kubeadm: disable the kube-proxy DaemonSet on non-Linux nodes #76327
Windows worker nodes run kube-proxy as a Windows service. In the future the kube-proxy DaemonSet might run on Windows nodes too, but for now a temporary measure is needed to disable it. Add a linux node selector in the kube-proxy manifest spec.
/sig windows
LGTM
My question is how we are going to replace the DaemonSet? I know that the answer is a Windows service ATM. However, do we expect that users do their own kube-proxy provisioning or should kubeadm do it instead? It looks good to me, but I want to know if we should be providing some replacement.
the plan is for kubeadm to not manage kube-proxy on Windows workers until the DaemonSet works.
Now this sounds horrible, unfortunately the alternative is to have an optional add-on per-node that deploys kube-proxy as a service on Windows nodes and this is even worse. /lgtm
Can't say I'm a fan of the approach, but at the same time I don't have a better alternative, so a hesitant +1 from me.
I'm ok with this PR, but I'm not sure about
On Linux, systemd service creation is not a kubeadm task, but it is something delegated to OS specific packages (deb or rpm); kubeadm task usually is limited to service configuration/start. My first reaction is that we should follow the same approach also on Windows/for kube-proxy. But TBH I didn't investigate this in detail, so might be I'm missing something 😅
Windows nodes are blocked on privileged containers at the moment. one day kube-proxy will be able to run as a DaemonSet on Windows too, until then we are heavily leaning towards the wrapper approach so that we don't maintain such code in kubeadm. also i wanted to explain the Windows / kubeadm discussions i had recently with SIG Windows, but i won't be able to attend this week's kubeadm office hours.
@@ -112,5 +112,7 @@ spec: | |||
- key: CriticalAddonsOnly | |||
operator: Exists | |||
- operator: Exists | |||
nodeSelector: |
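Review bot: the `nodeSelector:` added at the end of this hunk carries no comment marking it as temporary, and it sits directly under a toleration list ending in `- operator: Exists`, which tolerates every taint, so this selector is the only thing in the visible lines keeping the DaemonSet off non-Linux nodes. Suggest a YAML comment above `nodeSelector:` stating that it is a temporary measure until kube-proxy can run as a DaemonSet on Windows, with a pointer to kubernetes/kubeadm#1393, so the restriction gets revisited instead of staying by inertia.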
I'm not familiar with Windows deployments, but how does service routing work on Windows then?
it works somehow, this is more of a question for the SIG Windows folk.
kube-proxy still runs and handles service routing, it's just that it needs to run on the host directly and can't be run from inside a privileged container.
? below
let's hold this PR regardless, so that we can get the KEP in place that answers the questions.
/approve
/hold cancel
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: timothysc
/retest
What this PR does / why we need it:
Windows worker nodes run kube-proxy as a Windows service.
In the future the kube-proxy DaemonSet might run on Windows nodes
too, but for now a temporary measure is needed to disable it.
Add a linux node selector in the kube-proxy manifest spec.
Similar was done already for CoreDNS.
Which issue(s) this PR fixes:
xref kubernetes/kubeadm#1393
Special notes for your reviewer:
NONE
Does this PR introduce a user-facing change?:
/kind cleanup
/priority important-longterm
@kubernetes/sig-cluster-lifecycle-pr-reviews
/assign @timothysc @fabriziopandini
cc @PatrickLang