Move of unreachable taint key out of alpha

[resouer]

What this PR does / why we need it:

Move of unreachable taint key out of alpha, which already happened in community doc.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #54198

Special notes for your reviewer:
Please see #54198 for the context of this inconsistency.

Release note:

Move unreachable taint key out of alpha. 
Please note the existing pods with the alpha toleration should be updated by user himself to tolerate the GA taint.

[bsalamat]

/lgtm

I wait for Klaus to take a look as well before approving, just in case.

[k82cn]

Why not do this similar with not-ready? Add an new label, named DeprecateTaintNodeUnreachable.

[resouer]

@k82cn Not very sure about this actually, as unreachable seems to be internal used only.

@liggitt Do you think we need to address compatibility issue here, just like what we did for not-ready taint?

[k82cn]

@liggitt , any suggestion :).

[liggitt]

similar issue to the other taint name change... the node controller currently adds this taint, so I'd expect it to remove the alpha taint, otherwise you can end up with a node with a permanent taint added by a kubernetes component

also, the DefaultTolerationSeconds admission plugin currently adds tolerations for the alpha taint (and isn't documented to be alpha or subject to change). What's the plan for avoiding disrupting pods admitted with tolerations by that plugin?

[resouer]

The approach in #51266 should be able to fix the first concern, i.e. auto-replace old taint to new taint by controller.

Can we do the same operation for DefaultTolerationSeconds? let the admission plugin replace old toleration with new one. @liggitt WDYT?

[liggitt]

let the admission plugin replace old toleration with new one. @liggitt WDYT?

that doesn't update pods already in the system

[resouer]

So maybe add a admit plugin to fix pods tolerations? @liggitt

[liggitt]

I'm not sure the best course of action... @davidopp how did you envision updating system-added tolerations on existing pods when the system-added taint changes names.

[resouer]

kindly ping @davidopp , we are discussing the strategy to upgrade alpha taint keys without breaking existing user, and your advice would be highly valued here.

[k82cn]

/approve cancel

[k82cn]

/cc @liggitt

[k82cn]

/lgtm cancel

[k82cn]

Just to stop merge progress before we get agreement on the PR :).

[BenTheElder]

/retest

[BenTheElder]

/retest

[davidopp]

@gmarek

[davidopp]

I'll take a look at this in the next few days, but if @gmarek has a comment it would be useful too.

[resouer]

Thanks David! @davidopp

@gmarek As @liggitt pointed out, the DefaultTolerationSeconds admission plugin currently adds tolerations for the alpha taint. So the pods already in the system are tend be suffered from this update.

One possible approach I am thinking is adding a admit to fix pods toleration. Do you think it's reasonable?

[bsalamat]

@resouer Why don't you take a similar approach to notReady? Leave the alpha in place and mark it deprecated and add a new taint for non-alpha version.

[resouer]

@bsalamat The special problem here is the DefaultTolerationSeconds admission plugin currently adds tolerations for the alpha taint to Pods.

So I just proposed to adding a admit to fix pods tolerations. Does it sound good to you?

[bsalamat]

@resouer Your description is a bit brief. So, I am not sure if your solution will handle the following scenario correctly:

1. Assume that an existing replicaset is creating pods from an existing template which has toleration for the alpha taint.
2. Nodes get the GA taint.
3. A new pod for the replicaset is created with the old taint.

Will the new pod be scheduled?

[resouer]

@bsalamat I think that approach may solve the problem:

1. User replaces Kubernetes binary to upgrade.
2. The node controller replaces alpha taint to GA taint on node (like we did before).
3. Then we write an admission plugin, it will check if the pod has old taint key, and replace it with new one (also, update the pod template of its controllerRef).

So the system should work.

Am I missed something?

[liggitt]

we write an admission plugin, when it sees new pod comes in, it will check if the pod has old taint key, and replace it with new one

I don't think this is necessary... I'd only expect us to work to smoothly transition objects tainted/tolerated by in-tree components:

• switch the existing admission plugin to write the non-alpha toleration
• handle updating existing pods to swap the alpha toleration with a non-alpha toleration (or add the non-alpha toleration... I don't think existing tolerations can be removed)
• update nodes to remove the alpha taint and add the non-alpha taint

I think out of tree components are responsible for stopping their own usage of alpha tolerations

[bsalamat]

What @liggitt said makes sense. Given that this was an alpha taint, we don't need to avoid breaking external components that use the alpha taint in the future.

[resouer]

OK, so the scope is much clear now. I've already update the patch and amending unit tests now. Thank you for advice.

[bsalamat]

@resouer Can you please update the release note and mention that existing pods with the alpha toleration should be updated to tolerate the GA taint as well?

[resouer]

@bsalamat Updated. Will also mention this in google group if it's fine.

[bsalamat]

/lgtm

[bsalamat]

I think this PR requires "action required" label.

[dims]

/assign @deads2k

[k8s-github-robot]

[MILESTONENOTIFIER] Milestone Pull Request Current

@bsalamat @deads2k @k82cn @resouer

Pull Request Labels

• sig/scheduling: Pull Request will be escalated to these SIGs if needed.
• priority/important-longterm: Escalate to the pull request owners; move out of the milestone after 1 attempt.
• kind/cleanup: Adding tests, refactoring, fixing old bugs.

Help

• Additional instructions
• Commands for setting labels

[resouer]

@bsalamat I just updated the order of test cases to fix test failure after rebase, could you please apply label again?

I think this PR requires "action required" label.

@dims Do you know how to do that?

[resouer]

/test pull-kubernetes-unit

[bsalamat]

/lgtm

[dims]

/retest

[deads2k]

You probably want to address the migration concern here: #54208 (comment)

/approve

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bsalamat, deads2k, resouer

Associated issue: 54198

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• pkg/controller/node/OWNERS [deads2k]
• plugin/pkg/admission/OWNERS [deads2k]
• plugin/pkg/scheduler/OWNERS [bsalamat]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[fejta-bot]

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.

[resouer]

@deads2k Yes, the current plan is Release Note + Announcement in kubernetes-dev