Bug 1654927 - Disabling Features for a Node configuration is not valid
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.10.0
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: ---
Assignee: Kathryn Alexander
QA Contact: Weinan Liu
Vikram Goyal
Reported: 2018-11-30 03:24 UTC by Daein Park
Modified: 2019-01-08 21:38 UTC

Last Closed: 2019-01-08 21:38:45 UTC
Target Upstream Version:



Description Daein Park 2018-11-30 03:24:53 UTC
Description of problem:

The configuration steps are not valid, and the configuration does not work, in the "Disabling Features for a Node" section [0].

* "proxyArguments" was not valid for this configuration.
~~~
For the feature you want to turn off, enter: <feature_name>=false under `proxyArguments`.
~~~

[0] Disabling Features for a Node [https://docs.openshift.com/container-platform/3.10/admin_guide/disabling_features.html#admin-guide-disable-feature-node]


In my test, "kubeletArguments" can be used as a workaround instead of "proxyArguments".
Also, "--feature-gates" is a kubelet argument; refer to the upstream docs as follows.
  - kubelet [https://kubernetes.io/docs/reference/command-line-tools-reference/kubelet/]
  ~~~
    --feature-gates mapStringBool
  ~~~

e.g. The following configuration works for me.
~~~
kubeletArguments:
  ...
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false
~~~

And the "2. Restart the OpenShift Container Platform service for the changes to take effect:" step is not required in the workaround steps.

Version-Release number of selected component (if applicable):

oc v3.10.14

openshift v3.10.14
kubernetes v1.10.0+b81c8f8


How reproducible:

* Create the "test" project
# oc new-project test

* Create Pod for getting imagestream for test
# oc new-app --name test centos/ruby-22-centos7~https://github.com/openshift/ruby-ex.git

* Create the deployment configured with CustomPodDNS "dnsConfig".
# oc create -f - <<EOF
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
  labels:
    app: test2
  name: test2
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test2
  strategy:
  template:
    metadata:
      labels:
        app: test2
    spec:
      containers:
      - image: docker-registry.default.svc:5000/test/test:latest
        imagePullPolicy: Always
        name: test2
        ports:
        - containerPort: 8080
          protocol: TCP
      dnsPolicy: "None"
      dnsConfig:
        nameservers:
        - 1.2.3.4
        searches:
        - ns1.svc.cluster.local
        - my.dns.search.suffix
        options:
        - name: ndots
          value: "2"
        - name: edns0
EOF

* Check the pod which was deployed with "dnsConfig".
# oc get pod -o wide
NAME                     READY     STATUS      RESTARTS   AGE       IP         NODE
...
test2-6c6d695f4b-12345   1/1       Running     0          15s       10.0.0.9   node2.example.com

* Verify the configuration is valid.
# oc rsh test-6c6d695f4b-12345 cat /etc/resolv.conf
nameserver 1.2.3.4
search ns1.svc.cluster.local my.dns.search.suffix
options ndots:2 edns0

* Configure the node2 configmap and restart controllers following the documentation steps.
# oc edit cm node-config-compute
...
proxyArguments:
  feature-gates:
  - CustomPodDNS=false
kubeletArguments:
  ...
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true

# master-restart controllers

* Check the kubelet arguments on node2
node2 ~# ps aux | grep feature
root      2346  8.4  2.2 1202052 90548 ?       Ssl  20:28   0:44 /usr/bin/hyperkube kubelet ... --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true ...

* The configuration did not take effect this time.
# oc rsh test-6c6d695f4b-23456 cat /etc/resolv.conf
nameserver 1.2.3.4
search ns1.svc.cluster.local my.dns.search.suffix
options ndots:2 edns0


- My WORKAROUND is here.

* After reverting the above changes, configure again in the "kubeletArguments" section.

# oc edit cm node-config-compute
kubeletArguments:
  ...
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false

* Check the kubelet arguments on node2
node2 ~# ps aux | grep feature
root      5685 17.8  1.8 764524 76068 ?        Ssl  20:45   0:04 /usr/bin/hyperkube kubelet ... --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false ...

* The CustomPodDNS was disabled.
# oc rsh test-6c6d695f4b-abcde cat /etc/resolv.conf
nameserver 10.0.7.7
search others.svc.cluster.local svc.cluster.local cluster.local example.com
options ndots:5



Actual results:

The following configuration did not work.
~~~
proxyArguments:
  feature-gates:
  - CustomPodDNS=false
~~~

Expected results:

The feature (CustomPodDNS) should be disabled by the following configuration.
~~~
proxyArguments:
  feature-gates:
  - CustomPodDNS=false
~~~

Additional info:

The cluster-level disabling steps are valid. They work for me.
~~~
* spec.template.spec.dnsPolicy: Invalid value: "None": DNSPolicy: can not use 'None', custom pod DNS is disabled by feature gate
* spec.template.spec.dnsConfig: Forbidden: DNSConfig: custom pod DNS is disabled by feature gate
~~~
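
The "Check the kubelet arguments on node2" step above can be turned into a repeatable check that a gate meant to be off really reached the kubelet. This is an added example, not part of the original report or of OpenShift; the function names and the two sample command lines are constructed here, modelled on the `ps` output in the description.

```shell
#!/bin/sh
# Added example: report the effective state of one feature gate on a kubelet
# command line, so a "disabled" gate is confirmed on the process, not assumed
# from the configmap.

# Constructed samples: the first mirrors the proxyArguments attempt (gate never
# reaches the kubelet), the second mirrors the kubeletArguments workaround.
BEFORE='/usr/bin/hyperkube kubelet --v=2 --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true --node-ip=10.0.0.2'
AFTER='/usr/bin/hyperkube kubelet --v=2 --feature-gates=RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,CustomPodDNS=false --node-ip=10.0.0.2'

# gate_state CMDLINE GATE -> prints "true", "false" or "unset"
gate_state() {
    cmdline=$1 gate=$2 state=unset prev=
    set -f                      # no globbing while word-splitting the command line
    for arg in $cmdline; do
        # Normalise the "--feature-gates VALUE" form to "--feature-gates=VALUE".
        case $prev in --feature-gates) arg="--feature-gates=$arg" ;; esac
        prev=$arg
        case $arg in
            --feature-gates=*)
                list=${arg#--feature-gates=}
                old_ifs=$IFS; IFS=,
                for pair in $list; do
                    # A later occurrence of the same gate overrides an earlier one.
                    if [ "${pair%%=*}" = "$gate" ]; then state=${pair#*=}; fi
                done
                IFS=$old_ifs
                ;;
        esac
    done
    set +f
    printf '%s\n' "$state"
}

# assert_gate_disabled CMDLINE GATE -> exit status 0 only if GATE=false is set
assert_gate_disabled() {
    [ "$(gate_state "$1" "$2")" = "false" ]
}

printf 'proxyArguments attempt:  CustomPodDNS=%s\n' "$(gate_state "$BEFORE" CustomPodDNS)"
printf 'kubeletArguments change: CustomPodDNS=%s\n' "$(gate_state "$AFTER" CustomPodDNS)"
```

An "unset" result means the gate is at the kubelet's built-in default for that version, which is the situation the report describes after the `proxyArguments` edit.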

Comment 2 Kathryn Alexander 2018-12-11 12:37:29 UTC
Thank you Daein!

This change was approved on the PR. I've merged it and am waiting for it to go live.

