Merge branch 'master' into maintenance/CaaS4.5
Markus Napp committed Dec 11, 2020
2 parents 79e4e9f + d075fb8 commit d9d63b4
Showing 2 changed files with 20 additions and 8 deletions.
7 changes: 4 additions & 3 deletions adoc/admin-gpus.adoc
Expand Up @@ -16,12 +16,13 @@ Not every worker node in the cluster need have a GPU device present. On the node
----
# zypper addrepo --refresh https://download.nvidia.com/suse/sle15sp2/ nvidia
# zypper refresh
# zypper install x11-video-nvidiaG05
# zypper install nvidia-glG05 nvidia-computeG05
----

[NOTE]
====
For most modern {nvidia} GPUs, the G05 driver will support your device. Some older devices may require the x11-video-nvidiaG04 driver package instead. Check {nvidia}'s documentation for your GPU device model.
For most modern {nvidia} GPUs, the G05 driver will support your device.
Check {nvidia}'s documentation for your GPU device model.
====

=== Install the OCI hooks
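Review bot: The rewritten NOTE drops the sentence telling owners of older GPUs to use the `x11-video-nvidiaG04` package instead, and nothing replaces it, so a reader whose device is not supported by G05 is now left with only "check NVIDIA's documentation". If the G04 fallback is still valid on this platform, keep a sentence such as `Some older devices may require the x11-video-nvidiaG04 driver package instead.`; if it was removed because G04 is no longer offered, say so in the NOTE so readers do not go looking for it. The swap from `zypper install x11-video-nvidiaG05` to `zypper install nvidia-glG05 nvidia-computeG05` is also not explained anywhere in the hunk or the merge commit message; a one-line rationale in the docs would help future maintainers understand why the X11 package was dropped.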
Expand Down Expand Up @@ -77,7 +78,7 @@ The {kube} device plugin framework allows the kubelet to advertise system hardwa

[source,bash]
----
$ kubectl create -f https://raw.githubusercontent.com/{nvidia}/k8s-device-plugin/1.0.0-beta6/nvidia-device-plugin.yml
$ kubectl create -f https://raw.githubusercontent.com/NVIDIA/k8s-device-plugin/1.0.0-beta6/nvidia-device-plugin.yml
----

=== Taint GPU Workers
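Review bot: Replacing `{nvidia}` with the literal `NVIDIA` inside the URL is a necessary fix, not cosmetic: this is a `[source,bash]` listing block, and AsciiDoc does not apply attribute substitution inside verbatim blocks unless `subs` is set, so the old line would have shipped the literal text `{nvidia}` in the `kubectl create -f` URL and the command would not have resolved. It is worth grepping this file for other `{...}` attributes inside `----` blocks, since the same pattern may recur. Separately, the manifest is fetched from a raw GitHub URL at a pinned tag (`1.0.0-beta6`) and applied cluster-wide as a DaemonSet in one step; consider advising readers to download and inspect the file (or vendor it into the repository) before applying it, so what runs on every GPU node is something they have reviewed rather than whatever the remote tag serves.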
21 changes: 16 additions & 5 deletions adoc/admin-security-certificates.adoc
Expand Up @@ -1011,23 +1011,34 @@ You need to generate `kubelet` server certificate for all the nodes on one of co
The `kubelet` CA certificate key only exists on the control plane nodes.
Therefore, after generating re-signed `kubelet` server certificate/key for worker nodes, you have to copy each `kubelet` server certificate/key from the control plane node to the corresponding worker node.
====
. Backup the original `kubelet` certificates and keys.

. Backup the original `kubelet` certificates and keys on it's node.
+
[source,bash]
----
sudo cp -r /var/lib/kubelet/pki /var/lib/kubelet/pki.bak
----

. Get the O/OU/CN, run the command on it's node:
+
. Sign each node `kubelet` server certificate with the CA certificate/key `/var/lib/kubelet/pki/kubelet-ca.crt` and `/var/lib/kubelet/pki/kubelet-ca.key`, make sure that the signed server certificate SAN is the same as the origin.
To get the original SAN IP address(es) and DNS(s), run:
[source,bash]
----
openssl x509 -noout -subject -in /var/lib/kubelet/pki.bak/kubelet.crt
----

. Get the original SAN IP address(es) and DNS(s), run the command on it's node:
+
[source,bash]
----
openssl x509 -noout -text -in /var/lib/kubelet/pki.bak/kubelet.crt | grep -oP '(?<=IP Address:)[^,]+'
openssl x509 -noout -text -in /var/lib/kubelet/pki.bak/kubelet.crt | grep -oP '(?<=DNS:)[^,]+'
----
+
. Finally, update the `kubelet` server certificate and key file `/var/lib/kubelet/kubelet.crt` and `/var/lib/kubelet/kubelet.key` respectively, and restart `kubelet` service.

. At one of the control plane node, sign the corresponding node `kubelet` server certificate with the CA certificate/key `/var/lib/kubelt/pki/kubelet-ca.crt` and `/var/lib/kubelet/pki/kubelet-ca.key`, please refer to <<trusted-server-certificate>> on how to sign the trusted server certificate. The `server.conf` for O/OU/CN _recommends_ be the same as original one, for IP.1 is the original SAN IP address if present, DNS.1 is the original SAN DNS if present.

. Copy the signed certificate/key from one ofthe control plane node to the corresponding node.

. Finally, update the `kubelet` server certificate and key file `/var/lib/kubelet/kubelet.crt` and `/var/lib/kubelet/kubelet.key` respectively, and restart `kubelet` service on it's node.
+
[source,bash]
----
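Review bot: The newly added signing step contains a path typo: `/var/lib/kubelt/pki/kubelet-ca.crt` should be `/var/lib/kubelet/pki/kubelet-ca.crt` (the `.key` path on the same line is spelled correctly, and the backup step uses `/var/lib/kubelet/pki`); anyone copying the path will get a file-not-found error at the signing step. Grammar in the added lines: `it's node` should be `its node` (it appears in the backup, O/OU/CN, SAN and restart steps) and `one ofthe control plane node` should be `one of the control plane nodes`. On substance, the new wording says the O/OU/CN is only _recommended_ to match the original while the SAN must match; a short sentence on why the SAN is the part that matters for the trust relationship would make that distinction less easy to ignore. Finally, the `[source,bash]` block at the end of the last step is empty in the visible context because the hunk is cut off there; confirm that its contents still fit the new step order, since the restart step now comes after the copy step instead of directly after signing.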
