-
Notifications
You must be signed in to change notification settings - Fork 715
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make components on control-plane nodes point to the local API server endpoint #2271
Comments
first PR is here: kubernetes/kubernetes#94398 |
we spoke about the kubelet.conf in the office hours today:
i'm going to experiment and see how it goes, but this cannot be backported to older releases as it is a breaking change to phase users. |
This breaks the rules, the |
can you clarify with examples? |
@jdef added a note that that some comments were left invalid after the recent change: this should be fixed in master. |
some else added a comment on kubernetes/kubernetes#94398
this validation should be turned into a warning instead of an error. then components would fail if they don't point to a valid API server, so the user would know. |
you could see this doc https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/high-availability/#steps-for-the-first-control-plane-node
|
i do know about that doc. are you saying that using "DNS-name:port" is completely broken now for you? what error output are you seeing? |
yes, please. this just bit us when testing a workaround in a pre-1.19.1 cluster whereby we tried manually updating |
yes, if you want to deploy a HA cluster, it is best to set |
what error are you getting? |
I add some code for the log print, this is the error
|
ok, so you have the same error as the user reporting above. we can fix this for 1.19.2 one workaround is:
|
Both kube-scheduler and kube-controller-manager can use localhost and loadblance to connect to kube-apiserver, but users cannot be forced to use localhost, and warnning can be used instead of error |
@neolit123 I'm +1 to relax the checks on the address in the existing kubeconfig file. |
@neolit123 here is the example. i just edit to add log print.
use method
|
i will send the PR in the next couple of days. |
fix for 1.19.2 is here: |
to further summarize what is happening. after the changes above, kubeadm will no longer error out if the server URL in custom provided kubeconfig files does not match the expected one. it will only show a warning. example:
|
1.19.2 is already out. So this fix will target 1.19.3, yes? |
Indeed, they pushed it out 2 days ago. Should be out with 1.19.3 then.
|
thanks for all the work on this @chrischdi we should probably talk more about it in the kubeadm office hours this week.
given a FG was suggested and given it's a complex change, that is 1) breaking for users that anticipate a certain kubeadm phase order, and also 2) needs tests - i guess we need a KEP. @pacoxu @SataQiu WDYT about this overall? my vote is +1, but i hope we don't break users in ways that cannot be recoverable. if we agree on a KEP and a way forward you can omit the PRR (prod readiness review) as it's a non-target for kubeadm. |
During joining a new control-plane node, in the step of new It sounds like doable. For upgrade progress, should we add logic for kubelet config to point to localhost? |
I think I lack context on what "hairpin mode LB" is :-)
Yes, in the targeted implementation, kubelet starts already, but cannot yet join the cluster (because the referenced kube-apiserver will not get healthy unless etcd is started and joined the cluster). |
i think the CAPZ and the Azure LB were affected: if we agree that this needs a KEP it can cover what problems we are trying to solve. |
Yup, Azure is the most affected here, where traffic outbound to a LB that points back to a host making the request will have the traffic dropped (looks like a hairpin). |
we spoke with @chrischdi about his proposal at the kubeadm meeting today (Wed 31st January 2024 - 9am PT) @SataQiu @pacoxu i proposed that we should have a new feature gate for this. also a KEP, so that we can decide on some of the implementation details. please, LMK if you think a KEP is not needed, or if you have other comments at this stage. |
A KEP would help to track it and FG is needed.
|
we haven't been tracking kubeadm KEPs with release team for a number of releases. https://github.com/kubernetes/sig-release/tree/master/releases/release-1.30 |
@chrischdi do you plan to promote this to beta in v1.32? |
If we agree on that, I'm happy to. We're already started using this feature gate in CAPI for v1.31 clusters because otherwise upgrades to v1.31 are broken due to violating the kubernetes version skew! |
+1 |
@neolit123 : if I am right: code-freeze would be at 8th November 2024. For graduating this to Beta the following was noted on the KEP as TODO:
Due to upcoming PTO, I'm not sure if I am able to make this work for code freeze so to be realistic we may need to move this to 1.33 instead. WDYT? |
Note: the feature itself already showed its value in CAPI and helps to not violate the version skew policy there! |
i will move it to 1.33 @chrischdi
this part is covered by CAPI since it enabled it by default, i guess. |
I'd say yes. |
in CAPI immutable upgrades we saw a problem where a 1.19 joining node cannot bootstrap, if a 1.19 KCM takes leadership and tries to send a CSR to a 1.18 API server on an existing Node. this happens because in 1.19 the CSR API graduated to v1 and a KCM is supposed to talk to a N or N+1 API server only.
a better explanation here:
https://kubernetes.slack.com/archives/C8TSNPY4T/p1598907959059100?thread_ts=1598899864.038100&cid=C8TSNPY4T
PR for 1.20: kubeadm: make the scheduler and KCM connect to the local API endpoint kubernetes#94398
PR for 1.19: Automated cherry pick of #94398: kubeadm: make the scheduler and KCM connect to local endpoint kubernetes#94442
make components on control-plane nodes point to the local API server endpoint #2271 (comment)
kubeadm: relax the validation of kubeconfig server URLs kubernetes#94816
optionally we should see if we can make the kubelet on control-plane Nodes bootstrap via the local API server instead of using the CPE. this might be a bit tricky and needs investigation. we could at least post-fix the kubelet.conf to point to the local API server after the bootstrap has finished.
see kubernetes/kubernetes#80774 for a related discussion
this change requires a more detailed plan, a feature gate and a KEP
1.31
KEP:
(adds the ControlPlaneKubeletLocalMode FG)
k/k PRs:
k/website PR:
e2e test:
1.32
TODO. Move the FG to beta?
The text was updated successfully, but these errors were encountered: