kubeadm-reset: add notes about more manual cleanup steps #49448
Conversation
/cc @SataQiu @pacoxu @carlory

> ### Network traffic assets cleanup
>
> The `kubeadm reset` command does not clean any iptables, nftables or IPVS assets applied
changing 'traffic assets' to 'traffic rules', despite IPVS using 'tables', afaik.
> The output of the above command should print `DONE` at the end.
> Instead of `docker` you can use an alternative tool such as `nerdctl` or `crictl`.
Nodes may not contain the `docker` command since Kubernetes removed the dockershim support. `nerdctl` may be a better example than the `docker` command. `crictl` is incompatible with the `docker` command; it is hard for many users to start and run a container to do cleanup work without an example.
Compared to containerd and docker, crictl is not friendly to users in this task. I prefer to remove it.
I'm not sure whether the `nerdctl` binary is installed by default on nodes. Maybe `ctr` is more common. For example:

```
(base) ➜ ~ kind create cluster -n demo
Creating cluster "demo" ...
 ✓ Ensuring node image (kindest/node:v1.32.0) 🖼
 ✓ Preparing nodes 📦
 ✓ Writing configuration 📜
 ✓ Starting control-plane 🕹️
 ✓ Installing CNI 🔌
 ✓ Installing StorageClass 💾
Set kubectl context to "kind-demo"
You can now use your cluster with:

kubectl cluster-info --context kind-demo

Have a question, bug, or feature request? Let us know! https://kind.sigs.k8s.io/#community 🙂
(base) ➜ ~ docker exec -it demo-control-plane bash
root@demo-control-plane:/# nerdctl
bash: nerdctl: command not found
root@demo-control-plane:/# kubeadm reset
root@demo-control-plane:/# ctr i ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
root@demo-control-plane:/# ctr i pull registry.k8s.io/kube-proxy:v1.32.0
registry.k8s.io/kube-proxy:v1.32.0: resolved |++++++++++++++++++++++++++++++++++++++|
index-sha256:6aee00d0c7f4869144d1bdbbed7572cd55fd1a4d58fef5a21f53836054cb39b4: exists |++++++++++++++++++++++++++++++++++++++|
manifest-sha256:49a3f84e8bce619ff28cc9158971b0e52c46c250b134f0c480724737dcc28730: exists |++++++++++++++++++++++++++++++++++++++|
layer-sha256:4170bfc2cfa28b288cfcd60bb36f514f1c9205c022d23ecbdfc12da09ec16836: done |++++++++++++++++++++++++++++++++++++++|
config-sha256:2f50386e20bfdb3f3b38672c585959554196426c66cc1905e7e7115c47cc2e67: exists |++++++++++++++++++++++++++++++++++++++|
layer-sha256:3a0d728ec69d783850f9c318b97adfc9c6f726b7d075e0a22b8c2725ba0607e1: done |++++++++++++++++++++++++++++++++++++++|
elapsed: 4.9 s total: 25.3 M (5.2 MiB/s)
unpacking linux/arm64/v8 sha256:6aee00d0c7f4869144d1bdbbed7572cd55fd1a4d58fef5a21f53836054cb39b4...
done: 384.1175ms
root@demo-control-plane:/# ctr run --rm --privileged registry.k8s.io/kube-proxy:v1.32.0 kube-proxy sh -c "kube-proxy --cleanup && echo DONE"
I0116 03:33:31.409626 7 server_linux.go:66] "Using iptables proxy"
time="2025-01-16T03:33:31Z" level=warning msg="Running modprobe ip_vs failed with message: `modprobe: WARNING: Module ip_vs not found in directory /lib/modules/6.10.14-linuxkit`, error: exit status 1"
DONE
```
```
root@demo-control-plane:/# iptables -S INPUT
-P INPUT ACCEPT
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A INPUT -m comment --comment "kubernetes health check service ports" -j KUBE-NODEPORTS
-A INPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes externally-visible service portals" -j KUBE-EXTERNAL-SERVICES
-A INPUT -j KUBE-FIREWALL
root@demo-control-plane:/# iptables -S OUTPUT
-P OUTPUT ACCEPT
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes load balancer firewall" -j KUBE-PROXY-FIREWALL
-A OUTPUT -m conntrack --ctstate NEW -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A OUTPUT -j KUBE-FIREWALL
```

The above chains are not removed. Should we document this?
> Nodes may not contain the `docker` command since Kubernetes removed the dockershim support. `nerdctl` may be a better example than the `docker` command. `crictl` is incompatible with the `docker` command; it is hard for many users to start and run a container to do cleanup work without an example.

> Compared to containerd and docker, crictl is not friendly to users in this task. I prefer to remove it.

It just boils down to preference. The users can just use what they want. `crictl` is indeed complicated, but k8s owns a deb/rpm package for it and it's probably the most available on nodes. `docker` and `nerdctl` are probably missing but easy to use.
`ctr` is containerd-specific and not available for cri-o users.
> The above chains are not removed. Should we document this?

kubernetes/kubeadm#3133 (comment)
kubernetes/kubernetes#129639

SIG Network plans to fix it. I prefer that we don't have a temporary message about it in the docs,
but if you think it's better I can add it.
> SIG Network plans to fix it. I prefer that we don't have a temporary message about it in the docs.

Agreed.
Is it possible to add `podman` as an alternative tool for cri-o? https://www.redhat.com/en/blog/crictl-vs-podman

> Podman’s CLI is based on the Docker CLI giving users a familiar CLI experience.
I don't want us to be listing all possible tools and/or including examples for all of them, so I just updated this to:

> Instead of Docker, you can use your preferred container runtime to start the container.

We assume that our users would know how to run a container on their setup, one way or another.
/lgtm
/lgtm
@tengqm I applied the clarifications you requested.

/approve

[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: SataQiu, tengqm.
/lgtm
Currently the `kubeadm reset` command, when finished, prints the following:

Instead of printing that information from the CLI, we should keep it documented on the website and link to the reset page from the output of the command.

xref: `kube-proxy --cleanup` #49445