kubeadm: init kep for no cri socket annotation #3930
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
kind/kep
| CRI or CNI may require updating that component before the kubelet. | ||
| --> | ||
|
|
||
| ## Production Readiness Review Questionnaire |
|
|
||
| - Update the CRI socket annotation on Node object to be the latest | ||
|
|
||
| ## Proposal |
There was a problem hiding this comment.
I add two proposals here.
- respect a list of configuration in local kubelet configuration, and in v1.27, CRI socket is the only one
- introduce a
/var/lib/kubelet/kubeadm-config.yamlto maintain node specific configuration
I add a feature gate for the proposal 2.
|
|
||
| - Remove the use of CRI socket annotation on Node object | ||
| - For node customized kubelet configuration, it can be saved locally on disk with file path | ||
| `/var/lib/kubelet/kubeadm-config.yaml` and we will prioritize respecting the local |
There was a problem hiding this comment.
it's one of the ways of doing it. we need to be careful and make sure this host / instance config does not cause issues for us in the future.
perhaps we can avoid it, and just parse the cri value from the existing config.yaml on upgrade. like i proposed on the linked issue.
There was a problem hiding this comment.
Yes, this may be safer for cri-socket only. Probably, I should use your proposal here as this KEP only covers the cri-socket.
I wondered if we need to add such a file for other node-customized kubelet configurations.
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
pacoxu
force-pushed
the
no-cri-socket-annotation
branch
from
ed6d2ea
to
c77f42d
Compare
pacoxu
changed the title
k8s-ci-robot
added
the
do-not-merge/work-in-progress
| "init upload-config" phase in Kubeadm. This annotation is used to specify the CRI | ||
| socket endpoint used by the kubelet on each node for communication with the container | ||
| runtime. Instead of relying on this annotation, the proposal suggests using a global | ||
| kubelet configuration with a CRI socket specified, as well as providing the ability to |
There was a problem hiding this comment.
Does the "global" kubelet config goes to a sub-struct of ClusterConfiguration? there is no such configmap when you bootstrap a cluster with kubeadm init...
There was a problem hiding this comment.
For the global kubelet config here, it means kubectl get cm -n kube-system kubelet-config. There is no global setting in ClusterConfiguration.
For init and join process
- The cri-socket can be set in
NodeRegistrationOptions.containerRuntimeEndpointinInitConfigurationorJoinConfiguration. - Or you can override it with
--cri-socket.
| socket endpoint used by the kubelet on each node for communication with the container | ||
| runtime. Instead of relying on this annotation, the proposal suggests using a global | ||
| kubelet configuration with a CRI socket specified, as well as providing the ability to | ||
| override this configuration during kubeadm join using the --config flag. This would |
There was a problem hiding this comment.
If this global config is something embedded in clusterCfg instead of configmap, how do you override this config? each node maintains one for itself? or you want to maintain a map in such global config to track different config for each node?
There was a problem hiding this comment.
If this global config is something embedded in clusterCfg instead of configmap, how do you override this config?
For upgradation, the global config is in kubelet-config configmap and will not be override by clusterCfg.
For init/join, it will respect (1) the cri-socket flag, (2) the NodeRegistrationOptions.containerRuntimeEndpoint in InitConfiguration or JoinConfiguration.
In kubelet-config configmap, there can be a global one. There are two proposals here.
- Proposal 1: If containerRuntimeEndpoint is in the node specific list, we will take it from node first and skip the global one. For this proposal, containerRuntimeEndpoint in global will not be used as the containerRuntimeEndpoint has default value and is always set during init or join.
- Proposal 2: We will take the one from /var/lib/kubelet/kubeadm-config.yaml at first, if there is no containerRuntimeEndpoint in /var/lib/kubelet/kubeadm-config.yaml, the global one will take effect.
each node maintains one for itself?
containerRuntimeEndpoint in kubelet configuration after v1.27 has a default value and is always set during init or join.
--container-runtime-endpoint string The endpoint of container runtime service. Unix Domain Sockets are supported on Linux, while npipe and tcp endpoints are supported on Windows. Examples:'unix:///path/to/runtime.sock', 'npipe:////./pipe/runtime' (default "unix:///run/containerd/containerd.sock") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
The flag is like above.
or you want to maintain a map in such global config to track different config for each node?
No.
| kubeadm also download the kubelet configuration from configmap and replace the `containerRuntimeEndpoint` and | ||
| `imageServiceEndpoint`(This maybe empty and I prefer to respect it as well) with the local configuration. | ||
|
|
||
| A node-specific kubelet configuration list should be maintained in kubeadm code. |
There was a problem hiding this comment.
Can you pls elaborate a little bit? How the node-specific config maintained in the kubeadm code?
There was a problem hiding this comment.
I mean that we can maintain it in cmd/kubeadm/app/constants/constants.go or somewhere.
nodeSpecificKubeletConfigurations = map[string]string{
"containerRuntimeEndpoint": "the endpoint of container runtime service",
"imageServiceEndpoint": "the endpoint of container image service",
"providerID": "sets the unique ID of the instance that an external provider",
}
The list can be extended and I am not sure if the list should be modified by a user in a global config nodeSpecificKubeletConfiugrations, which means a new array in ClusterConfiguration. The default values can be containerRuntimeEndpoint and imageServiceEndpoint.
There was a problem hiding this comment.
i think we can take the patches approach - any locally stored config file can act as a patch over the config from kubelet-config cm. but we may only consider some fields from the kubeletconfiguration v1beta1. this becomes tricky when v1beta1 is replaced by e.g. v1
There was a problem hiding this comment.
any locally stored config file can act as a patch over the config from kubelet-config cm
this can also be tricky in some circumstances where we don't want to patch a field e.g. during upgrade, but hopefully it's not an issue
There was a problem hiding this comment.
If we use the --patches feature here to add a default patch dir on node, this can be done in this way.
However, if users want to specify a new patch dir, he has to merge the default patch files or content to the new one. That would be a little weird.
There was a problem hiding this comment.
i meant a generic patches approach where a local config file overrides the global config downloaded from the cm. not the --patches feature.
this local file must be stored somewhere. perhaps in the same dir as config.yaml, but called config-instance.yaml. IMO it has a number of tricky aspects that need to be covered in the design doc for init, join, upgrade.
|
|
||
| ### Proposal 1: respect a list of configuration in local kubelet configuration, and in v1.27, CRI socket is the only one | ||
|
|
||
| During `kubeadm ugprade`, kubeadm will read the local kubelet configuration in `/var/lib/kubelet/config.yaml`. |
There was a problem hiding this comment.
Does the config file here support to config the containerRuntimeEndpoint? I tried to bootstrap a cluster with --cri-socket option, but this config is not persistented in the /var/lib/kubelet/config.yaml. If the endpoint is already supported to config in kubelet config file, then this is the logic we should update.
There was a problem hiding this comment.
Does the config file here support to config the
containerRuntimeEndpoint? I tried to bootstrap a cluster with--cri-socketoption, but this config is not persistented in the/var/lib/kubelet/config.yaml. If the endpoint is already supported to config in kubelet config file, then this is the logic we should update.
containerRuntimeEndpoint is added in v1.27. In the past and also v1.27, we are using the --container-runtime-endpoint in /var/lib/kubelet/kubeadm-flags.env.
- Before v1.27, it cannot be added in the kubeletConfiguration.
- And also, we saved the cri-socket in the annotation, and that is why we don't have to read and parse
/var/lib/kubelet/kubeadm-flags.envhere.
If we start the process that not using cri-socket annotation in v1.28, we set it in the /var/lib/kubelet/config.yaml.
Then the flag in /var/lib/kubelet/kubeadm-flags.env can be cleaned. (This should be mentioned in this KEP. I will update it.)
pacoxu
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: pacoxu The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
size/L
pacoxu
force-pushed
the
no-cri-socket-annotation
branch
2 times, most recently
from
25d2632
to
65f4668
Compare
pacoxu
force-pushed
the
no-cri-socket-annotation
branch
from
65f4668
to
5d9d3dc
Compare
pacoxu
force-pushed
the
no-cri-socket-annotation
branch
from
4a59ebb
to
1ef87c8
Compare
pacoxu
force-pushed
the
no-cri-socket-annotation
branch
from
1ef87c8
to
1bb9613
Compare
There was a problem hiding this comment.
@pacoxu are there any blockers / concerns or can this KEP work proceed with an implementation POC PR?
if we have an alpha FG + tests we can establish if the change will work as expected. this feels like the safest route.
also, can we target .28?
i need to re-read the whole KEP again.
|
Of course, I will start to working on a demo PR this week or next. I think there is no blocker. |
ok, i didn't see a feature gate in the kep. imo, we should use it as the user controlled switch. e.g. NodeLocalCRISocket |
|
https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/3983-drop-in-configuration We may alter to use it then. #3983 is beta in v1.29. |
i am generally -1 (but we can discuss it), since it implies a mechanism for systemd like drop-ins. i believe i commented on that KEP, already. |
Yes. I must miss that 🤣
I still cannot decide on it. Is the new drop-in a better solution than the current kubeadm way? let's keep it as is until the direction is clear and beyond doubt. |
here are my comments on the KEP PR |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
k8s-ci-robot
added
the
lifecycle/stale
Above is @neolit123 your proposal in comment here https://github.com/kubernetes/enhancements/pull/3930/files#r1177682829. I prefer this solution. BTW, |
|
/close |
|
@neolit123: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/cc @neolit123 @SataQiu @chendave @RA489