kubernetes worker #1

Supports: xenial bionic


Kubernetes is an open-source platform for deploying, scaling, and operating application containers across a cluster of hosts. It is portable, in that it works with public, private, and hybrid clouds; extensible, through a pluggable infrastructure; and self-healing, in that it will automatically restart containers and place them on healthy nodes if a node ever goes away.

Kubernetes Worker


This charm deploys a container runtime, and additionally stands up the Kubernetes worker applications: kubelet, and kube-proxy.

In order for this charm to be useful, it should be deployed with its companion charm kubernetes-master and linked with an SDN-Plugin.

This charm has also been bundled up for your convenience, so you can skip deploying and relating the components individually and stand up the whole stack with a single command:

juju deploy canonical-kubernetes

For more information about Canonical Kubernetes consult the bundle README.md file.

Scale out

To add compute capacity to your Kubernetes workers, scale the application with juju add-unit. New units will automatically join any related kubernetes-master and enlist themselves as ready once their deployment is complete.

Snap Configuration

The Kubernetes components installed by this charm are snap packages. When not supplied as resources at deployment time, they come from the public snap store. By default, the snapd daemon refreshes all snaps installed from the store four (4) times per day. A charm configuration option lets operators control this refresh frequency.

NOTE: this is a global configuration option and will affect the refresh time for all snaps installed on a system.


## refresh kubernetes-worker snaps every tuesday
juju config kubernetes-worker snapd_refresh="tue"

## refresh snaps at 11pm on the last (5th) friday of the month
juju config kubernetes-worker snapd_refresh="fri5,23:00"

## delay the refresh as long as possible
juju config kubernetes-worker snapd_refresh="max"

## use the system default refresh timer
juju config kubernetes-worker snapd_refresh=""

For more information on the possible values for snapd_refresh, see the refresh.timer section in the system options documentation.

Operational actions

The kubernetes-worker charm supports the following Operational Actions:


Pausing the workload enables administrators to both drain and cordon a unit for maintenance.


Resuming the workload will uncordon a paused unit. Workloads will automatically migrate unless otherwise directed via their application declaration.

Private registry

With the "registry" action that is part of the kubernetes-worker charm, you can easily create a private Docker registry with authentication, available over TLS. Note that the registry deployed by the action is not HA and uses storage tied to the Kubernetes node where the pod is running, so if the registry pod is migrated from one node to another for whatever reason, you will need to re-publish the images.

Example usage

Create the relevant authentication files. Say you want user userA to authenticate with the password passwordA. Then run:

echo -n "userA:passwordA" > htpasswd-plain
htpasswd -c -b -B htpasswd userA passwordA

(the htpasswd program comes with the apache2-utils package; note that passing the password on the command line with -b leaves it visible in the process list and in your shell history, and htpasswd-plain holds it in clear text, so create both files with a restrictive umask and delete them once the action has run)

Supposing your registry will be reachable at myregistry.company.com, that you already have your TLS key in the registry.key file, and your TLS certificate in the registry.crt file (with myregistry.company.com as Common Name, and preferably also as a Subject Alternative Name, since recent Docker clients ignore the Common Name and validate only the SAN), you would then run:

juju run-action kubernetes-worker/0 registry domain=myregistry.company.com htpasswd="$(base64 -w0 htpasswd)" htpasswd-plain="$(base64 -w0 htpasswd-plain)" tlscert="$(base64 -w0 registry.crt)" tlskey="$(base64 -w0 registry.key)" ingress=true

If you then decide that you want to delete the registry, just run:

juju run-action kubernetes-worker/0 registry delete=true ingress=true
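The same procedure as one script, added here as an example that is not part of the charm or its README: it reads the password from stdin rather than the command line, generates a self-signed certificate that carries the registry name as a Subject Alternative Name, checks that the htpasswd entry is bcrypt (the only hash type the registry's htpasswd backend accepts, so an apr1 or SHA entry deploys cleanly and then rejects every login), and only then assembles the action arguments. The unit name, domain and user are the ones from the page; the REGISTRY_STAGE variable, the script name and the temporary working directory are this example's own. It assumes htpasswd (apache2-utils), OpenSSL 1.1.1 or newer (for -addext) and GNU coreutils base64 are installed.

```shell
#!/bin/sh
# Added example, not from the charm or its README: stage the inputs for the
# kubernetes-worker "registry" action. Assumes htpasswd (apache2-utils),
# OpenSSL >= 1.1.1 and GNU base64; REGISTRY_STAGE and the temp dir are ours.
set -e
umask 077   # every file written below holds a secret; keep it owner-readable only

# Create the bcrypt htpasswd file and the plain "user:password" file the
# action expects. The password is read from stdin, so unlike `htpasswd -b`
# it never shows up in `ps` output or in the shell history.
make_registry_creds() {
    dir=$1; user=$2
    IFS= read -r pass
    printf '%s:%s' "$user" "$pass" > "$dir/htpasswd-plain"
    # -c creates the file, -i reads the password from stdin, -B selects bcrypt
    printf '%s\n' "$pass" | htpasswd -c -i -B "$dir/htpasswd" "$user" 2>/dev/null
    pass=
}

# Self-signed certificate for the registry name. Recent Docker clients (Go's
# TLS stack) ignore the Common Name, so the name must also appear in the SAN.
make_registry_cert() {
    dir=$1; domain=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$domain" -addext "subjectAltName=DNS:$domain" \
        -keyout "$dir/registry.key" -out "$dir/registry.crt" 2>/dev/null
}

# Pre-flight check: the registry's htpasswd backend only understands bcrypt
# entries ($2a$/$2b$/$2y$, 60 characters). Succeeds only if the file is
# non-empty and every line is "user:<bcrypt hash>".
htpasswd_is_bcrypt() {
    [ -s "$1" ] &&
        ! grep -Ev '^[^:]+:\$2[aby]\$[0-9]{2}\$[./A-Za-z0-9]{53}$' "$1" | grep -q .
}

# Assemble the action arguments, base64-encoded on one line (-w0) exactly as
# the README's invocation does. Printed without a trailing newline.
registry_action_args() {
    dir=$1; domain=$2
    printf 'domain=%s htpasswd=%s htpasswd-plain=%s tlscert=%s tlskey=%s ingress=true' \
        "$domain" \
        "$(base64 -w0 "$dir/htpasswd")" \
        "$(base64 -w0 "$dir/htpasswd-plain")" \
        "$(base64 -w0 "$dir/registry.crt")" \
        "$(base64 -w0 "$dir/registry.key")"
}

# Usage: REGISTRY_STAGE=1 sh registry-stage.sh   (then type the password)
if [ "${REGISTRY_STAGE:-}" = 1 ]; then
    work=$(mktemp -d)
    make_registry_creds "$work" userA
    make_registry_cert "$work" myregistry.company.com
    htpasswd_is_bcrypt "$work/htpasswd" || { echo 'htpasswd is not bcrypt' >&2; exit 1; }
    # shellcheck disable=SC2046  # the arguments contain no whitespace
    juju run-action kubernetes-worker/0 registry $(registry_action_args "$work" myregistry.company.com)
    rm -rf "$work"   # the clear-text password should not outlive the action
fi
```

Without REGISTRY_STAGE=1 the script only defines the functions, so it can be sourced from an interactive shell to run the steps one at a time (for instance to inspect the generated certificate with openssl x509 -text before handing it to the action).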

Known Limitations

Kubernetes workers currently only support "faux" HA scenarios. Even when configured with an HA cluster string, they will only ever contact the first unit in the cluster map. For proper HA, kubernetes-worker units should proxy through a kubeapi-load-balancer application. This enables an HA deployment without the need to re-render configuration and disrupt the worker services.

External access to pods must be performed through a Kubernetes Ingress Resource.

When using NodePort type networking, there is no automation for exposing the ports selected by Kubernetes or chosen by the user. They need to be opened manually, which can be done across an entire worker pool in one step.

If the port selected for your NodePort service is 30510, you can open it across all members of a worker pool named kubernetes-worker like so:

juju run --application kubernetes-worker open-port 30510/tcp

Don't forget to expose the kubernetes-worker application if it is not already exposed; otherwise the port is opened on the units but the service remains unreachable, which can cause confusion.

Note: When debugging connection issues with NodePort services, it is important to first check the kube-proxy service on the worker units. If kube-proxy is not running, the associated port mapping will not be configured in the iptables rule chains.

If you need to close the NodePort once a workload has been terminated, follow the same steps in reverse:

juju run --application kubernetes-worker close-port 30510/tcp

Configuration

(string) Allow privileged containers to run on worker nodes. Supported values are "true", "false", and "auto". If "true", kubelet will run in privileged mode by default. If "false", kubelet will never run in privileged mode. If "auto", kubelet will not run in privileged mode by default, but will switch to privileged mode if gpu hardware is detected. Pod security policies (PSP) should be used to restrict container privileges.
(string) APT Key Server
(string) Snap channel to install Kubernetes worker services from
(string) The cuda-repo package version to install.
(string) Docker image to use for the default backend. Auto will select an image based on architecture.
(string) The pinned version of the docker-ce package installed with nvidia-docker.
(string) Docker login credentials. Setting this config allows Kubelet to pull images from registries where auth is required. The value for this config must be a JSON array of credential objects, like this: [{"server": "my.registry", "username": "myUser", "password": "myPass"}]
(string) Extra options to pass to the docker daemon, e.g. --insecure-registry (which lets the daemon talk to the named registry over plain HTTP or with an untrusted certificate, so use it only for registries you control).
(string) Docker runtime to install. Valid values are "upstream" (docker PPA), "nvidia" (nvidia PPA), "apt" (ubuntu archive), or "auto" (nvidia PPA or ubuntu archive, based on your hardware).
(boolean) Enable the GRUB cgroup overrides cgroup_enable=memory swapaccount=1. WARNING: changing this option will reboot the host; use with caution on production services.
(string) URL to use for HTTP_PROXY to be used by Docker. Only useful in closed environments where a proxy is the only option for routing to the registry to pull images
(string) URL to use for HTTPS_PROXY to be used by Docker. Only useful in closed environments where a proxy is the only option for routing to the registry to pull images
(boolean) Deploy the default http backend and ingress controller to handle ingress requests.
(boolean) Enable chain completion for TLS certificates used by the nginx ingress controller. Set this to true if you would like the ingress controller to attempt auto-retrieval of intermediate certificates. The default (false) is recommended for all production kubernetes installations, and any environment which does not have outbound Internet access.
(string) Space-separated list of flags and key=value pairs that will be passed as arguments to kubelet. For example, a value like runtime-config=batch/v2alpha1=true profiling=true will result in kubelet being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true. Note: As of Kubernetes 1.10.x, many of kubelet's args have been deprecated and can be set with kubelet-extra-config instead.
(string) Extra configuration to be passed to kubelet. Any values specified in this config will be merged into a KubeletConfiguration file that is passed to the kubelet service via the --config flag. This can be used to override values provided by the charm. Requires Kubernetes 1.10+. The value for this config must be a YAML mapping that can be safely merged with a KubeletConfiguration file. For example: {evictionHard: {memory.available: 200Mi}} For more information about KubeletConfiguration, see upstream docs: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
(string) Labels can be used to organize and to select subsets of nodes in the cluster. Declare node labels in key=value format, separated by spaces.
(string) Used by the nrpe subordinate charms. A string that will be prepended to the instance name to set the host name in nagios, so that the hostname becomes something like juju-myservice-0. If you are running multiple environments with the same services in them, this allows you to differentiate between them.
(string) A comma-separated list of nagios servicegroups. If left empty, the nagios_context will be used as the servicegroup
(string) Docker image to use for the nginx ingress controller. Auto will select an image based on architecture.
(string) Comma-separated list of destinations (either domain names or IP addresses) that should be accessed directly instead of going through the proxy defined above. Must be less than 2023 characters long.
(string) The pinned version of the nvidia-container-runtime package.
(string) The pinned version of the nvidia-docker2 package.
(string) Space-separated list of flags and key=value pairs that will be passed as arguments to kube-proxy. For example, a value like runtime-config=batch/v2alpha1=true profiling=true will result in kube-proxy being run with the following options: --runtime-config=batch/v2alpha1=true --profiling=true
(boolean) When true, worker services will not be upgraded until the user triggers it manually by running the upgrade action.
(string) HTTP/HTTPS web proxy for Snappy to use when accessing the snap store.
(string) The address of a Snap Store Proxy to use for snaps e.g. http://snap-proxy.example.com
(string) How often snapd handles updates for installed snaps. Setting an empty string will check 4x per day. Set to "max" to delay the refresh as long as possible. You may also set a custom string as described in the 'refresh.timer' section here: https://forum.snapcraft.io/t/system-options/87