From d8d10b825baa413bcdcbfc0fe1e336a777ef4e5d Mon Sep 17 00:00:00 2001
From: Tom Wieczorek <twieczorek@mirantis.com>
Date: Thu, 19 Dec 2024 11:23:30 +0100
Subject: [PATCH] Move hard-coded cgroup settings into worker profiles

This makes them overridable. Also, don't set cgroupsPerQOS to true,
which is the default anyway.

Signed-off-by: Tom Wieczorek <twieczorek@mirantis.com>
---
 .../controller/workerconfig/reconciler.go         |  5 ++++-
 .../controller/workerconfig/reconciler_test.go    | 15 ++++++++++++++-
 pkg/component/worker/kubelet.go                   |  8 --------
 3 files changed, 18 insertions(+), 10 deletions(-)

diff --git a/pkg/component/controller/workerconfig/reconciler.go b/pkg/component/controller/workerconfig/reconciler.go
index 15553748120c..e62eca4134be 100644
--- a/pkg/component/controller/workerconfig/reconciler.go
+++ b/pkg/component/controller/workerconfig/reconciler.go
@@ -504,11 +504,12 @@ func (r *Reconciler) buildConfigMaps(snapshot *snapshot) ([]*corev1.ConfigMap, e
 	workerProfiles := make(map[string]*workerconfig.Profile)
 
 	workerProfile := r.buildProfile(snapshot)
-	workerProfile.KubeletConfiguration.CgroupsPerQOS = ptr.To(true)
 	workerProfiles["default"] = workerProfile
 
 	workerProfile = r.buildProfile(snapshot)
 	workerProfile.KubeletConfiguration.CgroupsPerQOS = ptr.To(false)
+	workerProfile.KubeletConfiguration.KubeReservedCgroup = ""
+	workerProfile.KubeletConfiguration.KubeletCgroups = ""
 	workerProfiles["default-windows"] = workerProfile
 
 	for _, profile := range snapshot.profiles {
@@ -597,6 +598,8 @@ func (r *Reconciler) buildProfile(snapshot *snapshot) *workerconfig.Profile {
 			},
 			ClusterDNS:         []string{r.clusterDNSIP.String()},
 			ClusterDomain:      r.clusterDomain,
+			KubeReservedCgroup: "system.slice",
+			KubeletCgroups:     "/system.slice/containerd.service",
 			TLSMinVersion:      "VersionTLS12",
 			TLSCipherSuites:    cipherSuites,
 			FailSwapOn:         ptr.To(false),
diff --git a/pkg/component/controller/workerconfig/reconciler_test.go b/pkg/component/controller/workerconfig/reconciler_test.go
index 2f6fd5b5a2b8..e49b92b2bc23 100644
--- a/pkg/component/controller/workerconfig/reconciler_test.go
+++ b/pkg/component/controller/workerconfig/reconciler_test.go
@@ -369,19 +369,23 @@ func TestReconciler_ResourceGeneration(t *testing.T) {
 			}, {
 				Name:   "profile_YYY",
 				Config: &runtime.RawExtension{Raw: []byte(`{"authentication": {"webhook": {"cacheTTL": "15s"}}}`)},
+			}, {
+				Name:   "profile_ZZZ",
+				Config: &runtime.RawExtension{Raw: []byte(`{"cgroupsPerQOS": false, "kubeletCgroups": "", "kubeReservedCgroup": ""}`)},
 			}},
 		},
 	}))
 
 	expectedConfigMaps := map[string]func(expected *kubeletConfig){
 		"worker-config-default-1.31": func(expected *kubeletConfig) {
-			expected.CgroupsPerQOS = ptr.To(true)
 			expected.FeatureGates = map[string]bool{"kubelet-feature": true}
 		},
 
 		"worker-config-default-windows-1.31": func(expected *kubeletConfig) {
 			expected.CgroupsPerQOS = ptr.To(false)
 			expected.FeatureGates = map[string]bool{"kubelet-feature": true}
+			expected.KubeletCgroups = ""
+			expected.KubeReservedCgroup = ""
 		},
 
 		"worker-config-profile_XXX-1.31": func(expected *kubeletConfig) {
@@ -393,6 +397,13 @@ func TestReconciler_ResourceGeneration(t *testing.T) {
 			expected.Authentication.Webhook.CacheTTL = metav1.Duration{Duration: 15 * time.Second}
 			expected.FeatureGates = map[string]bool{"kubelet-feature": true}
 		},
+
+		"worker-config-profile_ZZZ-1.31": func(expected *kubeletConfig) {
+			expected.CgroupsPerQOS = ptr.To(false)
+			expected.FeatureGates = map[string]bool{"kubelet-feature": true}
+			expected.KubeletCgroups = ""
+			expected.KubeReservedCgroup = ""
+		},
 	}
 
 	appliedResources := applied()
@@ -751,6 +762,8 @@ func makeKubeletConfig(t *testing.T, mods ...func(*kubeletConfig)) string {
 		ClusterDomain:      "test.local",
 		EventRecordQPS:     ptr.To(int32(0)),
 		FailSwapOn:         ptr.To(false),
+		KubeletCgroups:     "/system.slice/containerd.service",
+		KubeReservedCgroup: "system.slice",
 		RotateCertificates: true,
 		ServerTLSBootstrap: true,
 		TLSMinVersion:      "VersionTLS12",
diff --git a/pkg/component/worker/kubelet.go b/pkg/component/worker/kubelet.go
index 8a0465808674..d0320706e599 100644
--- a/pkg/component/worker/kubelet.go
+++ b/pkg/component/worker/kubelet.go
@@ -42,7 +42,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/util/validation"
 	kubeletv1beta1 "k8s.io/kubelet/config/v1beta1"
-	"k8s.io/utils/ptr"
 
 	"github.com/sirupsen/logrus"
 	"sigs.k8s.io/yaml"
@@ -243,13 +242,6 @@ func (k *Kubelet) writeKubeletConfig() error {
 		config.RegisterWithTaints = taints
 	}
 
-	// cgroup related things (Linux only)
-	if runtime.GOOS == "linux" {
-		config.KubeReservedCgroup = "system.slice"
-		config.KubeletCgroups = "/system.slice/containerd.service"
-		config.CgroupsPerQOS = ptr.To(true)
-	}
-
 	configBytes, err := yaml.Marshal(config)
 	if err != nil {
 		return fmt.Errorf("can't marshal kubelet config: %w", err)