kubeadm: disable the kube-proxy DaemonSet on non-Linux nodes #76327
Conversation
Windows worker nodes run kube-proxy as a Windows service. In the future the kube-proxy DaemonSet might run on Windows nodes too, but for now a temporary measure is needed to disable it. Add a linux node selector in the kube-proxy manifest spec.
k8s-ci-robot
added
release-note
|
/sig windows |
k8s-ci-robot
added
sig/windows
|
LGTM |
|
My question is how we are going to replace the DaemonSet? I know that the answer is a Windows service ATM. However, do we expect, that users do their own kube-proxy provisioning or should kubeadm do it instead? It looks good to me, but I want to know if we should be providing some replacement. |
the plan is for kubeadm to not manage kube-proxy on Windows workers until the DaemonSet works. |
Now this sounds horrible, unfortunately the alternative is to have an optional add-on per-node that deploys kube-proxy as a service on Windows nodes and this is even worse. /lgtm |
k8s-ci-robot
added
do-not-merge/hold
|
Can't say I'm a fan of the approach, but at the same time I don't have a better alternative, so a hesitant +1 from me. |
|
I'm ok with this PR, but I'm not sure about
On Linux, systemd service creation is not a kubeadm task, but it is something delegated to OS specific packages (deb or rpm); kubeadm task usually is limited to service configuration/start. My first reaction is that Iwe should follow the same approach also on windows/for kube-proxy. But TBH I didn't investigated this in detail, so might be I'm missing something 😅 |
WIndows nodes are blocked on privileged containers at the moment. one day kube-proxy will be able to run as a DaemonSet on Windows too, until then we are heavily leaning towards the wrapper approach so that we don't maintain such code in kubeadm. also i wanted to explain the Windows / kubeadm discussions i had recently with SIG Windows, but i won't be able to attend this week's kubeadm office hours. |
| @@ -112,5 +112,7 @@ spec: | |||
| - key: CriticalAddonsOnly | |||
| operator: Exists | |||
| - operator: Exists | |||
| nodeSelector: | |||
There was a problem hiding this comment.
I'm not familiar with windows deployments, but how does service routing work on window then?
There was a problem hiding this comment.
it works somehow, this is more of a question for the SIG Window folk.
There was a problem hiding this comment.
kube-proxy still runs and handles service routing, it's just that it needs to run on the host directly and can't be run from inside a privileged container.
|
let's hold this PR regardless, so that we can get the KEP in place that answers the questions. |
k8s-ci-robot
removed
the
approved
k8s-ci-robot
removed
the
do-not-merge/hold
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
|
/retest Review the full test history for this PR. Silence the bot with an |
What this PR does / why we need it:
Windows worker nodes run kube-proxy as a Windows service.
In the future the kube-proxy DaemonSet might run on Windows nodes
too, but for now a temporary measure is needed to disable it.
Add a linux node selector in the kube-proxy manifest spec.
Similar was done already for CoreDNS.
Which issue(s) this PR fixes:
xref kubernetes/kubeadm#1393
Special notes for your reviewer:
NONE
Does this PR introduce a user-facing change?:
/kind cleanup
/priority important-longterm
@kubernetes/sig-cluster-lifecycle-pr-reviews
/assign @timothysc @fabriziopandini
cc @PatrickLang