From 12b621e298d10c5c5b72ac1649b783a1316fe14a Mon Sep 17 00:00:00 2001
From: Samuel Vijaykumar M
Date: Mon, 2 Jan 2023 22:46:56 +0530
Subject: [PATCH 01/15] Custom changes
---
 eks-worker-al2-variables.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/eks-worker-al2-variables.json b/eks-worker-al2-variables.json
index 59d69ba28..f910f29ea 100644
--- a/eks-worker-al2-variables.json
+++ b/eks-worker-al2-variables.json
@@ -5,11 +5,11 @@
 "ami_users": "",
 "associate_public_ip_address": "",
 "aws_access_key_id": "{{env `AWS_ACCESS_KEY_ID`}}",
- "aws_region": "us-west-2",
+ "aws_region": "us-east-1",
 "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
 "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
 "binary_bucket_name": "amazon-eks",
- "binary_bucket_region": "us-west-2",
+ "binary_bucket_region": "us-east-1",
 "cache_container_images": "false",
 "cni_plugin_version": "v0.8.6",
 "containerd_version": "1.6.6-1.amzn2.0.2",
@@ -32,5 +32,5 @@
 "ssh_username": "ec2-user",
 "subnet_id": "",
 "temporary_security_group_source_cidrs": "",
- "volume_type": "gp2"
+ "volume_type": "gp3"
 }
From 0720c733bcdaec153fded9f870d37cf395cee467 Mon Sep 17 00:00:00 2001
From: Samuel Vijaykumar M
Date: Mon, 2 Jan 2023 23:09:39 +0530
Subject: [PATCH 02/15] Make some variable changes
---
 eks-worker-al2-variables.json | 8 ++++----
 eks-worker-al2.json | 2 ++
 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/eks-worker-al2-variables.json b/eks-worker-al2-variables.json
index f910f29ea..aa1e396a6 100644
--- a/eks-worker-al2-variables.json
+++ b/eks-worker-al2-variables.json
@@ -16,7 +16,7 @@
 "creator": "{{env `USER`}}",
 "docker_version": "20.10.17-1.amzn2.0.1",
 "encrypted": "false",
- "kernel_version": "",
+ "kernel_version": "5.10",
 "kms_key_id": "",
 "launch_block_device_mappings_volume_size": "8",
 "pause_container_version": "3.5",
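Review bot: `binary_bucket_region` is switched to us-east-1 together with `aws_region`, but the two are independent settings — one is the region the build runs in, the other is the region of the `amazon-eks` artifact bucket — and PATCH 03 already moves `binary_bucket_region` back to us-west-2, which suggests the bucket was not reachable in us-east-1. Leaving `binary_bucket_region` on its upstream value in this commit would avoid the broken intermediate state between PATCH 01 and PATCH 03. Since JSON cannot carry a comment, recording the distinction next to the variable in the README or the Makefile (`# binary_bucket_region: region of the amazon-eks artifact bucket, not the build region`) would help the next editor.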
@@ -30,7 +30,7 @@
 "source_ami_owners": "137112412989",
 "ssh_interface": "",
 "ssh_username": "ec2-user",
- "subnet_id": "",
- "temporary_security_group_source_cidrs": "",
- "volume_type": "gp3"
+ "subnet_id": "subnet-061fd55369909b950",
+ "volume_type": "gp3",
+ "temporary_security_group_source_cidrs": "10.102.8.0/21"
 }
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index 020758d36..de0d2a2ea 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
@@ -85,6 +85,8 @@
 "ami_regions": "{{user `ami_regions`}}",
 "ssh_username": "{{user `ssh_username`}}",
 "ssh_interface": "{{user `ssh_interface`}}",
+ "ssh_keypair_name": "supreme-prod-eks-eks-node-key",
+ "ssh_private_key_file": "~/.ssh/id_rsa",
 "temporary_security_group_source_cidrs": "{{user `temporary_security_group_source_cidrs`}}",
 "security_group_id": "{{user `security_group_id`}}",
 "associate_public_ip_address": "{{user `associate_public_ip_address`}}",
From 089a9f1377f42ccef87a3e7d68c170843739f990 Mon Sep 17 00:00:00 2001
From: Samuel Vijaykumar M
Date: Mon, 2 Jan 2023 23:28:55 +0530
Subject: [PATCH 03/15] Adding psi kernel cmdline
---
 Makefile | 4 ++--
 eks-worker-al2-variables.json | 2 +-
 eks-worker-al2.json | 7 +++++++
 scripts/add_psi.sh | 9 +++++++++
 4 files changed, 19 insertions(+), 3 deletions(-)
 create mode 100644 scripts/add_psi.sh
diff --git a/Makefile b/Makefile
index 71c410343..c18ceb2ab 100644
--- a/Makefile
+++ b/Makefile
@@ -9,10 +9,10 @@ MAKEFILE_DIR := $(shell dirname $(realpath $(firstword $(MAKEFILE_LIST))))
 arch ?= x86_64
 ifeq ($(arch), arm64)
 instance_type ?= m6g.large
-ami_name ?= amazon-eks-arm64-node-$(K8S_VERSION_MINOR)-v$(shell date +'%Y%m%d')
+ami_name ?= fw-eks-arm64-node-$(K8S_VERSION_MINOR)-v$(shell date +'%Y%m%d')
 else
 instance_type ?= m4.large
-ami_name ?= amazon-eks-node-$(K8S_VERSION_MINOR)-v$(shell date +'%Y%m%d')
+ami_name ?= fw-eks-node-$(K8S_VERSION_MINOR)-v$(shell date +'%Y%m%d')
 endif
 ifeq ($(aws_region), cn-northwest-1)
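Review bot: `subnet_id` and `temporary_security_group_source_cidrs` are now hard-coded to one subnet and the `10.102.8.0/21` range in the committed defaults file, while the credentials a few lines up stay parameterised through `{{env ...}}`. Environment identifiers in a defaults file are copied into every build and make the template unusable outside that one VPC; keeping them empty here and passing them per build (`-var subnet_id=...`, or `{{env `EKS_BUILD_SUBNET_ID`}}` in the same style as the key lines) avoids that. Moving `volume_type` above `temporary_security_group_source_cidrs` is cosmetic and breaks the alphabetical key order the rest of the file keeps.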
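Review bot: `ssh_keypair_name` and `ssh_private_key_file` bind every build to a long-lived EC2 key pair named after the production node group and to the operator's personal `~/.ssh/id_rsa`, whereas the amazon-ebs builder otherwise generates a one-off key pair per build and discards it. A persistent key shared between the build pipeline and production nodes widens the blast radius of that one private key, and a hard-coded `~` path will not resolve on a CI runner. PATCH 09 later switches to `temporary_key_pair_type`, which is the better end state; if a named key is genuinely required, take it from a variable (`"ssh_keypair_name": "{{user `ssh_keypair_name`}}"`) rather than fixing it in the template.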
diff --git a/eks-worker-al2-variables.json b/eks-worker-al2-variables.json
index aa1e396a6..372fe66cf 100644
--- a/eks-worker-al2-variables.json
+++ b/eks-worker-al2-variables.json
@@ -9,7 +9,7 @@
 "aws_secret_access_key": "{{env `AWS_SECRET_ACCESS_KEY`}}",
 "aws_session_token": "{{env `AWS_SESSION_TOKEN`}}",
 "binary_bucket_name": "amazon-eks",
- "binary_bucket_region": "us-east-1",
+ "binary_bucket_region": "us-west-2",
 "cache_container_images": "false",
 "cni_plugin_version": "v0.8.6",
 "containerd_version": "1.6.6-1.amzn2.0.2",
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index de0d2a2ea..123a6f946 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
@@ -131,6 +131,13 @@
 "KERNEL_VERSION={{user `kernel_version`}}"
 ]
 },
+ {
+ "type": "shell",
+ "pause_before": "90s",
+ "remote_folder": "{{ user `remote_folder`}}",
+ "expect_disconnect": true,
+ "script": "{{template_dir}}/scripts/add_psi.sh",
+ },
 {
 "type": "shell",
 "pause_before": "90s",
diff --git a/scripts/add_psi.sh b/scripts/add_psi.sh
new file mode 100644
index 000000000..a5c95d192
--- /dev/null
+++ b/scripts/add_psi.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -o nounset
+set -o errexit
+
+sudo grubby --args="psi=1" --update-kernel /boot/vmlinuz-$(uname -r)
+
+sudo reboot
\ No newline at end of file
From f283f59d3159d2147c3aec3dd273a9b5b32e1270 Mon Sep 17 00:00:00 2001
From: Samuel Vijaykumar M
Date: Mon, 2 Jan 2023 23:29:52 +0530
Subject: [PATCH 04/15] Missed to remove a trailing comma
---
 eks-worker-al2.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index 123a6f946..d7a00b9c4 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
@@ -136,7 +136,7 @@
 "pause_before": "90s",
 "remote_folder": "{{ user `remote_folder`}}",
 "expect_disconnect": true,
- "script": "{{template_dir}}/scripts/add_psi.sh",
+ "script": "{{template_dir}}/scripts/add_psi.sh"
 },
 {
 "type": "shell",
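Review bot: The added provisioner ends with `"script": "{{template_dir}}/scripts/add_psi.sh",` directly before `},`, so the template is not valid JSON at this commit; PATCH 04 removes the comma, and PATCH 05 reintroduces the same mistake on the `install_falco.sh` provisioner, which PATCH 07 then fixes. Running `packer validate eks-worker-al2.json` (or simply `jq . eks-worker-al2.json`) before each commit — as a pre-commit hook or a `validate` target in the Makefile — would have caught both. The block's `expect_disconnect: true` is correct only because `add_psi.sh` always ends in `sudo reboot`; that coupling is worth a line in the script's header so nobody removes the reboot without also editing the template.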
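Review bot: `grubby --update-kernel /boot/vmlinuz-$(uname -r)` appends `psi=1` only to the boot entry of the kernel running at build time, so any kernel installed later in the build or by a `yum update` on the node boots without it, even though validate.sh (PATCH 05) fails the build when the flag is missing. `--update-kernel=ALL` covers every installed entry, and adding the flag to `GRUB_CMDLINE_LINUX` in `/etc/default/grub` as well makes it survive future kernel upgrades. A header comment should say why PSI is needed, e.g. `# Enable Pressure Stall Information (psi=1) so /proc/pressure/* is available: <reason the nodes need it>`. The missing trailing newline after `sudo reboot` is harmless but inconsistent with the other scripts.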
From 2222a740404c7657494309f548fd9d18f0cbdfff Mon Sep 17 00:00:00 2001
From: Samuel Vijaykumar M
Date: Tue, 3 Jan 2023 00:14:01 +0530
Subject: [PATCH 05/15] Add validation and install falco
---
 eks-worker-al2.json | 5 +++++
 scripts/install_falco.sh | 10 ++++++++++
 scripts/validate.sh | 13 +++++++++++++
 3 files changed, 28 insertions(+)
 create mode 100644 scripts/install_falco.sh
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index d7a00b9c4..881d7efca 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
@@ -142,6 +142,11 @@
 "type": "shell",
 "pause_before": "90s",
 "remote_folder": "{{ user `remote_folder`}}",
+ "script": "{{template_dir}}/scripts/install_falco.sh",
+ },
+ {
+ "type": "shell",
+ "remote_folder": "{{ user `remote_folder`}}",
 "inline": [
 "mkdir -p /tmp/worker/log-collector-script/"
 ]
diff --git a/scripts/install_falco.sh b/scripts/install_falco.sh
new file mode 100644
index 000000000..c62e32eba
--- /dev/null
+++ b/scripts/install_falco.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+
+set -o pipefail
+set -o nounset
+set -o errexit
+
+sudo rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
+sudo curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
+sudo yum install -y kernel-devel-$(uname -r)
+sudo yum install -y falco
\ No newline at end of file
diff --git a/scripts/validate.sh b/scripts/validate.sh
index 01297dfdd..afbab5c64 100644
--- a/scripts/validate.sh
+++ b/scripts/validate.sh
@@ -44,3 +44,16 @@ else
 echo "Kernel does not match expected version."
 exit 1
 fi
+
+cmdline=$(cat /proc/cmdline)
+echo "Verifying if psi kernel cmdline arg is set"
+
+if [[ $cmdline =~ "psi=1" ]]; then
+ echo "psi is set"
+else
+ echo "psi is not set"
+ exit 1
+fi
+
+echo "Verifying is falco driver is loaded"
+sudo lsmod | grep -i falco
\ No newline at end of file
From b8d62bbcb1fc9c1daf0e868c1da96401e6fa5ae0 Mon Sep 17 00:00:00 2001
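Review bot: `sudo curl -s -o /etc/yum.repos.d/falcosecurity.repo ...` runs without `-f`, so an HTTP error page is written as the repo file with exit status 0 and `set -o errexit` never fires; use `sudo curl -fsSL --proto '=https' -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo`. The `rpm --import` trusts whatever key the site serves at that moment — pinning the expected fingerprint, or vendoring the `.asc` under `files/` and importing from there, turns this into a verifiable supply-chain step. `yum install -y falco` is unpinned while the rest of the template pins `containerd_version`, `docker_version` and the kernel, so two builds from the same commit can produce different falco releases. Installing `kernel-devel-$(uname -r)` also leaves kernel headers (and whatever toolchain the module build pulls in) on the production image; either remove them once the module is built or use the prebuilt driver so the image stays minimal.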
From: Samuel Vijaykumar M
Date: Mon, 6 Feb 2023 09:51:52 +0530
Subject: [PATCH 06/15] disable falco service
---
 scripts/install_falco.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/scripts/install_falco.sh b/scripts/install_falco.sh
index c62e32eba..892813c7c 100644
--- a/scripts/install_falco.sh
+++ b/scripts/install_falco.sh
@@ -7,4 +7,5 @@ set -o errexit
 sudo rpm --import https://falco.org/repo/falcosecurity-3672BA8F.asc
 sudo curl -s -o /etc/yum.repos.d/falcosecurity.repo https://falco.org/repo/falcosecurity-rpm.repo
 sudo yum install -y kernel-devel-$(uname -r)
-sudo yum install -y falco
\ No newline at end of file
+sudo yum install -y falco
+sudo systemctl disable falco
From 0766bf6d30d08347f41fd780db1cf7bf312112fd Mon Sep 17 00:00:00 2001
From: Samuel Vijaykumar M
Date: Mon, 6 Feb 2023 12:37:59 +0530
Subject: [PATCH 07/15] Missing a comma
---
 eks-worker-al2.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index 881d7efca..e08852541 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
@@ -142,7 +142,7 @@
 "type": "shell",
 "pause_before": "90s",
 "remote_folder": "{{ user `remote_folder`}}",
- "script": "{{template_dir}}/scripts/install_falco.sh",
+ "script": "{{template_dir}}/scripts/install_falco.sh"
 },
 {
 "type": "shell",
From a2e7bcd762e36e0425ac60f58a32f521f908e735 Mon Sep 17 00:00:00 2001
From: Samuel Vijaykumar M
Date: Wed, 8 Mar 2023 17:43:13 +0530
Subject: [PATCH 08/15] Remove the installation of falco
---
 eks-worker-al2.json | 5 -----
 scripts/validate.sh | 4 ++--
 2 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index cbc560c63..a3e6e5324 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
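Review bot: `sudo systemctl disable falco` installs a runtime-detection agent and then makes sure it never starts on the nodes, and neither the script nor the commit message says why or what is expected to enable it later. As committed, every node from this AMI carries falco plus the kernel-module build dependencies from the lines above but produces no alerts, which is extra surface and disk with no detection benefit. Please add a comment stating the intent, e.g. `# falco is installed but left disabled; it is enabled per cluster by <mechanism> once its rules are configured.`, or drop the install entirely as PATCH 08 eventually does.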
@@ -143,11 +143,6 @@
 "type": "shell",
 "pause_before": "90s",
 "remote_folder": "{{ user `remote_folder`}}",
- "script": "{{template_dir}}/scripts/install_falco.sh"
- },
- {
- "type": "shell",
- "remote_folder": "{{ user `remote_folder`}}",
 "inline": [
 "mkdir -p /tmp/worker/log-collector-script/"
 ]
diff --git a/scripts/validate.sh b/scripts/validate.sh
index 247696bf9..948700f81 100644
--- a/scripts/validate.sh
+++ b/scripts/validate.sh
@@ -55,8 +55,8 @@ else
 exit 1
 fi
-echo "Verifying is falco driver is loaded"
-sudo lsmod | grep -i falco
+# echo "Verifying is falco driver is loaded"
+# sudo lsmod | grep -i falco
 echo "Verifying that the package versionlocks are correct..."
 function versionlock-entries() {
From 0f14c12ac6ee9ea8a8936b73163599b6432e9217 Mon Sep 17 00:00:00 2001
From: M Samuel Vijaykumar
Date: Mon, 8 May 2023 15:29:54 +0530
Subject: [PATCH 09/15] Changes to use temporary keypairs
---
 eks-worker-al2.json | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index a3e6e5324..6d205c8e4 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
@@ -86,8 +86,7 @@
 "ami_regions": "{{user `ami_regions`}}",
 "ssh_username": "{{user `ssh_username`}}",
 "ssh_interface": "{{user `ssh_interface`}}",
- "ssh_keypair_name": "supreme-prod-eks-eks-node-key",
- "ssh_private_key_file": "~/.ssh/id_rsa",
+ "temporary_key_pair_type": "rsa",
 "temporary_security_group_source_cidrs": "{{user `temporary_security_group_source_cidrs`}}",
 "security_group_id": "{{user `security_group_id`}}",
 "associate_public_ip_address": "{{user `associate_public_ip_address`}}",
From 3f559a91170b68cf8d477b2dbdf715127b93c1c0 Mon Sep 17 00:00:00 2001
From: M Samuel Vijaykumar
Date: Mon, 8 May 2023 15:59:49 +0530
Subject: [PATCH 10/15] Undo temp keys
---
 eks-worker-al2.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index a3e6e5324..433af603a 100644
--- a/eks-worker-al2.json
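Review bot: The falco check is commented out (`# echo "Verifying is falco driver is loaded"`, `# sudo lsmod | grep -i falco`) rather than deleted, although the same commit removes the install provisioner, so these dead lines will drift from what is actually built; git history keeps them, and deleting both lines is cleaner. Note also that the pre-image ids in this commit (`cbc560c63` for eks-worker-al2.json, `247696bf9` for validate.sh) do not match the post-images of PATCH 07 (`e08852541`) and PATCH 05 (`afbab5c64`), which suggests intermediate commits are missing from the series and `git am` will not apply it in order.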
+++ b/eks-worker-al2.json
@@ -86,7 +86,7 @@
 "ami_regions": "{{user `ami_regions`}}",
 "ssh_username": "{{user `ssh_username`}}",
 "ssh_interface": "{{user `ssh_interface`}}",
- "ssh_keypair_name": "supreme-prod-eks-eks-node-key",
+ "ssh_keypair_name": "packer-key",
 "ssh_private_key_file": "~/.ssh/id_rsa",
 "temporary_security_group_source_cidrs": "{{user `temporary_security_group_source_cidrs`}}",
 "security_group_id": "{{user `security_group_id`}}",
From 59f583756b7ffd0364f13f401823ce3606c0a57a Mon Sep 17 00:00:00 2001
From: M Samuel Vijaykumar
Date: Mon, 22 May 2023 16:36:25 +0530
Subject: [PATCH 11/15] Add the shell for the disabling auto upgrade
---
 eks-worker-al2.json | 5 +++++
 scripts/disable_auto_upgrade.sh | 6 ++++++
 2 files changed, 11 insertions(+)
 create mode 100644 scripts/disable_auto_upgrade.sh
diff --git a/eks-worker-al2.json b/eks-worker-al2.json
index 433af603a..7c6926635 100644
--- a/eks-worker-al2.json
+++ b/eks-worker-al2.json
@@ -218,6 +218,11 @@
 "KERNEL_VERSION={{user `kernel_version`}}"
 ]
 },
+ {
+ "type": "shell",
+ "remote_folder": "{{ user `remote_folder`}}",
+ "script": "{{template_dir}}/scripts/disable_auto_upgrade.sh"
+ },
 {
 "type": "shell",
 "remote_folder": "{{ user `remote_folder`}}",
diff --git a/scripts/disable_auto_upgrade.sh b/scripts/disable_auto_upgrade.sh
new file mode 100644
index 000000000..305366234
--- /dev/null
+++ b/scripts/disable_auto_upgrade.sh
@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# This script is used to disable auto-upgrade on the Amazon Linux 2 AMI.
+# It is run as part of the AMI build process.
+
+sed -i 's/^repo_upgrade: .*/repo_upgrade: none/' /etc/cloud/cloud.cfg
\ No newline at end of file
From 29c9ae60d0236f676f42086fb1671a636621b0ae Mon Sep 17 00:00:00 2001
From: M Samuel Vijaykumar
Date: Mon, 22 May 2023 16:55:35 +0530
Subject: [PATCH 12/15] Adding sed
---
 scripts/disable_auto_upgrade.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
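Review bot: `ssh_keypair_name: "packer-key"` together with the retained `ssh_private_key_file: "~/.ssh/id_rsa"` goes back to a long-lived key that every build host and operator must hold, after PATCH 09 had moved to a Packer-generated per-build key; the message says only "Undo temp keys", not what failed, and that is the information needed before accepting a persistent key. This commit's pre-image `a3e6e5324` is also the same as PATCH 09's, so the two are alternative edits of the same file rather than a sequence and the series cannot be applied in order as-is. If the temporary key cannot be made to work, at least take the name from a variable (`"ssh_keypair_name": "{{user `ssh_keypair_name`}}"`) so it is not fixed in the template, and record the reason in the README.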
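Review bot: `sed -i 's/^repo_upgrade: .*/repo_upgrade: none/' /etc/cloud/cloud.cfg` silently does nothing when the `repo_upgrade:` line is absent or indented, and the script lacks the `set -o errexit`/`nounset`/`pipefail` prologue that `add_psi.sh` and `install_falco.sh` use (it also runs without `sudo`, which PATCH 12 adds). A check would make the outcome visible, e.g. `grep -q '^repo_upgrade: none$' /etc/cloud/cloud.cfg` at the end of this script or in validate.sh. The header comment should also state the trade-off so the change is not read as accidental: first-boot security updates are being turned off, which is only acceptable if the AMI is rebuilt on a schedule, e.g. `# Security updates are applied by rebuilding the AMI (<cadence>), not at instance boot.`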
diff --git a/scripts/disable_auto_upgrade.sh b/scripts/disable_auto_upgrade.sh
index 305366234..6f34215ad 100644
--- a/scripts/disable_auto_upgrade.sh
+++ b/scripts/disable_auto_upgrade.sh
@@ -3,4 +3,4 @@
 # This script is used to disable auto-upgrade on the Amazon Linux 2 AMI.
 # It is run as part of the AMI build process.
-sed -i 's/^repo_upgrade: .*/repo_upgrade: none/' /etc/cloud/cloud.cfg
\ No newline at end of file
+sudo sed -i 's/^repo_upgrade: .*/repo_upgrade: none/' /etc/cloud/cloud.cfg
\ No newline at end of file
From e6a51e4ec23b1e1bc86c070db3b65fd31698ad8e Mon Sep 17 00:00:00 2001
From: M Samuel Vijaykumar
Date: Thu, 24 Aug 2023 11:55:03 +0530
Subject: [PATCH 13/15] Changes for sysctl and kubelet config
---
 files/kubelet-config.json | 29 ++++++++++++++++++++++++++++-
 scripts/install-worker.sh | 3 +++
 2 files changed, 31 insertions(+), 1 deletion(-)
diff --git a/files/kubelet-config.json b/files/kubelet-config.json
index 666350e2b..14c047b04 100644
--- a/files/kubelet-config.json
+++ b/files/kubelet-config.json
@@ -33,5 +33,32 @@
 "protectKernelDefaults": true,
 "serializeImagePulls": false,
 "serverTLSBootstrap": true,
- "tlsCipherSuites": ["TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_GCM_SHA256"]
+ "tlsCipherSuites": [
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_256_GCM_SHA384",
+ "TLS_RSA_WITH_AES_128_GCM_SHA256"
+ ],
+ "kubeAPIBurst": 50,
+ "kubeAPIQPS": 50,
+ "eventRecordQPS": 50,
+ "eventBurst": 50,
+ "registryPullQPS": 100,
+ "registryBurst": 100,
+ "runtimeRequestTimeout": "15s",
+ "allowedUnsafeSysctls": [
+ "net.core.somaxconn",
+ "net.ipv4.tcp_keepalive_*",
+ "net.core.rmem_max",
+ "net.core.wmem_max",
+ "net.core.rmem_default",
+ "net.core.wmem_default",
+ "net.core.optmem_max",
+ "net.ipv4.tcp_rmem",
+ "net.ipv4.tcp_wmem"
+ ]
 }
diff --git a/scripts/install-worker.sh b/scripts/install-worker.sh
index 398858df9..8ed4711d0 100644
--- a/scripts/install-worker.sh
+++ b/scripts/install-worker.sh
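Review bot: `allowedUnsafeSysctls` makes these kernel settings requestable by any pod through `securityContext.sysctls` on every node built from this AMI; the kubelet setting only makes the request legal, it does not decide who may make it, so it needs a matching admission rule (Pod Security Admission's baseline level rejects unsafe sysctls, or an explicit OPA/Kyverno policy) and a README note naming the namespaces expected to use them. The wildcard `net.ipv4.tcp_keepalive_*` and the `net.core.*` entries should each be justified, and some of the `net.core.*` keys may be host-wide rather than per-network-namespace, in which case setting them from a pod fails at container start — worth testing on the 5.10 kernel pinned in the variables file. Separately, the reformatted `tlsCipherSuites` list still ends with `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, which have no forward secrecy; if no client depends on them, this reformat is a convenient moment to drop them. Minor: the new keys are appended rather than kept in the alphabetical order of the surrounding keys.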
@@ -506,6 +506,9 @@ EOF
 echo fs.inotify.max_user_watches=524288 | sudo tee -a /etc/sysctl.conf
 echo fs.inotify.max_user_instances=8192 | sudo tee -a /etc/sysctl.conf
 echo vm.max_map_count=524288 | sudo tee -a /etc/sysctl.conf
+echo net.netfilter.nf_conntrack_tcp_timeout_time_wait=65 | sudo tee -a /etc/sysctl.conf
+echo net.core.somaxconn=65535 | sudo tee -a /etc/sysctl.conf
+echo "@reboot /bin/bash -l -c '/sbin/modprobe nf_conntrack; /usr/sbin/sysctl -p'" | sudo crontab -
 ################################################################################
 ### adding log-collector-script ################################################
From 42e47fd619242fe7b4b017ba21f78fa59a65ef5a Mon Sep 17 00:00:00 2001
From: M Samuel Vijaykumar
Date: Fri, 25 Aug 2023 15:11:31 +0530
Subject: [PATCH 14/15] adding garbage collect changes
---
 files/kubelet-config.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/files/kubelet-config.json b/files/kubelet-config.json
index 663ede73d..46b99de51 100644
--- a/files/kubelet-config.json
+++ b/files/kubelet-config.json
@@ -59,5 +59,7 @@
 "net.core.optmem_max",
 "net.ipv4.tcp_rmem",
 "net.ipv4.tcp_wmem"
- ]
+ ],
+ "imageGCHighThresholdPercent": 70,
+ "imageGCLowThresholdPercent": 50
 }
From 1743f1f668a575fc7807659c7b82bad11abc18af Mon Sep 17 00:00:00 2001
From: M Samuel Vijaykumar
Date: Wed, 15 Nov 2023 09:39:15 +0530
Subject: [PATCH 15/15] Adding the shutdownGracePeriods by default
---
 files/kubelet-config.json | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/files/kubelet-config.json b/files/kubelet-config.json
index 46b99de51..abe3ed674 100644
--- a/files/kubelet-config.json
+++ b/files/kubelet-config.json
@@ -61,5 +61,7 @@
 "net.ipv4.tcp_wmem"
 ],
 "imageGCHighThresholdPercent": 70,
- "imageGCLowThresholdPercent": 50
+ "imageGCLowThresholdPercent": 50,
+ "shutdownGracePeriodCriticalPods": "360s",
+ "shutdownGracePeriod": "420s"
 }
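Review bot: `echo "@reboot ..." | sudo crontab -` replaces root's entire crontab with this single line, so any entry added by an earlier provisioner or by a package is lost, and a login-shell cron job is an unusual place to load a kernel module. The job appears to exist because the `net.netfilter.*` key does not exist until `nf_conntrack` is loaded, so a plain `sysctl -p` at boot would fail on it; the systemd-native fix is `echo nf_conntrack | sudo tee /etc/modules-load.d/nf_conntrack.conf` (systemd-modules-load runs before systemd-sysctl), and writing the two new values to a file under `/etc/sysctl.d/` instead of appending to `/etc/sysctl.conf` keeps them separable. If cron must stay, at least preserve existing entries: `(sudo crontab -l 2>/dev/null; echo "@reboot ...") | sudo crontab -`. The enclosing section of install-worker.sh starts before the hunk.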
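Review bot: `shutdownGracePeriodCriticalPods: "360s"` is the tail of `shutdownGracePeriod` reserved for critical pods, so with `420s` in total the kubelet gives ordinary pods only 60 seconds to terminate before it turns to critical pods for the remaining 360 — the reverse of the usual split, so please confirm 60s is the intended budget for application pods. Graceful node shutdown also depends on systemd-logind honouring the inhibitor delay; confirm that `InhibitDelayMaxSec` on the built AMI is at least 420s, otherwise the instance powers off before the kubelet finishes. A short README note on the chosen values (e.g. `420s total: 60s for workloads, then 360s for critical pods`) would make the trade-off visible to whoever tunes it next.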