provision_configs.sh" AZURE_PRIVATE_REGISTRY_SERVER="" HAS_CUSTOM_SEARCH_DOMAIN="false" CUSTOM_SEARCH_DOMAIN_FILEPATH="/opt/azure/containers/setup-custom-search-domains.sh" HTTP_PROXY_URLS="" HTTPS_PROXY_URLS="" NO_PROXY_URLS="" PROXY_VARS="" CLIENT_TLS_BOOTSTRAPPING_ENABLED="true" ENABLE_SECURE_TLS_BOOTSTRAPPING="true" DHCPV6_SERVICE_FILEPATH="/etc/systemd/system/dhcpv6.service" DHCPV6_CONFIG_FILEPATH="/opt/azure/containers/enable-dhcpv6.sh" THP_ENABLED="" THP_DEFRAG="" SERVICE_PRINCIPAL_FILE_CONTENT="U2VjcmV0" KUBELET_CLIENT_CONTENT="" KUBELET_CLIENT_CERT_CONTENT="" KUBELET_CONFIG_FILE_ENABLED="false" KUBELET_CONFIG_FILE_CONTENT="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" SWAP_FILE_SIZE_MB="0" GPU_DRIVER_VERSION="cuda-525.85.12" 
GPU_INSTANCE_PROFILE="" CUSTOM_SEARCH_DOMAIN_NAME="" CUSTOM_SEARCH_REALM_USER="" CUSTOM_SEARCH_REALM_PASSWORD="" MESSAGE_OF_THE_DAY="" HAS_KUBELET_DISK_TYPE="false" NEEDS_CGROUPV2="false" TLS_BOOTSTRAP_TOKEN="" KUBELET_FLAGS="--address=0.0.0.0 --anonymous-auth=false --authentication-token-webhook=true --authorization-mode=Webhook --azure-container-registry-config=/etc/kubernetes/azure.json --cgroups-per-qos=true --client-ca-file=/etc/kubernetes/certs/ca.crt --cloud-config=/etc/kubernetes/azure.json --cloud-provider=azure --cluster-dns=10.0.0.10 --cluster-domain=cluster.local --container-log-max-size=50M --enforce-node-allocatable=pods --event-qps=0 --eviction-hard=memory.available<750Mi,nodefs.available<10%,nodefs.inodesFree<5% --feature-gates=PodPriority=true,RotateKubeletServerCertificate=true,a=false,x=false --image-gc-high-threshold=85 --image-gc-low-threshold=80 --kube-reserved=cpu=100m,memory=1638Mi --max-pods=110 --node-status-update-frequency=10s --pod-manifest-path=/etc/kubernetes/manifests --pod-max-pids=-1 --protect-kernel-defaults=true --read-only-port=10255 --resolv-conf=/etc/resolv.conf --rotate-certificates=true --streaming-connection-idle-timeout=4h0m0s --system-reserved=cpu=2,memory=1Gi --tls-cert-file=/etc/kubernetes/certs/kubeletserver.crt --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 --tls-private-key-file=/etc/kubernetes/certs/kubeletserver.key " NETWORK_POLICY="" KUBELET_NODE_LABELS="agentpool=agent2,kubernetes.azure.com/agentpool=agent2" AZURE_ENVIRONMENT_FILEPATH="" KUBE_CA_CRT="" KUBENET_TEMPLATE="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" CONTAINERD_CONFIG_CONTENT="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" 
CONTAINERD_CONFIG_NO_GPU_CONTENT="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" IS_KATA="false" SYSCTL_CONTENT="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" PRIVATE_EGRESS_PROXY_ADDRESS="" /usr/bin/nohup /bin/bash -c "/bin/bash /opt/azure/containers/provision_start.sh"
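
Review bot: this snapshot covers only the flag-on, token-absent case (ENABLE_SECURE_TLS_BOOTSTRAPPING="true" with TLS_BOOTSTRAP_TOKEN=""), and there is no rendered case with EnableSecureTLSBootstrapping set together with a KubeletClientTLSBootstrapToken, which is the one combination where precedence matters. Add a second entry and fixture for that combination, or reject it in code so it cannot reach the template.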