Ignition support
- Feature status: Experimental
- Feature gate: BootstrapFormatIgnition=true
The default configuration engine for bootstrapping workload cluster machines is cloud-init. Ignition is an alternative engine used by Linux distributions such as Flatcar Container Linux and Fedora CoreOS and therefore should be used when choosing an Ignition-based distribution as the underlying OS for workload clusters.
This document explains how Ignition support works.
For more generic information, see Cluster API documentation on Ignition Bootstrap configuration.
Overview
By default machine controller stores EC2 instance user data using SSM to store it encrypted, which underneath use multi part mime types, which are unlikely to be supported by Ignition.
EC2 user data is also limited to 64 KB, which is often not enough to provision Kubernetes controlplane because of the size of required certificates and configuration files.
To address those limitations CAPA can create and use S3 Bucket to store encrypted user data, which will be then pulled by the instances during provisioning.
IAM Permissions
To manage S3 Buckets and objects inside them, CAPA controllers require additional IAM permissions.
If you use clusterawsadm for managing the IAM roles, you can use the configuration below to create S3-related
IAM permissions.
apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSIAMConfiguration
spec:
s3Buckets:
enable: true
See Using clusterawsadm to fulfill prerequisites for more details.
Enabling EXP_BOOTSTRAP_FORMAT_IGNITION feature gate
When deploying CAPA using clusterctl, make sure you set BOOTSTRAP_FORMAT_IGNITION=true and
EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION=true environment variables to enable experimental Ignition bootstrap
support.
# Enable the feature gates controlling Ignition bootstrap.
export EXP_KUBEADM_BOOTSTRAP_FORMAT_IGNITION=true # Used by the kubeadm bootstrap provider.
export EXP_BOOTSTRAP_FORMAT_IGNITION=true # Used by the AWS provider.
# Initialize the management cluster.
clusterctl init --infrastructure aws
Bucket and object management
When you want to use Ignition user data format for you machines, you need to configure your cluster to specify which S3 bucket to use. Controller will then make sure that the bucket exists and that required policies are in place.
See the configuration snippet below to learn how to configure AWSCluster to manage S3 bucket.
apiVersion: infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSCluster
spec:
s3Bucket:
controlPlaneIAMInstanceProfile: control-plane.cluster-api-provider-aws.sigs.k8s.io
name: cluster-api-provider-aws-unique-suffix
nodesIAMInstanceProfiles:
- nodes.cluster-api-provider-aws.sigs.k8s.io
Buckets are safe to be reused between clusters.
After successful machine provisioning, bootstrap data is removed from the bucket.
During cluster removal, if S3 bucket is empty, it will be removed as well.
Bucket naming
Bucket naming must follow S3 Bucket naming rules.
In addition, by default clusterawsadm creates IAM roles to only allow interacting with buckets with
cluster-api-provider-aws- prefix to reduce the permissions of CAPA controller, so all bucket names should
use this prefix.
To change it, use spec.s3Buckets.namePrefix field in AWSIAMConfiguration.
apiVersion: bootstrap.aws.infrastructure.cluster.x-k8s.io/v1beta1
kind: AWSIAMConfiguration
spec:
s3Buckets:
namePrefix: my-custom-secure-bucket-prefix-
Supported bootstrap providers
At the moment only CABPK is known to support producing bootstrap data in Ignition format.
Trying it out
If you want to test Ignition support, use flatcar cluster flavor.
Other bootstrap providers
If you want to use Ignition support with custom bootstrap provider which supports producing Ignition bootstrap
data, ensure that bootstrap provider sets the format field in machine bootstrap secret to ignition. This
information is used by the machine controller to determine which user data format to use for the instances.