Bug 1654927

Summary: Disabling Features for a Node configuration is not valid
Product: OpenShift Container Platform
Reporter: Daein Park <dapark>
Component: Documentation
Assignee: Kathryn Alexander <kalexand>
Status: CLOSED CURRENTRELEASE
QA Contact: Weinan Liu <weinliu>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified
Version: 3.10.0
CC: aos-bugs, jokerman, kalexand, mmccomas
Hardware: Unspecified
OS: Unspecified
Last Closed: 2019-01-08 21:38:45 UTC
Type: Bug

Description Daein Park 2018-11-30 03:24:53 UTC
Description of problem:

The configuration steps are not valid and the configuration does not work in the Disabling Features for a Node section [0].

* "proxyArguments" was not valid for this configuration.
~~~
For the feature you want to turn off, enter: <feature_name>=false under `proxyArguments`.
~~~

[0] Disabling Features for a Node [https://docs.openshift.com/container-platform/3.10/admin_guide/disabling_features.html#admin-guide-disable-feature-node]


In my test, "kubeletArguments" can be used as a workaround instead of "proxyArguments".
And "--feature-gates" is also a kubelet argument; refer to the upstream docs as follows.
  - kubelet [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/]
  ~~~
    --feature-gates mapStringBool
  ~~~

e.g. The following configuration works for me.
~~~
kubeletArguments:
  ...
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false
~~~

And the "2. Restart the OpenShift Container Platform service for the changes to take effect:" step is not required in the workaround steps.

Version-Release number of selected component (if applicable):

oc v3.10.14

openshift v3.10.14
kubernetes v1.10.0+b81c8f8


How reproducible:

* Create the "test" project
# oc new-project test

* Create Pod for getting imagestream for test
# oc new-app --name test centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

* Create the deployment configured with CustomPodDNS "dnsConfig".
# oc create -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
  labels:
    app: test2
  name: test2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test2
  strategy:
  template:
    metadata:
      labels:
        app: test2
    spec:
      containers:
      - image: docker-registry.default.svc:5000/test/test:latest
        imagePullPolicy: Always
        name: test2
        ports:
        - containerPort: 8080
          protocol: TCP
      dnsPolicy: "None"
      dnsConfig:
        nameservers:
        - 1.2.3.4
        searches:
        - ns1.svc.cluster.local
        - my.dns.search.suffix
        options:
        - name: ndots
          value: "2"
        - name: edns0
EOF

* Check the pod which was deployed with "dnsConfig".
# oc get pod -o wide
NAME                     READY     STATUS      RESTARTS   AGE       IP         NODE
...
test2-6c6d695f4b-12345   1/1       Running     0          15s       10.0.0.9   node2.example.com

* Verify the configuration is valid.
# oc rsh test-6c6d695f4b-12345 cat /etc/resolv.conf
nameserver 1.2.3.4
search ns1.svc.cluster.local my.dns.search.suffix
options ndots:2 edns0

* Configure the node2 configmap and restart controllers following the documentation steps.
# oc edit cm node-config-compute
...
proxyArguments:
  feature-gates:
  - CustomPodDNS=false
kubeletArguments:
  ...
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true

# master-restart controllers

* Check the kubelet arguments on node2
node2 ~# ps aux | grep feature
root      2346  8.4  2.2 1202052 90548 ?       Ssl  20:28   0:44 /usr/bin/hyperkube kubelet ... --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true ...

* The configuration did not take effect this time.
# oc rsh test-6c6d695f4b-23456 cat /etc/resolv.conf
nameserver 1.2.3.4
search ns1.svc.cluster.local my.dns.search.suffix
options ndots:2 edns0


- My WORKAROUND is here.

* After reverting the above changes, configure again in the "kubeletArguments" section.

# oc edit cm node-config-compute
kubeletArguments:
  ...
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false

* Check the kubelet arguments on node2
node2 ~# ps aux | grep feature
root      5685 17.8  1.8 764524 76068 ?        Ssl  20:45   0:04 /usr/bin/hyperkube kubelet ... --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false ...

* The CustomPodDNS was disabled.
# oc rsh test-6c6d695f4b-abcde cat /etc/resolv.conf
nameserver 10.0.7.7
search others.svc.cluster.local svc.cluster.local cluster.local example.com
options ndots:5


Actual results:

The following configuration did not work.
~~~
proxyArguments:
  feature-gates:
  - CustomPodDNS=false
~~~

Expected results:

The feature (CustomPodDNS) should be disabled by the following configuration.
~~~
proxyArguments:
  feature-gates:
  - CustomPodDNS=false
~~~

Additional info:

The cluster-level disabling steps are valid. They work for me.
~~~
* spec.template.spec.dnsPolicy: Invalid value: "None": DNSPolicy: can not use 'None', custom pod DNS is disabled by feature gate
* spec.template.spec.dnsConfig: Forbidden: DNSConfig: custom pod DNS is disabled by feature gate
~~~
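
The manual `ps aux | grep feature` check from the report, turned into a repeatable test that a feature gate written to the node config actually reached the kubelet command line. This is an added example, not part of the original report or the OpenShift documentation; the function names and the two sample command lines are constructed for illustration, modelled on the `ps` output above.

```shell
#!/bin/sh
# Added example: verify that a feature gate set in the node config is really
# present on the running kubelet's command line.

# Constructed sample input modelled on the two `ps aux` lines in the report.
# CMD_PROXY: gate was placed under proxyArguments (never reaches the kubelet).
CMD_PROXY='/usr/bin/hyperkube kubelet --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true --v=2'
# CMD_KUBELET: gate was placed under kubeletArguments.
CMD_KUBELET='/usr/bin/hyperkube kubelet --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false --v=2'

# gate_value CMDLINE GATE -> prints true/false, or "unset" if the gate is absent.
# Only the --feature-gates=<list> form shown in the report is handled.
gate_value() {
    cmdline=$1; gate=$2; value=unset
    for arg in $cmdline; do
        case $arg in
            --feature-gates=*)
                # Split the comma-separated Name=bool list.
                old_ifs=$IFS; IFS=,
                for pair in ${arg#--feature-gates=}; do
                    if [ "${pair%%=*}" = "$gate" ]; then
                        value=${pair#*=}
                    fi
                done
                IFS=$old_ifs ;;
        esac
    done
    printf '%s\n' "$value"
}

# check_gate CMDLINE GATE EXPECTED -> returns 0 only if the kubelet runs with it.
check_gate() {
    actual=$(gate_value "$1" "$2")
    if [ "$actual" = "$3" ]; then
        echo "OK: $2=$actual"
    else
        echo "MISMATCH: $2 expected $3, kubelet has $actual"
        return 1
    fi
}

# On a node, pass the kubelet command line taken from ps instead of the samples.
check_gate "$CMD_KUBELET" CustomPodDNS false
check_gate "$CMD_PROXY" CustomPodDNS false || true
```

A gate reported as "unset" is not overridden on the kubelet command line, which is the state the `proxyArguments` configuration left node2 in.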

Comment 2 Kathryn Alexander 2018-12-11 12:37:29 UTC
Thank you Daein!

This change was approved on the PR. I've merged it and am waiting for it to go live.