Merge pull request kubernetes#10487 from satnam6502/sys-namespace

Move cluster level services to the kube-system namespace

cluster/addons/cluster-monitoring/google/heapster-controller.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: monitoring-heapster-v5
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: heapster
     version: v5

cluster/addons/cluster-monitoring/google/heapster-service.yaml

@@ -2,6 +2,7 @@ kind: Service
 apiVersion: v1
 metadata: 
   name: monitoring-heapster
+  namespace: kube-system
   labels: 
     kubernetes.io/cluster-service: "true"
     kubernetes.io/name: "Heapster"

cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: monitoring-heapster-v5
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: heapster
     version: v5

cluster/addons/cluster-monitoring/influxdb/grafana-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: monitoring-grafana
-  namespace: default 
+  namespace: kube-system
   labels: 
     kubernetes.io/cluster-service: "true"
     kubernetes.io/name: "Grafana"

cluster/addons/cluster-monitoring/influxdb/heapster-controller.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: monitoring-heapster-v5
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: heapster
     version: v5

cluster/addons/cluster-monitoring/influxdb/heapster-service.yaml

@@ -1,8 +1,9 @@
 kind: Service
 apiVersion: v1
-metadata: 
+metadata:
   name: monitoring-heapster
-  labels: 
+  namespace: kube-system
+  labels:
     kubernetes.io/cluster-service: "true"
     kubernetes.io/name: "Heapster"
 spec: 

cluster/addons/cluster-monitoring/influxdb/influxdb-grafana-controller.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: monitoring-influx-grafana-v1
-  namespace: default 
+  namespace: kube-system
   labels: 
     k8s-app: influxGrafana
     version: v1
@@ -42,7 +42,7 @@ spec:
               memory: 100Mi
           env: 
             - name: INFLUXDB_EXTERNAL_URL
-              value: /api/v1/proxy/namespaces/default/services/monitoring-influxdb:api/db/
+              value: /api/v1/proxy/namespaces/kube-system/services/monitoring-influxdb:api/db/
             - name: INFLUXDB_HOST
               value: monitoring-influxdb
             - name: INFLUXDB_PORT

cluster/addons/cluster-monitoring/influxdb/influxdb-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: monitoring-influxdb
-  namespace: default 
+  namespace: kube-system
   labels: 
     kubernetes.io/cluster-service: "true"
     kubernetes.io/name: "InfluxDB"

cluster/addons/cluster-monitoring/standalone/heapster-controller.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: monitoring-heapster-v5
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: heapster
     version: v5

cluster/addons/cluster-monitoring/standalone/heapster-service.yaml

@@ -2,6 +2,7 @@ kind: Service
 apiVersion: v1
 metadata: 
   name: monitoring-heapster
+  namespace: kube-system
   labels: 
     kubernetes.io/cluster-service: "true"
     kubernetes.io/name: "Heapster"

cluster/addons/dns/skydns-rc.yaml.in

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: kube-dns-v5
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: kube-dns
     version: v5

cluster/addons/dns/skydns-svc.yaml.in

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: kube-dns
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: kube-dns
     kubernetes.io/cluster-service: "true"

cluster/addons/fluentd-elasticsearch/es-controller.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: elasticsearch-logging-v1
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: elasticsearch-logging
     version: v1
@@ -20,7 +20,7 @@ spec:
         kubernetes.io/cluster-service: "true"
     spec:
       containers:
-      - image: gcr.io/google_containers/elasticsearch:1.4
+      - image: gcr.io/google_containers/elasticsearch:1.5
         name: elasticsearch-logging         
         resources:
           limits:

cluster/addons/fluentd-elasticsearch/es-image/Makefile

@@ -1,7 +1,8 @@
 .PHONY:	elasticsearch_logging_discovery build push
 
-# Keep this one version ahead to help prevent accidental pushes.
-TAG = 1.4
+# The current value of the tag to be used for building and
+# pushing an image to gcr.io
+TAG = 1.5
 
 build:	elasticsearch_logging_discovery
 	docker build -t gcr.io/google_containers/elasticsearch:$(TAG) .

cluster/addons/fluentd-elasticsearch/es-image/elasticsearch_logging_discovery.go

@@ -50,7 +50,7 @@ func main() {
 	// Look for endpoints associated with the Elasticsearch loggging service.
 	// First wait for the service to become available.
 	for t := time.Now(); time.Since(t) < 5*time.Minute; time.Sleep(10 * time.Second) {
-		elasticsearch, err = c.Services(api.NamespaceDefault).Get("elasticsearch-logging")
+		elasticsearch, err = c.Services(api.NamespaceSystem).Get("elasticsearch-logging")
 		if err == nil {
 			break
 		}
@@ -67,7 +67,7 @@ func main() {
 	// Wait for some endpoints.
 	count := 0
 	for t := time.Now(); time.Since(t) < 5*time.Minute; time.Sleep(10 * time.Second) {
-		endpoints, err = c.Endpoints(api.NamespaceDefault).Get("elasticsearch-logging")
+		endpoints, err = c.Endpoints(api.NamespaceSystem).Get("elasticsearch-logging")
 		if err != nil {
 			continue
 		}

cluster/addons/fluentd-elasticsearch/es-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: elasticsearch-logging
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: elasticsearch-logging
     kubernetes.io/cluster-service: "true"

cluster/addons/fluentd-elasticsearch/fluentd-es-image/td-agent.conf

@@ -19,7 +19,7 @@
 # The time_format specification below makes sure we properly
 # parse the time format produced by Docker. This will be
 # submitted to Elasticsearch and should appear like:
-# $ curl 'http://elasticsearch-logging.default:9200/_search?pretty'
+# $ curl 'http://elasticsearch-logging:9200/_search?pretty'
 # ...
 # {
 #      "_index" : "logstash-2014.09.25",
@@ -94,6 +94,21 @@
   tag docker
 </source>
 
+<match kubernetes.**>
+   type elasticsearch
+   log_level info
+   include_tag_key true
+   host elasticsearch-logging
+   port 9200
+   logstash_format true
+   flush_interval 5s
+   # Never wait longer than 5 minutes between retries.
+   max_retry_wait 300
+   # Disable the limit on the number of retries (retry forever).
+   disable_retry_limit
+</match>
+>>>>>>> Move things into a 'kube-system' namespace.
+
 <source>
   type tail
   format none

cluster/addons/fluentd-elasticsearch/kibana-controller.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: kibana-logging-v1
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: kibana-logging
     version: v1

cluster/addons/fluentd-elasticsearch/kibana-service.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: kibana-logging
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: kibana-logging
     kubernetes.io/cluster-service: "true"

cluster/addons/kube-ui/kube-ui-rc.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: ReplicationController
 metadata:
   name: kube-ui-v1
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: kube-ui
     version: v1

cluster/addons/kube-ui/kube-ui-svc.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: kube-ui
-  namespace: default
+  namespace: kube-system
   labels:
     k8s-app: kube-ui
     kubernetes.io/cluster-service: "true"

cluster/saltbase/salt/fluentd-es/fluentd-es.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: fluentd-elasticsearch
+  namespace: kube-system
 spec:
   containers:
   - name: fluentd-elasticsearch

cluster/saltbase/salt/fluentd-gcp/fluentd-gcp.yaml

@@ -2,6 +2,7 @@ apiVersion: v1
 kind: Pod
 metadata:
   name: fluentd-cloud-logging
+  namespace: kube-system
 spec:
   containers:
   - name: fluentd-cloud-logging

cluster/saltbase/salt/kube-addons/init.sls

@@ -11,6 +11,13 @@ addon-dir-create:
     - require:
         - file: addon-dir-delete
 
+/etc/kubernetes/addons/namespace.yaml:
+  file.managed:
+    - source: salt://kube-addons/namespace.yaml
+    - user: root
+    - group: root
+    - file_mode: 644
+
 {% if pillar.get('enable_cluster_monitoring', '').lower() == 'influxdb' %}
 /etc/kubernetes/addons/cluster-monitoring/influxdb:
   file.recurse:

cluster/saltbase/salt/kube-addons/kube-addons.sh

@@ -21,6 +21,8 @@ KUBECTL=${KUBECTL_BIN:-/usr/local/bin/kubectl}
 
 ADDON_CHECK_INTERVAL_SEC=${TEST_ADDON_CHECK_INTERVAL_SEC:-600}
 
+SYSTEM_NAMESPACE=kube-system
+
 function create-kubeconfig-secret() {
   local -r token=$1
   local -r username=$2
@@ -47,6 +49,7 @@ contexts:
 - context:
     cluster: local
     user: ${username}
+    namespace: ${SYSTEM_NAMESPACE} 
   name: service-account-context
 current-context: service-account-context
 EOF
@@ -67,6 +70,7 @@ contexts:
 - context:
     cluster: local
     user: ${username}
+    namespace: ${SYSTEM_NAMESPACE}
   name: service-account-context
 current-context: service-account-context
 EOF
@@ -82,36 +86,39 @@ metadata:
   name: token-${safe_username}
 type: Opaque
 EOF
-  create-resource-from-string "${secretyaml}" 100 10 "Secret-for-token-for-user-${username}" &
-# TODO: label the secrets with special label so kubectl does not show these?
+  create-resource-from-string "${secretyaml}" 100 10 "Secret-for-token-for-user-${username}" "${SYSTEM_NAMESPACE}" &
 }
 
 # $1 filename of addon to start.
 # $2 count of tries to start the addon.
 # $3 delay in seconds between two consecutive tries
+# $4 namespace
 function start_addon() {
   local -r addon_filename=$1;
   local -r tries=$2;
   local -r delay=$3;
+  local -r namespace=$4
 
-  create-resource-from-string "$(cat ${addon_filename})" "${tries}" "${delay}" "${addon_filename}"
+  create-resource-from-string "$(cat ${addon_filename})" "${tries}" "${delay}" "${addon_filename}" "${namespace}"
 }
 
 # $1 string with json or yaml.
 # $2 count of tries to start the addon.
 # $3 delay in seconds between two consecutive tries
-# $3 name of this object to use when logging about it.
+# $4 name of this object to use when logging about it.
+# $5 namespace for this object
 function create-resource-from-string() {
   local -r config_string=$1;
   local tries=$2;
   local -r delay=$3;
   local -r config_name=$4;
+  local -r namespace=$5;
   while [ ${tries} -gt 0 ]; do
-    echo "${config_string}" | ${KUBECTL} create -f - && \
-        echo "== Successfully started ${config_name} at $(date -Is)" && \
+    echo "${config_string}" | ${KUBECTL} --namespace="${namespace}" create -f - && \
+        echo "== Successfully started ${config_name} in namespace ${namespace} at $(date -Is)" && \
         return 0;
     let tries=tries-1;
-    echo "== Failed to start ${config_name} at $(date -Is). ${tries} tries remaining. =="
+    echo "== Failed to start ${config_name} in namespace ${namespace} at $(date -Is). ${tries} tries remaining. =="
     sleep ${delay};
   done
   return 1;
@@ -143,6 +150,8 @@ done
 
 echo "== default service account has token ${token_found} =="
 
+start_addon /etc/kubernetes/addons/namespace.yaml 100 10 "" &
+
 # Generate secrets for "internal service accounts".
 # TODO(etune): move to a completely yaml/object based
 # workflow so that service accounts can be created
@@ -162,15 +171,15 @@ while read line; do
   else
     # Set the server to https://kubernetes. Pods/components that
     # do not have DNS available will have to override the server.
-    create-kubeconfig-secret "${token}" "${username}" "https://kubernetes"
+    create-kubeconfig-secret "${token}" "${username}" "https://kubernetes.default"
   fi
 done < /srv/kubernetes/known_tokens.csv
 
 # Create admission_control objects if defined before any other addon services. If the limits
 # are defined in a namespace other than default, we should still create the limits for the
 # default namespace.
 for obj in $(find /etc/kubernetes/admission-controls \( -name \*.yaml -o -name \*.json \)); do
-  start_addon ${obj} 100 10 &
+  start_addon ${obj} 100 10 default &
   echo "++ obj ${obj} is created ++"
 done
 

cluster/saltbase/salt/kube-addons/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system

cluster/saltbase/salt/kube-admission-controls/limit-range/limit-range.yaml

@@ -2,6 +2,7 @@ apiVersion: "v1"
 kind: "LimitRange"
 metadata:
   name: "limits"
+  namespace: default
 spec:
   limits:
     - type: "Container"

pkg/api/types.go

@@ -169,6 +169,8 @@ const (
 	NamespaceAll string = ""
 	// NamespaceNone is the argument for a context when there is no namespace.
 	NamespaceNone string = ""
+	// NamespaceSystem is the system namespace where we place system components.
+	NamespaceSystem string = "kube-system"
 	// TerminationMessagePathDefault means the default path to capture the application termination message running in a container
 	TerminationMessagePathDefault string = "/dev/termination-log"
 )