-
Notifications
You must be signed in to change notification settings - Fork 40.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Move kubelet flag generation from the node to the client #60020
Move kubelet flag generation from the node to the client #60020
Conversation
/hold holding this PR while I prepare the corresponding changes in GKE. But wanted to get it out so that the reviewers could verify the approach. Here are the contents of the
The contents at head have a few extra spaces between arguments, but a |
/test pull-kubernetes-e2e-kops-aws |
3b09e6d
to
62a74c7
Compare
how many names does it take us to configure a single thing lol |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I had a few comments so far, but I'm wondering if it wouldn't be easier to just provide a toggle for generating the flags in cluster/gce/gci/configure-helper.sh
. Then GKE can just pass GENERATE_KUBELET_ARGS=false
and KUBELET_ARGS=args,args,args
, and we don't have as much risk of breaking folks.
One thing I'm really not clear on is what guarantees we, as OSS maintainers, are supposed to provide around these scripts, with regard to third parties that may have built on top of them. Should we be afraid of breaking anyone who has built custom init scripts for their custom os image that they run in a custom GCE cluster on top of the idea that they'll get a stable kube-env across Kubernetes versions?
cluster/gce/gci/configure-helper.sh
Outdated
@@ -1090,8 +1090,8 @@ EOF | |||
function start-kubelet { | |||
echo "Start kubelet" | |||
|
|||
local -r kubelet_cert_dir="/var/lib/kubelet/pki/" | |||
mkdir -p "${kubelet_cert_dir}" | |||
# TODO(mtaufen): The kubelet should create the cert-dir directory if it doesn't exist |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
better to file an issue and include the issue number in the TODO, e.g. # TODO(#issuenum): text
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sgtm. #60123
cluster/gce/gci/configure-helper.sh
Outdated
local -r kubelet_cert_dir="/var/lib/kubelet/pki/" | ||
mkdir -p "${kubelet_cert_dir}" | ||
# TODO(mtaufen): The kubelet should create the cert-dir directory if it doesn't exist | ||
mkdir -p /var/lib/kubelet/pki/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice simplification
flags+=" --experimental-mounter-path=/home/kubernetes/containerized_mounter/mounter" | ||
flags+=" --experimental-check-node-capabilities-before-mount=true" | ||
# Keep in sync with the mkdir command in configure-helper.sh (until the TODO is resolved) | ||
flags+=" --cert-dir=/var/lib/kubelet/pki/" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍
flags+=" --cluster-dns=${DNS_SERVER_IP}" | ||
flags+=" --cluster-domain=${DNS_DOMAIN}" | ||
flags+=" --pod-manifest-path=/etc/kubernetes/manifests" | ||
# Keep in sync with CONTAINERIZED_MOUNTER_HOME in configure-helper.sh |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we have a concept like KUBE_HOME in scope that we could use to compute CONTAINERIZED_MOUNTER_HOME?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
configure-helper.sh defines $KUBE_HOME
statically as /home/kubernetes
. It isn't dynamically configurable, so there's no variable here that gets passed via the kube-env onto the kubelet to instruct the startup script to put the mounter into a configurable location.
cluster/gce/util.sh
Outdated
# Keep in sync with the mkdir command in configure-helper.sh (until the TODO is resolved) | ||
flags+=" --cert-dir=/var/lib/kubelet/pki/" | ||
|
||
# TODO(mtaufen): KUBELET_PORT looks unused; delete it? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What calls into test/kubemark/resources/start-kubemark-master.sh
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks like the startup script for kubemark on GCE:
kubernetes/test/kubemark/gce/util.sh
Line 71 in 4a6fec7
--metadata-from-file startup-script="${KUBE_ROOT}/test/kubemark/resources/start-kubemark-master.sh" |
But I can't see anywhere that the var gets changed there either. Maybe it can be removed from both places?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It should be fine to remove. I didn't find any occurrences of KUBELET_PORT
in test-infra either, so I don't think any test jobs are configuring it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
removed.
flags+=" --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig" | ||
flags+=" --register-schedulable=false" | ||
else | ||
# Note: Standalone mode is used by GKE |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nice update to this comment
flags+=" --hairpin-mode=${HAIRPIN_MODE}" | ||
fi | ||
# Keep client-ca-file in sync with CA_CERT_BUNDLE_PATH in configure-helper.sh | ||
flags+=" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/srv/kubernetes/pki/ca-certificates.crt" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
All this path hardcoding, when it was previously computed on the node, makes me a little nervous.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Most of it wasn't "computed" in the sense that it was dynamic. It was concatenated based on fixed strings. The notes here are to make sure we keep the fixed strings in sync between the flags and the on-node file.
As you move us to dynamic kubelet config, we should be trying to get rid of as much of the start up script as we can (e.g. the create-dir mkdir call) and make the kubelet more self sufficient. That should reduce the duplication of constants between the files.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
sounds good
62a74c7
to
2265d18
Compare
kube-env was never meant to be a stable interface. It's a way to plumb some state into the nodes to parameterize the startup script, which is primarily used because we wanted to run e2e tests in a wide variety of configurations. If you are concerned about compatibility we can add a release note to the PR to warn folks that may have been depending on the values in kube-env that they are going to be slightly reduced in 1.10 (although if we go this route I hope we have the same release note in every version going forward until kube-env no longer exists, since we should be replacing it with portable configuration mechanisms rather than proliferating a GCP/GKE bespoke solution). |
I'd like a release note to communicate that this was never supposed to be a stable interface, and that it's going away in favor of more portable mechanisms. I agree that we should have this release note on every release until kube-env is gone. |
/retest |
I've added a release note; ptal. |
In the release note, swap |
fea538c
to
bc4b178
Compare
Volume plugin dir changes LGTM |
pass the kubelet flags through a new variable in kube-env (KUBELET_ARGS). Remove vars from kube-env that were only used for kubelet flags. This will make it simpler to gradually migrate to dynamic kubelet config, because we can gradually replace flags with config file options in a single place without worrying about the plumbing to move variables from the client onto the node.
bc4b178
to
fe10c27
Compare
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mtaufen, roberthbailey The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
GKE test for this PR should start passing around 7:30pm, when GKE-side changes are picked up. |
/test pull-kubernetes-e2e-gke |
/unhold |
/hold cancel |
Automatic merge from submit-queue (batch tested with PRs 59310, 60424, 60308, 60436, 60020). If you want to cherry-pick this change to another branch, please follow the instructions here. |
cc @MaciekPytel |
This is the second part of the fix in kubernetes/kubernetes#61119 This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes/kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees.
This is the second part of the fix in kubernetes/kubernetes#61119 This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes/kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees.
This is the second part of the fix in kubernetes/kubernetes#61119 This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes/kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees.
This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees.
This is the second part of the fix in kubernetes/kubernetes#61119 This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes/kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees.
This is the second part of the fix in kubernetes/kubernetes#61119 This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes/kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees.
Automatic merge from submit-queue (batch tested with PRs 61284, 61119, 61201). If you want to cherry-pick this change to another branch, please follow the instructions <a href="/~https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add AUTOSCALER_ENV_VARS to kube-env to hotfix cluster autoscaler This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees. This is the first half of the fix; the other half is that cluster autoscaler needs to be modified to read from AUTOSCALER_ENV_VARS, if it is available. Since cluster autoscaler was also reading KUBELET_TEST_ARGS for the kube-reserved flag, and we don't want to resurrect KUBELET_TEST_ARGS in kube-env, we opted to create AUTOSCALER_ENV_VARS instead of just adding back the old env vars. This also makes it clear that we have an ugly dependency on kube-env. ```release-note NONE ```
This provides a temporary way for the cluster autoscaler to get at values that were removed from kube-env in kubernetes#60020. Ideally this information will eventually be available via e.g. the Cluster API, because kube-env is an internal interface that carries no stability guarantees.
Pass the kubelet flags through a new variable in kube-env (KUBELET_ARGS).
Remove vars from kube-env that were only used for kubelet flags.
This will make it simpler to gradually migrate to dynamic kubelet
config, because we can gradually replace flags with config file
options in a single place without worrying about the plumbing to
move variables from the client onto the node.
/cc @verult (re: #58171)
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)
format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Release note: