Adding Alternative Node Naming Convention #61878
Conversation
Currently node names in aws are derived from the private-dns entry of the ec2 instance. This PR offers administrators, who might have differing dns toplogies in their VPCs, the option to manually configure their node names. This PR also directly addresses a bug in K8s that prevents the Node Admission Controller from working properly when the AWS cloud provider is selected.
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
needs-ok-to-test
|
@liggitt is this part of the work you mentioned #54482 (comment) ? |
|
I hadn't seen this PR in particular, but this type of change is what I was anticipating (though I didn't know whether @kubernetes/sig-aws-misc wanted to drive this while the cloudprovider was still in-tree) |
nathanjsweet
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
|
Okay, I can confirm this is working now. It took me a while to get to testing it end-to-end. |
|
Oh yeah the cloud config looks like this: |
| } | ||
| } | ||
| glog.Infof("Tag %s not found for instance %s", TagNameKubernetesNodeNamePrefix, aws.StringValue(i.InstanceId)) | ||
| } | ||
| return types.NodeName(aws.StringValue(i.PrivateDnsName)) |
There was a problem hiding this comment.
I assume a custom tag value is mutable on an instance. If so, changing the value of the custom tag after a node has been added to the cluster will cause problems... docs should make that clear
There was a problem hiding this comment.
Can you point me to where the docs are?
There was a problem hiding this comment.
I meant the docs to be added around this new option should call out the sharp edges :)
| if len(value) > 0 { | ||
| return types.NodeName(aws.StringValue(tag.Value)) | ||
| } | ||
| glog.Infof("Tag %s was found for instance %s, but had no value", TagNameKubernetesNodeNamePrefix, aws.StringValue(i.InstanceId)) |
There was a problem hiding this comment.
will silently falling back to the private dns name lead to scenarios where there's a race to apply the custom tag before the kubelet starts on up on the node and registers itself using the private dns name?
There was a problem hiding this comment.
Enabling this feature and not having the tags in place will cause problems, but I think if you decide to enable this feature it's on you to make sure you don't mess up the names. This is already the case with the cloud-provider flag which requires the node-name and hostname to match (something that is undocumented).
There was a problem hiding this comment.
Also, my guess is that kubelet doesn't register if this happens.
There was a problem hiding this comment.
This is already the case with the cloud-provider flag which requires the node-name and hostname to match
in that case, the names aren't mutable... the race between kubelet start and tag addition is my main concern
my guess is that kubelet doesn't register if this happens
if it's the first startup in a tls-bootstrapping setup, the kublet will use the private dns name to get it's initial credential and register, then start failing as soon as the tag appears and it's idea of who it is changes
There was a problem hiding this comment.
Enabling this feature and not having the tags in place will cause problems
This must be clearly documented. And IMO kubelet should exit when it starts on a node with ExplicitNodeNames enabled and without the right tag on the node.
There was a problem hiding this comment.
And IMO kubelet should exit when it starts on a node with ExplicitNodeNames enabled
Yeah, okay. I'll make that change.
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
Yes! I could not find any documentation about AWS cloud.conf format and keys/values. I am afraid it's you who's supposed to create one. It belongs here: https://kubernetes.io/docs/concepts/cluster-administration/cloud-providers/#aws |
|
@jsafrane okay I gave |
|
Does this PR resolve #52241 ? |
|
@liggitt Yes it would. |
| func mapInstanceToNodeName(i *ec2.Instance) types.NodeName { | ||
| return types.NodeName(aws.StringValue(i.PrivateDnsName)) | ||
| func mapInstanceToNodeName(i *ec2.Instance, explicitNames bool) (types.NodeName, error) { | ||
| if explicitNames { |
There was a problem hiding this comment.
I like the tags idea, but rather than differentiating between the old way (private DNS name) and the new way (tagged name) via a config option, I'd prefer if we can allow the new behavior in a backwards compatible way, without the need for a new config option. I.e., default to private DNS name but use a tagged name if present on the node.
| return types.NodeName(aws.StringValue(i.PrivateDnsName)) | ||
| func mapInstanceToNodeName(i *ec2.Instance, explicitNames bool) (types.NodeName, error) { | ||
| if explicitNames { | ||
| for _, tag := range i.Tags { |
There was a problem hiding this comment.
I.e. check to see if a tag exists that matches kubernetes.io/nodeName, and if not, we fall back to private DNS instead of erroring.
| filters := []*ec2.Filter{ | ||
| newEc2Filter("private-dns-name", privateDNSName), | ||
| newEc2Filter(nodeFilter, privateDNSName), |
There was a problem hiding this comment.
Here we would have to attempt with the tag filter, check to see if any instances were returned, then try private DNS.
switching a node name after the fact is disruptive enough that it doesn't seem great to infer and fallback this way. see discussion (now hidden) #61878 (comment) of the race conditions between adding tags and kubelet startup that falling back to the dns name can cause |
|
Sorry for the bombardment, I accidentally rebased higher up the tree than I should have. |
|
I can no longer carry this PR forward, as I have left Datica Inc. Datica has signed the CNCF agreement though, so I don't know if that means a maintainer can fork this and carry it forward. Sorry for the inconvenience. |
| @@ -141,7 +141,10 @@ func (c *Cloud) checkIfAttachedToNode(diskName KubernetesVolumeID, nodeName type | |||
| } | |||
|
|
|||
| awsDiskInfo.ec2Instance = instanceInfo | |||
| awsDiskInfo.nodeName = mapInstanceToNodeName(instanceInfo) | |||
| awsDiskInfo.nodeName, err = mapInstanceToNodeName(instanceInfo, c.cfg.Global.ExplicitNodeNames) | |||
There was a problem hiding this comment.
This is going to be a problem, if someone switches naming topology midway through, then disks could potentially get orphaned.
|
/retest |
|
I was going to offer help here, but I can't see any comments that haven't already been addressed |
|
I'm happy to take a stab at addressing this: #61878 (comment) (documentation) comment |
|
@karlhungus There needs to be dire warnings in the documentation that the node naming convention can never be switched after cloud resources have been deployed by Kubernetes without orphaning those resources (I suppose you could just manually delete them), however disks would get orphaned. |
| // as the assigned node name, and want to explicitly set the names of their nodes, via | ||
| // tags. This configuration indicates that all node names have been explicitly | ||
| // set with the tag "kubernetes.io/node-name". | ||
| ExplicitNodeNames bool |
There was a problem hiding this comment.
looking at this cold, a name like useTagsForNodeNames might be clearer
k8s-ci-robot
added
the
needs-rebase
|
as a service provider, it would be a great option to see implemented. is there any status update, or is there a way we can throw our hat in the ring and lend a hand with this issue? it seems like this fell off the wagon... |
|
I'd recommend getting on the agenda in a sig-aws and/or sig-cloudprovider meeting for visibility and blessing to help get it over the finish line. Would also be good to make sure it's a pattern that could be imitated by other providers and make the maintainers of those providers aware of this effort. |
|
What's happening with this one? We really need this at our site. |
|
@liggitt With the benefit of time I am starting to think that this PR is a bad idea. I can't think of another K8s feature that requires the admin to understand such a significant amount of how the underlying cloud-controller works. I think a better solution would be for the cloud controller to include an interface for changing node names (this would require them to persist) so that if the admin decides to change the node naming convention it is easy to do so. Another reason I think that is a better solution is that this current PR only fixes the problem for new clusters. Old clusters really can't make use of this PR. I'd be willing to draft something like this up (I'll be working on K8s full time again in January), but WG should I propose this idea to? |
cloud providers have been consolidated under sig-cloud-provider, to improve consistency in how k8s interfaces with cloud providers. That group would be the venue for discussing this |
as an aside, changing an existing node's name is likely to be just as disruptive as removing and creating a new node. API object names are immutable, as is the spec.nodeName field in pods. |
|
I think it would be great to have the cloudprovider pass Node objects, instead of NodeNames, because then we could get the instance id from the node object (the ProviderID field IIRC). Then the cloudprovider wouldn't care about the Node Name at all. It's also good because it avoids having to map from a NodeName -> an AWS instance ID, which requires caching and/or API calls. As @liggitt points out, we can work on this as part of the cloudprovider extraction; and we probably won't be able to rename Nodes, but we can at least remove the cloudprovider constraint on the Name. I think at that point it's easy to wrap kubelet in a script to build a name from tags, IP, instance ID, etc. |
|
@justinsb is there a target release for the cloud provider extraction project? |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
This PR is stale and not happening. |
Provider extraction efforts are still ongoing and will be ongoing for the next few releases. I personally am not opposed to addressing this along-side the extraction effort. Feel free to add this to the next SIG cloud provider meeting agenda |
|
/remove-lifecycle stale |
k8s-ci-robot
removed
the
lifecycle/stale
Can you add it to that agenda? It seems like this issue is getting lost in the noise. |
|
@cabrinha best place to continue this discussion would be our mailing list https://groups.google.com/forum/#!forum/kubernetes-sig-cloud-provider |
What this PR does / why we need it:
Currently node names in aws are derived from the private-dns entry of the ec2 instance.
This PR offers administrators, who might have differing dns toplogies in their VPCs,
the option to manually configure their node names. This PR also directly addresses a
bug in K8s that prevents the Node Admission Controller from working properly when the AWS cloud provider is selected.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #11543
Fixes #47695
Fixes #52241
Addresses #48929
Is there someone where I need to document this?
/sig aws