bootstrap: Start hostNetwork pods even if network plugin not ready #33347
Conversation
@k8s-ci-robot
WIP, so self-assigning for now.
This addresses (some of?) #32900. It is also fairly simple. I realize this is a hard sell for 1.4.0, but if we want to put it into 1.4 at all, maybe we can incorporate it with a flag? Then installation tools could opt in instead of setting it.
```diff
@@ -155,7 +155,7 @@ assemble_kubelet_flags() {
   if [ ! -z "${KUBELET_APISERVER:-}" ] && \
      [ ! -z "${KUBELET_CERT:-}" ] && \
      [ ! -z "${KUBELET_KEY:-}" ]; then
-    KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --api-servers=https://${KUBELET_APISERVER} --register-schedulable=false --reconcile-cidr=false --pod-cidr=10.123.45.0/29"
+    KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --api-servers=https://${KUBELET_APISERVER} --register-schedulable=false --reconcile-cidr=false"
```
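The script guards the master-facing kubelet flags on all three of the apiserver endpoint and the client cert/key being set. A minimal standalone sketch of that guard pattern follows; the variable values are placeholders for illustration, not real cluster configuration:

```shell
#!/bin/bash
# Placeholder values standing in for what the real bootstrap scripts export.
KUBELET_CMD_FLAGS="--v=2"
KUBELET_APISERVER="10.0.0.1"
KUBELET_CERT="/srv/kubernetes/kubelet.crt"
KUBELET_KEY="/srv/kubernetes/kubelet.key"

# Only append the master-facing flags when endpoint and credentials are all set.
if [ ! -z "${KUBELET_APISERVER:-}" ] && \
   [ ! -z "${KUBELET_CERT:-}" ] && \
   [ ! -z "${KUBELET_KEY:-}" ]; then
  # As in the diff, no dummy --pod-cidr is appended here.
  KUBELET_CMD_FLAGS="${KUBELET_CMD_FLAGS} --api-servers=https://${KUBELET_APISERVER} --register-schedulable=false --reconcile-cidr=false"
fi

echo "${KUBELET_CMD_FLAGS}"
```

If any of the three variables is empty, the flags are simply not appended and the kubelet starts with its base flags only.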
If you drop `pod-cidr`, that means you have to set `reconcile-cidr`.
@roberthbailey Where does GKE take its bootstrap parameters from? Basically, we want to maintain the current setup for GKE, where pod-cidr was set on the master.
Can I get some feedback on this as a fix? If so, I propose that we're early enough in the cycle to just merge it (once it is rebased, cleaned up, and passes e2e); there's plenty of time to revert / fix any problems it uncovers.
What about the comment regarding the flags above?
This is a good one. Let us get it in.
Thanks @freehan. Yes, I was probably over-eager when expunging pod-cidr; I will fix it up properly :-) Just wanted to check that we liked the general approach first!
Haven't read the code yet, but @justinsb, I thought this was already the case? It certainly is for CNI plugins. Is this just a kubenet fix?
@caseydavenport are you sure? We hit this pretty hard in 1.4, with the /30 -> /29 issue... Maybe other plugins aren't correctly reporting status? Or maybe the plugin is ready immediately and doesn't need to wait for a pod CIDR? Check out the kubelet changes - they are pretty small...
Yeah, my experience was with the Calico plugin, which is ready immediately and doesn't need to wait for a pod CIDR. I think I understand this PR now - it's essentially handling the case where the plugin isn't ready yet. Sorry for the confusion!
In the Calico case, it is using the CNI network plugin, right? I believe that one already separates host network and pod network.
```diff
@@ -2197,6 +2197,15 @@ func (kl *Kubelet) rejectPod(pod *api.Pod, reason, message string) {
 // can be admitted, a brief single-word reason and a message explaining why
 // the pod cannot be admitted.
 func (kl *Kubelet) canAdmitPod(pods []*api.Pod, pod *api.Pod) (bool, string, string) {
+	if rs := kl.runtimeState.networkErrors(); len(rs) != 0 {
+		hostNetwork := false
+		if pod.Spec.SecurityContext != nil && pod.Spec.SecurityContext.HostNetwork {
```
How about instead:

```go
if !podUsesHostNetwork(pod) {
	return false, "NetworkNotReady", fmt.Sprintf(...)
}
```

We added podUsesHostNetwork() specifically to cut down on this repeated pattern :)
+1
Thanks - will do
@caseydavenport almost right. Currently, if the network plugin reports an error from Status(), kubelet will block running HostNetwork=true pods, which shouldn't depend on the network plugin at all. This PR removes that erroneous inter-dependency and allows HostNetwork pods to run even when the network plugin isn't ready, since the two shouldn't have anything to do with each other. So it's not really --configure-cbr0 specific; it's a problem for any network plugin that may report an error from Status(). But right now that's basically just kubenet, since CNI has no way to filter status back up to Kubernetes.
The downside is that there is no feedback loop to prevent schedulers from assigning non-host-network pods to the node. There may be a period of time after kubelet startup during which it reports ready but rejects all the (non-host-network) pods. /cc @kubernetes/sig-node
Is there any hope of seeing this in the near future in a point release?
This change looks ok to me.
+1
The pkg/kubelet bits LGTM.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue
Is this something that will end up in the next 1.4.x, or will we have to wait for 1.5?
@edevil - if you want it in the 1.4 branch, feel free to send a cherry-pick pull request.
Removing label
Guys, I'm sorry for not being vocal, but this PR broke suites. Logging doesn't work at all after this PR! To give you more details: the Fluentd pod is currently in the node manifest. In the kubelet logs you can see the following event
And no mentions of fluentd after that.
@crassirostris I'll take a look. Is there an open issue?
Thanks - looking now.
FYI, this PR may have caused a lot of tests in the serial suite to flake as well: #35519
I'd vote for reverting this first.
I would be open to a cherry-pick, but it needs to be careful.