Kubeadm operator

[shekhar-rajak]

Enhancement Description

• One-line enhancement description (can be used as a release note): Kubeadm operator
• Kubernetes Enhancement Proposal:

https://github.com/kubernetes/enhancements/tree/master/keps/sig-cluster-lifecycle/kubeadm/2505-Kubeadm-operator

Summary

Kubeadm operator would like to enable declarative control of kubeadm workflows, automating the execution and the orchestration of such tasks across existing nodes in a cluster.

Motivation

Kubeadm binary can execute operations only on the machine where it is running e.g. it is not possible to execute operations on other nodes, to copy files across nodes, etc.

As a consequence, most of the kubeadm workflows, like kubeadm upgrade, consists of a complex sequence of tasks that should be manually executed and orchestrated across all the existing nodes in the cluster.

Such a user experience is not ideal due to the error-prone nature of humans running commands. The manual approach can be considered a blocker for implementing more complex workflows such as rotating certificate authorities, modifying the settings of an existing cluster or any task that requires coordination of more than one Kubernetes node.

This KEP aims to address such problems by applying the operator pattern to kubeadm workflows.

• Discussion Link:
• Primary contact (assignee): @fabriziopandini
• Responsible SIGs: sig-cluster-lifecycle
• Enhancement target (which target equals to which milestone):
  • Alpha release target (x.y): TODO
  • Beta release target (x.y): TODO
  • Stable release target (x.y): TODO
• [ ] Alpha
  • [ ] KEP (k/enhancements) update PR(s):
  • [ ] Code (k/k) update PR(s):
  • [ ] Docs (k/website) update PR(s):

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

[fejta-bot]

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

[neolit123]

/remove-lifecycle stale

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[neolit123]

/remove-lifecycle stale

[pacoxu]

Any plan for this feature

[neolit123]

We haven't dropped the idea. It would support useful features like cluster wide upgrades and cert rotations.

Similarly to other area of kubeadm. Someone has to have the time to work on it.

If someone starts work on it again i would like for us to discuss trimming down the heavy boilerplate that kube builder adds.

[fabriziopandini]

I have a prototype and many ideas around this and the kubeadm, library...

[k8s-triage-robot]

The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs.

This bot triages issues and PRs according to the following rules:

• After 90d of inactivity, lifecycle/stale is applied
• After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
• After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

• Mark this issue or PR as fresh with /remove-lifecycle stale
• Mark this issue or PR as rotten with /lifecycle rotten
• Close this issue or PR with /close
• Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

[fabriziopandini]

/lifecycle frozen

[chendave]

/cc

I will evaluate this feature and see if we can move forward this.

[pacoxu]

https://github.com/pacoxu/kubeadm-operator/issues/53 I did some init implementation for upgrade and certs renew.

I got a problem to implement the kubeadm operator.

1. how to restart kubelet? It is not suggested to run systemctl restart kubelet inside a pod for security concerns.
2. I got a problem to replace the kubelet bin when kubelet is running.(file busy)

If kubelet is not restarted, the apiserver will be the new version and kubelet will be n-1 version.

• A workaround for me, I can start a daemon process on every node to check if kubelet version of /usr/bin/kubelet and /usr/bin/kubelet-new are different. If they are different, it will trigger to execute systemctl stop kubelet && /usr/bin/cp /usr/bin/kubelet-new /usr/bin/kubelet && systemctl restart kubelet. This is not that convenient.

Some other thoughts, can we kill kubelet inside pod? Or can we add a flag file in hostPath to let kubelet know it should be restarted? I don't know if there is a simple way to restart kubelet by a kubelet API calling or other methods.

[chendave]

@pacoxu I am also working on this, all those work for my side are still under internal maintained. It's okay for you to join in but we'd better to sync with each other to avoid the duplicated effort on this.

our work is based on @fabriziopandini's POC, how about yours?

If kubelet is not restarted, the apiserver will be the new version and kubelet will be n-1 version.

This is indeed an issue, so far it is fine since kubelet 1.24 will continue to work with apisever 1.25, but this must be taken care because of the changing from cri support on docker.

[pacoxu]

our work is based on @fabriziopandini's POC, how about yours?

https://github.com/pacoxu/kubeadm-operator/issues/2 The same. The POC was removed from kubeadm code base in https://github.com/kubernetes/kubeadm/pull/2342.

[chendave]

cc @ruquanzhao for awareness, we need to figure out a solution on the upgrade of kubelet as well.

[neolit123]

big +1 for multiple people collaborating on this. happy to help with more ideas / review when needed.

Some other thoughts, can we kill kubelet inside pod? Or can we add a flag file in hostPath to let kubelet know it should be restarted? I don't know if there is a simple way to restart kubelet by a kubelet API calling or other methods.

i don't think there is an API to restart kubelet. then again, that would restart a particular kubelet and we want to upgrade the binary too.

A workaround for me, I can start a daemon process on every node to check if kubelet version of /usr/bin/kubelet and /usr/bin/kubelet-new are different. If they are different, it will trigger to execute systemctl stop kubelet && /usr/bin/cp /usr/bin/kubelet-new /usr/bin/kubelet && systemctl restart kubelet. This is not that convenient.

this sounds like one of the ways to do it. i don't think i have and significantly better ideas right now. e.g. we could (somehow) deploy scripts on the hosts that manage the kubelet restart cycle and upgrade even if the pods that the operator DS deploys are killed due to a kubelet restart.

how to restart kubelet? It is not suggested to run systemctl restart kubelet inside a pod for security concerns.

the operator will have have to have super powers on the hosts, so it will be considered as a trusted "actor"...there is no other way to manage component upgrade (kubeadm, kubelet) and cert rotation, etc.

[pacoxu]

I can build the workaround into a script.

the operator will have to have super powers on the hosts, so it will be considered as a trusted "actor"...there is no other way to manage component upgrade (kubeadm, kubelet) and cert rotation, etc.

If we restart kubelet inside pod, I tried to mount /run/systemd & /var/run/dbus/system_bus_socket and /sys/fs/cgroup to the agent and set privileged/hostPID to true, but the systemctl restart kubelet still failed. I am not sure what I am missing.

[pacoxu]

I write a simple kubelet-reloader

• kubelet-reloader will watch on /usr/bin/kubelet-new.
• once there is a different version of kubelet-new, the reloader will replace /usr/bin/kubelet and restart kubelet.

Currently the kubeadm-operator v0.1.0 can support upgrade cross versions like v1.22 to v1.24.

• kubeadm operator will download kubectl/kubelet/kubeadm and upgrade.
• kubelet will be placed in /usr/bin/kubelet-new for kubelet reloader.

See quick-start.

[neolit123]

Thats great. I think we should have our discussion on the k/kubeadm issue to have it in one place. Also cross coordinate with @chendave to avoid duplicated work.

[pacoxu]

https://github.com/kubernetes/kubeadm/issues/2317 may be the right place.

[chendave]

FYI - We have all the initial scope of the KEP https://github.com/kubernetes/enhancements/pull/1239 implemented here: https://github.com/chendave/kubeadm-operator

• kubeadm upgrade
• certificate renewal
• certificate authority rotation (NEW)
• change configuration in an existing cluster (NEW)

But it is still a just POC.

@pacoxu @neolit123 @ruquanzhao

[pacoxu]

We have a try to ask if kubeadm operator can be a sig-clusterlifecyle subproject earlier this year. Some context can be found in https://docs.google.com/document/d/1Gmc7LyCIL_148a9Tft7pdhdee0NBHdOfHS1SAF0duI4/edit#heading=h.xm2jvfwtcfuz sig clusterlifecycle weekly meeting and https://github.com/kubernetes-sigs/cluster-api/issues/7044 cluster-api gathering feedback issue.

• declarative vs imperative: as kubeadm operator is declarative.
• the immutable node topic in CAPI is complicated and there is no clear way to tell if this operator will be ever used in CAPI. uses cases are not clear.