🌱 Implement nodeadm bootstrapping type #5700
testing with this manifest

```yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: Cluster
metadata:
  name: default
spec:
  clusterNetwork:
    pods:
      cidrBlocks:
      - 192.168.0.0/16
    services:
      cidrBlocks:
      - 10.96.0.0/12
  controlPlaneRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
    kind: AWSManagedControlPlane
    name: default-control-plane
  infrastructureRef:
    apiVersion: controlplane.cluster.x-k8s.io/v1beta2
    kind: AWSManagedControlPlane
    name: default-control-plane
---
apiVersion: controlplane.cluster.x-k8s.io/v1beta2
kind: AWSManagedControlPlane
metadata:
  name: default-control-plane
spec:
  addons:
  - name: kube-proxy
    version: v1.32.0-eksbuild.2
  network:
    cni:
      cniIngressRules:
      - description: kube-proxy metrics
        fromPort: 10249
        protocol: tcp
        toPort: 10249
      - description: NVIDIA Data Center GPU Manager metrics
        fromPort: 9400
        protocol: tcp
        toPort: 9400
      - description: Prometheus node exporter metrics
        fromPort: 9100
        protocol: tcp
        toPort: 9100
  region: us-west-2
  sshKeyName: ""
  version: v1.33.0
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSMachineTemplate
metadata:
  name: default
spec:
  template:
    spec:
      cloudInit:
        insecureSkipSecretsManager: true
      ami:
        eksLookupType: AmazonLinux2023
      instanceMetadataOptions:
        httpTokens: required
        httpPutResponseHopLimit: 2
      iamInstanceProfile: nodes.cluster-api-provider-aws.sigs.k8s.io
      instanceType: m5a.16xlarge
      rootVolume:
        size: 80
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta2
kind: NodeadmConfigTemplate
metadata:
  name: default
spec:
  template:
    spec: {}
---
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachineDeployment
metadata:
  name: default
spec:
  clusterName: default
  replicas: 1
  template:
    spec:
      bootstrap:
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta2
          kind: NodeadmConfigTemplate
          name: default
      clusterName: default
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
        kind: AWSMachineTemplate
        name: default
      version: v1.33.0
```
/retest

/retest

/retest
8f854bd to 81f3664
/test ?
@faiq: The following commands are available to trigger required jobs: The following commands are available to trigger optional jobs: Use In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.
/test /test pull-cluster-api-provider-aws-e2e-eks
Does this work with AWSManagedMachinePool?
81f3664 to 59ecae0
@dsanders1234 try this

```yaml
apiVersion: cluster.x-k8s.io/v1beta1
kind: MachinePool
metadata:
  name: default
spec:
  clusterName: default
  template:
    spec:
      bootstrap:
        #dataSecretName: ""
        configRef:
          apiVersion: bootstrap.cluster.x-k8s.io/v1beta2
          kind: NodeadmConfig
          name: default
      clusterName: default
      infrastructureRef:
        apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
        kind: AWSManagedMachinePool
        name: default
      version: v1.33.0
---
apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSManagedMachinePool
metadata:
  name: default
spec:
  roleName: "nodes.cluster-api-provider-aws.sigs.k8s.io"
  scaling:
    minSize: 1
    maxSize: 3
  amiType: CUSTOM
  awsLaunchTemplate:
    ami:
      eksLookupType: AmazonLinux2023
    instanceMetadataOptions:
      httpTokens: required
      httpPutResponseHopLimit: 2
    instanceType: "m5a.16xlarge"
    rootVolume:
      size: 80
---
apiVersion: bootstrap.cluster.x-k8s.io/v1beta2
kind: NodeadmConfig
metadata:
  name: default
spec:
  kubelet:
    config:
      evictionHard:
        memory.available: "2000Mi"
```
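A pre-apply policy check over the two manifest sets posted in this thread, added here as an example (not code from this PR or from CAPA). It encodes what the thread establishes: AL2023 nodes need `insecureSkipSecretsManager: true` because the Secrets Manager bootstrap flow is unavailable, which means bootstrap data is delivered through plain EC2 user data and IMDSv2 enforcement on the instance matters, and AL2023 nodes must be bootstrapped by the nodeadm types rather than `EKSConfig`. The input shape (parsed documents as dicts, as `yaml.safe_load_all` would return them), the rule names and the hop-limit threshold are my assumptions.

```python
# Added example (not code from this PR or from CAPA): a pre-apply policy check over the
# manifests in this thread. AL2023 nodes need insecureSkipSecretsManager: true (no Secrets
# Manager flow) and so carry bootstrap data in plain EC2 user data: enforce IMDSv2 there.
AL2023 = "AmazonLinux2023"
NODEADM_KINDS = {"NodeadmConfig", "NodeadmConfigTemplate"}

def _get(d, *path, default=None):  # walk nested dicts; default when any key is missing
    for key in path:
        d = d.get(key) if isinstance(d, dict) else None
    return default if d is None else d

def _imds(name, opts):  # IMDS settings from AWSMachineTemplate / awsLaunchTemplate
    out = []
    if opts.get("httpTokens") != "required":
        out.append((name, "IMDSv2 not enforced: httpTokens must be 'required'"))
    if opts.get("httpPutResponseHopLimit", 1) > 2:
        out.append((name, "httpPutResponseHopLimit above 2 widens IMDS reachability"))
    return out

def check_docs(docs):  # returns (object name, finding) pairs; [] means the set passed
    findings, al2023, nodes = [], set(), []
    for doc in docs:
        kind, name = doc.get("kind"), _get(doc, "metadata", "name")
        if kind == "AWSMachineTemplate":
            spec = _get(doc, "spec", "template", "spec", default={})
            if _get(spec, "ami", "eksLookupType") == AL2023:
                al2023.add((kind, name))
                if _get(spec, "cloudInit", "insecureSkipSecretsManager") is not True:
                    findings.append((name, "AL2023 needs cloudInit.insecureSkipSecretsManager: true"))
            findings += _imds(name, _get(spec, "instanceMetadataOptions", default={}))
        elif kind == "AWSManagedMachinePool":
            lt = _get(doc, "spec", "awsLaunchTemplate", default={})
            if _get(lt, "ami", "eksLookupType") == AL2023:
                al2023.add((kind, name))
            findings += _imds(name, _get(lt, "instanceMetadataOptions", default={}))
        elif kind in ("MachineDeployment", "MachinePool"):
            nodes.append((name, _get(doc, "spec", "template", "spec", default={})))
    for name, spec in nodes:  # AL2023 nodes must bootstrap through nodeadm, not EKSConfig
        infra, boot = spec.get("infrastructureRef", {}), _get(spec, "bootstrap", "configRef", default={})
        if (infra.get("kind"), infra.get("name")) in al2023 and boot.get("kind") not in NODEADM_KINDS:
            findings.append((name, "AL2023 nodes need a Nodeadm bootstrap config, not EKSConfig"))
    return findings

SAMPLE = [  # constructed sample mirroring the AWSMachineTemplate + MachineDeployment above
    {"kind": "AWSMachineTemplate", "metadata": {"name": "default"}, "spec": {"template": {"spec": {
        "cloudInit": {"insecureSkipSecretsManager": True}, "ami": {"eksLookupType": AL2023},
        "instanceMetadataOptions": {"httpTokens": "required", "httpPutResponseHopLimit": 2}}}}},
    {"kind": "MachineDeployment", "metadata": {"name": "default"}, "spec": {"template": {"spec": {
        "bootstrap": {"configRef": {"kind": "NodeadmConfigTemplate", "name": "default"}},
        "infrastructureRef": {"kind": "AWSMachineTemplate", "name": "default"}}}}}]
```

Feeding it the real files only needs `yaml.safe_load_all` in front of `check_docs`; `check_docs(SAMPLE)` returns an empty list for the hardened manifests above.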
/test pull-cluster-api-provider-aws-e2e-eks
10503ae to 476eb43
/test pull-cluster-api-provider-aws-e2e-eks

/retest

/retest

/retest

/retest
476eb43 to 234d905

e89afb2 to a9bf155
/test pull-cluster-api-provider-aws-e2e-eks
a9bf155 to d657f69
/test pull-cluster-api-provider-aws-e2e-eks
The last test failed in deleting the AWS managed control plane, which is entirely unrelated to these changes. EDIT: I'll run the tests once again to get that sweet ✔️
/test pull-cluster-api-provider-aws-e2e-eks
First of all, thanks for the work on this PR - I'm currently testing the build artifacts from this branch of @faiq in our environment. During evaluation, I encountered RBAC-related errors such as: but we can of course fix that, along with a few other small stumbling blocks with the new CRDs and configuration. While I'm working through these issues and completing our internal validation, I wanted to kindly ask whether there are any remaining blockers preventing this PR from being approved and merged. EKS node images based on Amazon Linux 2 will go out of support on November 26 2025, and we are already running into additional problems with AL2 and the latest runc version (see awslabs/amazon-eks-ami#2498). Thanks in advance for any update or clarification on the merge timeline ✌️

As far as I can tell, there are none other than the open source maintainers being busy with their day jobs. If you can, please push in the k8s Slack for some reviews. Also, feel free to review this as well. All comments welcome.
9f4ef81 to 483bbb3

483bbb3 to 439664b
/test pull-cluster-api-provider-aws-e2e-eks

/retest

439664b to b685eea

/test pull-cluster-api-provider-aws-e2e-eks

/retest

/retest

b685eea to 0dd3488

/test pull-cluster-api-provider-aws-e2e-eks
@faiq: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
AndiDog left a comment
I only reviewed a few pieces for now, might come back to this again later. Someone with more EKS experience would be great as reviewer.
| @@ -0,0 +1,70 @@ | |||
| apiVersion: cluster.x-k8s.io/v1beta1 | |||
Can we please add a non-ClusterClass template as well?
| With the introduction of Amazon Linux 2023 (AL2023), the bootstrapping method for EKS nodes has changed. Cluster API Provider AWS (CAPA) supports two bootstrap providers for EKS: | ||
| 1. **`EKSConfig`**: The original bootstrap provider. It uses the legacy `bootstrap.sh` script and is intended for use with **Amazon Linux 2 (AL2)** AMIs. |
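Review bot: the end-of-life note requested for this line can use the date already stated in this thread: EKS node images based on Amazon Linux 2 go out of support on November 26 2025. Suggest adding a sentence such as "AL2 node AMIs are out of support after November 26 2025; new clusters should use the `NodeadmConfig` provider with AL2023", so the `EKSConfig` entry reads as the legacy path rather than an equal option.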
Should we add a note about end-of-life for AL2? Either here or a few lines below.
| ### Secrets Manager | ||
| Amazon Linux 2023 does not have the proper tooling to use the secrets manager flow for bootstrapping. Therefore, whenever creating `AWSMachineTemplate` objects `insecureSkipSecretsManager` must be set to false |
| Amazon Linux 2023 does not have the proper tooling to use the secrets manager flow for bootstrapping. Therefore, whenever creating `AWSMachineTemplate` objects `insecureSkipSecretsManager` must be set to false | |
| Amazon Linux 2023 does not have the proper tooling to use the secrets manager flow for bootstrapping. Therefore, whenever creating `AWSMachineTemplate` objects, `insecureSkipSecretsManager` must be set to true. |
| ### Secrets Manager | ||
| Amazon Linux 2023 does not have the proper tooling to use the secrets manager flow for bootstrapping. Therefore, whenever creating `AWSMachineTemplate` objects `insecureSkipSecretsManager` must be set to false |
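Review bot: the value here contradicts the manifests exercised in this thread, where `AWSMachineTemplate` sets `cloudInit.insecureSkipSecretsManager: true`; telling readers to set it to `false` keeps the Secrets Manager flow that the same sentence says AL2023 cannot use. Suggest `true`, and because the field is literally named insecure, state what is traded away: the bootstrap user data is handed to the instance directly instead of through a Secrets Manager secret, so the IMDS hardening shown in the example manifests (`httpTokens: required`, `httpPutResponseHopLimit: 2`) belongs next to this sentence.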
Do we have an issue to fix that? We need to at least document why this isn't possible. The phrase "does not have the proper tooling" doesn't describe it enough so a developer could take this task up in the future.
| } | ||
| return string(b), nil | ||
| } | ||
| if len(r.Raw) > 0 { |
Please `if len(r.Raw) == 0 { return "", nil }` early instead of adding one level of indentation
What type of PR is this?
/kind feature
What this PR does / why we need it:
This PR implements the nodeadm config type outlined by the KEP #5678
Which issue(s) this PR fixes (optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged): Fixes #
Special notes for your reviewer:
Checklist:
Release note: