Provide a way in KCP to disable CoreDNS management via annotations #3023
Conversation
cc @vincepri — not sure if this is the way we should be going, or if we want to look at adding a controller-level flag to turn off the behavior. Short version is that right now the KCP is failing to update our CoreDNS deployments, and we're a little scared of when that bug is fixed and it is able to successfully change things :)
also cc @dthorsen
@sethp-nr If there are no changes, it should be detected when we check whether the from/to images are the same. This is the whole image that's specified in a deployment, so I guess the code somehow is detecting that there is a change. Can we add a test case, or do you have a reproducer we can debug? I'd also suggest looking at the logic in
```diff
@@ -8,5 +8,5 @@ spec:
     spec:
       containers:
       # Change the value of image field below to your controller image URL
-      - image: gcr.io/k8s-staging-capi-docker/capd-manager:dev
+      - image: gcr.io/k8s-staging-capi-docker/capd-manager-amd64:dev
```
I don't think this should be part of the commit
Ah, good catch, stung again by `git commit -a`
```diff
@@ -78,6 +78,12 @@ func (w *Workload) UpdateCoreDNS(ctx context.Context, kcp *controlplanev1.Kubead
 		return nil
 	}
 
+	// If we haven't been asked to do anything, return early
+	if clusterConfig.DNS.ImageRepository == "" && clusterConfig.ImageRepository == "" &&
```
I think we should also return if clusterConfig.DNS.Type != CoreDNS
@vincepri is it written somewhere that KCP does not support kube-dns as a DNS option?
This is already the case, on line 77
Thanks for pointing that out
Force-pushed from 1b49414 to 5f76d95
@vincepri I'll look into adding a test; at this point I suspect it's because we're modifying the CoreDNS deployment out of band from kubeadm, and so some state is suggesting there is something to change. What I was hoping for was some way to avoid having the KCP even check in these cases: we want to change things about the shape of the deployment (at this moment specifically it's tolerations) and would rather use one tool to manage both the version and the Corefile / image versions. From looking into
Ah, yup, that was it. In v0.3.2:

And in current master,
@sethp-nr Is the
Yeah, that's right — we use an ArgoCD app for managing CoreDNS.
Got it, I think it's fair to add a check, although the one in this PR could impact the ability to go from a value to the implicit defaults, if that makes sense
Hmm, yeah — it's the age-old default-or-unset issue. I'm open to suggestions; my bad ideas are:
I wouldn't be opposed to adding a flag or annotation to opt out. @ncdc thoughts?
The choice to enable or disable CoreDNS management is probably at the provider level and not per KCP, right? Or do we think individual cluster owners would want to make that decision?
The main benefit of putting it on the KCP is that it's not somewhere else: it saves me from having to check controller flags on a pod in a different namespace if I'm wondering whether the KCP will be attempting to reconcile some DNS config I'm looking at. I'll re-work this PR to use an annotation — I'm not sure if there's an underlying kubeadm issue that'd still be worth filing, though.
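For illustration, the annotation-based opt-out discussed here would live on the KubeadmControlPlane object itself. A hypothetical sketch, reusing the `md1a` names from the log lines above; the annotation key is an assumption, not necessarily the name this PR merged with:

```yaml
apiVersion: controlplane.cluster.x-k8s.io/v1alpha3
kind: KubeadmControlPlane
metadata:
  name: md1a-controlplane
  namespace: md1a
  annotations:
    # Hypothetical opt-out key: tells KCP not to reconcile CoreDNS,
    # leaving the Deployment to an external tool (e.g. an ArgoCD app).
    controlplane.cluster.x-k8s.io/skip-coredns: ""
spec:
  # ... rest of the control plane spec unchanged ...
```

Putting the marker on the KCP resource matches the argument above: anyone inspecting the cluster's DNS config can see the opt-out in the same place, without hunting for controller flags in another namespace.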
Force-pushed from 5f76d95 to 513209f
Force-pushed from 513209f to 52070a5
What's the potential kubeadm issue?
I'm also fine with a field or annotation on KCP
Force-pushed from 52070a5 to a9694b4
@sethp-nr: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
Force-pushed from a9694b4 to d6c1c26
The kubeadm issue that I'm musing on is something around teasing apart the ongoing management of CoreDNS from bootstrapping — as it stands, I think the KCP is in an awkward place, because turning up a cluster sometimes requires the ability to override things like registry and image tag, but that's not really sufficiently expressive to take full ownership of the CoreDNS pieces.
controlplane/kubeadm/api/v1alpha3/kubeadm_control_plane_types.go
/milestone v0.3.7
We're seeing a lot of these log lines in our clusters:

```
E0506 19:19:39.493104       1 controller.go:258] controller-runtime/controller "msg"="Reconciler error" "error"="failed to update CoreDNS deployment: failed to validate CoreDNS: toVersion \"1.6.2\" must be greater than fromVersion \"1.6.2\"" "controller"="kubeadmcontrolplane" "request"={"Namespace":"md1a","Name":"md1a-controlplane"}
```

We're managing the CoreDNS Deployment outside of the KCP, and have set the repository to something it doesn't know about. We'd like to be able to separate out the "use the default repository" cases from the "do not manage CoreDNS" cases.
Force-pushed from d6c1c26 to 3cfc8d6
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: sethp-nr, vincepri The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retitle Provide a way in KCP to disable CoreDNS management via annotations
For air-gapped systems that cannot pull container images, the rolling update of add-ons needs to be coordinated in a more particular fashion. This allows users of the KCP to opt out of kube-proxy management with a similar mechanism to how they would opt out of CoreDNS management (kubernetes-sigs#3023)
What this PR does / why we need it:
We're seeing a lot of these log lines in our cluster(s):
It looks like CoreDNS is being reconciled even though we haven't set up any of the DNS properties to opt in to that behavior.
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged):