kube_proxy_and_dns: add role that runs standalone kube-proxy and DNS#9621
dc7c79e to 0fe2381
This PR (and fixes from #9435) seem to fix Calico on 3.11. Could you resubmit it for master as well?
@vrutkovs Yes, I can do that as well. The immediate issue we had was lack of kube-proxy in 3.10 due to the daemonset requirements, hence the 3.10 submission as the first pass. I'd like to get some comments on it too; are you able to test this PR out and verify that it correctly starts the kube-proxy daemonset on calico nodes?
@dcbw yep, kube-proxy daemonset started and calico worked fine (with several fixes from #9435 - would be great if you could have a look at those if possible). Haven't tried other custom SDNs. Ansible part looks great, let's have another lgtm about the approach and we'll merge this. I wonder if running kube-proxy in a daemonset would change the metrics fix in #9592?
spuranam left a comment
It's best not to hardcode the version; instead, something like this should do the trick: s/v3.10/${version}/
| apiVersion: image.openshift.io/v1 | ||
| kind: ImageStreamTag | ||
| metadata: | ||
| name: node:v3.10 |
It's best not to hardcode the version; instead, something like this should do the trick: s/v3.10/${version}/
This is a name of the imagestream, it needs to be hardcoded so that an upgraded cluster would have several imagestreams for major versions
Yeah, for a PR against 'git master' I would expect the tag to be different, but I was just copying what some of the existing ImageStream tags already were thus "v3.10"
| reference: true | ||
| from: | ||
| kind: DockerImage | ||
| name: openshift/node:v3.10.0 |
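Review bot: `name: openshift/node:v3.10.0` under `from:` names the image by tag and without a registry host, so what it resolves to depends on how the unqualified name is looked up and on whatever that tag points to when it is imported. It is also fixed at the `v3.10.0` patch level while the ImageStreamTag above is `node:v3.10`; if the intent is to follow 3.10 point releases, a comment saying so (or a matching tag) would help, and where reproducibility matters a fully qualified name with a digest is the safer reference.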
It's best not to hardcode the version; instead, something like this should do the trick: s/v3.10/${version}/
| This daemonset launches kube-proxy. | ||
| image.openshift.io/triggers: | | ||
| [ | ||
| {"from":{"kind":"ImageStreamTag","name":"node:v3.10"},"fieldPath":"spec.template.spec.containers[?(@.name==\"proxy\")].image"} |
It's best not to hardcode the version; instead, something like this should do the trick: s/v3.10/${version}/
Should this use the openshift binary or the hyperkube binary? My preference would be for hyperkube.
Standalone is probably better, since this is a workaround until we ship 4.0
…On Fri, Aug 17, 2018 at 8:25 AM Casey Callendrello ***@***.***> wrote:
Should this use the openshift binary or the hyperkube binary? My
preference would be for hyperkube.
| oc config --config=/tmp/kubeconfig set-credentials sa "--token=$( cat /var/run/secrets/kubernetes.io/serviceaccount/token )" | ||
| oc config --config=/tmp/kubeconfig set-context "$( oc config --config=/tmp/kubeconfig current-context )" --user=sa | ||
| # Launch the kube-proxy process | ||
| exec openshift start network --disable=dns,plugins --enable=proxy --config=/etc/origin/node/node-config.yaml --kubeconfig=/tmp/kubeconfig --loglevel=${DEBUG_LOGLEVEL:-2} |
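Review bot: On the `set-credentials` line, the service account token is expanded into a `--token=` argument, so it appears in the process arguments while that `oc config` call runs, and it is then stored in /tmp/kubeconfig with whatever mode the default umask gives. Consider setting `umask 077` before the first write to /tmp/kubeconfig, and add a comment that the file holds a copy of the token read once at start-up, before the `exec`. Separately, `--loglevel=${DEBUG_LOGLEVEL:-2}` on the `exec` line is unquoted; quoting it avoids word splitting if the variable is ever set to a value containing whitespace.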
You might want to "--enable=dns", otherwise cluster internal service lookups may not work.
@kprabhak yes, good point, which brings up the question: does everyone who would use a standalone kube-proxy role also use the DNS, and if not, should it be individually selectable from kube-proxy?
For what it is worth, I had:
exec openshift start network --disable=plugins --enable=proxy,dns --config=/etc/origin/node/node-config.yaml --kubeconfig=/tmp/kubeconfig --loglevel=${DEBUG_LOGLEVEL:-2}
Just work for me in an install.
roles/calico/meta/main.yml
Outdated
| dependencies: | ||
| - role: openshift_facts | ||
| - role: container_runtime | ||
| - role: kube_proxy |
In the release-3.10 branch, this role dependency should go in the calico_master role. If this is still a thing going forward, we should leave this in the calico role (we will rename the roles going forward as per #9435). I made a PR for the appropriate calico fixes in the release-3.10 branch here: #9657 but this means that this role will need to be a dependency of the calico_master role instead of the calico role.
Exactly what @mgleung said, for the 3.10 release branch this should be under calico_master role.
And depend on that role in Calico.
0fe2381 to 67e911f
/retest
Looks like one PR previously merged into 3.9 but left behind in the new kube-proxy structure in 3.10 is #8099. Without this, nodePorts only work in cases where the endpoint happens to be on the same node. In 3.10, the location for roles/openshift_node/templates/node.yaml.v1.j2 appears to have changed to roles/openshift_node_group/templates/node-config.yaml.j2. I think @mgleung is working on a separate PR for this - I can confirm that nodePorts work correctly from all nodes once the following lines are added to roles/openshift_node_group/templates/node-config.yaml.j2:
Ansible code looks fine to me. Just need to make sure to forward port this.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: dcbw, sdodson
kube_proxy_and_dns: add role that runs standalone kube-proxy and DNS
/cherrypick master
@vrutkovs: new pull request created: #9878
@smarterclayton @sdodson @knobunc @squeed 3rd party plugins might depend on kube-proxy, which as of 3.10 is part of the SDN daemonset which those 3rd party plugins probably don't want to select/run. Including an ansible role for it is one option; another would be to request that each 3rd party plugin that needs kube-proxy add a container for it to their pod definition in their daemonset. Thoughts?
(also my Ansible is weak, I have no idea if this is the correct way to do it)