OCPNODE-3029: features: add requiredMinimumComponentVersion #2224
Conversation
|
Hello @haircommander! Some important instructions when contributing to openshift/api: |
openshift-ci
bot
added
the
size/XXL
config/v1/types_feature.go
Outdated
| // RequiredMinimumKubeletVersion is the lowest version the MinimumKubeletVersion field in the | ||
| // nodes.config object may be set to to enable this feature. | ||
| // +openshift:enable:FeatureGate=MinimumKubeletVersion | ||
| RequiredMinimumKubeletVersion string `json:"requiredMinimumKubeletVersion,omitempty"` |
There was a problem hiding this comment.
Would prefer we make this future extensible, by making this a list type with a map key
requiredMinimumComponentVersion:
- component: Kubelet
minimumVersion: 1.30.0
This would mean in the future we can add other minimum required components e.g. boot images, KAS etc if we find a need for it in the future
This would prevent people proxying the version through an association with kubelet and allow specific operators to act upon their minimum for their component
There was a problem hiding this comment.
Field needs to be marked as optional, with map key of component, component should be an enum type with a single valid value for now, maximum length of the list is 1
haircommander
force-pushed
the
required-min-kubelet-version
branch
from
c06e6c6 to
49b8e6d
Compare
config/v1/types_feature.go
Outdated
| // RequiredMinimumKubeletVersion is the lowest version the MinimumKubeletVersion field in the | ||
| // nodes.config object may be set to to enable this feature. |
There was a problem hiding this comment.
Godoc has not been updated per the new version of this field
config/v1/types_feature.go
Outdated
| // possible (probable?) future additions include | ||
| // 1. support level (Stable, ServiceDeliveryOnly, TechPreview, DevPreview) | ||
| // 2. description | ||
| } | ||
|
|
||
| type RequiredMinimumComponentVersion struct { | ||
| Component RequiredMinimumComponent `json:"component"` | ||
| // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty" |
There was a problem hiding this comment.
What is the use case for empty string?
config/v1/types_feature.go
Outdated
| Component RequiredMinimumComponent `json:"component"` | ||
| // +kubebuilder:validation:XValidation:rule="self == \"\" || self.matches('^[0-9]*.[0-9]*.[0-9]*$')",message="minmumKubeletVersion must be in a semver compatible format of x.y.z, or empty" | ||
| // +kubebuilder:validation:MaxLength:=8 | ||
| // +openshift:enable:FeatureGate=MinimumKubeletVersion |
There was a problem hiding this comment.
Only need this at the parent level
config/v1/types_feature.go
Outdated
| Version string `json:"version"` | ||
| } | ||
|
|
||
| // +kubebuilder:validation:Enum:=kubelet |
There was a problem hiding this comment.
Enums should be PascalCase
| // +kubebuilder:validation:Enum:=kubelet | |
| // +kubebuilder:validation:Enum:=Kubelet |
haircommander
changed the title
haircommander
force-pushed
the
required-min-kubelet-version
branch
from
49b8e6d to
cab7937
Compare
there's a number of errors not related to the PR, should I fix these too? |
Make sure your local |
|
/retest |
haircommander
changed the title
openshift-ci-robot
added
the
jira/valid-reference
|
@haircommander: This pull request references OCPNODE-3029 which is a valid jira issue. Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
haircommander
force-pushed
the
required-min-kubelet-version
branch
2 times, most recently
from
55e32df to
1cedbe3
Compare
config/v1/types_feature.go
Outdated
| // Currently, the only supported component is Kubelet, and setting a required minimum kubelet component will set the | ||
| // minimumKubeletVersion field in the nodes.config.openshift.io CRD. |
There was a problem hiding this comment.
and setting a required minimum kubelet component will set the
// minimumKubeletVersion field in the nodes.config.openshift.io CRD
I'm struggling with what this actually means. Who/what is modifying nodes.config? Does the presence of a gate having a minimum version force that nodes.config to a specific value?
There was a problem hiding this comment.
cluster admin sets it. it functionally forces though not practically. if the admin wants access to that feature then they set the correct minimum kubelet version, otherwise they don't get it
There was a problem hiding this comment.
How would an admin know that they need to do this? When the admin has no opinion, I would normally expect the feature to get enabled automatically assuming that the cluster can handle it.
Would it make sense (you may have discussed this already) for the feature gate to be considered enabled when the nodes.config minimum is not set, and leave it up to MCO (I assume MCO knows what version of Kubelet a pool is running) to filter out the gates that aren't applicable to this pool? Or does that make a weird situation where gates are enabled in some pools but not others?
What happens for a new cluster, does the minimumKubeletVersion get set on the nodes.config automatically? Or would we have these features just turned off unless someone happens to set the config?
There was a problem hiding this comment.
How would an admin know that they need to do this?
I intend on this being a documentation thing
When the admin has no opinion, I would normally expect the feature to get enabled automatically assuming that the cluster can handle it.
i prefer the opt in because min kubelet verison is mostly a promise that the admin won't try to add nodes that are a lower version (in addition to the promise that they have none currently
Would it make sense (you may have discussed this already) for the feature gate to be considered enabled when the nodes.config minimum is not set, and leave it up to MCO (I assume MCO knows what version of Kubelet a pool is running) to filter out the gates that aren't applicable to this pool? Or does that make a weird situation where gates are enabled in some pools but not others?
yeah since featuregate object is cluster wide I think we should have featuregates be consistent
What happens for a new cluster, does the minimumKubeletVersion get set on the nodes.config automatically?
nope, fully opt in IMO
There was a problem hiding this comment.
yeah since featuregate object is cluster wide I think we should have featuregates be consistent
What do you mean here, can you expand? I'm not following?
nope, fully opt in IMO
Ok, so, lets say over time there are many features that are now gated based on a minimum version. And the cluster admin has never set a minimum version in the nodes.config, what will be the state of all these features?
I expect over time that the gates are actually removed upstream, so eventually the features will come on, but later (3 releases?) than they otherwise would have done? Does this mean then, that the feature here allows an admin to opt-into these features earlier, but in the worst case, if they do nothing, the features still get turned on based on the upstream cadence? Or is it then behind the upstream cadence?
What node skew do we support within OpenShift, is it N-3? So lets say we had a feature gate gated by 1.30, would it be safe to enable it in 1.33 without any nodes.config minimum kubelet version?
There was a problem hiding this comment.
What do you mean here, can you expand? I'm not following?
Since the openshift api for configuring feature gates is cluster level (not configured per machine pool) it'd feel odd to me to have differing feature based on node pool
There was a problem hiding this comment.
Right exactly. A feature author can remove the required min version for a feature when the skew is such that we will support it on all supported node skews, at which point the feature will be on by default for everyone. Until then, it should be gated and would only be on by default if min version was set
There was a problem hiding this comment.
Going back to the original question on the thread, this sentence doesn't say to me that the nodes config needs to be set, it says it will be set, implying that an action here makes it so there. We should update the wording here
There was a problem hiding this comment.
This thread is still outstanding
haircommander
force-pushed
the
required-min-kubelet-version
branch
from
1cedbe3 to
59c2758
Compare
config/v1/types_feature.go
Outdated
| @@ -112,6 +112,16 @@ type FeatureGateStatus struct { | |||
| // +listType=map | |||
| // +listMapKey=version | |||
| FeatureGates []FeatureGateDetails `json:"featureGates"` | |||
|
|
|||
There was a problem hiding this comment.
We wanted to include a generation field in here that would be monotonically increasing every time the featureGates/renderedMinimumComponentVersions list changes
There was a problem hiding this comment.
I don't currently see this as necessary actually . How would the handling be different than a user manually changing the featureset in a custom no upgrade case?
There was a problem hiding this comment.
Yeah, it would be about the same. The intention of the generation was that we thought we'd be able to use it to show the MCP had rolled out the latest observed generation of the feature gates. What signal will we use to check the MCP has rolled out the latest version of these changes?
There was a problem hiding this comment.
my current approach is using the MCP updated condition similar to how the MCS serves the config, because the MCS serving in the config will be how a lower versioned node gets its config, so after the new config is rendered it should be safe for a lower version node to be created
There was a problem hiding this comment.
Is there a race condition that you need to be careful of here? The feature gates get updated, the MCP condition says it's up to date, you continue, the MCP controller then realises the FG change and marks the updated condition false?
How do we ensure that the MCP controller has seen the change before we observe the updated condition?
There was a problem hiding this comment.
yeah I have to get some advice from MCO team on that, but there is an ObservedGeneration field in the mcp status I intend on checking
config/v1/types_feature.go
Outdated
| // Currently, the only supported component is Kubelet, and setting a required minimum kubelet component will set the | ||
| // minimumKubeletVersion field in the nodes.config.openshift.io CRD. |
There was a problem hiding this comment.
Going back to the original question on the thread, this sentence doesn't say to me that the nodes config needs to be set, it says it will be set, implying that an action here makes it so there. We should update the wording here
Signed-off-by: Peter Hunt <[email protected]>
haircommander
force-pushed
the
required-min-kubelet-version
branch
from
59c2758 to
2b1af83
Compare
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: haircommander The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
config/v1/types_feature.go
Outdated
| // Currently, the only supported component is Kubelet, and setting a required minimum kubelet component will set the | ||
| // minimumKubeletVersion field in the nodes.config.openshift.io CRD. |
There was a problem hiding this comment.
This thread is still outstanding
| // +required | ||
| Component MinimumComponent `json:"component"` | ||
| // version is the minimum version the given component may be in this cluster. | ||
| // version must be in semver format (x.y.z) and must consist only of numbers and periods (.). |
There was a problem hiding this comment.
Is there a way to explain that this version is the Kubernetes version, so we know it's going to be ~1.32 and not ~4.19?
There was a problem hiding this comment.
Can we add some tests specifically for the new fields?
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
…rsion to 1.30.0 which is the lowest version the kubelet will deny a pod if a userns can't be created Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
Signed-off-by: Peter Hunt <[email protected]>
haircommander
force-pushed
the
required-min-kubelet-version
branch
from
2b1af83 to
619b24b
Compare
|
@haircommander: The following tests failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
this is an optional field that allows a feature author to declare the minimum version a kubelet on an openshift node can be to use said feature.
This PR also sets UserNamespace related features to set their requiredMinimumKubeletVersion to
1.30.0.