Merge pull request #14356 from hakman/automated-cherry-pick-of-#14333…

…-upstream-release-1.25 Automated cherry pick of #14333: Ensure kubelet configuration from IG takes precedence
kubernetes · Sep 29, 2022 · 8098c61 · 8098c61
2 parents db1c9f3 + ad64cec
commit 8098c61
Show file tree

Hide file tree

Showing 10 changed files with 239 additions and 55 deletions.
diff --git a/k8s/crds/kops.k8s.io_clusters.yaml b/k8s/crds/kops.k8s.io_clusters.yaml
@@ -3489,7 +3489,9 @@ spec:
                     type: boolean
                 type: object
               kubelet:
-                description: KubeletConfigSpec defines the kubelet configuration
+                description: Kubelet is the kubelet configuration for nodes not belonging
+                  to the control plane. It can be overridden by the kubelet configuration
+                  specified in the instance group.
                 properties:
                   allowPrivileged:
                     description: AllowPrivileged enables containers to request privileged
@@ -3917,7 +3919,9 @@ spec:
                   nodes
                 type: string
               masterKubelet:
-                description: KubeletConfigSpec defines the kubelet configuration
+                description: MasterKubelet is the kubelet configuration for nodes
+                  belonging to the control plane It can be overridden by the kubelet
+                  configuration specified in the instance group.
                 properties:
                   allowPrivileged:
                     description: AllowPrivileged enables containers to request privileged

diff --git a/nodeup/pkg/model/kubelet_test.go b/nodeup/pkg/model/kubelet_test.go
@@ -19,6 +19,7 @@ package model
 import (
 	"fmt"
 	"path/filepath"
+	"sort"
 	"testing"
 	"time"
 
@@ -137,6 +138,8 @@ func TestTaintsApplied(t *testing.T) {
 }
 
 func stringSlicesEqual(exp, other []string) bool {
+	sort.Sort(sort.StringSlice(exp))
+	sort.Sort(sort.StringSlice(other))
 	if exp == nil && other != nil {
 		return false
 	}

diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -157,11 +157,15 @@ type ClusterSpec struct {
 	ExternalCloudControllerManager *CloudControllerManagerConfig `json:"cloudControllerManager,omitempty"`
 	KubeScheduler                  *KubeSchedulerConfig          `json:"kubeScheduler,omitempty"`
 	KubeProxy                      *KubeProxyConfig              `json:"kubeProxy,omitempty"`
-	Kubelet                        *KubeletConfigSpec            `json:"kubelet,omitempty"`
-	MasterKubelet                  *KubeletConfigSpec            `json:"masterKubelet,omitempty"`
-	CloudConfig                    *CloudConfiguration           `json:"cloudConfig,omitempty"`
-	ExternalDNS                    *ExternalDNSConfig            `json:"externalDNS,omitempty"`
-	NTP                            *NTPConfig                    `json:"ntp,omitempty"`
+	// Kubelet is the kubelet configuration for nodes not belonging to the control plane.
+	// It can be overridden by the kubelet configuration specified in the instance group.
+	Kubelet *KubeletConfigSpec `json:"kubelet,omitempty"`
+	// MasterKubelet is the kubelet configuration for nodes belonging to the control plane
+	// It can be overridden by the kubelet configuration specified in the instance group.
+	MasterKubelet *KubeletConfigSpec  `json:"masterKubelet,omitempty"`
+	CloudConfig   *CloudConfiguration `json:"cloudConfig,omitempty"`
+	ExternalDNS   *ExternalDNSConfig  `json:"externalDNS,omitempty"`
+	NTP           *NTPConfig          `json:"ntp,omitempty"`
 
 	// NodeTerminationHandler determines the node termination handler configuration.
 	NodeTerminationHandler *NodeTerminationHandlerConfig `json:"nodeTerminationHandler,omitempty"`
@@ -244,20 +248,16 @@ type CloudProviderSpec struct {
 }
 
 // AWSSpec configures the AWS cloud provider.
-type AWSSpec struct {
-}
+type AWSSpec struct{}
 
 // DOSpec configures the Digital Ocean cloud provider.
-type DOSpec struct {
-}
+type DOSpec struct{}
 
 // GCESpec configures the GCE cloud provider.
-type GCESpec struct {
-}
+type GCESpec struct{}
 
 // HetznerSpec configures the Hetzner cloud provider.
-type HetznerSpec struct {
-}
+type HetznerSpec struct{}
 
 type KarpenterConfig struct {
 	Enabled bool `json:"enabled,omitempty"`

diff --git a/pkg/apis/kops/v1alpha2/cluster.go b/pkg/apis/kops/v1alpha2/cluster.go
@@ -156,11 +156,15 @@ type ClusterSpec struct {
 	ExternalCloudControllerManager *CloudControllerManagerConfig `json:"cloudControllerManager,omitempty"`
 	KubeScheduler                  *KubeSchedulerConfig          `json:"kubeScheduler,omitempty"`
 	KubeProxy                      *KubeProxyConfig              `json:"kubeProxy,omitempty"`
-	Kubelet                        *KubeletConfigSpec            `json:"kubelet,omitempty"`
-	MasterKubelet                  *KubeletConfigSpec            `json:"masterKubelet,omitempty"`
-	CloudConfig                    *CloudConfiguration           `json:"cloudConfig,omitempty"`
-	ExternalDNS                    *ExternalDNSConfig            `json:"externalDns,omitempty"`
-	NTP                            *NTPConfig                    `json:"ntp,omitempty"`
+	// Kubelet is the kubelet configuration for nodes not belonging to the control plane.
+	// It can be overridden by the kubelet configuration specified in the instance group.
+	Kubelet *KubeletConfigSpec `json:"kubelet,omitempty"`
+	// MasterKubelet is the kubelet configuration for nodes belonging to the control plane
+	// It can be overridden by the kubelet configuration specified in the instance group.
+	MasterKubelet *KubeletConfigSpec  `json:"masterKubelet,omitempty"`
+	CloudConfig   *CloudConfiguration `json:"cloudConfig,omitempty"`
+	ExternalDNS   *ExternalDNSConfig  `json:"externalDns,omitempty"`
+	NTP           *NTPConfig          `json:"ntp,omitempty"`
 
 	// NodeTerminationHandler determines the cluster autoscaler configuration.
 	NodeTerminationHandler *NodeTerminationHandlerConfig `json:"nodeTerminationHandler,omitempty"`

diff --git a/pkg/apis/kops/v1alpha3/cluster.go b/pkg/apis/kops/v1alpha3/cluster.go
@@ -155,11 +155,15 @@ type ClusterSpec struct {
 	ExternalCloudControllerManager *CloudControllerManagerConfig `json:"cloudControllerManager,omitempty"`
 	KubeScheduler                  *KubeSchedulerConfig          `json:"kubeScheduler,omitempty"`
 	KubeProxy                      *KubeProxyConfig              `json:"kubeProxy,omitempty"`
-	Kubelet                        *KubeletConfigSpec            `json:"kubelet,omitempty"`
-	MasterKubelet                  *KubeletConfigSpec            `json:"masterKubelet,omitempty"`
-	CloudConfig                    *CloudConfiguration           `json:"cloudConfig,omitempty"`
-	ExternalDNS                    *ExternalDNSConfig            `json:"externalDNS,omitempty"`
-	NTP                            *NTPConfig                    `json:"ntp,omitempty"`
+	// Kubelet is the kubelet configuration for nodes not belonging to the control plane.
+	// It can be overridden by the kubelet configuration specified in the instance group.
+	Kubelet *KubeletConfigSpec `json:"kubelet,omitempty"`
+	// MasterKubelet is the kubelet configuration for nodes belonging to the control plane
+	// It can be overridden by the kubelet configuration specified in the instance group.
+	MasterKubelet *KubeletConfigSpec  `json:"masterKubelet,omitempty"`
+	CloudConfig   *CloudConfiguration `json:"cloudConfig,omitempty"`
+	ExternalDNS   *ExternalDNSConfig  `json:"externalDNS,omitempty"`
+	NTP           *NTPConfig          `json:"ntp,omitempty"`
 
 	// NodeTerminationHandler determines the cluster autoscaler configuration.
 	NodeTerminationHandler *NodeTerminationHandlerConfig `json:"nodeTerminationHandler,omitempty"`
@@ -241,20 +245,16 @@ type CloudProviderSpec struct {
 }
 
 // AWSSpec configures the AWS cloud provider.
-type AWSSpec struct {
-}
+type AWSSpec struct{}
 
 // DOSpec configures the Digital Ocean cloud provider.
-type DOSpec struct {
-}
+type DOSpec struct{}
 
 // GCESpec configures the GCE cloud provider.
-type GCESpec struct {
-}
+type GCESpec struct{}
 
 // HetznerSpec configures the Hetzner cloud provider.
-type HetznerSpec struct {
-}
+type HetznerSpec struct{}
 
 type KarpenterConfig struct {
 	Enabled bool `json:"enabled,omitempty"`

diff --git a/upup/pkg/fi/cloudup/populate_cluster_spec_test.go b/upup/pkg/fi/cloudup/populate_cluster_spec_test.go
@@ -177,6 +177,28 @@ func TestPopulateCluster_StorageDefault(t *testing.T) {
 	}
 }
 
+func TestPopulateCluster_EvictionHard(t *testing.T) {
+	cloud, c := buildMinimalCluster()
+
+	err := PerformAssignments(c, cloud)
+	if err != nil {
+		t.Fatalf("error from PerformAssignments: %v", err)
+	}
+
+	c.Spec.Kubelet = &kopsapi.KubeletConfigSpec{
+		EvictionHard: fi.String("memory.available<250Mi"),
+	}
+
+	full, err := mockedPopulateClusterSpec(c, cloud)
+	if err != nil {
+		t.Fatalf("Unexpected error from PopulateCluster: %v", err)
+	}
+
+	if fi.StringValue(full.Spec.Kubelet.EvictionHard) != "memory.available<250Mi" {
+		t.Fatalf("Unexpected StorageBackend: %v", *full.Spec.Kubelet.EvictionHard)
+	}
+}
+
 func build(c *kopsapi.Cluster) (*kopsapi.Cluster, error) {
 	cloud, err := BuildCloud(c)
 	if err != nil {

diff --git a/upup/pkg/fi/cloudup/populate_instancegroup_spec.go b/upup/pkg/fi/cloudup/populate_instancegroup_spec.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"strings"
 
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/klog/v2"
 
 	"k8s.io/kops/pkg/apis/kops"
@@ -74,7 +75,7 @@ func PopulateInstanceGroupSpec(cluster *kops.Cluster, input *kops.InstanceGroup,
 	ig := &kops.InstanceGroup{}
 	reflectutils.JSONMergeStruct(ig, input)
 
-	spec := &ig.Spec
+	igSpec := &ig.Spec
 
 	// TODO: Clean up
 	if ig.IsMaster() {
@@ -223,39 +224,57 @@ func PopulateInstanceGroupSpec(cluster *kops.Cluster, input *kops.InstanceGroup,
 		ig.Spec.Manager = kops.InstanceManagerCloudGroup
 	}
 
-	if spec.Kubelet == nil {
-		spec.Kubelet = &kops.KubeletConfigSpec{}
+	if igSpec.Kubelet == nil {
+		igSpec.Kubelet = &kops.KubeletConfigSpec{}
 	}
 
-	kubeletConfig := spec.Kubelet
-
-	// We include the NodeLabels in the userdata even for Kubernetes 1.16 and later so that
-	// rolling update will still replace nodes when they change.
-	kubeletConfig.NodeLabels = nodelabels.BuildNodeLabels(cluster, ig)
-
-	kubeletConfig.Taints = append(kubeletConfig.Taints, spec.Taints...)
-
+	var igKubeletConfig *kops.KubeletConfigSpec
+	// Start with the cluster kubelet config
 	if ig.IsMaster() {
-		reflectutils.JSONMergeStruct(kubeletConfig, cluster.Spec.MasterKubelet)
-
+		if cluster.Spec.MasterKubelet != nil {
+			igKubeletConfig = cluster.Spec.MasterKubelet.DeepCopy()
+		} else {
+			igKubeletConfig = &kops.KubeletConfigSpec{}
+		}
 		// A few settings in Kubelet override those in MasterKubelet. I'm not sure why.
 		if cluster.Spec.Kubelet != nil && cluster.Spec.Kubelet.AnonymousAuth != nil && !*cluster.Spec.Kubelet.AnonymousAuth {
-			kubeletConfig.AnonymousAuth = fi.Bool(false)
+			igKubeletConfig.AnonymousAuth = fi.Bool(false)
 		}
 	} else {
-		reflectutils.JSONMergeStruct(kubeletConfig, cluster.Spec.Kubelet)
+		if cluster.Spec.Kubelet != nil {
+			igKubeletConfig = cluster.Spec.Kubelet.DeepCopy()
+		} else {
+			igKubeletConfig = &kops.KubeletConfigSpec{}
+		}
 	}
 
+	// We include the NodeLabels in the userdata even for Kubernetes 1.16 and later so that
+	// rolling update will still replace nodes when they change.
+	igKubeletConfig.NodeLabels = nodelabels.BuildNodeLabels(cluster, ig)
+
+	useSecureKubelet := fi.BoolValue(igKubeletConfig.AnonymousAuth)
+
+	// While slices are overridden in most cases, taints are explicitly merged
+	taints := sets.NewString(igKubeletConfig.Taints...)
+	taints.Insert(igSpec.Taints...)
 	if ig.Spec.Kubelet != nil {
-		useSecureKubelet := fi.BoolValue(kubeletConfig.AnonymousAuth)
+		taints.Insert(igSpec.Kubelet.Taints...)
+	}
+	if cluster.Spec.Kubelet != nil {
+		taints.Insert(cluster.Spec.Kubelet.Taints...)
+	}
+	if ig.Spec.Kubelet != nil {
+		reflectutils.JSONMergeStruct(igKubeletConfig, ig.Spec.Kubelet)
+	}
 
-		reflectutils.JSONMergeStruct(kubeletConfig, spec.Kubelet)
+	igKubeletConfig.Taints = taints.List()
 
-		if useSecureKubelet {
-			kubeletConfig.AnonymousAuth = fi.Bool(false)
-		}
+	if useSecureKubelet {
+		igKubeletConfig.AnonymousAuth = fi.Bool(false)
 	}
 
+	ig.Spec.Kubelet = igKubeletConfig
+
 	return ig, nil
 }
 

diff --git a/upup/pkg/fi/cloudup/populate_instancegroup_spec_test.go b/upup/pkg/fi/cloudup/populate_instancegroup_spec_test.go
@@ -109,7 +109,6 @@ func TestPopulateInstanceGroup_AddTaintsCollision3(t *testing.T) {
 	}
 
 	channel := &kopsapi.Channel{}
-
 	cloud, err := BuildCloud(cluster)
 	if err != nil {
 		t.Fatalf("error from BuildCloud: %v", err)
@@ -119,7 +118,99 @@ func TestPopulateInstanceGroup_AddTaintsCollision3(t *testing.T) {
 		t.Fatalf("error from PopulateInstanceGroupSpec: %v", err)
 	}
 	if len(output.Spec.Kubelet.Taints) != 2 {
-		t.Errorf("Expected only 2 taints, got %d", len(output.Spec.Kubelet.Taints))
+		t.Errorf("Expected 2 taints, got %d", len(output.Spec.Kubelet.Taints))
+	}
+}
+
+func TestPopulateInstanceGroup_EvictionHard(t *testing.T) {
+	_, cluster := buildMinimalCluster()
+	cluster.Spec.Kubelet = &kopsapi.KubeletConfigSpec{
+		EvictionHard: fi.String("memory.available<350Mi"),
+	}
+	input := buildMinimalNodeInstanceGroup()
+	input.Spec.Kubelet = &kopsapi.KubeletConfigSpec{
+		EvictionHard: fi.String("memory.available<250Mi"),
+	}
+
+	channel := &kopsapi.Channel{}
+
+	cloud, err := BuildCloud(cluster)
+	if err != nil {
+		t.Fatalf("error from BuildCloud: %v", err)
+	}
+	output, err := PopulateInstanceGroupSpec(cluster, input, cloud, channel)
+	if err != nil {
+		t.Fatalf("error from PopulateInstanceGroupSpec: %v", err)
+	}
+	if fi.StringValue(output.Spec.Kubelet.EvictionHard) != "memory.available<250Mi" {
+		t.Errorf("Unexpected value %v", fi.StringValue(output.Spec.Kubelet.EvictionHard))
+	}
+}
+
+func TestPopulateInstanceGroup_EvictionHard3(t *testing.T) {
+	_, cluster := buildMinimalCluster()
+	cluster.Spec.Kubelet = &kopsapi.KubeletConfigSpec{
+		EvictionHard: fi.String("memory.available<350Mi"),
+	}
+	input := buildMinimalMasterInstanceGroup("us-test-1")
+
+	channel := &kopsapi.Channel{}
+
+	cloud, err := BuildCloud(cluster)
+	if err != nil {
+		t.Fatalf("error from BuildCloud: %v", err)
+	}
+	output, err := PopulateInstanceGroupSpec(cluster, input, cloud, channel)
+	if err != nil {
+		t.Fatalf("error from PopulateInstanceGroupSpec: %v", err)
+	}
+	// There is no default EvictionHard
+	if fi.StringValue(output.Spec.Kubelet.EvictionHard) != "" {
+		t.Errorf("Unexpected value %v", fi.StringValue(output.Spec.Kubelet.EvictionHard))
+	}
+}
+
+func TestPopulateInstanceGroup_EvictionHard4(t *testing.T) {
+	_, cluster := buildMinimalCluster()
+	cluster.Spec.MasterKubelet = &kopsapi.KubeletConfigSpec{
+		EvictionHard: fi.String("memory.available<350Mi"),
+	}
+	input := buildMinimalMasterInstanceGroup("us-test-1")
+
+	channel := &kopsapi.Channel{}
+
+	cloud, err := BuildCloud(cluster)
+	if err != nil {
+		t.Fatalf("error from BuildCloud: %v", err)
+	}
+	output, err := PopulateInstanceGroupSpec(cluster, input, cloud, channel)
+	if err != nil {
+		t.Fatalf("error from PopulateInstanceGroupSpec: %v", err)
+	}
+	if fi.StringValue(output.Spec.Kubelet.EvictionHard) != "memory.available<350Mi" {
+		t.Errorf("Unexpected value %v", fi.StringValue(output.Spec.Kubelet.EvictionHard))
+	}
+}
+
+func TestPopulateInstanceGroup_EvictionHard2(t *testing.T) {
+	_, cluster := buildMinimalCluster()
+	input := buildMinimalNodeInstanceGroup()
+	input.Spec.Kubelet = &kopsapi.KubeletConfigSpec{
+		EvictionHard: fi.String("memory.available<250Mi"),
+	}
+
+	channel := &kopsapi.Channel{}
+
+	cloud, err := BuildCloud(cluster)
+	if err != nil {
+		t.Fatalf("error from BuildCloud: %v", err)
+	}
+	output, err := PopulateInstanceGroupSpec(cluster, input, cloud, channel)
+	if err != nil {
+		t.Fatalf("error from PopulateInstanceGroupSpec: %v", err)
+	}
+	if fi.StringValue(output.Spec.Kubelet.EvictionHard) != "memory.available<250Mi" {
+		t.Errorf("Unexpected value %v", fi.StringValue(output.Spec.Kubelet.EvictionHard))
 	}
 }
 

diff --git a/util/pkg/reflectutils/walk.go b/util/pkg/reflectutils/walk.go
@@ -44,6 +44,7 @@ func IsMethodNotFound(err error) bool {
 
 // JSONMergeStruct merges src into dest
 // It uses a JSON marshal & unmarshal, so only fields that are JSON-visible will be copied
+// If both source and destination has a value for a field, source takes presedence
 func JSONMergeStruct(dest, src interface{}) {
 	// Not the most efficient approach, but simple & relatively well defined
 	j, err := json.Marshal(src)