diff --git a/pkg/collector/collect.go b/pkg/collector/collect.go
index a118faf..4df4813 100644
--- a/pkg/collector/collect.go
+++ b/pkg/collector/collect.go
@@ -19,10 +19,14 @@ var configMapper = map[string]string{
 "kubeletClientCaFileArgumentSet": "authentication.x509.clientCAFile",
 "kubeletReadOnlyPortArgumentSet": "readOnlyPort",
 "kubeletStreamingConnectionIdleTimeoutArgumentSet": "streamingConnectionIdleTimeout",
- "kubeletProtectKernelDefaultsArgumentSet": "kernelMemcgNotification",
+ "kubeletProtectKernelDefaultsArgumentSet": "protectKernelDefaults",
 "kubeletMakeIptablesUtilChainsArgumentSet": "makeIPTablesUtilChains",
 "kubeletEventQpsArgumentSet": "eventRecordQPS",
 "kubeletRotateKubeletServerCertificateArgumentSet": "featureGates.RotateKubeletServerCertificate",
+ "kubeletRotateCertificatesArgumentSet": "rotateCertificates",
+ "kubeletTlsCertFileTlsArgumentSet": "tlsCertFile",
+ "kubeletTlsPrivateKeyFileArgumentSet": "tlsPrivateKeyFile",
+ "kubeletOnlyUseStrongCryptographic": "tlsCipherSuites",
 }
 
 type SpecVersion struct {
@@ -69,7 +73,7 @@ func CollectData(cmd *cobra.Command, target string) error {
 specVersion := cmd.Flag("version").Value.String()
 sv := SpecVersion{Name: specName, Version: specVersion}
 if len(sv.Name) == 0 || len(sv.Version) == 0 {
- sv = specByPlatfromVersion(p.Name, p.Version)
+ sv = specByPlatfromVersion(p.Name)
 }
 for _, infoCollector := range infoCollectorMap {
 nodeInfo := make(map[string]*Info)
@@ -126,7 +130,7 @@ func loadNodeConfig(ctx context.Context, cluster Cluster, nodeName string) (map[
 return nodeConfig, nil
 }
 
-func specByPlatfromVersion(platfrom string, version string) SpecVersion {
+func specByPlatfromVersion(platfrom string) SpecVersion {
 return platfromSpec[fmt.Sprintf("%s-%s", platfrom, platfrom)]
 }
 
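Review bot: The four added keys break the naming pattern of the map: `kubeletOnlyUseStrongCryptographic` is the only entry without the `ArgumentSet` suffix, and `kubeletTlsCertFileTlsArgumentSet` repeats `Tls`. If these keys are the check identifiers consumed by the spec files, they are fixed there, and a comment on the map saying so would stop the next reader from "correcting" them, e.g. `// keys are the check IDs referenced by the specs; values are kubelet config paths`. The `kubeletProtectKernelDefaultsArgumentSet` change from `kernelMemcgNotification` to `protectKernelDefaults` looks right, but no test asserts it; the fixture now carries `"protectKernelDefaults": true`, so adding that key to the expected map in collect_test.go would pin the fix.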
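Review bot: The fallback result is never validated: when `specByPlatfromVersion(p.Name)` misses in the map, `sv` stays a zero `SpecVersion` and the loop below runs with an empty spec name and version, which is exactly the condition the preceding `if` guards against. Since CollectData returns an error, re-check after the fallback: `sv = specByPlatfromVersion(p.Name)`, `if sv.Name == "" || sv.Version == "" { return fmt.Errorf("no spec mapped for platform %q", p.Name) }`. If an unknown platform is meant to be non-fatal, a log line at this point would at least make the silent default visible. CollectData starts and ends outside this hunk.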
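Review bot: The lookup key `fmt.Sprintf("%s-%s", platfrom, platfrom)` joins the platform name with itself, so with the `version` parameter gone the function can only ever hit keys of the form `<platform>-<platform>`; either that is genuinely how `platfromSpec` is keyed, in which case `return platfromSpec[platfrom]` with matching map keys says the same thing without the formatting call, or the second operand was meant to be the version and this commit removes the only source of it. The map and its key format are outside the hunk, so this cannot be settled from here; a one-line comment stating the expected key format (`// platfromSpec is keyed by "<platform>-<version>"`, or whatever it really is) would remove the ambiguity. The misspelling `Platfrom`/`platfrom` in the function name, parameter and map is carried over unchanged and is worth correcting while the signature is already being changed.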
@@ -150,6 +154,8 @@ func getValuesFromkubeletConfig(nodeConfig map[string]interface{}) (map[string]*
 switch r := p.(type) {
 case bool:
 overrideConfig[k] = &Info{Values: []interface{}{strconv.FormatBool(r)}}
+ case []interface{}:
+ overrideConfig[k] = &Info{Values: r}
 default:
 overrideConfig[k] = &Info{Values: []interface{}{r}}
 }
diff --git a/pkg/collector/collect_test.go b/pkg/collector/collect_test.go
index bf91f73..5f4da55 100644
--- a/pkg/collector/collect_test.go
+++ b/pkg/collector/collect_test.go
@@ -25,10 +25,10 @@ func TestParseNodeConfig(t *testing.T) {
 Values: []interface{}{"Webhook"},
 },
 "kubeletClientCaFileArgumentSet": {
- Values: []interface{}{"/etc/kubernetes/pki/ca.crt"},
+ Values: []interface{}{"/etc/kubernetes/certs/ca.crt"},
 },
 "kubeletEventQpsArgumentSet": {
- Values: []interface{}{5.0},
+ Values: []interface{}{0.0},
 },
 "kubeletMakeIptablesUtilChainsArgumentSet": {
 Values: []interface{}{"true"},
@@ -36,6 +36,16 @@ func TestParseNodeConfig(t *testing.T) {
 "kubeletStreamingConnectionIdleTimeoutArgumentSet": {
 Values: []interface{}{"4h0m0s"},
 },
+ "kubeletOnlyUseStrongCryptographic": {
+ Values: []interface{}{"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256"},
+ },
 }},
 }
 
@@ -49,7 +59,9 @@ func TestParseNodeConfig(t *testing.T) {
 m, err := getValuesFromkubeletConfig(nodeConfig)
 assert.NoError(t, err)
 for k, v := range m {
- assert.Equal(t, v, tt.expextedNodeConfigFile[k])
+ if _, ok := tt.expextedNodeConfigFile[k]; ok {
+ assert.Equal(t, v, tt.expextedNodeConfigFile[k])
+ }
 }
 })
 }
diff --git a/pkg/collector/testdata/fixture/node_config.json b/pkg/collector/testdata/fixture/node_config.json
index 173283b..a5ea046 100644
--- a/pkg/collector/testdata/fixture/node_config.json
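Review bot: The new `case []interface{}` stores the slice taken from `nodeConfig` directly in `Info.Values`, so the override entry aliases the decoded config and a later mutation of either is visible through the other, unlike the other two branches, which build a fresh slice; `overrideConfig[k] = &Info{Values: append([]interface{}(nil), r...)}` detaches it. The elements also skip the normalization the `case bool` branch applies, so a list of bools stays as bools rather than "true"/"false", which only matters if a list-valued check is ever compared as strings; if that is intentional, a comment on the case saying the list is passed through as decoded would help. The enclosing function starts and ends outside this hunk.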
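Review bot: The expected `kubeletOnlyUseStrongCryptographic` value is the fixture's `tlsCipherSuites` list verbatim, including the two `TLS_RSA_*` entries, so this case only asserts that the collector passes the list through untouched; whether a given suite counts as strong is presumably decided by the spec, not by the collector. A short comment above the entry, `// collector copies tlsCipherSuites as-is; suite strength is judged by the spec, not here`, would stop a reader from taking the list as an endorsed set. The test function starts outside this hunk.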
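Review bot: The added `ok` guard makes the loop skip every key that is not in `expextedNodeConfigFile`, so a mapping that lands on the wrong key, or an expected key the collector no longer produces, now passes silently; iterating the expectations instead keeps the test strict: `for k, want := range tt.expextedNodeConfigFile {`, `assert.Equal(t, want, m[k])`, `}`. That also fixes the argument order, since `assert.Equal` takes expected before actual and the current call has them reversed, which only affects the failure message. `expexted` in the field name is a typo, though renaming it touches lines outside the hunk.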
+++ b/pkg/collector/testdata/fixture/node_config.json
@@ -7,12 +7,22 @@
 "httpCheckFrequency": "20s",
 "address": "0.0.0.0",
 "port": 10250,
- "tlsCertFile": "/var/lib/kubelet/pki/kubelet.crt",
- "tlsPrivateKeyFile": "/var/lib/kubelet/pki/kubelet.key",
+ "tlsCertFile": "/etc/kubernetes/certs/kubeletserver.crt",
+ "tlsPrivateKeyFile": "/etc/kubernetes/certs/kubeletserver.key",
+ "tlsCipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256"
+ ],
 "rotateCertificates": true,
 "authentication": {
 "x509": {
- "clientCAFile": "/etc/kubernetes/pki/ca.crt"
+ "clientCAFile": "/etc/kubernetes/certs/ca.crt"
 },
 "webhook": {
 "enabled": true,
@@ -31,35 +41,34 @@
 },
 "registryPullQPS": 5,
 "registryBurst": 10,
- "eventRecordQPS": 5,
- "eventBurst": 10,
+ "eventRecordQPS": 0,
+ "eventBurst": 100,
 "enableDebuggingHandlers": true,
 "healthzPort": 10248,
 "healthzBindAddress": "127.0.0.1",
 "oomScoreAdj": -999,
 "clusterDomain": "cluster.local",
 "clusterDNS": [
- "10.96.0.10"
+ "10.0.0.10"
 ],
 "streamingConnectionIdleTimeout": "4h0m0s",
 "nodeStatusUpdateFrequency": "10s",
 "nodeStatusReportFrequency": "5m0s",
 "nodeLeaseDurationSeconds": 40,
 "imageMinimumGCAge": "2m0s",
- "imageGCHighThresholdPercent": 100,
+ "imageGCHighThresholdPercent": 85,
 "imageGCLowThresholdPercent": 80,
 "volumeStatsAggPeriod": "1m0s",
- "cgroupRoot": "/kubelet",
 "cgroupsPerQOS": true,
- "cgroupDriver": "cgroupfs",
+ "cgroupDriver": "systemd",
 "cpuManagerPolicy": "none",
 "cpuManagerReconcilePeriod": "10s",
 "memoryManagerPolicy": "None",
 "topologyManagerPolicy": "none",
 "topologyManagerScope": "container",
- "runtimeRequestTimeout": "2m0s",
+ "runtimeRequestTimeout": "15m0s",
 "hairpinMode": "promiscuous-bridge",
- "maxPods": 110,
+ "maxPods": 30,
 "podPidsLimit": -1,
 "resolvConf": "/etc/resolv.conf",
 "cpuCFSQuota": true,
@@ -67,35 +76,59 @@
 "nodeStatusMaxImages": 50,
 "maxOpenFiles": 1000000,
 "contentType": "application/vnd.kubernetes.protobuf",
- "kubeAPIQPS": 5,
- "kubeAPIBurst": 10,
+ "kubeAPIQPS": 50,
+ "kubeAPIBurst": 100,
 "serializeImagePulls": true,
 "evictionHard": {
- "imagefs.available": "0%",
- "nodefs.available": "0%",
- "nodefs.inodesFree": "0%"
+ "memory.available": "750Mi",
+ "nodefs.available": "10%",
+ "nodefs.inodesFree": "5%",
+ "pid.available": "2000"
 },
 "evictionPressureTransitionPeriod": "5m0s",
 "enableControllerAttachDetach": true,
+ "protectKernelDefaults": true,
 "makeIPTablesUtilChains": true,
 "iptablesMasqueradeBit": 14,
 "iptablesDropBit": 15,
- "failSwapOn": false,
- "containerLogMaxSize": "10Mi",
+ "featureGates": {
+ "CSIMigrationAzureFile": true,
+ "DelegateFSGroupToCSIDriver": true
+ },
+ "failSwapOn": true,
+ "memorySwap": {},
+ "containerLogMaxSize": "50M",
 "containerLogMaxFiles": 5,
 "configMapAndSecretChangeDetectionStrategy": "Watch",
+ "kubeReserved": {
+ "cpu": "100m",
+ "memory": "1843Mi",
+ "pid": "1000"
+ },
 "enforceNodeAllocatable": [
 "pods"
 ],
- "volumePluginDir": "/usr/libexec/kubernetes/kubelet-plugins/volume/exec/",
- "providerID": "kind://docker/kind/kind-control-plane",
+ "volumePluginDir": "/etc/kubernetes/volumeplugins",
 "logging": {
- "format": "text"
+ "format": "text",
+ "flushFrequency": 5000000000,
+ "verbosity": 2,
+ "options": {
+ "json": {
+ "infoBufferSize": "0"
+ }
+ }
 },
 "enableSystemLogHandler": true,
+ "enableSystemLogQuery": false,
 "shutdownGracePeriod": "0s",
 "shutdownGracePeriodCriticalPods": "0s",
 "enableProfilingHandler": true,
- "enableDebugFlagsHandler": true
+ "enableDebugFlagsHandler": true,
+ "seccompDefault": false,
+ "memoryThrottlingFactor": 0.9,
+ "registerNode": true,
+ "localStorageCapacityIsolation": true,
+ "containerRuntimeEndpoint": "unix:///run/containerd/containerd.sock"
 }
 }
\ No newline at end of file