📖 Update KCP proposal with scale in

[jan-est]

Currently, KCP scale out during the upgrade, and no other method is available. However, this is a very restrictive implementation in environments where the amount of resources is limited and scale out might not be possible. The main motivation for this KCP proposal update is to be able to add scale in feature to KCP implementation when this PR is approved.

This proposal is discussed in google doc and in issue 3512

[k8s-ci-robot]

Hi @jan-est. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[jan-est]

/assign @fabriziopandini

[vincepri]

/ok-to-test
/milestone v0.4.0

[vincepri]

/kind proposal

[fabriziopandini]

How do we think to make it visible to the user the fact that the rollout can be performed due to this reason?

[jan-est]

I did a little rethinking with the logic here. I think we don't need to be worried about the replica counts at all. Since current implementation does not even support the deployment of KCP with even replica count and returns on error:

The KubeadmControlPlane "controlplane-name" is invalid: spec.replicas: Forbidden: cannot be an even number when using managed etcd

When using stacked etcd KCP does not upgrade if replica count is for example 2. So, we can rely on the fact that replica count should be uneven when user is trying to upgrade. So I would say we only make sure that we scale up when replica count is 1 and KubeadmControlPlane.Spec.UpgradeStrategy is set. Any thoughts?

[fabriziopandini]

IMO we should have an explicit rule checking that current replicas >=3.

The main reason for having this explicit rule is that even do it is not allowed to specify an even number desired replica count, then in the current KCP implementation the rollout logic takes precedence on creating the missing machines, and as a result, it could happen that:

• Set desired replica count = 3
• Create first machine (desired replicas = 3, current replicas =1)
• Change machine spec
• KCP start to rollout existing machines, stopping to provision the missing ones
• if UpgradeStrategy == scale-in, without the explicit rule above, the only existing replica will be deleted 😞

So the rule is ok for me, might be worth to specify current machines; it is only important to inform the user when this rule is preventing rollout to happen

[jan-est]

That is ok for me. Do we have any preferences how we should inform the user?

[jan-est]

Should we also prevent users to do initial deployment of the KCP with:

• UpgradeStrategy == scale-in
• replica count < 3

For this we could add something as follows into kubeadm_control_plane_webhook.go :

	if in.Spec.UpgradeStrategy.Type == "ScaleIn" && *in.Spec.Replicas < 3 {
		allErrs = append(
			allErrs,
			field.Forbidden(
				field.NewPath("spec", "replicas"),
				"cannot set scaleIn rollout stragegy with less than three initial replicas",
			),
		)
	} 

[fabriziopandini]

Do we have any preferences how we should inform the user?

We are converging on using conditions for all the user-facing messages, so this could a warning on the MachinesSpecUpToDate condition

[vincepri]

We should definitely opt for webhook validation in this case, which is immediate and informs the user before reconciliation starts

[fabriziopandini]

Another pass, I like how it is shaping out

[fabriziopandini]

last nits, otherwise lgtm for me

[fabriziopandini]

overall lgtm, few small nits not blocking

[vincepri]

/lgtm

/assign @detiber @CecileRobertMichon
for final approval

[detiber]

A few items that I think should be addressed as followup, but otherwise this lgtm.

/approve

[detiber]

I don't want to block progress on this, but as a followup can we refine this to avoid saying that it is recommended to use these settings, but rather that one could use these settings if they are operating in a resource constrained environment and do not have sufficient capacity to use a surge based rollout?

[CecileRobertMichon]

+1

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: detiber

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [detiber]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[CecileRobertMichon]

Does this mean the user's settings would be silently ignored? What if there is no available quota to scale up when the control plane count is 1, MaxUnavailable is 1, and MaxSurge is 0? Wouldn't it be better to avoid ever getting into this situation in the first place by validating the spec and rejecting this combination of values?

[jan-est]

@CecileRobertMichon I agree that using spec validation would make more sense than fallback to default rollout here.

[CecileRobertMichon]

+1

[CecileRobertMichon]

Let's make sure this validation is enforced when the proposal is implemented

[vincepri]

/lgtm

Over to @CecileRobertMichon to unhold

[CecileRobertMichon]

/lgtm
/hold cancel