KEP-5233: proposal for NodeReadinessGates

[ajaysundark]

• One-line PR description: adding new KEP

• Issue link: Node Readiness Gates #5233

• Other comments: Including feedback from API review to include probing mechanisms as a inherent part of the design.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: ajaysundark
Once this PR has been reviewed and has the lgtm label, please assign dchen1107 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/sig-node/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ajaysundark]

This design has been discussed with more folks, and below is the summary of the key feedback:

1. The current design with a new, explicit API is likely not necessary for the identified use cases. The recommended path forward is to first explore a simpler design that does not require a new API. This decision can be revisited if there's a POC or use-cases that demonstrate that a simpler approach is impractical or introduces unforeseen complexities.
2. There was a strong preference for using a node-local probing mechanism to report readiness. This approach is favored for high-fidelity signals and a better security posture compared to granting nodes/status patch permissions to multiple external agents.
3. An alternate proposal based on global control (crd) for node readiness is undesirable due to the risk of large scale impact on misconfiguration.
4. Admins typically know readiness requirements before node provisioning, mutable readiness-gates are not necessary. The conditions themselves are what may change.
5. It is important to differentiate (at handling the readiness-states) between an agent being present and an agent failing.

[k8s-ci-robot]

@ajaysundark: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-enhancements-verify	1dfa3f8	link	true	/test pull-enhancements-verify

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[sanposhiho]

need to put sig-scheduling and reviewer/approver from us.

[lmktfy]

Overall, we have a lot of existing extension points to allow building something a lot like this, but out of tree.

We put in those extension points for a reason. So, I think we should:

• build this out of tree
• add our voices to calls for better add-on management

[lmktfy]

Suggested change

	### Initial Taints without a Central API
	This approach uses `--register-with-taints` to apply multiple readiness taints at startup. Each component is then responsible for removing its own taint. This is less flexible and discoverable than a formal, versioned API for defining the readiness requirements. In addition, due to operational complexity where every critical daemonset needs to be tolerating every other potential readiness taint possible. This is unmanageable in a practical scenario where the components could be managed by different teams / providers.
	### Initial taints (replaced), with out-of-tree controller
	This approach uses `--register-with-taints` to apply a single initial taint at startup. A controller then atomically sets a set of replacement taints (configured using a custom resource) and removes the initial taint.
	For each replacement taint, each component is then responsible for removing its own taint.
	This is easier to maintain (no in-tree code) but requires people to run an additional
	controller in their cluster.

[lmktfy]

Suggested change

	- type: "network.k8s.io/CalicoReady"
	- type: "vendor.example/NetworkReady"

[lmktfy]

Suggested change

	- type: "network.k8s.io/DRANetReady"
	- type: "vendor.example/LowLatencyInterconnectReady"

[lmktfy]

How about a CRD that defines a set of rules that map (custom) conditions to taints?

Yes, you can break your cluster with a single, misguided cluster-scoped policy, but we already have that in other places (eg ValidatingAdmissionPolicy).

[lmktfy]

Suggested change

	conditionType: "network.k8s.io/CalicoCNIReady"
	conditionType: "vendor.example/NetworkReady"

[lmktfy]

Suggested change

	- conditionType: "vendor.com/DeviceDriverReady"
	- conditionType: "network.k8s.io/CalicoCNIReady"
	- conditionType: "vendor.example.com/DeviceDriverReady"
	- conditionType: "vendor.example/NetworkReady"

[lmktfy]

We shouldn't make an assumption that network plugins use CNI.

[lmktfy]

Suggested change

	### User Stories (Optional)
	### User Stories

[lmktfy]

For autoscaling, cluster autoscalers can directly pay attention to the existing .status.conditions on nodes. I think that's a viable alternative and one we should list.

[lmktfy]

Mention NodeReadinessGates here