-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add minimumKubeletVersion #2059
add minimumKubeletVersion #2059
Conversation
Hello @haircommander! Some important instructions when contributing to openshift/api: |
Signed-off-by: Peter Hunt <[email protected]>
3786488
to
e76c711
Compare
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
/retest |
e76c711
to
0908b45
Compare
/retest |
eb53d96
to
68a03ec
Compare
905a012
to
6471c90
Compare
kubecontrolplane/v1/types.go
Outdated
@@ -62,6 +62,11 @@ type KubeAPIServerConfig struct { | |||
|
|||
// TODO this needs to be removed. | |||
APIServerArguments map[string]Arguments `json:"apiServerArguments"` | |||
|
|||
// MinimumKubeletVersion is the lowest version of a kubelet that can meaningfully join the cluster. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
s/can meaningfully join/is allowed to join/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it's allowed to join but it's blocked from doing anything meaningful in the cluster.
/retest |
// Specifically, the apiserver will deny (most) authorization requests of kubelets that are older | ||
// than the specified version. | ||
// +kubebuilder:validation:Pattern=`^[0-9]*\.[0-9]*\.[0-9]*$` | ||
// +openshift:enable:FeatureGate=MinimumKubeletVersion |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Since this field is not marked as immutable and it's optional, what happens if I change it to a version value higher than existing kubelets?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There's an admission plugin in the kube-apiserver that denies such changes https://github.com/openshift/kubernetes/pull/2104/files#diff-5c437405eeba0789e9c42802e3f36cf6bdafd59d6d5c5dbaa6b66a2e02948bd7R100-R125
something similar will be used in hypershift, but set a condition on the hosted cluster object, rather than block on admission
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ack. I think we should probably clarify somewhere that this validation on admission is by the nature of a distributed system only a best effort. Inflight operations might still result in older kubelet bypassing it if the right lucky timing takes place.
For hypershift yes the norm is signal via conditions. However for improving consumer UX we might also want to explore introducing VAP and let the current minimal kubelet be reported via vap parameter that is inferred from e.g. the HC.status.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah I can mention it in the library-go PR
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
but set a condition on the hosted cluster object, rather than block on admission
Why can't we block on admission?
@enxebre there's also openshift/library-go#1831 and openshift/cluster-kube-apiserver-operator#1754 the overarching epic is https://issues.redhat.com/browse/OCPNODE-2506. Note a number of the cards tracking these PRs are closed because they were originally scoped to drafts for the work until I got feedback and could size the time to respond |
f2a585d
to
a329290
Compare
thanks @enxebre @JoelSpeed I've updated for your comments, PTAL 🙂 |
/retest |
// Specifically, the apiserver will deny most authorization requests of kubelets that are older | ||
// than the specified version, only allowing the kubelet to get and update its node object, and perform | ||
// subjectaccessreviews. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is interesting technical detail, but, what does this mean to an end user?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
good question, I added it from @enxebre 's review, I'm not feeling too opinionated on keeping it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think Alberto's question was fair, I'm just not sure we are adding the right context
What does it look like to an end user when the kubelet is having these various authzs fail?
Does it mean pods won't schedule there? Does it mean the node goes not ready? Is the node actually still functional?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
how does
// minimumKubeletVersion is the lowest version of a kubelet that can join the cluster.
// Specifically, the apiserver will deny most authorization requests of kubelets that are older
// than the specified version, only allowing the kubelet to get and update its node object, and perform
// subjectaccessreviews.
// This means the kubelet won't be able to view API objects it's responsible for running,
// and will eventually be marked as NotReady.
work for you?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens to a running pod if this version is changed to mean then that the kubelet no longer meets the requirements? Is that possible?
Does won't be able to view API objects it's responsible for running
mean that existing pods break, or, new pods won't be able to execute?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
that should be blocked at admission: https://github.com/openshift/kubernetes/pull/2104/files#diff-5c437405eeba0789e9c42802e3f36cf6bdafd59d6d5c5dbaa6b66a2e02948bd7R117-R122
So really this will only affect new kubelets that attempt to join the cluster after the min version is in place. those kubelets won't be able to run anything
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So perhaps then we take what you had above with a slight tweak?
// This means, any kubelet that attempts to join the cluster will not be able to run any assigned workloads, and will eventually be marked as not ready.
When you say will eventually be marked not ready, surely it will never get ready, since the CNI won't be able to initialise the network right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yeah unless it manages to upgrade itself which would require manual intervetion
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated to your suggestion
865cb02
to
85078a8
Compare
Signed-off-by: Peter Hunt <[email protected]>
85078a8
to
786be86
Compare
/retest @JoelSpeed @enxebre any other thoughts? |
e8e382b
to
75510c3
Compare
/retest |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Once we have this final test case, I'm good to merge, thank you
apiVersion: config.openshift.io/v1 | ||
kind: Node | ||
spec: | ||
minimumKubeletVersion: 1.30.0 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a test that shows the empty string passes validation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done!
Signed-off-by: Peter Hunt <[email protected]>
75510c3
to
808d881
Compare
/lgtm Thanks @haircommander |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: haircommander, JoelSpeed The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@haircommander: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
04eb3fd
into
openshift:master
[ART PR BUILD NOTIFIER] Distgit: ose-cluster-config-api |
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
No description provided.