Warn user to disable default node selector when using daemonsets #8125
Conversation
openshift-ci-robot
added
the
size/M
|
/cherrypick enterprise-3.9 |
|
@tnozicka: once the present PR merges, I will cherry-pick it on top of enterprise-3.9 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/cc @openshift/team-documentation |
tnozicka
changed the title
|
This is 3.9 blocker, needs to go asap. /cc @vikram-redhat @adellape @bmcelvee @ahardin-rh @gaurav-nelson |
openshift-ci-robot
requested review from
adellape,
ahardin-rh,
bmcelvee,
gaurav-nelson and
vikram-redhat
|
@tnozicka: https://github.com/openshift/openshift-docs/blob/master/contributing_to_docs/create_or_edit_content.adoc#submit-pr-to-merge-your-work. Does this apply to dedicated and online as well? |
dev_guide/daemonsets.adoc
Outdated
| '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}' | ||
| ---- | ||
|
|
||
| xref:../admin_guide/manage_projects.adoc#using-node-selectors[Learn more about node selectors.] |
There was a problem hiding this comment.
managing_projects.adoc
There was a problem hiding this comment.
good catch; one would say that CI should scream though
|
@tnozicka I have one comment. Assigning it to @mburke5678 to have a proper look when he is in for a follow up. |
|
@mburke5678 note that @tnozicka has already started the CP process by using the robot. If it fails, you will need to resolve and fix on command line. If it succeeds, remember to merge the CP. |
|
@vikram-redhat thanks for the quick reply!
Well, it kinda does apply to online but only for it's admins since users can't create daemonsets.
I don't think squashing unrelated commits is a good idea as you will make cherry-picking or reverting harder, but I can do that if you want me to. |
tnozicka
force-pushed
the
daemonsets-disable-default-node-selector
branch
from
66d965d to
160befe
Compare
dev_guide/daemonsets.adoc
Outdated
| @@ -19,8 +19,36 @@ A daemonset can be used to run replicas of a pod on specific or all nodes in an | |||
| Use daemonsets to create shared storage, run a logging pod on every node in | |||
| your cluster, or deploy a monitoring agent on every node. | |||
|
|
|||
| For security reasons and by their nature creating DaemonSets is restricted to cluster administrators. | |||
|
|
|||
There was a problem hiding this comment.
@tnozicka Do we need the and by their nature?
For security reasons, only cluster administrators can create daemonsets.
dev_guide/daemonsets.adoc
Outdated
| [IMPORTANT] | ||
| ==== | ||
| Before you start using daemonset you need to make sure to disable project default node selector in your namespace. | ||
|
|
There was a problem hiding this comment.
Before you start using daemonsets ensure that you disable the default project-wide xref:../admin_guide/managing_projects.adoc#using-node-selectors[node selector] in your namespace.
There was a problem hiding this comment.
s/daemonset/DaemonSets
I'd prefer it to be this way but the rest of the doc uses all lowercase.
There was a problem hiding this comment.
@tnozicka I agree. The term is used both ways throughout the full docs set. But, we should be consistent in this topic at least.
There was a problem hiding this comment.
maybe we can get rid of you need to make sure so the sentence becomes Before you start using daemonsets, disable the default project-wide... as per @mburke5678 's comment.
dev_guide/daemonsets.adoc
Outdated
| ---- | ||
|
|
||
| xref:../admin_guide/managing_projects.adoc#using-node-selectors[Learn more about node selectors.] | ||
|
|
There was a problem hiding this comment.
If you use the node selector link above, don't need it here.
There was a problem hiding this comment.
If you are pointing out those commands to disable it there is no such patch in the link. There is one for setting the selector, not disabling it.
dev_guide/daemonsets.adoc
Outdated
|
|
||
| xref:../admin_guide/managing_projects.adoc#using-node-selectors[Learn more about node selectors.] | ||
|
|
||
| Daemonset scheduling is incompatible with project default node selector. Nor you usually want the default node selector |
There was a problem hiding this comment.
lowercase to honor rest of the doc, plus D in the start of a sentence
|
@tnozicka A couple small comments. Let me know when you are ready and we can merge. |
tnozicka
force-pushed
the
daemonsets-disable-default-node-selector
branch
from
160befe to
656965e
Compare
|
updated as @enj sugested -For security reasons and by their nature creating DaemonSets is restricted to cluster administrators.
+For security reasons, only cluster administrators can create daemonsets.
+(xref:../admin_guide/manage_rbac.adoc#admin-guide-granting-users-daemonset-permissions[Granting Users Daemonset Permissions.]) |
dev_guide/daemonsets.adoc
Outdated
| ==== | ||
| Before you start using daemonset you need to make sure to disable project default node selector in your namespace. | ||
|
|
||
| If you are creating a new project make sure to overwrite the default node selector using |
There was a problem hiding this comment.
As with previous case, maybe If you are creating a new project, overwrite the...
dev_guide/daemonsets.adoc
Outdated
| `oc adm new-project --node-selector=""`. | ||
|
|
||
| To disable the default node selector on existing project set namespace annotation | ||
| `openshift.io/node-selector` to empty string: |
There was a problem hiding this comment.
s/to empty string/to an empty string
Yes please. |
|
@geliu2016 would you be the right person to review this from the QE side? |
| For more information on daemonsets, see the link:http://kubernetes.io/docs/admin/daemons/[Kubernetes documentation]. | ||
|
|
||
| [IMPORTANT] |
There was a problem hiding this comment.
We can reword it like this:
- shows what goes wrong first
- and then how to deal with it.
[IMPORTANT]
====
Daemonset scheduling is incompatible with project's default node selector. If
you fail to disable it, the daemonset gets restricted by merging with the
default node selector. This results in frequent pod recreates on the nodes that
got unselected by the merged node selector, which in turn puts unwanted load on
the cluster.
Therefore,
* Before you start using daemonsets, disable the default project-wide xref:../admin_guide/managing_projects.adoc#using-node-selectors[node selector]
in your namespace, by setting the namespace
annotation `openshift.io/node-selector` to an empty string:
+
----
# oc patch namespace myproject -p \
'{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}'
----
* If you are creating a new project, overwrite the default node selector using
`oc adm new-project --node-selector=""`.
====
|
@mburke5678 - we have QE approval as well. Not sure if it requires peer review. Commits need squashing before merging. |
tnozicka
force-pushed
the
daemonsets-disable-default-node-selector
branch
from
656965e to
97308db
Compare
tnozicka
force-pushed
the
daemonsets-disable-default-node-selector
branch
from
97308db to
1a7b10c
Compare
|
comments addressed; commits squasched per request |
|
@tnozicka: new pull request created: #8197 In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
@tnozicka @geliu2016 |
|
@tnozicka please work with @kalexand-rh to get these docs updated to v3.9.26-1. https://bugzilla.redhat.com/show_bug.cgi?id=1536304#c19 |
Stems from https://bugzilla.redhat.com/show_bug.cgi?id=1501514#c9
Permissions were disabled here: openshift/origin#18971
This is a part of solving 3.9 blocker, so we need to backport it in time.
/cc @mfojtik