Create an untainted control plane with KCP #7149
Comments
@killianmuldoon: This issue is currently awaiting triage. If CAPI contributors determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@d8660091 does this summarize your issue correctly? |
nit: I assume the intention is to avoid both the old and the new control plane taint? (kubeadm 1.24 sets both) |
@killianmuldoon Perfect! Thank you for creating this issue, we'll keep a close eye on it. BTW, created a playground snippet earlier trying to explain the bug: https://go.dev/play/p/TikiIjMYXlM |
cc @anusha94 and @randomvariable However, the fact that taints will be overridden by KubeadmConfig is tricky e.g. for upgrades when we are fixing up taints to accommodate kubeadm changes. |
Another consideration, this could impact addons relying on the taints' existence |
addons shouldn't "rely" on taints. Reliance on a control plane for a selector or affinity rule should be based on labels instead. We can defer that problem to the addon IMO. |
I assume kind is doing something here? |
had a look at kind, unfortunately:

```go
// if we are only provisioning one node, remove the master taint
// https://kubernetes.io/docs/setup/independent/create-cluster-kubeadm/#master-isolation
if len(allNodes) == 1 {
	if err := node.Command(
		"kubectl", "--kubeconfig=/etc/kubernetes/admin.conf",
		"taint", "nodes", "--all", "node-role.kubernetes.io/master-",
	).Run(); err != nil {
		return errors.Wrap(err, "failed to remove master taint")
	}
}
```
|
In terms of what we do about scale up, I think we will need to make this explicit. As in we don't care about doing anything like setting the taints back on if worker nodes suddenly appear. The user must explicitly opt out of removing the control plane taint. Especially in the case where the worker nodes are only Windows ones, the user may still want to not have the control plane taint so all the Linux pods get scheduled. |
@neolit123, is there any support for not setting the taints on the kubeadm side? I struggled to find a relevant issue in k/kubeadm. |
|
@fabriziopandini My impression was that the "taint changes" over the last few releases have all been "implemented" by the kubeadm binary itself (essentially when adding a new node with a new kubeadm/Kubernetes version the new "taint behavior" was used). I couldn't find anything in KCP where we are modifying the taints, but maybe I missed it |
@d8660091 What did you mean with it makes taints "required"? |
@sbueringer After I removed "omitempty" from taints, although taints can be passed from cluster-API to kubeadm, the e2e test is broken. It's broken because when "taints: In this sense, I cannot omit taints in the yaml, so I called it "required", which like you see, is not accurate. If we can find some way to encode Reference: |
Related: golang/go#22480. "omit only nil slice", not "omit both nil and [] slice" |
Just took a closer look. With the current API type
After dropping omitempty
I know it's basically the same you wrote, I thought I'll add just a bit of details about the webhook implementation I think - assuming we want to - we could customize the JSON marshalling behavior by implementing a |
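The `omitempty` behaviour discussed in this thread, as an added Go example (not code from cluster-api, kubeadm or any commenter). The type names, the `OmitNilOnly` marshaller and `RoundTrip` are hypothetical, and the receiving side is modelled as a plain `json.Unmarshal` in which a nil slice stands for "apply the default taints".

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Taint is a constructed stand-in for the Kubernetes taint type.
type Taint struct{ Key, Effect string }

// WithOmitEmpty drops the field for both a nil and an empty slice.
type WithOmitEmpty struct {
	Taints []Taint `json:"taints,omitempty"`
}

// WithoutOmitEmpty always emits the field: nil -> null, empty -> [].
type WithoutOmitEmpty struct {
	Taints []Taint `json:"taints"`
}

// OmitNilOnly (hypothetical) drops the field only when the slice is nil.
type OmitNilOnly struct{ Taints []Taint }

func (o OmitNilOnly) MarshalJSON() ([]byte, error) {
	if o.Taints == nil {
		return []byte(`{}`), nil
	}
	return json.Marshal(WithoutOmitEmpty{Taints: o.Taints})
}

// RoundTrip marshals v, decodes it as the consumer would, and reports a nil slice.
func RoundTrip(v interface{}) (wire string, gotNil bool) {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	var r WithoutOmitEmpty
	if err := json.Unmarshal(b, &r); err != nil {
		panic(err)
	}
	return string(b), r.Taints == nil
}

func main() {
	e := []Taint{} // explicit "no taints"
	for _, v := range []interface{}{WithOmitEmpty{e}, WithoutOmitEmpty{e}, OmitNilOnly{e}} {
		wire, gotNil := RoundTrip(v)
		fmt.Printf("%T %s receiverNil=%v\n", v, wire, gotNil)
	}
}
```

Only the first type loses the explicit empty list on the wire, so the receiver cannot tell it apart from an unset field.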
I do remember this conversation in kubeadm, and we decided that to change the way kubeadm handles this would be a breaking API change. |
I think kubeadm handles it correctly at the moment. They dropped omitempty btw between v1beta2 and v1beta3 APIs |
Implemented a quick hack on #7161 to show that it's possible. I think the change from a user point of view is that when an empty slice is set it is not just dropped and ignored. This could be considered a bug fix. (Based on my local test this would work to produce control plane nodes without control plane taints) |
@sbueringer : wondering if this then also works with topology controller. Did you try that? |
I would expect it to work but I didn't try it. If the empty slice is coming from patches it's very very likely as we're just working with the JSON in the controller. |
Maybe a workaround to consider until a fix for this was implemented: Set a taint which has effect

```yaml
taints:
- effect: PreferNoSchedule
  key: NoTaintWorkaround
  value: "true"  # quoted: taint values are strings
```
|
Cluster-api needs to pass [] taints to Kubeadm so that kubeadm will not taint the control plane. However, a [] taints will be omitted by cluster-api during marshaling, thus kubeadm gets a nil instead of []. For more info: kubernetes-sigs#7149
User Story
As an operator I would like to create a control plane without the node-role.kubernetes.io/master:NoSchedule taint.
Detailed Description
When creating a cluster I would like my control plane to be a scheduling target for all workloads. Setting the initConfiguration of KubeadmControlPlane NodeRegistration taints to empty results in a nil field which means the taints are applied as default.
Initial conversation on this happened here: #7133
/kind feature