in pkg/api/defaults-kubelet.go [15:449]
func (cs *ContainerService) setKubeletConfig(isUpgrade bool) {
o := cs.Properties.OrchestratorProfile
staticLinuxKubeletConfig := map[string]string{
"--address": "0.0.0.0",
"--allow-privileged": "true",
"--anonymous-auth": "false",
"--authorization-mode": "Webhook",
"--client-ca-file": "/etc/kubernetes/certs/ca.crt",
"--pod-manifest-path": "/etc/kubernetes/manifests",
"--cluster-dns": o.KubernetesConfig.DNSServiceIP,
"--cgroups-per-qos": "true",
"--kubeconfig": "/var/lib/kubelet/kubeconfig",
"--keep-terminated-pod-volumes": "false",
"--tls-cert-file": "/etc/kubernetes/certs/kubeletserver.crt",
"--tls-private-key-file": "/etc/kubernetes/certs/kubeletserver.key",
"--v": "2",
"--volume-plugin-dir": "/etc/kubernetes/volumeplugins",
}
for key := range staticLinuxKubeletConfig {
switch key {
case "--anonymous-auth", "--client-ca-file":
if !to.Bool(o.KubernetesConfig.EnableSecureKubelet) { // Don't add if EnableSecureKubelet is disabled
delete(staticLinuxKubeletConfig, key)
}
}
}
// Start with copy of Linux config
staticWindowsKubeletConfig := make(map[string]string)
for key, val := range staticLinuxKubeletConfig {
switch key {
case "--pod-manifest-path", "--tls-cert-file", "--tls-private-key-file": // Don't add Linux-specific config
staticWindowsKubeletConfig[key] = ""
case "--anonymous-auth":
if !to.Bool(o.KubernetesConfig.EnableSecureKubelet) { // Don't add if EnableSecureKubelet is disabled
staticWindowsKubeletConfig[key] = ""
} else {
staticWindowsKubeletConfig[key] = val
}
case "--client-ca-file":
if !to.Bool(o.KubernetesConfig.EnableSecureKubelet) { // Don't add if EnableSecureKubelet is disabled
staticWindowsKubeletConfig[key] = ""
} else {
staticWindowsKubeletConfig[key] = "c:\\k\\ca.crt"
}
default:
staticWindowsKubeletConfig[key] = val
}
}
// Add Windows-specific overrides
// Eventually paths should not be hardcoded here. They should be relative to $global:KubeDir in the PowerShell script
staticWindowsKubeletConfig["--pod-infra-container-image"] = "kubletwin/pause"
staticWindowsKubeletConfig["--kubeconfig"] = "c:\\k\\config"
staticWindowsKubeletConfig["--cloud-config"] = "c:\\k\\azure.json"
staticWindowsKubeletConfig["--cgroups-per-qos"] = "false"
staticWindowsKubeletConfig["--enforce-node-allocatable"] = "\"\"\"\""
staticWindowsKubeletConfig["--system-reserved"] = "memory=2Gi"
staticWindowsKubeletConfig["--hairpin-mode"] = "promiscuous-bridge"
staticWindowsKubeletConfig["--image-pull-progress-deadline"] = "20m"
staticWindowsKubeletConfig["--resolv-conf"] = "\"\"\"\""
staticWindowsKubeletConfig["--eviction-hard"] = "\"\"\"\""
nodeStatusUpdateFrequency := GetK8sComponentsByVersionMap(o.KubernetesConfig)[o.OrchestratorVersion]["nodestatusfreq"]
if cs.Properties.IsAzureStackCloud() {
nodeStatusUpdateFrequency = DefaultAzureStackKubernetesNodeStatusUpdateFrequency
}
// Default Kubelet config
defaultKubeletConfig := map[string]string{
"--cluster-domain": "cluster.local",
"--network-plugin": "cni",
"--pod-infra-container-image": o.KubernetesConfig.MCRKubernetesImageBase + GetK8sComponentsByVersionMap(o.KubernetesConfig)[o.OrchestratorVersion][common.PauseComponentName],
"--max-pods": strconv.Itoa(DefaultKubernetesMaxPods),
"--eviction-hard": DefaultKubernetesHardEvictionThreshold,
"--node-status-update-frequency": nodeStatusUpdateFrequency,
"--image-gc-high-threshold": strconv.Itoa(DefaultKubernetesGCHighThreshold),
"--image-gc-low-threshold": strconv.Itoa(DefaultKubernetesGCLowThreshold),
"--non-masquerade-cidr": DefaultNonMasqueradeCIDR,
"--cloud-provider": "azure",
"--cloud-config": "/etc/kubernetes/azure.json",
"--event-qps": DefaultKubeletEventQPS,
"--cadvisor-port": DefaultKubeletCadvisorPort,
"--pod-max-pids": strconv.Itoa(DefaultKubeletPodMaxPIDs),
"--image-pull-progress-deadline": "30m",
"--enforce-node-allocatable": "pods",
"--streaming-connection-idle-timeout": "5m", // STIG Rule ID: SV-245541r879622_rule
"--tls-cipher-suites": TLSStrongCipherSuitesKubelet,
"--healthz-port": DefaultKubeletHealthzPort,
"--seccomp-default": "true",
}
// Set --non-masquerade-cidr if ip-masq-agent is disabled on AKS or
// explicitly disabled in kubernetes config
if cs.Properties.IsIPMasqAgentDisabled() {
defaultKubeletConfig["--non-masquerade-cidr"] = cs.Properties.OrchestratorProfile.KubernetesConfig.ClusterSubnet
}
// Apply Azure CNI-specific --max-pods value
if o.KubernetesConfig.NetworkPlugin == NetworkPluginAzure {
defaultKubeletConfig["--max-pods"] = strconv.Itoa(DefaultKubernetesMaxPodsVNETIntegrated)
}
minVersionRotateCerts := "1.11.9"
if common.IsKubernetesVersionGe(o.OrchestratorVersion, minVersionRotateCerts) {
defaultKubeletConfig["--rotate-certificates"] = "true"
}
if common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.16.0") {
// for enabling metrics-server v0.3.0+
defaultKubeletConfig["--authentication-token-webhook"] = "true"
defaultKubeletConfig["--read-only-port"] = "0" // we only have metrics-server v0.3 support in 1.16.0 and above
}
if o.KubernetesConfig.NeedsContainerd() {
// Kubelet flag --container-runtime has been removed from k8s 1.27
// Reference: https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG/CHANGELOG-1.27.md#other-cleanup-or-flake
if !common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.27.0") {
defaultKubeletConfig["--container-runtime"] = "remote"
}
defaultKubeletConfig["--runtime-request-timeout"] = "15m"
defaultKubeletConfig["--container-runtime-endpoint"] = "unix:///run/containerd/containerd.sock"
}
// If no user-configurable kubelet config values exists, use the defaults
setMissingKubeletValues(o.KubernetesConfig, defaultKubeletConfig)
if isUpgrade {
// if upgrade, force default "--pod-infra-container-image" value
o.KubernetesConfig.KubeletConfig["--pod-infra-container-image"] = defaultKubeletConfig["--pod-infra-container-image"]
}
addDefaultFeatureGates(o.KubernetesConfig.KubeletConfig, o.OrchestratorVersion, minVersionRotateCerts, "RotateKubeletServerCertificate=true")
addDefaultFeatureGates(o.KubernetesConfig.KubeletConfig, o.OrchestratorVersion, "1.20.0-rc.0", "ExecProbeTimeout=true")
// STIG Rule ID: SV-254801r879719_rule
addDefaultFeatureGates(o.KubernetesConfig.KubeletConfig, o.OrchestratorVersion, "1.25.0", "PodSecurity=true")
// Override default cloud-provider?
if to.Bool(o.KubernetesConfig.UseCloudControllerManager) {
staticLinuxKubeletConfig["--cloud-provider"] = "external"
}
// Override default --network-plugin?
if o.KubernetesConfig.NetworkPlugin == NetworkPluginKubenet {
if o.KubernetesConfig.NetworkPolicy != NetworkPolicyCalico {
o.KubernetesConfig.KubeletConfig["--network-plugin"] = NetworkPluginKubenet
}
}
// We don't support user-configurable values for the following,
// so any of the value assignments below will override user-provided values
for key, val := range staticLinuxKubeletConfig {
o.KubernetesConfig.KubeletConfig[key] = val
}
if isUpgrade && common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.14.0") {
hasSupportPodPidsLimitFeatureGate := strings.Contains(o.KubernetesConfig.KubeletConfig["--feature-gates"], "SupportPodPidsLimit=true")
podMaxPids, err := strconv.Atoi(o.KubernetesConfig.KubeletConfig["--pod-max-pids"])
if err != nil {
o.KubernetesConfig.KubeletConfig["--pod-max-pids"] = strconv.Itoa(-1)
} else {
// If we don't have an explicit SupportPodPidsLimit=true, disable --pod-max-pids by setting to -1
// To prevent older clusters from inheriting SupportPodPidsLimit=true implicitly starting w/ 1.14.0
if !hasSupportPodPidsLimitFeatureGate || podMaxPids <= 0 {
o.KubernetesConfig.KubeletConfig["--pod-max-pids"] = strconv.Itoa(-1)
}
}
}
removeKubeletFlags(o.KubernetesConfig.KubeletConfig, o.OrchestratorVersion)
invalidFeatureGates := []string{}
// Remove --feature-gate VolumeSnapshotDataSource starting with 1.22
if common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.22.0-alpha.1") {
invalidFeatureGates = append(invalidFeatureGates, "VolumeSnapshotDataSource")
}
if common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.27.0") {
// Remove --feature-gate ControllerManagerLeaderMigration starting with 1.27
// Reference: https://github.com/kubernetes/kubernetes/pull/113534
invalidFeatureGates = append(invalidFeatureGates, "ControllerManagerLeaderMigration")
// Remove --feature-gate ExpandCSIVolumes, ExpandInUsePersistentVolumes, ExpandPersistentVolumes starting with 1.27
// Reference: https://github.com/kubernetes/kubernetes/pull/113942
invalidFeatureGates = append(invalidFeatureGates, "ExpandCSIVolumes", "ExpandInUsePersistentVolumes", "ExpandPersistentVolumes")
// Remove --feature-gate CSIInlineVolume, CSIMigration, CSIMigrationAzureDisk, DaemonSetUpdateSurge, EphemeralContainers, IdentifyPodOS, LocalStorageCapacityIsolation, NetworkPolicyEndPort, StatefulSetMinReadySeconds starting with 1.27
// Reference: https://github.com/kubernetes/kubernetes/pull/114410
invalidFeatureGates = append(invalidFeatureGates, "CSIInlineVolume", "CSIMigration", "CSIMigrationAzureDisk", "DaemonSetUpdateSurge", "EphemeralContainers", "IdentifyPodOS", "LocalStorageCapacityIsolation", "NetworkPolicyEndPort", "StatefulSetMinReadySeconds")
}
if common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.28.0") {
// Remove --feature-gate AdvancedAuditing starting with 1.28
invalidFeatureGates = append(invalidFeatureGates, "AdvancedAuditing", "DisableAcceleratorUsageMetrics", "DryRun", "PodSecurity")
invalidFeatureGates = append(invalidFeatureGates, "NetworkPolicyStatus", "PodHasNetworkCondition", "UserNamespacesStatelessPodsSupport")
// Remove --feature-gate CSIMigrationGCE starting with 1.28
// Reference: https://github.com/kubernetes/kubernetes/pull/117055
invalidFeatureGates = append(invalidFeatureGates, "CSIMigrationGCE")
// Remove --feature-gate CSIStorageCapacity starting with 1.28
// Reference: https://github.com/kubernetes/kubernetes/pull/118018
invalidFeatureGates = append(invalidFeatureGates, "CSIStorageCapacity")
// Remove --feature-gate DelegateFSGroupToCSIDriver starting with 1.28
// Reference: https://github.com/kubernetes/kubernetes/pull/117655
invalidFeatureGates = append(invalidFeatureGates, "DelegateFSGroupToCSIDriver")
// Remove --feature-gate DevicePlugins starting with 1.28
// Reference: https://github.com/kubernetes/kubernetes/pull/117656
invalidFeatureGates = append(invalidFeatureGates, "DevicePlugins")
// Remove --feature-gate KubeletCredentialProviders starting with 1.28
// Reference: https://github.com/kubernetes/kubernetes/pull/116901
invalidFeatureGates = append(invalidFeatureGates, "KubeletCredentialProviders")
// Remove --feature-gate MixedProtocolLBService, ServiceInternalTrafficPolicy, ServiceIPStaticSubrange, EndpointSliceTerminatingCondition starting with 1.28
// Reference: https://github.com/kubernetes/kubernetes/pull/117237
invalidFeatureGates = append(invalidFeatureGates, "MixedProtocolLBService", "ServiceInternalTrafficPolicy", "ServiceIPStaticSubrange", "EndpointSliceTerminatingCondition")
// Remove --feature-gate WindowsHostProcessContainers starting with 1.28
// Reference: https://github.com/kubernetes/kubernetes/pull/117570
invalidFeatureGates = append(invalidFeatureGates, "WindowsHostProcessContainers")
}
if common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.29.0") {
// Remove --feature-gate CSIMigrationvSphere starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/121291
invalidFeatureGates = append(invalidFeatureGates, "CSIMigrationvSphere")
// Remove --feature-gate ProbeTerminationGracePeriod starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/121257
invalidFeatureGates = append(invalidFeatureGates, "ProbeTerminationGracePeriod")
// Remove --feature-gate JobTrackingWithFinalizers starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/119100
invalidFeatureGates = append(invalidFeatureGates, "JobTrackingWithFinalizers")
// Remove --feature-gate TopologyManager starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/121252
invalidFeatureGates = append(invalidFeatureGates, "TopologyManager")
// Remove --feature-gate OpenAPIV3 starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/121255
invalidFeatureGates = append(invalidFeatureGates, "OpenAPIV3")
// Remove --feature-gate SeccompDefault starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/121246
invalidFeatureGates = append(invalidFeatureGates, "SeccompDefault")
// Remove --feature-gate CronJobTimeZone, JobMutableNodeSchedulingDirectives, LegacyServiceAccountTokenNoAutoGeneration starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/120192
invalidFeatureGates = append(invalidFeatureGates, "CronJobTimeZone", "JobMutableNodeSchedulingDirectives", "LegacyServiceAccountTokenNoAutoGeneration")
// Remove --feature-gate DownwardAPIHugePages starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/120249
invalidFeatureGates = append(invalidFeatureGates, "DownwardAPIHugePages")
// Remove --feature-gate GRPCContainerProbe starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/120248
invalidFeatureGates = append(invalidFeatureGates, "GRPCContainerProbe")
// Remove --feature-gate RetroactiveDefaultStorageClass starting with 1.29
// Reference: https://github.com/kubernetes/kubernetes/pull/120861
invalidFeatureGates = append(invalidFeatureGates, "RetroactiveDefaultStorageClass")
}
if common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.30.0") {
// Remove --feature-gate KubeletPodResources starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122139
invalidFeatureGates = append(invalidFeatureGates, "KubeletPodResources")
// Remove --feature-gate KubeletPodResourcesGetAllocatable starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122138
invalidFeatureGates = append(invalidFeatureGates, "KubeletPodResourcesGetAllocatable")
// Remove --feature-gate LegacyServiceAccountTokenTracking starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122409
invalidFeatureGates = append(invalidFeatureGates, "LegacyServiceAccountTokenTracking")
// Remove --feature-gate MinimizeIPTablesRestore starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122136
invalidFeatureGates = append(invalidFeatureGates, "MinimizeIPTablesRestore")
// Remove --feature-gate ProxyTerminatingEndpoints starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122134
invalidFeatureGates = append(invalidFeatureGates, "ProxyTerminatingEndpoints")
// Remove --feature-gate RemoveSelfLink starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122468
invalidFeatureGates = append(invalidFeatureGates, "RemoveSelfLink")
// Remove --feature-gate SecurityContextDeny starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122612
invalidFeatureGates = append(invalidFeatureGates, "SecurityContextDeny")
// Remove --feature-gate APISelfSubjectReview starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122032
invalidFeatureGates = append(invalidFeatureGates, "APISelfSubjectReview")
// Remove --feature-gate CSIMigrationAzureFile starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122576
invalidFeatureGates = append(invalidFeatureGates, "CSIMigrationAzureFile")
// Remove --feature-gate ExpandedDNSConfig starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122086
invalidFeatureGates = append(invalidFeatureGates, "ExpandedDNSConfig")
// Remove --feature-gate ExperimentalHostUserNamespaceDefaulting starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122088
invalidFeatureGates = append(invalidFeatureGates, "ExperimentalHostUserNamespaceDefaulting")
// Remove --feature-gate IPTablesOwnershipCleanup starting with 1.30
// Reference: https://github.com/kubernetes/kubernetes/pull/122137
invalidFeatureGates = append(invalidFeatureGates, "IPTablesOwnershipCleanup")
}
removeInvalidFeatureGates(o.KubernetesConfig.KubeletConfig, invalidFeatureGates)
// Master-specific kubelet config changes go here
if cs.Properties.MasterProfile != nil {
if cs.Properties.MasterProfile.KubernetesConfig == nil {
cs.Properties.MasterProfile.KubernetesConfig = &KubernetesConfig{}
}
if cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig == nil {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig = make(map[string]string)
}
if isUpgrade {
// if upgrade, force default "--pod-infra-container-image" value
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--pod-infra-container-image"] = o.KubernetesConfig.KubeletConfig["--pod-infra-container-image"]
}
//Ensure cloud-provider setting
if to.Bool(o.KubernetesConfig.UseCloudControllerManager) {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--cloud-provider"] = "external"
}
setMissingKubeletValues(cs.Properties.MasterProfile.KubernetesConfig, o.KubernetesConfig.KubeletConfig)
addDefaultFeatureGates(cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig, o.OrchestratorVersion, "", "")
if isUpgrade && common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.14.0") {
hasSupportPodPidsLimitFeatureGate := strings.Contains(cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--feature-gates"], "SupportPodPidsLimit=true")
podMaxPids, err := strconv.Atoi(cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--pod-max-pids"])
if err != nil {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--pod-max-pids"] = strconv.Itoa(-1)
} else {
// If we don't have an explicit SupportPodPidsLimit=true, disable --pod-max-pids by setting to -1
// To prevent older clusters from inheriting SupportPodPidsLimit=true implicitly starting w/ 1.14.0
if !hasSupportPodPidsLimitFeatureGate || podMaxPids <= 0 {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--pod-max-pids"] = strconv.Itoa(-1)
}
}
}
// "--protect-kernel-defaults" is only true for VHD based VMs since the base Ubuntu distros don't have a /etc/sysctl.d/60-CIS.conf file.
if cs.Properties.MasterProfile.IsVHDDistro() {
if _, ok := cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--protect-kernel-defaults"]; !ok {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--protect-kernel-defaults"] = "true"
}
}
// Override the --resolv-conf kubelet config value for Ubuntu 18.04 after the distro value is set.
if cs.Properties.MasterProfile.IsUbuntu1804() || cs.Properties.MasterProfile.IsUbuntu2004() || cs.Properties.MasterProfile.IsUbuntu2204() {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--resolv-conf"] = "/run/systemd/resolve/resolv.conf"
}
removeKubeletFlags(cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig, o.OrchestratorVersion)
removeInvalidFeatureGates(cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig, invalidFeatureGates)
if cs.Properties.AnyAgentIsLinux() {
if val, ok := cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--register-with-taints"]; !ok {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--register-with-taints"] = common.MasterNodeTaint
} else {
if !strings.Contains(val, common.MasterNodeTaint) {
cs.Properties.MasterProfile.KubernetesConfig.KubeletConfig["--register-with-taints"] += fmt.Sprintf(",%s", common.MasterNodeTaint)
}
}
}
}
// Agent-specific kubelet config changes go here
for _, profile := range cs.Properties.AgentPoolProfiles {
if profile.KubernetesConfig == nil {
profile.KubernetesConfig = &KubernetesConfig{}
}
if profile.KubernetesConfig.KubeletConfig == nil {
profile.KubernetesConfig.KubeletConfig = make(map[string]string)
}
if isUpgrade {
// if upgrade, force default "--pod-infra-container-image" value
profile.KubernetesConfig.KubeletConfig["--pod-infra-container-image"] = o.KubernetesConfig.KubeletConfig["--pod-infra-container-image"]
}
if profile.IsWindows() {
for key, val := range staticWindowsKubeletConfig {
profile.KubernetesConfig.KubeletConfig[key] = val
}
} else {
for key, val := range staticLinuxKubeletConfig {
profile.KubernetesConfig.KubeletConfig[key] = val
}
}
setMissingKubeletValues(profile.KubernetesConfig, o.KubernetesConfig.KubeletConfig)
if isUpgrade && common.IsKubernetesVersionGe(o.OrchestratorVersion, "1.14.0") {
hasSupportPodPidsLimitFeatureGate := strings.Contains(profile.KubernetesConfig.KubeletConfig["--feature-gates"], "SupportPodPidsLimit=true")
podMaxPids, err := strconv.Atoi(profile.KubernetesConfig.KubeletConfig["--pod-max-pids"])
if err != nil {
profile.KubernetesConfig.KubeletConfig["--pod-max-pids"] = strconv.Itoa(-1)
} else {
// If we don't have an explicit SupportPodPidsLimit=true, disable --pod-max-pids by setting to -1
// To prevent older clusters from inheriting SupportPodPidsLimit=true implicitly starting w/ 1.14.0
if !hasSupportPodPidsLimitFeatureGate || podMaxPids <= 0 {
profile.KubernetesConfig.KubeletConfig["--pod-max-pids"] = strconv.Itoa(-1)
}
}
}
// "--protect-kernel-defaults" is only true for VHD based VMs since the base Ubuntu distros don't have a /etc/sysctl.d/60-CIS.conf file.
if profile.IsVHDDistro() {
if _, ok := profile.KubernetesConfig.KubeletConfig["--protect-kernel-defaults"]; !ok {
profile.KubernetesConfig.KubeletConfig["--protect-kernel-defaults"] = "true"
}
}
// Override the --resolv-conf kubelet config value for Ubuntu 18.04 after the distro value is set.
if profile.IsUbuntu1804() || profile.IsUbuntu2004() || profile.IsUbuntu2204() {
profile.KubernetesConfig.KubeletConfig["--resolv-conf"] = "/run/systemd/resolve/resolv.conf"
}
removeKubeletFlags(profile.KubernetesConfig.KubeletConfig, o.OrchestratorVersion)
removeInvalidFeatureGates(profile.KubernetesConfig.KubeletConfig, invalidFeatureGates)
if cs.Properties.OrchestratorProfile.KubernetesConfig.IsAddonEnabled(common.AADPodIdentityAddonName) && !profile.IsWindows() {
if val, ok := profile.KubernetesConfig.KubeletConfig["--register-with-taints"]; !ok {
profile.KubernetesConfig.KubeletConfig["--register-with-taints"] = fmt.Sprintf("%s=true:NoSchedule", common.AADPodIdentityTaintKey)
} else {
if !strings.Contains(val, common.AADPodIdentityTaintKey) {
profile.KubernetesConfig.KubeletConfig["--register-with-taints"] += fmt.Sprintf(",%s=true:NoSchedule", common.AADPodIdentityTaintKey)
}
}
}
}
}