Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Move kubelet flag generation from the node to the client #60020

Merged
merged 1 commit into from
Feb 27, 2018

Conversation

roberthbailey
Copy link
Contributor

@roberthbailey roberthbailey commented Feb 18, 2018

Pass the kubelet flags through a new variable in kube-env (KUBELET_ARGS).

Remove vars from kube-env that were only used for kubelet flags.

This will make it simpler to gradually migrate to dynamic kubelet
config, because we can gradually replace flags with config file
options in a single place without worrying about the plumbing to
move variables from the client onto the node.

/cc @verult (re: #58171)

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

Special notes for your reviewer:

Release note:

action required: [GCP kube-up.sh] Some variables that were part of kube-env are no longer being set (ones only used for kubelet flags) and are being replaced by a more portable mechanism (kubelet configuration file). The individual variables in the kube-env metadata entry were never meant to be a stable interface and this release note only applies if you are depending on them.

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Feb 18, 2018
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Feb 18, 2018
@roberthbailey
Copy link
Contributor Author

/hold

holding this PR while I prepare the corresponding changes in GKE. But wanted to get it out so that the reviewers could verify the approach.

Here are the contents of the /etc/default/kubelet on the masters and nodes at head and in this patch:

$ cat head-master.txt
KUBELET_OPTS="--v=2  --allow-privileged=true --cgroup-root=/ --cloud-provider=gce --cluster-dns=10.0.0.10 --cluster-domain=cluster.local --pod-manifest-path=/etc/kubernetes/manifests --experimental-mounter-path=/home/kubernetes/containerized_mounter/mounter --experimental-check-node-capabilities-before-mount=true --cert-dir=/var/lib/kubelet/pki/  --enable-debugging-handlers=false --hairpin-mode=none --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig --register-schedulable=false --cni-bin-dir=/home/kubernetes/bin --network-plugin=kubenet --non-masquerade-cidr=0.0.0.0/0 --volume-plugin-dir=/etc/srv/kubernetes/kubelet-plugins/volume/exec --node-labels=beta.kubernetes.io/fluentd-ds-ready=true --eviction-hard=memory.available<250Mi,nodefs.available<10%,nodefs.inodesFree<5% --feature-gates=ExperimentalCriticalPodAnnotation=true --container-runtime=docker"
$ cat patched-master.txt
KUBELET_OPTS="--v=2 --allow-privileged=true --cgroup-root=/ --cloud-provider=gce --cluster-dns=10.0.0.10 --cluster-domain=cluster.local --pod-manifest-path=/etc/kubernetes/manifests --experimental-mounter-path=/home/kubernetes/containerized_mounter/mounter --experimental-check-node-capabilities-before-mount=true --cert-dir=/var/lib/kubelet/pki/ --enable-debugging-handlers=false --hairpin-mode=none --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig --register-schedulable=false --cni-bin-dir=/home/kubernetes/bin --network-plugin=kubenet --non-masquerade-cidr=0.0.0.0/0 --volume-plugin-dir=/etc/srv/kubernetes/kubelet-plugins/volume/exec --node-labels=beta.kubernetes.io/fluentd-ds-ready=true --eviction-hard=memory.available<250Mi,nodefs.available<10%,nodefs.inodesFree<5% --feature-gates=ExperimentalCriticalPodAnnotation=true --container-runtime=docker"
$ cat head-node.txt 
KUBELET_OPTS="--v=2  --allow-privileged=true --cgroup-root=/ --cloud-provider=gce --cluster-dns=10.0.0.10 --cluster-domain=cluster.local --pod-manifest-path=/etc/kubernetes/manifests --experimental-mounter-path=/home/kubernetes/containerized_mounter/mounter --experimental-check-node-capabilities-before-mount=true --cert-dir=/var/lib/kubelet/pki/  --enable-debugging-handlers=true --bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig --kubeconfig=/var/lib/kubelet/kubeconfig --hairpin-mode=promiscuous-bridge --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/srv/kubernetes/pki/ca-certificates.crt --cni-bin-dir=/home/kubernetes/bin --network-plugin=kubenet --non-masquerade-cidr=0.0.0.0/0 --volume-plugin-dir=/etc/srv/kubernetes/kubelet-plugins/volume/exec --node-labels=beta.kubernetes.io/fluentd-ds-ready=true --eviction-hard=memory.available<250Mi,nodefs.available<10%,nodefs.inodesFree<5% --feature-gates=ExperimentalCriticalPodAnnotation=true --container-runtime=docker"
$ cat patched-node.txt
KUBELET_OPTS="--v=2 --allow-privileged=true --cgroup-root=/ --cloud-provider=gce --cluster-dns=10.0.0.10 --cluster-domain=cluster.local --pod-manifest-path=/etc/kubernetes/manifests --experimental-mounter-path=/home/kubernetes/containerized_mounter/mounter --experimental-check-node-capabilities-before-mount=true --cert-dir=/var/lib/kubelet/pki/ --enable-debugging-handlers=true --bootstrap-kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig --kubeconfig=/var/lib/kubelet/kubeconfig --hairpin-mode=promiscuous-bridge --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/srv/kubernetes/pki/ca-certificates.crt --cni-bin-dir=/home/kubernetes/bin --network-plugin=kubenet --non-masquerade-cidr=0.0.0.0/0 --volume-plugin-dir=/etc/srv/kubernetes/kubelet-plugins/volume/exec --node-labels=beta.kubernetes.io/fluentd-ds-ready=true --eviction-hard=memory.available<250Mi,nodefs.available<10%,nodefs.inodesFree<5% --feature-gates=ExperimentalCriticalPodAnnotation=true --container-runtime=docker"

The contents at head have a few extra spaces between arguments, but a diff -w shows no differences.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 18, 2018
@roberthbailey
Copy link
Contributor Author

/test pull-kubernetes-e2e-kops-aws

@mtaufen
Copy link
Contributor

mtaufen commented Feb 19, 2018

KUBELET_OPTS

how many names does it take us to configure a single thing lol

Copy link
Contributor

@mtaufen mtaufen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had a few comments so far, but I'm wondering if it wouldn't be easier to just provide a toggle for generating the flags in cluster/gce/gci/configure-helper.sh. Then GKE can just pass GENERATE_KUBELET_ARGS=false and KUBELET_ARGS=args,args,args, and we don't have as much risk of breaking folks.

One thing I'm really not clear on is what guarantees we, as OSS maintainers, are supposed to provide around these scripts, with regard to third parties that may have built on top of them. Should we be afraid of breaking anyone who has built custom init scripts for their custom os image that they run in a custom GCE cluster on top of the idea that they'll get a stable kube-env across Kubernetes versions?

@@ -1090,8 +1090,8 @@ EOF
function start-kubelet {
echo "Start kubelet"

local -r kubelet_cert_dir="/var/lib/kubelet/pki/"
mkdir -p "${kubelet_cert_dir}"
# TODO(mtaufen): The kubelet should create the cert-dir directory if it doesn't exist
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

better to file an issue and include the issue number in the TODO, e.g. # TODO(#issuenum): text

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sgtm. #60123

local -r kubelet_cert_dir="/var/lib/kubelet/pki/"
mkdir -p "${kubelet_cert_dir}"
# TODO(mtaufen): The kubelet should create the cert-dir directory if it doesn't exist
mkdir -p /var/lib/kubelet/pki/
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice simplification

flags+=" --experimental-mounter-path=/home/kubernetes/containerized_mounter/mounter"
flags+=" --experimental-check-node-capabilities-before-mount=true"
# Keep in sync with the mkdir command in configure-helper.sh (until the TODO is resolved)
flags+=" --cert-dir=/var/lib/kubelet/pki/"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

flags+=" --cluster-dns=${DNS_SERVER_IP}"
flags+=" --cluster-domain=${DNS_DOMAIN}"
flags+=" --pod-manifest-path=/etc/kubernetes/manifests"
# Keep in sync with CONTAINERIZED_MOUNTER_HOME in configure-helper.sh
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do we have a concept like KUBE_HOME in scope that we could use to compute CONTAINERIZED_MOUNTER_HOME?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

configure-helper.sh defines $KUBE_HOME statically as /home/kubernetes. It isn't dynamically configurable, so there's no variable here that gets passed via the kube-env onto the kubelet to instruct the startup script to put the mounter into a configurable location.

# Keep in sync with the mkdir command in configure-helper.sh (until the TODO is resolved)
flags+=" --cert-dir=/var/lib/kubelet/pki/"

# TODO(mtaufen): KUBELET_PORT looks unused; delete it?
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What calls into test/kubemark/resources/start-kubemark-master.sh?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like the startup script for kubemark on GCE:

--metadata-from-file startup-script="${KUBE_ROOT}/test/kubemark/resources/start-kubemark-master.sh"

But I can't see anywhere that the var gets changed there either. Maybe it can be removed from both places?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It should be fine to remove. I didn't find any occurrences of KUBELET_PORT in test-infra either, so I don't think any test jobs are configuring it.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

removed.

flags+=" --kubeconfig=/var/lib/kubelet/bootstrap-kubeconfig"
flags+=" --register-schedulable=false"
else
# Note: Standalone mode is used by GKE
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice update to this comment

flags+=" --hairpin-mode=${HAIRPIN_MODE}"
fi
# Keep client-ca-file in sync with CA_CERT_BUNDLE_PATH in configure-helper.sh
flags+=" --anonymous-auth=false --authorization-mode=Webhook --client-ca-file=/etc/srv/kubernetes/pki/ca-certificates.crt"
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All this path hardcoding, when it was previously computed on the node, makes me a little nervous.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Most of it wasn't "computed" in the sense that it was dynamic. It was concatenated based on fixed strings. The notes here are to make sure we keep the fixed strings in sync between the flags and the on-node file.

As you move us to dynamic kubelet config, we should be trying to get rid of as much of the start up script as we can (e.g. the create-dir mkdir call) and make the kubelet more self sufficient. That should reduce the duplication of constants between the files.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sounds good

@roberthbailey
Copy link
Contributor Author

kube-env was never meant to be a stable interface. It's a way to plumb some state into the nodes to parameterize the startup script, which is primarily used because we wanted to run e2e tests in a wide variety of configurations.

If you are concerned about compatibility we can add a release note to the PR to warn folks that may have been depending on the values in kube-env that they are going to be slightly reduced in 1.10 (although if we go this route I hope we have the same release note in every version going forward until kube-env no longer exists, since we should be replacing it with portable configuration mechanisms rather than proliferating a GCP/GKE bespoke solution).

@mtaufen
Copy link
Contributor

mtaufen commented Feb 22, 2018

I'd like a release note to communicate that this was never supposed to be a stable interface, and that it's going away in favor of more portable mechanisms. I agree that we should have this release note on every release until kube-env is gone.

@mtaufen
Copy link
Contributor

mtaufen commented Feb 22, 2018

/retest

@k8s-ci-robot k8s-ci-robot added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Feb 22, 2018
@roberthbailey
Copy link
Contributor Author

I've added a release note; ptal.

@mtaufen
Copy link
Contributor

mtaufen commented Feb 22, 2018

In the release note, swap dynamic kubelet configuration for kubelet configuration file, they are not the same thing (the former includes the Node.Spec.ConfigSource API, and related machinery).

@roberthbailey roberthbailey force-pushed the kubelet-flags branch 2 times, most recently from fea538c to bc4b178 Compare February 23, 2018 23:12
@verult
Copy link
Contributor

verult commented Feb 25, 2018

Volume plugin dir changes LGTM

pass the kubelet flags through a new variable in kube-env
(KUBELET_ARGS).

Remove vars from kube-env that were only used for kubelet flags.

This will make it simpler to gradually migrate to dynamic kubelet
config, because we can gradually replace flags with config file
options in a single place without worrying about the plumbing to
move variables from the client onto the node.
@mtaufen
Copy link
Contributor

mtaufen commented Feb 26, 2018

/retest

@mtaufen
Copy link
Contributor

mtaufen commented Feb 26, 2018

/lgtm
remove the hold when the GKE changes merge

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Feb 26, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mtaufen, roberthbailey

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@mtaufen
Copy link
Contributor

mtaufen commented Feb 26, 2018

GKE test for this PR should start passing around 7:30pm, when GKE-side changes are picked up.

@roberthbailey
Copy link
Contributor Author

/test pull-kubernetes-e2e-gke

@roberthbailey
Copy link
Contributor Author

/unhold

@roberthbailey
Copy link
Contributor Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Feb 27, 2018
@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 59310, 60424, 60308, 60436, 60020). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 44c166c into kubernetes:master Feb 27, 2018
@aleksandra-malinowska
Copy link
Contributor

cc @MaciekPytel

mtaufen added a commit to mtaufen/autoscaler that referenced this pull request Mar 13, 2018
This is the second part of the fix in kubernetes/kubernetes#61119

This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes/kubernetes#60020.
Ideally this information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.
mtaufen added a commit to mtaufen/autoscaler that referenced this pull request Mar 13, 2018
This is the second part of the fix in kubernetes/kubernetes#61119

This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes/kubernetes#60020.
Ideally this information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.
mtaufen added a commit to mtaufen/autoscaler that referenced this pull request Mar 15, 2018
This is the second part of the fix in kubernetes/kubernetes#61119

This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes/kubernetes#60020.
Ideally this information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.
mtaufen added a commit to mtaufen/kubernetes that referenced this pull request Mar 16, 2018
This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes#60020. Ideally this
information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.
mtaufen added a commit to mtaufen/autoscaler that referenced this pull request Mar 16, 2018
This is the second part of the fix in kubernetes/kubernetes#61119

This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes/kubernetes#60020.
Ideally this information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.
mtaufen added a commit to mtaufen/autoscaler that referenced this pull request Mar 16, 2018
This is the second part of the fix in kubernetes/kubernetes#61119

This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes/kubernetes#60020.
Ideally this information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.
dims pushed a commit to dims/kubernetes that referenced this pull request Mar 16, 2018
Automatic merge from submit-queue (batch tested with PRs 61284, 61119, 61201). If you want to cherry-pick this change to another branch, please follow the instructions <a href="/~https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

Add AUTOSCALER_ENV_VARS to kube-env to hotfix cluster autoscaler

This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes#60020. Ideally this
information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.

This is the first half of the fix; the other half is that cluster autoscaler
needs to be modified to read from AUTOSCALER_ENV_VARS, if it is
available.

Since cluster autoscaler was also reading KUBELET_TEST_ARGS for the
kube-reserved flag, and we don't want to resurrect KUBELET_TEST_ARGS in kube-env,
we opted to create AUTOSCALER_ENV_VARS instead of just adding back
the old env vars. This also makes it clear that we have an ugly dependency
on kube-env.

```release-note
NONE
```
prameshj pushed a commit to prameshj/kubernetes that referenced this pull request Jun 1, 2018
This provides a temporary way for the cluster autoscaler to get at
values that were removed from kube-env in kubernetes#60020. Ideally this
information will eventually be available via e.g. the Cluster API,
because kube-env is an internal interface that carries no stability
guarantees.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants