KEP-3983: Add support for a drop-in kubelet configuration directory #4031
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-ci-robot
added
the
kind/kep
k8s-ci-robot
added
the
sig/node
|
Welcome @yuqi-zhang! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @yuqi-zhang. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
size/L
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
yuqi-zhang
force-pushed
the
3893-kubelet-dropin
branch
from
c8c6c97
to
dc98aac
Compare
|
/cc |
|
|
||
|
|
||
| 1. If no other configuration for the subfield(s) exist, append to the base configuration | ||
| 2. If the subfield(s) exists in the base configuration at `/etc/kubernetes/kubelet.conf` file or another file in `/etc/kubernetes/kubelet.conf.d` with lesser alphanumeric ordering, overwrite it |
There was a problem hiding this comment.
Are you planning to add a --config-dir or similar flag to specify the directory? Also, AFAIU there currently is no default kubelet config file path like /etc/kubernetes/kubelet.conf, are you planning to specify a default for that (changing the current default behavior)?
There was a problem hiding this comment.
I would say the behavior should mirror that of the configuration file, which looks like there's no flag for it, but there is a default
There was a problem hiding this comment.
oop, I seem to have missed the glaringly obvious --config option, so yeah there should be a --config-dir option I think
There was a problem hiding this comment.
There is --config for specifying the kubelet config file but that's empty by default IIRC
There was a problem hiding this comment.
Thanks for the discussion! So as far as I understand, there's:
- the kubelet.conf file generated with default configuration: https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/kubelet-integration/
- the additional customizations you can make with a kubeletconfig file, passed via the flag: https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/
So in the base case with no additional specifications (which this enhancement wouldn't change) you would end up with the configurations in /etc/kubernetes/kubelet.conf
I can update the enhancement to allow specification of a configuration directory. One question I would have is, if you were to specify both config-dir and config flags, should those have a priority order?
Let me know if my assumptions are wrong anywhere, thanks!
There was a problem hiding this comment.
I think the --config and --config-dir options would be a drop-in replacement for the priority of the defaults. for instance, if --config-dir is specified, the order goes:
default config -> --config-dir files
if --config is specified, then
--config -> default config dir files
| 1. If no other configuration for the subfield(s) exist, append to the base configuration | ||
| 2. If the subfield(s) exists in the base configuration at `/etc/kubernetes/kubelet.conf` file or another file in `/etc/kubernetes/kubelet.conf.d` with lesser alphanumeric ordering, overwrite it | ||
|
|
||
| * If the subfield(s) exist as a list, overwrite instead of attempting to merge. This makes it easier to delete items from lists defined in the base kubelet.conf or other drop-ins without having to modify other files. |
There was a problem hiding this comment.
What are considered as subfields?
E.g. consider the following config snippet, what and how would the drop-in config able to modify?
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crtThere was a problem hiding this comment.
I would say a drop in should be able to modify any individual member:
authentication:
x509
clientCAFile: file
and not specify the rest.
There was a problem hiding this comment.
i.e: any leaf of the configuration struct and the parent structures above should be modifiable
There was a problem hiding this comment.
Would it be better to talk about merging the configs instead of overwriting then?
And in the case above all other possible sub-fields under x509 would be unmodified(?)
There was a problem hiding this comment.
I suppose so, though merging implies we concatonate slices which is what this point is about. I am not so sure how to describe succinctly: merging structures but overwriting leaf fields?
There was a problem hiding this comment.
Yes, so, I think the proposed outcome would be, if you already had:
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: /etc/kubernetes/pki/ca.crt
and then a dropin to specify
authentication:
x509
clientCAFile: /some/new/location
We would end up with
authentication:
anonymous:
enabled: false
webhook:
enabled: true
x509:
clientCAFile: some/new/location
and keep the other bits unchanged
There was a problem hiding this comment.
for the record, kubeadm implements a high level node specific kubelet configuration via patches:
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/#kubelet
it uses the approach of a global kubeletconfiguration that is patched incrementally with a directory of alpha numeric patches per node.
if the feature of this kep lands and if kubeadm users configure --config-dir there will a precedence of:
global --config file, --patches files, --config-dir files
effectively, kubeadm users will not need this additional layer, but they can opt in, in case they prefer the inbound merging methods.
another major difference would be that the kubelet --config-dir can contain files managed by different processes like the kep mentions and potentially reconfiguring the kubelet more dynamically, while kubeadm does a patching mutation over a single --config file per kubeadm invocation.
long term, what would you think about kubeadm moving from patching the one file to adding drop-in files? I could see it as a way to reduce the code kubeadm maintains and simplify the flow of configuration management |
| * Extend API machinery code to reconcile multiple configuration files. | ||
| * Define Kubernetes best-practices for configuration definitions, similarly to [API conventions](https://github.com/kubernetes/community/blob/master/contributors/devel/sig-architecture/api-conventions.md). | ||
|
|
||
| ### Non-Goals |
There was a problem hiding this comment.
is it a goal or non-goal to dynamically reconfig a running kubelet if the contents of --config-dir change? that comes with some interesting complications.
the drop in pattern normally requires a service restart, afaik. maybe this should be stated in the kep (i may have missed it).
There was a problem hiding this comment.
non-goal I'd say, I think we're generally moving away from dynamic kubelet config
There was a problem hiding this comment.
We did consider some cases in sig-node for dynamically supporting changes but it can be done in a follow on KEP for explicit specific knobs separate from this.
the patching boiler plate in kubeadm is already in place for allowing node instance specific control plane component options. this is stated as a non goal for this kep. effectively the cost of the kubeadm kubeletconfiguration patch target is fairly minimal, yet it's already widely used. i don't see any harm allowing this next to --config-dir, but users must know how to track where option foo is coming from. i see --config-dir as the more flexible alternative for non kubeadm clusters. |
|
Based on the discussion, made some changes to:
The changes were made as a separate commit for reading convenience, will squash if the changes are ok cc @haircommander |
| @@ -63,7 +63,7 @@ Items marked with (R) are required *prior to targeting to a milestone / release* | |||
|
|
|||
| ## Summary | |||
|
|
|||
| Add support for a drop-in configuration directory for the Kubelet. This directory will be in `/etc/kubernetes/kubelet.conf.d` and configuration files will be processed in alphanumeric order. Establishment of conventions for configuration processing will be done, and further work can be done to add this support for other components. | |||
| Add support for a drop-in configuration directory for the Kubelet. This directory can be specified via a "--config-dir" flag, and configuration files will be processed in alphanumeric order. Establishment of conventions for configuration processing will be done, and further work can be done to add this support for other components. | |||
There was a problem hiding this comment.
nit: somewhere we should establish the default for the flag will be /etc/kubernetes/kubelet.conf.d
There was a problem hiding this comment.
Or do we want to follow the same convention as for --config (empty by default) so that if --config-dir is not specified drop-in support is disabled?
There was a problem hiding this comment.
ah good point, then we should mention that
There was a problem hiding this comment.
Or do we want to follow the same convention as for
--config(empty by default) so that if--config-diris not specified drop-in support is disabled?
+1 to align with --config defaults
yuqi-zhang
force-pushed
the
3893-kubelet-dropin
branch
2 times, most recently
from
dd75e42
to
14a2686
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
| # of http://git.k8s.io/enhancements/OWNERS_ALIASES | ||
| kep-number: 3983 | ||
| alpha: | ||
| approver: "@deads2k" |
There was a problem hiding this comment.
@johnbelamaric if you have the time.
yuqi-zhang
force-pushed
the
3893-kubelet-dropin
branch
from
f9b00c1
to
975b6bc
Compare
k8s-ci-robot
removed
the
lgtm
|
Added @johnbelamaric as PRR approver, and snuck in the goals fix alongside |
|
|
||
| ###### How can this feature be enabled / disabled in a live cluster? | ||
|
|
||
| There will be no feature gate. On a live cluster, admins can disable by removing the flag. |
There was a problem hiding this comment.
This isn't really sufficient. We should have a feature gate. I know that sounds crazy. But requiring the user to enable a feature gate in addition to the flag forces them to acknowledge that they know they are using an alpha feature. In other words, it prevents accidental use of an alpha feature.
| # of http://git.k8s.io/enhancements/OWNERS_ALIASES | ||
| kep-number: 3983 | ||
| alpha: | ||
| approver: "@deads2k" |
|
|
||
| ###### How can an operator determine if the feature is in use by workloads? | ||
|
|
||
| Kubelet version |
There was a problem hiding this comment.
A better answer would be:
Workloads do not directly consume this feature, it is for cluster admins during kubelet configuration.
On the other hand, is there a metric or flag that would tell a cluster operator whether kubelet has this flag enabled anywhere? I believe @logicalhan added an automatic metric for feature gates, not sure if it works on each component but I think so. That would be sufficient (once you implement the feature gate).
|
|
||
| ###### How can someone using this feature know that it is working for their instance? | ||
|
|
||
| Kubelet version gathered from API server |
There was a problem hiding this comment.
That doesn't tell anyone anything other than that the kubelet installed has the feature. It doesn't say if it is in use, or working. Is there a log entry or something that says where the config was read from?
yuqi-zhang
force-pushed
the
3893-kubelet-dropin
branch
from
975b6bc
to
296e9c0
Compare
|
Thanks for the feedback! Added a featuregate to the KEP on top of the CLI flag. Also assigned to you @johnbelamaric Edit: oh whoops wrong file, sorry, updated |
yuqi-zhang
force-pushed
the
3893-kubelet-dropin
branch
from
296e9c0
to
483c11b
Compare
|
|
||
| ###### How can this feature be enabled / disabled in a live cluster? | ||
|
|
||
| - [ ] Feature gate |
|
|
||
| ###### Can the feature be disabled once it has been enabled (i.e. can we roll back the enablement)? | ||
|
|
||
| Yes. Roll back and remove the `--config-dir` flag from the kubelet's CLI. |
|
|
||
| ###### What happens if we reenable the feature if it was previously rolled back? | ||
|
|
||
| This feature will be re-enabled via adding back the `--config-dir` flag to the CLI, as mentioned above. |
|
|
||
| ###### Were upgrade and rollback tested? Was the upgrade->downgrade->upgrade path tested? | ||
|
|
||
| Not specifically |
There was a problem hiding this comment.
I would say something like: "The feature does not persist any data and so the upgrade->downgrade->upgrade path is not special."
|
|
||
| ###### How can an operator determine if the feature is in use by workloads? | ||
|
|
||
| Workloads do not directly consume this feature, it is for cluster admins during kubelet configuration. |
There was a problem hiding this comment.
However, administrators can check the kubelet feature flag metric xxxx to see if it is enabled on a node.
You'll have to look up what that is called...
There was a problem hiding this comment.
I think you're referring to https://kubernetes.io/docs/reference/instrumentation/metrics/#list-of-alpha-kubernetes-metrics ->
kubernetes_feature_enabled | ALPHA | Gauge | This metric records the data about the stage and enablement of a k8s feature.
The flag itself is in alpha, does that affect anything?
There was a problem hiding this comment.
I don't think so. I think that is more for users to know the deprecation lifecycle of the metric. @logicalhan ?
There was a problem hiding this comment.
We're going to promote this soon.
yuqi-zhang
force-pushed
the
3893-kubelet-dropin
branch
from
483c11b
to
8069da5
Compare
|
Updated all the points. Added a question above regarding the metric |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: johnbelamaric, mrunalp, yuqi-zhang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/lgtm |
1 similar comment
|
/lgtm |
k8s-ci-robot
added
the
lgtm
One-line PR description: Initial KEP for adding support for a drop-in kubelet configuration directory
Issue link: Add support for a drop-in kubelet configuration directory #3983
Other comments: