Update KEP kubeadm join --master #2331
Conversation
k8s-ci-robot
added
size/XL
|
How would folks feel about Thumbs up/Thumbs down would work as a response |
i think |
There was a problem hiding this comment.
Thanks a lot @fabriziopandini!
The initial reaction is that this looks good, but I have comments/questions on how to manage the certs and identities in this scenario.
| - "@fabriziopandini" | ||
| owning-sig: sig-cluster-lifecycle | ||
| reviewers: | ||
| - "@cha” |
| owning-sig: sig-cluster-lifecycle | ||
| reviewers: | ||
| - "@cha” | ||
| - "@jdtibier" |
| using kubeadm in combination with some scripts and/or automation tools (e.g. | ||
| [this](https://kubernetes.io/docs/setup/independent/high-availability/)), this KEP was | ||
| designed with the objective to introduce an upstream simple and reliable solution for | ||
| achieving the same goal. |
There was a problem hiding this comment.
... with important non-goals. Say clearly (also in the summary) that this doesn't solve every case or even the full end-to-end flow automatically
| user stories for creating an highly available Kubernetes cluster, but instead | ||
| focuses on: | ||
|
|
||
| - Defining a generic and extensible flow for bootstrapping an HA cluster, the |
There was a problem hiding this comment.
a cluster consisting of multiple masters instead of HA?
|
|
||
| Higher-level tools could create nodes in parallel (both masters and workers) | ||
| for reducing the overall cluster startup time. | ||
| `kubeadm join --master` should support natively this practice without requiring |
There was a problem hiding this comment.
You can create in parallel bootstrap master, secondary masters and workers because:
- all the joining nodes (secondary masters and workers) use the same discovery mechanism, that "automatically" waits for the bootstrap master to complete its setup
- the joining nodes (secondary masters and workers) can join in any order
|
|
||
| #### Static workflow (advertise-address != `controlplaneAddress`) | ||
|
|
||
| In case of a static bootstrap workflow the final layout of the controlplane - the number, the |
There was a problem hiding this comment.
what is technically the difference between these?
There was a problem hiding this comment.
This was discussed in some kubeadm office hours meetings, and I wrote also a blog post with all the details https://blog.heptio.com/kubernetes-ha-under-x-ray-5d05f552c9f
| (`kubeadm join --master` will fail immediately), but nothing in this proposal should | ||
| prevent to address this in subsequent phases. | ||
|
|
||
| #### Strategies for distributing cluster certificates |
There was a problem hiding this comment.
Please dive into how the CSR API could be utilized in an external CA-world.
It'd be cool to just use the CSR API, but we're stuck needing the front-proxy clientcert for the API server and the SA key that is not bound to the CA.
There was a problem hiding this comment.
I would prefer to keep this out of scope of this scope, because it does not apply specifically to the multi-master scenario (e.g. it is relevant also for the existing kubeadm join workflow).
Never the less I totally agree the we should document how the CSR API could be used in an external CA-world, but I don't have real expertise in this. Eventually, let's raise the topic at the sig-meeting
| Nothing in this proposal prevents implementation of `kubeadm upgrade` for HA cluster. | ||
|
|
||
| Further detail will be provided in a subsequent release of this KEP when all the detail | ||
| of the `v1Beta1` release of kubeadm api will be available (including a proper modeling |
|
|
||
| ## Drawbacks | ||
|
|
||
| The kubeadm join --master workflow requires that some condition are satisfied at `kubeadm-init` time, |
| proposal (`kubeadm join --master` will fail immediately), but nothing in this proposal | ||
| should prevent to address this in subsequent phases. | ||
|
|
||
| #### `kubeadm upgrade` for HA clusters |
There was a problem hiding this comment.
can you dive into exactly how and in which order the upgrade should be performed.
i.e. upgrade etcd fully first (in some way out of scope for this proposal probably), then remove one master from the loadbalancer, upgrade it, (add it back to the LB, or not). Upgrades without downtime supported officially or not? etc. etc.
There was a problem hiding this comment.
The only prior art I'm aware of is https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-upgrade-ha/ , but I'm not sure there is already a consensus about how to do this, and so I prefer to get a first release of the KEP approved and the iterate on the upgrade part.
|
/assign |
fabriziopandini
force-pushed
the
kubeadm-join-master2
branch
from
efc199f
to
fd91c5b
Compare
|
@luxas I provided answer to your questions and addressed all comments. Let me know if there is something that requires further deep dives. |
fabriziopandini
force-pushed
the
kubeadm-join-master2
branch
from
fd91c5b
to
1c55635
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
There was a problem hiding this comment.
I'm trying to understand exactly how this is different than kubeadm init and I'm having a bit of trouble.
Under the section that outlines kubeadm join --master [New step], I don't see anything new.
The static workflow case is taken care of today with a carefully crafted kubeadm init --config=config.yaml. This is documented in official docs. Its almost exactly this document:
- A user must copy certificates across nodes
- A user must run some command on the new node
The dynamic case is more interesting, but I think this document handwaves over the manual steps the user will have to take regardless. For instance, the api-serving-cert will have to be regenerated on the bootstrapping master or copied over from the new master to the bootstrapping master.
What are we getting from a kubeadm join --master that kubeadm init --config=config.yaml is not getting us?
|
|
||
| - Provide support both for dynamic and static bootstrap flow | ||
|
|
||
| At the time a user is running `kubeadm init`, he might not know what |
There was a problem hiding this comment.
please use gender neutral pronouns throughout. This should be
At the time a user is running
kubeadm init, they might ...
| in advance the target layout of the controlplane instances (the number, the name and the IP | ||
| of master nodes). | ||
|
|
||
| - Support different etcd deployment scenarios, and more specifically run master nodes components |
There was a problem hiding this comment.
we're calling these stacked control plane nodes in the upstream documentation if you want to use that language here for consistency.
| - This proposal doesn't include a solution for etcd cluster management (but nothing in this proposal should | ||
| prevent to address this in future). | ||
|
|
||
| > At the time of writing, the CoreOS recommended approach for etcd is to run |
There was a problem hiding this comment.
This section adds confusion -- where etcd is run entirely depends on what the goals of the cluster are. Kubeadm provides instructions for both, single etcd (traditional kubeadm workflow), external etcd (bootstrapped with kubeadm) and stacked control planes.
I think you can delete this paragraph if you want.
| neither in the initial proposal nor in the foreseeable future (but nothing in this proposal should | ||
| explicitly prevent to reconsider this in future as well). | ||
|
|
||
| - This proposal doesn't provide an automated solution for transferring the CA key and other required |
There was a problem hiding this comment.
I cannot wait until we solve this
|
|
||
| - if the user is not planning to distribute the apiserver certificate among masters, kubeadm | ||
| will generate a new apiserver serving certificate with the required SANS | ||
| - if the user is planning to distribute the apiserver certificate among masters, he/she/the |
There was a problem hiding this comment.
can you delete the "he/she" part? This reads fine with "the operator".
fabriziopandini
force-pushed
the
kubeadm-join-master2
branch
from
1c55635
to
e7520a4
Compare
|
@chuckha thanks for your comments! What we are getting on top is the fact that we are going to simplify what the user has to do for getting a multi-master cluster up and running, and at the same time, we are reducing the probability to make errors along the way. This is basically achieved by:
On top of that :
Does this sound good to you? PS. the above points are documented in the alternatives paragraphs; let me know if this should be further clarified |
|
BTW, during one of the meeting last week we've agreed that |
|
/lgtm Thanks for the detailed response @fabianofranz. I think the alternatives section is good. I think you have to intimately know the code to get |
k8s-ci-robot
added
the
lgtm
|
@fabianofranz I believe this KEP should be number |
Update to the kubeadm join --master KEP
/area kubeadm
/sig sig-cluster-lifecycle
@kubernetes/sig-cluster-lifecycle-pr-reviews
/CC @luxas @timothysc