Skip to content

✨ Allow to disable KubeProxy and CoreDNS #12359

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

✨ Allow to disable KubeProxy and CoreDNS #12359

wants to merge 1 commit into from

Conversation

sathieu
Copy link
Contributor

@sathieu sathieu commented Jun 13, 2025
edited
Loading

What this PR does / why we need it:

Disabling kube-proxy using controlplane.cluster.x-k8s.io/skip-kube-proxy annotation is not enough because kubeadm will try to pull the kube-proxy image on preflight.

The proper way to disable kube-proxy is to use Proxy.Disable=true, as in this PR.

Which issue(s) this PR fixes:
Related to #12288

/area provider/bootstrap-kubeadm

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/provider/bootstrap-kubeadm Issues or PRs related to CAPBK cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Jun 13, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign enxebre for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Jun 13, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @sathieu. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@sathieu sathieu force-pushed the disable-dns-proxy branch from df65ac9 to d9c128f Compare June 15, 2025 05:38
@sathieu sathieu marked this pull request as ready for review June 15, 2025 05:39
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 15, 2025
@k8s-ci-robot k8s-ci-robot requested a review from elmiko June 15, 2025 05:39
@sathieu sathieu force-pushed the disable-dns-proxy branch from d9c128f to 198850a Compare June 15, 2025 05:50
@sathieu sathieu mentioned this pull request Jun 15, 2025
Open
@sathieu sathieu force-pushed the disable-dns-proxy branch from 198850a to 31527e7 Compare June 15, 2025 06:04
@fabriziopandini
Copy link
Member

fabriziopandini commented Jun 21, 2025
edited
Loading

I would like to better understand the transition from where we are today to the target state.

As of today, the API only allows users to delegate to kubeadm installation of core DNS and kube-proxy, and the annotation allows users to take ownership of the management of the upgrades of those addons.

With this PR, I assume we are adding a third use case, which is take ownership of both installation and management of CoreDNS and kube-proxy, but it is not clear if both the existing use cases are going to be still supported.

(BTW, in my opinion we have to support all of them, and possibly more to a more consistent API).

sivchari
sivchari reviewed Jun 22, 2025
View reviewed changes
Copy link
Member

@sivchari sivchari left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this! I left some comments.

api/bootstrap/kubeadm/v1beta1/kubeadm_types.go Outdated
Comment on lines 163 to 166
// Proxy defines the options for the proxy add-on installed in the cluster.
Proxy Proxy `json:"proxy,omitempty"`
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Proxy defines the options for the proxy add-on installed in the cluster.
Proxy Proxy `json:"proxy,omitempty"`
}
// Proxy defines the options for the proxy add-on installed in the cluster.
// +optional
Proxy *Proxy `json:"proxy,omitempty"`

This field is optional, so it would be good to add the optional marker and make it be pointer.

api/bootstrap/kubeadm/v1beta1/kubeadm_types.go Outdated
Comment on lines 208 to 209
// Disabled specifies whether to disable this addon in the cluster
Disabled bool `json:"disabled,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Disabled specifies whether to disable this addon in the cluster
Disabled bool `json:"disabled,omitempty"`
// Disabled specifies whether to disable this addon in the cluster
// +optional
Disabled *bool `json:"disabled,omitempty"`

api/bootstrap/kubeadm/v1beta1/kubeadm_types.go Outdated
Comment on lines 214 to 215
// Disabled specifies whether to disable this addon in the cluster
Disabled bool `json:"disabled,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Disabled specifies whether to disable this addon in the cluster
Disabled bool `json:"disabled,omitempty"`
// Disabled specifies whether to disable this addon in the cluster
// +optional
Disabled *bool `json:"disabled,omitempty"`

api/bootstrap/kubeadm/v1beta2/kubeadm_types.go Outdated
// Proxy defines the proxy addon that should be used in the cluster
type Proxy struct {
// Disabled specifies whether to disable this addon in the cluster
Disabled bool `json:"disabled,omitempty"`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here.

api/bootstrap/kubeadm/v1beta1/kubeadm_types.go
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to add these changes to v1beta1 ? I think it's good way to only add these to v1beta2.

controlplane/kubeadm/internal/controllers/controller_test.go Outdated
Comment on lines 3430 to 3441
objs := []client.Object{
cluster.DeepCopy(),
corednsCM.DeepCopy(),
kubeadmCM.DeepCopy(),
}
kcp := kcp.DeepCopy()
kcp.Spec.KubeadmConfigSpec.ClusterConfiguration.DNS.Disabled = true

depl := depl.DeepCopy()

depl.Spec.Template.Spec.Containers[0].Image = "my-cool-image!!!!" // something very unlikely for getCoreDNSInfo to parse
objs = append(objs, depl)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
objs := []client.Object{
cluster.DeepCopy(),
corednsCM.DeepCopy(),
kubeadmCM.DeepCopy(),
}
kcp := kcp.DeepCopy()
kcp.Spec.KubeadmConfigSpec.ClusterConfiguration.DNS.Disabled = true
depl := depl.DeepCopy()
depl.Spec.Template.Spec.Containers[0].Image = "my-cool-image!!!!" // something very unlikely for getCoreDNSInfo to parse
objs = append(objs, depl)
depl := depl.DeepCopy()
depl.Spec.Template.Spec.Containers[0].Image = "my-cool-image!!!!" // something very unlikely for getCoreDNSInfo to parse
kcp := kcp.DeepCopy()
kcp.Spec.KubeadmConfigSpec.ClusterConfiguration.DNS.Disabled = true
objs := []client.Object{
cluster.DeepCopy(),
corednsCM.DeepCopy(),
kubeadmCM.DeepCopy(),
depl,
}

controlplane/kubeadm/internal/controllers/controller_test.go Outdated

var actualCoreDNSDeployment appsv1.Deployment
g.Expect(fakeClient.Get(ctx, client.ObjectKey{Name: "coredns", Namespace: metav1.NamespaceSystem}, &actualCoreDNSDeployment)).To(Succeed())
g.Expect(actualCoreDNSDeployment.Spec.Template.Spec.Containers[0].Image).ToNot(ContainSubstring("coredns"))
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
g.Expect(actualCoreDNSDeployment.Spec.Template.Spec.Containers[0].Image).ToNot(ContainSubstring("coredns"))
g.Expect(actualCoreDNSDeployment.Spec.Template.Spec.Containers[0].Image).To(Equal("my-cool-image!!!!"))

controlplane/kubeadm/internal/workload_cluster.go Outdated
@@ -421,6 +421,12 @@ func staticPodName(component, nodeName string) string {
func (w *Workload) UpdateKubeProxyImageInfo(ctx context.Context, kcp *controlplanev1.KubeadmControlPlane) error {
// Return early if we've been asked to skip kube-proxy upgrades entirely.
if _, ok := kcp.Annotations[controlplanev1.SkipKubeProxyAnnotation]; ok {
//
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
//

controlplane/kubeadm/internal/workload_cluster_coredns.go Outdated
Comment on lines 89 to 95
// Return early if DNS is disabled
if kcp.Spec.KubeadmConfigSpec.ClusterConfiguration.DNS.Disabled {
return nil
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// Return early if DNS is disabled
if kcp.Spec.KubeadmConfigSpec.ClusterConfiguration.DNS.Disabled {
return nil
}
// Return early if DNS is disabled
if clusterCondiguration.DNS.Disabled {
return nil
}

We can rewrite it like suggestion when you move these codes after L-94,

@sathieu sathieu force-pushed the disable-dns-proxy branch from 31527e7 to 166d792 Compare June 22, 2025 21:27
@sathieu
Copy link
Contributor Author

sathieu commented Jun 22, 2025

@fabriziopandini @sivchari Thanks for your review.

@sivchari I've implemented all your suggestions. However, the pointer usage makes code less readable. Should I create helper functions and where?

I've kept the v1beta1 part, because some providers have not yet migrated to v1beta2 (for example capv)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sivchari sivchari sivchari left review comments

@chrischdi chrischdi Awaiting requested review from chrischdi

@elmiko elmiko Awaiting requested review from elmiko

Assignees
No one assigned
Labels
area/provider/bootstrap-kubeadm Issues or PRs related to CAPBK cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@sathieu @k8s-ci-robot @fabriziopandini @sivchari