Adapt flags of control plane components

[erkanerol]

Towards giantswarm/roadmap#687

This PR tries to adapt the configuration of api-server, kubelet, controller-manager, etcd, scheduler and kube-proxy for CAPO to keep it consistent with other providers such as AWS and KVM.

Upgrade

While developing this PR, I noticed that changes in KubeadmConfigTemplate don't trigger any rollout for worker nodes. Then I found these:

• Make KubeadmConfig and the KubeadmConfigTemplate immutable kubernetes-sigs/cluster-api#4910
• https://github.com/kubernetes-sigs/cluster-api/pull/5027/files

Then added kubeAdmConfigTemplateRevision as suffix to KubeadmConfigTemplate to trigger upgrades. Unfortunately, we are not allowed to delete old templates since capi controllers cannot finish the upgrade without them. We are going to use https://github.com/giantswarm/deletion-blocker-operator to block the deletion of templates.

The invisible decisions in this PR:

api-server

• PodSecurityPolicy is not added to --feature-gates. It will be handled with another PR. See Support PodSecurityPolicies in CAPO roadmap#1148
• RemoveSelfLink is not added to --feature-gates.
• --authorization-mode is Node,RBAC by default in CAPO. When Node is removed, pods in kube-system cannot be listed. Didn't touch this flag.
• --requestheader-allowed-names was front-proxy-client before this PR but it is updated as in the PR.
• --tls-cipher-suites is updated as it is in https://github.com/giantswarm/giantnetes-terraform/pull/585/files
• --anonymous-auth is false in vintage clusters but setting it false breaks kubeadm and nodes cannot join the cluster in CAPI clusters.

etcd

• Flags of etcd in CAPO are almost the same as in other environments.
• The only diff is --snapshot-count=10000. Didn't touch that flag.

kubelet

• Eviction policies are copied from vintage clusters's kubelet configuration.
• Some flags are not set explicitly in this PR and in our current kubelet configuration but they are overridden by the configuration file /var/lib/kubelet/config.yaml in our image.
  • --anonymous-auth is already true by default but I saw it is set as false in /var/lib/kubelet/config.yaml in our image. It is better to set it explicitly.
  • --cgroup-driver is systemd in /var/lib/kubelet/config.yaml in our image whereas it is cgroupfs by default in kubelet. Didn't touch it.
  • --resolv-conf is /run/systemd/resolve/resolv.conf in /var/lib/kubelet/config.yaml whereas it is /etc/resolv.conf by default. Didn't touch it.
• kernelMemcgNotification is true in vintage AWS but it is going to be deleted in 1.24. Therefore, didn't add to this PR.
• I found these configuration in vintage AWS but I don't see any reason to set them for CAPO by default:
  • serializeImagePulls=false
  • registryBurst=3
  • registryPullQPS=2
  • maxPods=32

controller-manager

• CAPO has startupProbe. Others don't. Didn't change.
• AWS has a memory request. Others don't. Didn't add.
• --controllers is *,bootstrapsigner,tokencleaner for CAPO. My understanding is that those are necessary for kubeadm. https://kubernetes.io/docs/reference/access-authn-authz/bootstrap-tokens/
• AWS has --terminated-pod-gc-threshold=10 flag but didn't see any particular reason to decrease this value for CAPO.
• CAPO has --port=0. It is OK. See kubeadm: add --port=0 for kube-controller-manager and kube-scheduler kubernetes/kubernetes#92720
• AWS has --v=2 but I think it is OK to go with the default value.

scheduler

• Scheduler pod in AWS has a memory request. The one in KVM doesn't. Now, we don't have it for OpenStack as well. It is the single diff in scheduler configuration.

kube-proxy

• Everything is the same.

Testing

• Fresh install works.
• Upgrade from previous version works.

Checklist

• Update changelog in CHANGELOG.md.
• Make sure values.yaml and values.schema.json are valid.

[tityosbot]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[pipo02mix]

I asked for more config options

[bavarianbidi]

is the future idea that cluster-api-cleaner-openstack removes the finalizer once the kubeadmconfigtemplate isn't needed anymore?

[erkanerol]

yes

[bavarianbidi]

Q1: should we rethink the scope of cluster-api-cleaner-openstack sometime again?

A helper operator for CAPO to delete resources created by apps in workload clusters.

Q2: does it make sense to let cluster-api-cleaner-openstack set the finalizer as well? Most controllers i've seen so far are adding/removing the finalizers by their own.

[fiunchinho]

Will this be needed in other providers as well? Would it make sense to solve it for all instead of using cluster-api-cleaner-openstack?

[erkanerol]

In the kaas-sync yesterday, we decided to implement a CAPI generic operator for this issue. I am going to implement it and then merge this PR.

[pipo02mix]

LGMT when Jose is happy

[fiunchinho]

I believe PodSecurityPolicies are missing from the feature flags.

[erkanerol]

I believe PodSecurityPolicies are missing from the feature flags.

Yeah. I mentioned it in the PR description.

PodSecurityPolicy is not added to --feature-gates. It will be handled with another PR. See giantswarm/roadmap#1148

[fiunchinho]

I believe PodSecurityPolicies are missing from the feature flags.

Yeah. I mentioned it in the PR description.

PodSecurityPolicy is not added to --feature-gates. It will be handled with another PR. See giantswarm/roadmap#1148

Sorry, I missed that.

[kopiczko]

Why not inline?

[erkanerol]

Isn't it better to have those flags in a separate valid yaml file instead of embedding a shitty templating code?