我的书签
添加书签
移除书签- Postinstallation cluster tasks
- Available cluster customizations
- Updating the global cluster pull secret
- Adding worker nodes
- Adjust worker nodes
- Improving cluster stability in high latency environments using worker latency profiles
- Managing control plane machines
- Creating infrastructure machine sets for production environments
- Assigning machine set resources to infrastructure nodes
- Moving resources to infrastructure machine sets
- About the cluster autoscaler
- About the machine autoscaler
- Configuring Linux cgroup
- Enabling Technology Preview features using FeatureGates
- etcd tasks
- Pod disruption budgets
- Rotating or removing cloud provider credentials
- Configuring image streams for a disconnected cluster
- Configuring periodic importing of Cluster Sample Operator image stream tags
Postinstallation cluster tasks
After installing OKD, you can further expand and customize your cluster to your requirements.
Available cluster customizations
You complete most of the cluster configuration and customization after you deploy your OKD cluster. A number of configuration resources are available.
If you install your cluster on IBM Z®, not all features and functions are available. |
You modify the configuration resources to configure the major features of the cluster, such as the image registry, networking configuration, image build behavior, and the identity provider.
For current documentation of the settings that you control by using these resources, use the oc explain command, for example oc explain builds --api-version=config.openshift.io/v1
Cluster configuration resources
All cluster configuration resources are globally scoped (not namespaced) and named cluster.
| Resource name | Description |
|---|---|
| Provides API server configuration such as certificates and certificate authorities. |
| Controls the identity provider and authentication configuration for the cluster. |
| Controls default and enforced configuration for all builds on the cluster. |
| Configures the behavior of the web console interface, including the logout behavior. |
| Enables FeatureGates so that you can use Tech Preview features. |
| Configures how specific image registries should be treated (allowed, disallowed, insecure, CA details). |
| Configuration details related to routing such as the default domain for routes. |
| Configures identity providers and other behavior related to internal OAuth server flows. |
| Configures how projects are created including the project template. |
| Defines proxies to be used by components needing external network access. Note: not all components currently consume this value. |
| Configures scheduler behavior such as profiles and default node selectors. |
Operator configuration resources
These configuration resources are cluster-scoped instances, named cluster, which control the behavior of a specific component as owned by a particular Operator.
| Resource name | Description |
|---|---|
| Controls console appearance such as branding customizations |
| Configures OpenShift image registry settings such as public routing, log levels, proxy settings, resource constraints, replica counts, and storage type. |
| Configures the Samples Operator to control which example image streams and templates are installed on the cluster. |
Additional configuration resources
These configuration resources represent a single instance of a particular component. In some cases, you can request multiple instances by creating multiple instances of the resource. In other cases, the Operator can use only a specific resource instance name in a specific namespace. Reference the component-specific documentation for details on how and when you can create additional resource instances.
| Resource name | Instance name | Namespace | Description |
|---|---|---|---|
|
|
| Controls the Alertmanager deployment parameters. |
|
|
| Configures Ingress Operator behavior such as domain, number of replicas, certificates, and controller placement. |
Informational Resources
You use these resources to retrieve information about the cluster. Some configurations might require you to edit these resources directly.
| Resource name | Instance name | Description |
|---|---|---|
|
| In OKD 4, you must not customize the |
|
| You cannot modify the DNS settings for your cluster. You can view the DNS Operator status. |
|
| Configuration details allowing the cluster to interact with its cloud provider. |
|
| You cannot modify your cluster networking after installation. To customize your network, follow the process to customize networking during installation. |
Updating the global cluster pull secret
You can update the global pull secret for your cluster by either replacing the current pull secret or appending a new pull secret.
The procedure is required when users use a separate registry to store images than the registry used during installation.
Prerequisites
- You have access to the cluster as a user with the
cluster-adminrole.
Procedure
Optional: To append a new pull secret to the existing pull secret, complete the following steps:
Enter the following command to download the pull secret:
$ oc get secret/pull-secret -n openshift-config --template='{{index .data ".dockerconfigjson" | base64decode}}' ><pull_secret_location> (1)
1 Provide the path to the pull secret file. Enter the following command to add the new pull secret:
$ oc registry login --registry="<registry>" \ (1)--auth-basic="<username>:<password>" \ (2)--to=<pull_secret_location> (3)
1 Provide the new registry. You can include multiple repositories within the same registry, for example: —registry=”<registry/my-namespace/my-repository>”.2 Provide the credentials of the new registry. 3 Provide the path to the pull secret file. Alternatively, you can perform a manual update to the pull secret file.
Enter the following command to update the global pull secret for your cluster:
$ oc set data secret/pull-secret -n openshift-config --from-file=.dockerconfigjson=<pull_secret_location> (1)
1 Provide the path to the new pull secret file. This update is rolled out to all nodes, which can take some time depending on the size of your cluster.
As of OKD 4.7.4, changes to the global pull secret no longer trigger a node drain or reboot.
Adding worker nodes
After you deploy your OKD cluster, you can add worker nodes to scale cluster resources. There are different ways you can add worker nodes depending on the installation method and the environment of your cluster.
Adding worker nodes to installer-provisioned infrastructure clusters
For installer-provisioned infrastructure clusters, you can manually or automatically scale the MachineSet object to match the number of available bare-metal hosts.
To add a bare-metal host, you must configure all network prerequisites, configure an associated baremetalhost object, then provision the worker node to the cluster. You can add a bare-metal host manually or by using the web console.
Adding worker nodes to user-provisioned infrastructure clusters
For user-provisioned infrastructure clusters, you can add worker nodes by using a Fedora or FCOS ISO image and connecting it to your cluster using cluster Ignition config files. For RHEL worker nodes, the following example uses Ansible playbooks to add worker nodes to the cluster. For RHCOS worker nodes, the following example uses an ISO image and network booting to add worker nodes to the cluster.
Adding RHCOS worker nodes to a user-provisioned infrastructure cluster
Adding RHEL worker nodes to a user-provisioned infrastructure cluster
Adding worker nodes to clusters managed by the Assisted Installer
For clusters managed by the Assisted Installer, you can add worker nodes by using the Red Hat OpenShift Cluster Manager console, the Assisted Installer REST API or you can manually add worker nodes using an ISO image and cluster Ignition config files.
Adding worker nodes to clusters managed by the multicluster engine for Kubernetes
For clusters managed by the multicluster engine for Kubernetes, you can add worker nodes by using the dedicated multicluster engine console.
Adjust worker nodes
If you incorrectly sized the worker nodes during deployment, adjust them by creating one or more new compute machine sets, scale them up, then scale the original compute machine set down before removing them.
Understanding the difference between compute machine sets and the machine config pool
MachineSet objects describe OKD nodes with respect to the cloud or machine provider.
The MachineConfigPool object allows MachineConfigController components to define and provide the status of machines in the context of upgrades.
The MachineConfigPool object allows users to configure how upgrades are rolled out to the OKD nodes in the machine config pool.
The NodeSelector object can be replaced with a reference to the MachineSet object.
Scaling a compute machine set manually
To add or remove an instance of a machine in a compute machine set, you can manually scale the compute machine set.
This guidance is relevant to fully automated, installer-provisioned infrastructure installations. Customized, user-provisioned infrastructure installations do not have compute machine sets.
Prerequisites
Install an OKD cluster and the
occommand line.Log in to
ocas a user withcluster-adminpermission.
Procedure
View the compute machine sets that are in the cluster by running the following command:
$ oc get machinesets -n openshift-machine-api
The compute machine sets are listed in the form of
<clusterid>-worker-<aws-region-az>.View the compute machines that are in the cluster by running the following command:
$ oc get machine -n openshift-machine-api
Set the annotation on the compute machine that you want to delete by running the following command:
$ oc annotate machine/<machine_name> -n openshift-machine-api machine.openshift.io/delete-machine="true"
Scale the compute machine set by running one of the following commands:
$ oc scale --replicas=2 machineset <machineset> -n openshift-machine-api
Or:
$ oc edit machineset <machineset> -n openshift-machine-api
You can alternatively apply the following YAML to scale the compute machine set:
apiVersion: machine.openshift.io/v1beta1kind: MachineSetmetadata:name: <machineset>namespace: openshift-machine-apispec:replicas: 2
You can scale the compute machine set up or down. It takes several minutes for the new machines to be available.
By default, the machine controller tries to drain the node that is backed by the machine until it succeeds. In some situations, such as with a misconfigured pod disruption budget, the drain operation might not be able to succeed. If the drain operation fails, the machine controller cannot proceed removing the machine.
You can skip draining the node by annotating
machine.openshift.io/exclude-node-drainingin a specific machine.
Verification
Verify the deletion of the intended machine by running the following command:
$ oc get machines
The compute machine set deletion policy
Random, Newest, and Oldest are the three supported deletion options. The default is Random, meaning that random machines are chosen and deleted when scaling compute machine sets down. The deletion policy can be set according to the use case by modifying the particular compute machine set:
spec:deletePolicy: <delete_policy>replicas: <desired_replica_count>
Specific machines can also be prioritized for deletion by adding the annotation machine.openshift.io/delete-machine=true to the machine of interest, regardless of the deletion policy.
By default, the OKD router pods are deployed on workers. Because the router is required to access some cluster resources, including the web console, do not scale the worker compute machine set to |
Custom compute machine sets can be used for use cases requiring that services run on specific nodes and that those services are ignored by the controller when the worker compute machine sets are scaling down. This prevents service disruption. |
Creating default cluster-wide node selectors
You can use default cluster-wide node selectors on pods together with labels on nodes to constrain all pods created in a cluster to specific nodes.
With cluster-wide node selectors, when you create a pod in that cluster, OKD adds the default node selectors to the pod and schedules the pod on nodes with matching labels.
You configure cluster-wide node selectors by editing the Scheduler Operator custom resource (CR). You add labels to a node, a compute machine set, or a machine config. Adding the label to the compute machine set ensures that if the node or machine goes down, new nodes have the label. Labels added to a node or machine config do not persist if the node or machine goes down.
You can add additional key/value pairs to a pod. But you cannot add a different value for a default key. |
Procedure
To add a default cluster-wide node selector:
Edit the Scheduler Operator CR to add the default cluster-wide node selectors:
$ oc edit scheduler cluster
Example Scheduler Operator CR with a node selector
apiVersion: config.openshift.io/v1kind: Schedulermetadata:name: cluster...spec:defaultNodeSelector: type=user-node,region=east (1)mastersSchedulable: false
1 Add a node selector with the appropriate <key>:<value>pairs.After making this change, wait for the pods in the
openshift-kube-apiserverproject to redeploy. This can take several minutes. The default cluster-wide node selector does not take effect until the pods redeploy.Add labels to a node by using a compute machine set or editing the node directly:
Use a compute machine set to add labels to nodes managed by the compute machine set when a node is created:
Run the following command to add labels to a
MachineSetobject:$ oc patch MachineSet <name> --type='json' -p='[{"op":"add","path":"/spec/template/spec/metadata/labels", "value":{"<key>"="<value>","<key>"="<value>"}}]' -n openshift-machine-api (1)
1 Add a <key>/<value>pair for each label.For example:
$ oc patch MachineSet ci-ln-l8nry52-f76d1-hl7m7-worker-c --type='json' -p='[{"op":"add","path":"/spec/template/spec/metadata/labels", "value":{"type":"user-node","region":"east"}}]' -n openshift-machine-api
You can alternatively apply the following YAML to add labels to a compute machine set:
apiVersion: machine.openshift.io/v1beta1kind: MachineSetmetadata:name: <machineset>namespace: openshift-machine-apispec:template:spec:metadata:labels:region: “east”type: “user-node”
Verify that the labels are added to the
MachineSetobject by using theoc editcommand:For example:
$ oc edit MachineSet abc612-msrtw-worker-us-east-1c -n openshift-machine-api
Example
MachineSetobjectapiVersion: machine.openshift.io/v1beta1kind: MachineSet...spec:...template:metadata:...spec:metadata:labels:region: easttype: user-node...
Redeploy the nodes associated with that compute machine set by scaling down to
0and scaling up the nodes:For example:
$ oc scale --replicas=0 MachineSet ci-ln-l8nry52-f76d1-hl7m7-worker-c -n openshift-machine-api
$ oc scale --replicas=1 MachineSet ci-ln-l8nry52-f76d1-hl7m7-worker-c -n openshift-machine-api
When the nodes are ready and available, verify that the label is added to the nodes by using the
oc getcommand:$ oc get nodes -l <key>=<value>
For example:
$ oc get nodes -l type=user-node
Example output
NAME STATUS ROLES AGE VERSIONci-ln-l8nry52-f76d1-hl7m7-worker-c-vmqzp Ready worker 61s v1.28.5
Add labels directly to a node:
Edit the
Nodeobject for the node:$ oc label nodes <name> <key>=<value>
For example, to label a node:
$ oc label nodes ci-ln-l8nry52-f76d1-hl7m7-worker-b-tgq49 type=user-node region=east
You can alternatively apply the following YAML to add labels to a node:
kind: NodeapiVersion: v1metadata:name: <node_name>labels:type: “user-node”region: “east”
Verify that the labels are added to the node using the
oc getcommand:$ oc get nodes -l <key>=<value>,<key>=<value>
For example:
$ oc get nodes -l type=user-node,region=east
Example output
NAME STATUS ROLES AGE VERSIONci-ln-l8nry52-f76d1-hl7m7-worker-b-tgq49 Ready worker 17m v1.28.5
Improving cluster stability in high latency environments using worker latency profiles
If the cluster administrator has performed latency tests for platform verification, they can discover the need to adjust the operation of the cluster to ensure stability in cases of high latency. The cluster administrator need change only one parameter, recorded in a file, which controls four parameters affecting how supervisory processes read status and interpret the health of the cluster. Changing only the one parameter provides cluster tuning in an easy, supportable manner.
The Kubelet process provides the starting point for monitoring cluster health. The Kubelet sets status values for all nodes in the OKD cluster. The Kubernetes Controller Manager (kube controller) reads the status values every 10 seconds, by default. If the kube controller cannot read a node status value, it loses contact with that node after a configured period. The default behavior is:
The node controller on the control plane updates the node health to
Unhealthyand marks the nodeReadycondition`Unknown`.In response, the scheduler stops scheduling pods to that node.
The Node Lifecycle Controller adds a
node.kubernetes.io/unreachabletaint with aNoExecuteeffect to the node and schedules any pods on the node for eviction after five minutes, by default.
This behavior can cause problems if your network is prone to latency issues, especially if you have nodes at the network edge. In some cases, the Kubernetes Controller Manager might not receive an update from a healthy node due to network latency. The Kubelet evicts pods from the node even though the node is healthy.
To avoid this problem, you can use worker latency profiles to adjust the frequency that the Kubelet and the Kubernetes Controller Manager wait for status updates before taking action. These adjustments help to ensure that your cluster runs properly if network latency between the control plane and the worker nodes is not optimal.
These worker latency profiles contain three sets of parameters that are pre-defined with carefully tuned values to control the reaction of the cluster to increased latency. No need to experimentally find the best values manually.
You can configure worker latency profiles when installing a cluster or at any time you notice increased latency in your cluster network.
Understanding worker latency profiles
Worker latency profiles are four different categories of carefully-tuned parameters. The four parameters which implement these values are node-status-update-frequency, node-monitor-grace-period, default-not-ready-toleration-seconds and default-unreachable-toleration-seconds. These parameters can use values which allow you control the reaction of the cluster to latency issues without needing to determine the best values using manual methods.
Setting these parameters manually is not supported. Incorrect parameter settings adversely affect cluster stability. |
All worker latency profiles configure the following parameters:
node-status-update-frequency
Specifies how often the kubelet posts node status to the API server.
node-monitor-grace-period
Specifies the amount of time in seconds that the Kubernetes Controller Manager waits for an update from a kubelet before marking the node unhealthy and adding the node.kubernetes.io/not-ready or node.kubernetes.io/unreachable taint to the node.
default-not-ready-toleration-seconds
Specifies the amount of time in seconds after marking a node unhealthy that the Kube API Server Operator waits before evicting pods from that node.
default-unreachable-toleration-seconds
Specifies the amount of time in seconds after marking a node unreachable that the Kube API Server Operator waits before evicting pods from that node.
The following Operators monitor the changes to the worker latency profiles and respond accordingly:
The Machine Config Operator (MCO) updates the
node-status-update-frequencyparameter on the worker nodes.The Kubernetes Controller Manager updates the
node-monitor-grace-periodparameter on the control plane nodes.The Kubernetes API Server Operator updates the
default-not-ready-toleration-secondsanddefault-unreachable-toleration-secondsparameters on the control plane nodes.
Although the default configuration works in most cases, OKD offers two other worker latency profiles for situations where the network is experiencing higher latency than usual. The three worker latency profiles are described in the following sections:
Default worker latency profile
With the Default profile, each Kubelet updates it’s status every 10 seconds (node-status-update-frequency). The Kube Controller Manager checks the statuses of Kubelet every 5 seconds (node-monitor-grace-period).
The Kubernetes Controller Manager waits 40 seconds for a status update from Kubelet before considering the Kubelet unhealthy. If no status is made available to the Kubernetes Controller Manager, it then marks the node with the node.kubernetes.io/not-ready or node.kubernetes.io/unreachable taint and evicts the pods on that node.
If a pod on that node has the NoExecute taint, the pod is run according to tolerationSeconds. If the pod has no taint, it will be evicted in 300 seconds (default-not-ready-toleration-seconds and default-unreachable-toleration-seconds settings of the Kube API Server).
| Profile | Component | Parameter | Value |
|---|---|---|---|
Default | kubelet |
| 10s |
Kubelet Controller Manager |
| 40s | |
Kubernetes API Server Operator |
| 300s | |
Kubernetes API Server Operator |
| 300s |
Medium worker latency profile
Use the MediumUpdateAverageReaction profile if the network latency is slightly higher than usual.
The MediumUpdateAverageReaction profile reduces the frequency of kubelet updates to 20 seconds and changes the period that the Kubernetes Controller Manager waits for those updates to 2 minutes. The pod eviction period for a pod on that node is reduced to 60 seconds. If the pod has the tolerationSeconds parameter, the eviction waits for the period specified by that parameter.
The Kubernetes Controller Manager waits for 2 minutes to consider a node unhealthy. In another minute, the eviction process starts.
| Profile | Component | Parameter | Value |
|---|---|---|---|
MediumUpdateAverageReaction | kubelet |
| 20s |
Kubelet Controller Manager |
| 2m | |
Kubernetes API Server Operator |
| 60s | |
Kubernetes API Server Operator |
| 60s |
Low worker latency profile
Use the LowUpdateSlowReaction profile if the network latency is extremely high.
The LowUpdateSlowReaction profile reduces the frequency of kubelet updates to 1 minute and changes the period that the Kubernetes Controller Manager waits for those updates to 5 minutes. The pod eviction period for a pod on that node is reduced to 60 seconds. If the pod has the tolerationSeconds parameter, the eviction waits for the period specified by that parameter.
The Kubernetes Controller Manager waits for 5 minutes to consider a node unhealthy. In another minute, the eviction process starts.
| Profile | Component | Parameter | Value |
|---|---|---|---|
LowUpdateSlowReaction | kubelet |
| 1m |
Kubelet Controller Manager |
| 5m | |
Kubernetes API Server Operator |
| 60s | |
Kubernetes API Server Operator |
| 60s |
Using and changing worker latency profiles
To change a worker latency profile to deal with network latency, edit the node.config object to add the name of the profile. You can change the profile at any time as latency increases or decreases.
You must move one worker latency profile at a time. For example, you cannot move directly from the Default profile to the LowUpdateSlowReaction worker latency profile. You must move from the Default worker latency profile to the MediumUpdateAverageReaction profile first, then to LowUpdateSlowReaction. Similarly, when returning to the Default profile, you must move from the low profile to the medium profile first, then to Default.
You can also configure worker latency profiles upon installing an OKD cluster. |
Procedure
To move from the default worker latency profile:
Move to the medium worker latency profile:
Edit the
node.configobject:$ oc edit nodes.config/cluster
Add
spec.workerLatencyProfile: MediumUpdateAverageReaction:Example
node.configobjectapiVersion: config.openshift.io/v1kind: Nodemetadata:annotations:include.release.openshift.io/ibm-cloud-managed: "true"include.release.openshift.io/self-managed-high-availability: "true"include.release.openshift.io/single-node-developer: "true"release.openshift.io/create-only: "true"creationTimestamp: "2022-07-08T16:02:51Z"generation: 1name: clusterownerReferences:- apiVersion: config.openshift.io/v1kind: ClusterVersionname: versionuid: 36282574-bf9f-409e-a6cd-3032939293ebresourceVersion: "1865"uid: 0c0f7a4c-4307-4187-b591-6155695ac85bspec:workerLatencyProfile: MediumUpdateAverageReaction (1)# ...
1 Specifies the medium worker latency policy. Scheduling on each worker node is disabled as the change is being applied.
Optional: Move to the low worker latency profile:
Edit the
node.configobject:$ oc edit nodes.config/cluster
Change the
spec.workerLatencyProfilevalue toLowUpdateSlowReaction:Example
node.configobjectapiVersion: config.openshift.io/v1kind: Nodemetadata:annotations:include.release.openshift.io/ibm-cloud-managed: "true"include.release.openshift.io/self-managed-high-availability: "true"include.release.openshift.io/single-node-developer: "true"release.openshift.io/create-only: "true"creationTimestamp: "2022-07-08T16:02:51Z"generation: 1name: clusterownerReferences:- apiVersion: config.openshift.io/v1kind: ClusterVersionname: versionuid: 36282574-bf9f-409e-a6cd-3032939293ebresourceVersion: "1865"uid: 0c0f7a4c-4307-4187-b591-6155695ac85bspec:workerLatencyProfile: LowUpdateSlowReaction (1)# ...
1 Specifies use of the low worker latency policy.
Scheduling on each worker node is disabled as the change is being applied.
Verification
When all nodes return to the
Readycondition, you can use the following command to look in the Kubernetes Controller Manager to ensure it was applied:$ oc get KubeControllerManager -o yaml | grep -i workerlatency -A 5 -B 5
Example output
# ...- lastTransitionTime: "2022-07-11T19:47:10Z"reason: ProfileUpdatedstatus: "False"type: WorkerLatencyProfileProgressing- lastTransitionTime: "2022-07-11T19:47:10Z" (1)message: all static pod revision(s) have updated latency profilereason: ProfileUpdatedstatus: "True"type: WorkerLatencyProfileComplete- lastTransitionTime: "2022-07-11T19:20:11Z"reason: AsExpectedstatus: "False"type: WorkerLatencyProfileDegraded- lastTransitionTime: "2022-07-11T19:20:36Z"status: "False"# ...
1 Specifies that the profile is applied and active.
To change the medium profile to default or change the default to medium, edit the node.config object and set the spec.workerLatencyProfile parameter to the appropriate value.
Managing control plane machines
Control plane machine sets provide management capabilities for control plane machines that are similar to what compute machine sets provide for compute machines. The availability and initial status of control plane machine sets on your cluster depend on your cloud provider and the version of OKD that you installed. For more information, see Getting started with control plane machine sets.
Creating infrastructure machine sets for production environments
You can create a compute machine set to create machines that host only infrastructure components, such as the default router, the integrated container image registry, and components for cluster metrics and monitoring. These infrastructure machines are not counted toward the total number of subscriptions that are required to run the environment.
In a production deployment, it is recommended that you deploy at least three compute machine sets to hold infrastructure components. Both OpenShift Logging and Red Hat OpenShift Service Mesh deploy Elasticsearch, which requires three instances to be installed on different nodes. Each of these nodes can be deployed to different availability zones for high availability. A configuration like this requires three different compute machine sets, one for each availability zone. In global Azure regions that do not have multiple availability zones, you can use availability sets to ensure high availability.
For information on infrastructure nodes and which components can run on infrastructure nodes, see Creating infrastructure machine sets.
To create an infrastructure node, you can use a machine set, assign a label to the nodes, or use a machine config pool.
For sample machine sets that you can use with these procedures, see Creating machine sets for different clouds.
Applying a specific node selector to all infrastructure components causes OKD to schedule those workloads on nodes with that label.
Creating a compute machine set
In addition to the compute machine sets created by the installation program, you can create your own to dynamically manage the machine compute resources for specific workloads of your choice.
Prerequisites
Deploy an OKD cluster.
Install the OpenShift CLI (
oc).Log in to
ocas a user withcluster-adminpermission.
Procedure
Create a new YAML file that contains the compute machine set custom resource (CR) sample and is named
<file_name>.yaml.Ensure that you set the
<clusterID>and<role>parameter values.Optional: If you are not sure which value to set for a specific field, you can check an existing compute machine set from your cluster.
To list the compute machine sets in your cluster, run the following command:
$ oc get machinesets -n openshift-machine-api
Example output
NAME DESIRED CURRENT READY AVAILABLE AGEagl030519-vplxk-worker-us-east-1a 1 1 1 1 55magl030519-vplxk-worker-us-east-1b 1 1 1 1 55magl030519-vplxk-worker-us-east-1c 1 1 1 1 55magl030519-vplxk-worker-us-east-1d 0 0 55magl030519-vplxk-worker-us-east-1e 0 0 55magl030519-vplxk-worker-us-east-1f 0 0 55m
To view values of a specific compute machine set custom resource (CR), run the following command:
$ oc get machineset <machineset_name> \-n openshift-machine-api -o yaml
Example output
apiVersion: machine.openshift.io/v1beta1kind: MachineSetmetadata:labels:machine.openshift.io/cluster-api-cluster: <infrastructure_id> (1)name: <infrastructure_id>-<role> (2)namespace: openshift-machine-apispec:replicas: 1selector:matchLabels:machine.openshift.io/cluster-api-cluster: <infrastructure_id>machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>template:metadata:labels:machine.openshift.io/cluster-api-cluster: <infrastructure_id>machine.openshift.io/cluster-api-machine-role: <role>machine.openshift.io/cluster-api-machine-type: <role>machine.openshift.io/cluster-api-machineset: <infrastructure_id>-<role>spec:providerSpec: (3)...
1 The cluster infrastructure ID. 2 A default node label. For clusters that have user-provisioned infrastructure, a compute machine set can only create
workerandinfratype machines.3 The values in the <providerSpec>section of the compute machine set CR are platform-specific. For more information about<providerSpec>parameters in the CR, see the sample compute machine set CR configuration for your provider.
Create a
MachineSetCR by running the following command:$ oc create -f <file_name>.yaml
Verification
View the list of compute machine sets by running the following command:
$ oc get machineset -n openshift-machine-api
Example output
NAME DESIRED CURRENT READY AVAILABLE AGEagl030519-vplxk-infra-us-east-1a 1 1 1 1 11magl030519-vplxk-worker-us-east-1a 1 1 1 1 55magl030519-vplxk-worker-us-east-1b 1 1 1 1 55magl030519-vplxk-worker-us-east-1c 1 1 1 1 55magl030519-vplxk-worker-us-east-1d 0 0 55magl030519-vplxk-worker-us-east-1e 0 0 55magl030519-vplxk-worker-us-east-1f 0 0 55m
When the new compute machine set is available, the
DESIREDandCURRENTvalues match. If the compute machine set is not available, wait a few minutes and run the command again.
Creating an infrastructure node
See Creating infrastructure machine sets for installer-provisioned infrastructure environments or for any cluster where the control plane nodes are managed by the machine API. |
Requirements of the cluster dictate that infrastructure, also called infra nodes, be provisioned. The installer only provides provisions for control plane and worker nodes. Worker nodes can be designated as infrastructure nodes or application, also called app, nodes through labeling.
Procedure
Add a label to the worker node that you want to act as application node:
$ oc label node <node-name> node-role.kubernetes.io/app=""
Add a label to the worker nodes that you want to act as infrastructure nodes:
$ oc label node <node-name> node-role.kubernetes.io/infra=""
Check to see if applicable nodes now have the
infrarole andapproles:$ oc get nodes
Create a default cluster-wide node selector. The default node selector is applied to pods created in all namespaces. This creates an intersection with any existing node selectors on a pod, which additionally constrains the pod’s selector.
If the default node selector key conflicts with the key of a pod’s label, then the default node selector is not applied.
However, do not set a default node selector that might cause a pod to become unschedulable. For example, setting the default node selector to a specific node role, such as
node-role.kubernetes.io/infra=””, when a pod’s label is set to a different node role, such asnode-role.kubernetes.io/master=””, can cause the pod to become unschedulable. For this reason, use caution when setting the default node selector to specific node roles.You can alternatively use a project node selector to avoid cluster-wide node selector key conflicts.
Edit the
Schedulerobject:$ oc edit scheduler cluster
Add the
defaultNodeSelectorfield with the appropriate node selector:apiVersion: config.openshift.io/v1kind: Schedulermetadata:name: clusterspec:defaultNodeSelector: topology.kubernetes.io/region=us-east-1 (1)# ...
1 This example node selector deploys pods on nodes in the us-east-1region by default.Save the file to apply the changes.
You can now move infrastructure resources to the newly labeled infra nodes.
Additional resources
- For information on how to configure project node selectors to avoid cluster-wide node selector key conflicts, see Project node selectors.
Creating a machine config pool for infrastructure machines
If you need infrastructure machines to have dedicated configurations, you must create an infra pool.
Creating a custom machine configuration pool overrides default worker pool configurations if they refer to the same file or unit. |
Procedure
Add a label to the node you want to assign as the infra node with a specific label:
$ oc label node <node_name> <label>
$ oc label node ci-ln-n8mqwr2-f76d1-xscn2-worker-c-6fmtx node-role.kubernetes.io/infra=
Create a machine config pool that contains both the worker role and your custom role as machine config selector:
$ cat infra.mcp.yaml
Example output
apiVersion: machineconfiguration.openshift.io/v1kind: MachineConfigPoolmetadata:name: infraspec:machineConfigSelector:matchExpressions:- {key: machineconfiguration.openshift.io/role, operator: In, values: [worker,infra]} (1)nodeSelector:matchLabels:node-role.kubernetes.io/infra: "" (2)
1 Add the worker role and your custom role. 2 Add the label you added to the node as a nodeSelector.Custom machine config pools inherit machine configs from the worker pool. Custom pools use any machine config targeted for the worker pool, but add the ability to also deploy changes that are targeted at only the custom pool. Because a custom pool inherits resources from the worker pool, any change to the worker pool also affects the custom pool.
After you have the YAML file, you can create the machine config pool:
$ oc create -f infra.mcp.yaml
Check the machine configs to ensure that the infrastructure configuration rendered successfully:
$ oc get machineconfig
Example output
NAME GENERATEDBYCONTROLLER IGNITIONVERSION CREATED00-master 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d00-worker 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d01-master-container-runtime 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d01-master-kubelet 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d01-worker-container-runtime 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d01-worker-kubelet 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d99-master-1ae2a1e0-a115-11e9-8f14-005056899d54-registries 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d99-master-ssh 3.2.0 31d99-worker-1ae64748-a115-11e9-8f14-005056899d54-registries 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 31d99-worker-ssh 3.2.0 31drendered-infra-4e48906dca84ee702959c71a53ee80e7 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 23mrendered-master-072d4b2da7f88162636902b074e9e28e 5b6fb8349a29735e48446d435962dec4547d3090 3.2.0 31drendered-master-3e88ec72aed3886dec061df60d16d1af 02c07496ba0417b3e12b78fb32baf6293d314f79 3.2.0 31drendered-master-419bee7de96134963a15fdf9dd473b25 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 17drendered-master-53f5c91c7661708adce18739cc0f40fb 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 13drendered-master-a6a357ec18e5bce7f5ac426fc7c5ffcd 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 7d3hrendered-master-dc7f874ec77fc4b969674204332da037 5b6fb8349a29735e48446d435962dec4547d3090 3.2.0 31drendered-worker-1a75960c52ad18ff5dfa6674eb7e533d 5b6fb8349a29735e48446d435962dec4547d3090 3.2.0 31drendered-worker-2640531be11ba43c61d72e82dc634ce6 5b6fb8349a29735e48446d435962dec4547d3090 3.2.0 31drendered-worker-4e48906dca84ee702959c71a53ee80e7 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 7d3hrendered-worker-4f110718fe88e5f349987854a1147755 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 17drendered-worker-afc758e194d6188677eb837842d3b379 02c07496ba0417b3e12b78fb32baf6293d314f79 3.2.0 31drendered-worker-daa08cc1e8f5fcdeba24de60cd955cc3 365c1cfd14de5b0e3b85e0fc815b0060f36ab955 3.2.0 13d
You should see a new machine config, with the
rendered-infra-*prefix.Optional: To deploy changes to a custom pool, create a machine config that uses the custom pool name as the label, such as
infra. Note that this is not required and only shown for instructional purposes. In this manner, you can apply any custom configurations specific to only your infra nodes.After you create the new machine config pool, the MCO generates a new rendered config for that pool, and associated nodes of that pool reboot to apply the new configuration.
Create a machine config:
$ cat infra.mc.yaml
Example output
apiVersion: machineconfiguration.openshift.io/v1kind: MachineConfigmetadata:name: 51-infralabels:machineconfiguration.openshift.io/role: infra (1)spec:config:ignition:version: 3.2.0storage:files:- path: /etc/infratestmode: 0644contents:source: data:,infra
1 Add the label you added to the node as a nodeSelector.Apply the machine config to the infra-labeled nodes:
$ oc create -f infra.mc.yaml
Confirm that your new machine config pool is available:
$ oc get mcp
Example output
NAME CONFIG UPDATED UPDATING DEGRADED MACHINECOUNT READYMACHINECOUNT UPDATEDMACHINECOUNT DEGRADEDMACHINECOUNT AGEinfra rendered-infra-60e35c2e99f42d976e084fa94da4d0fc True False False 1 1 1 0 4m20smaster rendered-master-9360fdb895d4c131c7c4bebbae099c90 True False False 3 3 3 0 91mworker rendered-worker-60e35c2e99f42d976e084fa94da4d0fc True False False 2 2 2 0 91m
In this example, a worker node was changed to an infra node.
Additional resources
- See Node configuration management with machine config pools for more information on grouping infra machines in a custom pool.
Assigning machine set resources to infrastructure nodes
After creating an infrastructure machine set, the worker and infra roles are applied to new infra nodes. Nodes with the infra role are not counted toward the total number of subscriptions that are required to run the environment, even when the worker role is also applied.
However, when an infra node is assigned the worker role, there is a chance that user workloads can get assigned inadvertently to the infra node. To avoid this, you can apply a taint to the infra node and tolerations for the pods that you want to control.
Binding infrastructure node workloads using taints and tolerations
If you have an infra node that has the infra and worker roles assigned, you must configure the node so that user workloads are not assigned to it.
It is recommended that you preserve the dual |
Prerequisites
- Configure additional
MachineSetobjects in your OKD cluster.
Procedure
Add a taint to the infra node to prevent scheduling user workloads on it:
Determine if the node has the taint:
$ oc describe nodes <node_name>
Sample output
oc describe node ci-ln-iyhx092-f76d1-nvdfm-worker-b-wln2lName: ci-ln-iyhx092-f76d1-nvdfm-worker-b-wln2lRoles: worker...Taints: node-role.kubernetes.io/infra:NoSchedule...
This example shows that the node has a taint. You can proceed with adding a toleration to your pod in the next step.
If you have not configured a taint to prevent scheduling user workloads on it:
$ oc adm taint nodes <node_name> <key>=<value>:<effect>
For example:
$ oc adm taint nodes node1 node-role.kubernetes.io/infra=reserved:NoExecute
You can alternatively apply the following YAML to add the taint:
kind: NodeapiVersion: v1metadata:name: <node_name>labels:…spec:taints:- key: node-role.kubernetes.io/infraeffect: NoExecutevalue: reserved…
This example places a taint on
node1that has keynode-role.kubernetes.io/infraand taint effectNoSchedule. Nodes with theNoScheduleeffect schedule only pods that tolerate the taint, but allow existing pods to remain scheduled on the node.If a descheduler is used, pods violating node taints could be evicted from the cluster.
Add tolerations for the pod configurations you want to schedule on the infra node, like router, registry, and monitoring workloads. Add the following code to the
Podobject specification:tolerations:- effect: NoExecute (1)key: node-role.kubernetes.io/infra (2)operator: Exists (3)value: reserved (4)
1 Specify the effect that you added to the node. 2 Specify the key that you added to the node. 3 Specify the ExistsOperator to require a taint with the keynode-role.kubernetes.io/infrato be present on the node.4 Specify the value of the key-value pair taint that you added to the node. This toleration matches the taint created by the
oc adm taintcommand. A pod with this toleration can be scheduled onto the infra node.Moving pods for an Operator installed via OLM to an infra node is not always possible. The capability to move Operator pods depends on the configuration of each Operator.
Schedule the pod to the infra node using a scheduler. See the documentation for Controlling pod placement onto nodes for details.
Additional resources
- See Controlling pod placement using the scheduler for general information on scheduling a pod to a node.
Moving resources to infrastructure machine sets
Some of the infrastructure resources are deployed in your cluster by default. You can move them to the infrastructure machine sets that you created.
Moving the router
You can deploy the router pod to a different compute machine set. By default, the pod is deployed to a worker node.
Prerequisites
- Configure additional compute machine sets in your OKD cluster.
Procedure
View the
IngressControllercustom resource for the router Operator:$ oc get ingresscontroller default -n openshift-ingress-operator -o yaml
The command output resembles the following text:
apiVersion: operator.openshift.io/v1kind: IngressControllermetadata:creationTimestamp: 2019-04-18T12:35:39Zfinalizers:- ingresscontroller.operator.openshift.io/finalizer-ingresscontrollergeneration: 1name: defaultnamespace: openshift-ingress-operatorresourceVersion: "11341"selfLink: /apis/operator.openshift.io/v1/namespaces/openshift-ingress-operator/ingresscontrollers/defaultuid: 79509e05-61d6-11e9-bc55-02ce4781844aspec: {}status:availableReplicas: 2conditions:- lastTransitionTime: 2019-04-18T12:36:15Zstatus: "True"type: Availabledomain: apps.<cluster>.example.comendpointPublishingStrategy:type: LoadBalancerServiceselector: ingresscontroller.operator.openshift.io/deployment-ingresscontroller=default
Edit the
ingresscontrollerresource and change thenodeSelectorto use theinfralabel:$ oc edit ingresscontroller default -n openshift-ingress-operator
spec:nodePlacement:nodeSelector: (1)matchLabels:node-role.kubernetes.io/infra: ""tolerations:- effect: NoSchedulekey: node-role.kubernetes.io/infravalue: reserved- effect: NoExecutekey: node-role.kubernetes.io/infravalue: reserved
1 Add a nodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorin the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrastructure node, also add a matching toleration.Confirm that the router pod is running on the
infranode.View the list of router pods and note the node name of the running pod:
$ oc get pod -n openshift-ingress -o wide
Example output
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESrouter-default-86798b4b5d-bdlvd 1/1 Running 0 28s 10.130.2.4 ip-10-0-217-226.ec2.internal <none> <none>router-default-955d875f4-255g8 0/1 Terminating 0 19h 10.129.2.4 ip-10-0-148-172.ec2.internal <none> <none>
In this example, the running pod is on the
ip-10-0-217-226.ec2.internalnode.View the node status of the running pod:
$ oc get node <node_name> (1)
1 Specify the <node_name>that you obtained from the pod list.Example output
NAME STATUS ROLES AGE VERSIONip-10-0-217-226.ec2.internal Ready infra,worker 17h v1.28.5
Because the role list includes
infra, the pod is running on the correct node.
Moving the default registry
You configure the registry Operator to deploy its pods to different nodes.
Prerequisites
- Configure additional compute machine sets in your OKD cluster.
Procedure
View the
config/instanceobject:$ oc get configs.imageregistry.operator.openshift.io/cluster -o yaml
Example output
apiVersion: imageregistry.operator.openshift.io/v1kind: Configmetadata:creationTimestamp: 2019-02-05T13:52:05Zfinalizers:- imageregistry.operator.openshift.io/finalizergeneration: 1name: clusterresourceVersion: "56174"selfLink: /apis/imageregistry.operator.openshift.io/v1/configs/clusteruid: 36fd3724-294d-11e9-a524-12ffeee2931bspec:httpSecret: d9a012ccd117b1e6616ceccb2c3bb66a5fed1b5e481623logging: 2managementState: Managedproxy: {}replicas: 1requests:read: {}write: {}storage:s3:bucket: image-registry-us-east-1-c92e88cad85b48ec8b312344dff03c82-392cregion: us-east-1status:...
Edit the
config/instanceobject:$ oc edit configs.imageregistry.operator.openshift.io/cluster
spec:affinity:podAntiAffinity:preferredDuringSchedulingIgnoredDuringExecution:- podAffinityTerm:namespaces:- openshift-image-registrytopologyKey: kubernetes.io/hostnameweight: 100logLevel: NormalmanagementState: ManagednodeSelector: (1)node-role.kubernetes.io/infra: ""tolerations:- effect: NoSchedulekey: node-role.kubernetes.io/infravalue: reserved- effect: NoExecutekey: node-role.kubernetes.io/infravalue: reserved
1 Add a nodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorin the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrasructure node, also add a matching toleration.Verify the registry pod has been moved to the infrastructure node.
Run the following command to identify the node where the registry pod is located:
$ oc get pods -o wide -n openshift-image-registry
Confirm the node has the label you specified:
$ oc describe node <node_name>
Review the command output and confirm that
node-role.kubernetes.io/infrais in theLABELSlist.
Moving the monitoring solution
The monitoring stack includes multiple components, including Prometheus, Thanos Querier, and Alertmanager. The Cluster Monitoring Operator manages this stack. To redeploy the monitoring stack to infrastructure nodes, you can create and apply a custom config map.
Procedure
Edit the
cluster-monitoring-configconfig map and change thenodeSelectorto use theinfralabel:$ oc edit configmap cluster-monitoring-config -n openshift-monitoring
apiVersion: v1kind: ConfigMapmetadata:name: cluster-monitoring-confignamespace: openshift-monitoringdata:config.yaml: |+alertmanagerMain:nodeSelector: (1)node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecuteprometheusK8s:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecuteprometheusOperator:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecutek8sPrometheusAdapter:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecutekubeStateMetrics:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecutetelemeterClient:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecuteopenshiftStateMetrics:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecutethanosQuerier:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecutemonitoringPlugin:nodeSelector:node-role.kubernetes.io/infra: ""tolerations:- key: node-role.kubernetes.io/infravalue: reservedeffect: NoSchedule- key: node-role.kubernetes.io/infravalue: reservedeffect: NoExecute
1 Add a nodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorin the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrastructure node, also add a matching toleration.Watch the monitoring pods move to the new machines:
$ watch 'oc get pod -n openshift-monitoring -o wide'
If a component has not moved to the
infranode, delete the pod with this component:$ oc delete pod -n openshift-monitoring <pod>
The component from the deleted pod is re-created on the
infranode.
Moving logging subsystem resources
You can configure the Red Hat OpenShift Logging Operator to deploy the pods for logging subsystem components, such as Elasticsearch and Kibana, to different nodes. You cannot move the Red Hat OpenShift Logging Operator pod from its installed location.
For example, you can move the Elasticsearch pods to a separate node because of high CPU, memory, and disk requirements.
Prerequisites
- You have installed the Red Hat OpenShift Logging Operator and the OpenShift Elasticsearch Operator.
Procedure
Edit the
ClusterLoggingcustom resource (CR) in theopenshift-loggingproject:$ oc edit ClusterLogging instance
Example
ClusterLoggingCRapiVersion: logging.openshift.io/v1kind: ClusterLogging# ...spec:logStore:elasticsearch:nodeCount: 3nodeSelector: (1)node-role.kubernetes.io/infra: ''tolerations:- effect: NoSchedulekey: node-role.kubernetes.io/infravalue: reserved- effect: NoExecutekey: node-role.kubernetes.io/infravalue: reservedredundancyPolicy: SingleRedundancyresources:limits:cpu: 500mmemory: 16Girequests:cpu: 500mmemory: 16Gistorage: {}type: elasticsearchmanagementState: Managedvisualization:kibana:nodeSelector: (1)node-role.kubernetes.io/infra: ''tolerations:- effect: NoSchedulekey: node-role.kubernetes.io/infravalue: reserved- effect: NoExecutekey: node-role.kubernetes.io/infravalue: reservedproxy:resources: nullreplicas: 1resources: nulltype: kibana# ...
1 Add a nodeSelectorparameter with the appropriate value to the component you want to move. You can use anodeSelectorin the format shown or use<key>: <value>pairs, based on the value specified for the node. If you added a taint to the infrasructure node, also add a matching toleration.
Verification
To verify that a component has moved, you can use the oc get pod -o wide command.
For example:
You want to move the Kibana pod from the
ip-10-0-147-79.us-east-2.compute.internalnode:$ oc get pod kibana-5b8bdf44f9-ccpq9 -o wide
Example output
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESkibana-5b8bdf44f9-ccpq9 2/2 Running 0 27s 10.129.2.18 ip-10-0-147-79.us-east-2.compute.internal <none> <none>
You want to move the Kibana pod to the
ip-10-0-139-48.us-east-2.compute.internalnode, a dedicated infrastructure node:$ oc get nodes
Example output
NAME STATUS ROLES AGE VERSIONip-10-0-133-216.us-east-2.compute.internal Ready master 60m v1.28.5ip-10-0-139-146.us-east-2.compute.internal Ready master 60m v1.28.5ip-10-0-139-192.us-east-2.compute.internal Ready worker 51m v1.28.5ip-10-0-139-241.us-east-2.compute.internal Ready worker 51m v1.28.5ip-10-0-147-79.us-east-2.compute.internal Ready worker 51m v1.28.5ip-10-0-152-241.us-east-2.compute.internal Ready master 60m v1.28.5ip-10-0-139-48.us-east-2.compute.internal Ready infra 51m v1.28.5
Note that the node has a
node-role.kubernetes.io/infra: ''label:$ oc get node ip-10-0-139-48.us-east-2.compute.internal -o yaml
Example output
kind: NodeapiVersion: v1metadata:name: ip-10-0-139-48.us-east-2.compute.internalselfLink: /api/v1/nodes/ip-10-0-139-48.us-east-2.compute.internaluid: 62038aa9-661f-41d7-ba93-b5f1b6ef8751resourceVersion: '39083'creationTimestamp: '2020-04-13T19:07:55Z'labels:node-role.kubernetes.io/infra: ''...
To move the Kibana pod, edit the
ClusterLoggingCR to add a node selector:apiVersion: logging.openshift.io/v1kind: ClusterLogging# ...spec:# ...visualization:kibana:nodeSelector: (1)node-role.kubernetes.io/infra: ''proxy:resources: nullreplicas: 1resources: nulltype: kibana
1 Add a node selector to match the label in the node specification. After you save the CR, the current Kibana pod is terminated and new pod is deployed:
$ oc get pods
Example output
NAME READY STATUS RESTARTS AGEcluster-logging-operator-84d98649c4-zb9g7 1/1 Running 0 29melasticsearch-cdm-hwv01pf7-1-56588f554f-kpmlg 2/2 Running 0 28melasticsearch-cdm-hwv01pf7-2-84c877d75d-75wqj 2/2 Running 0 28melasticsearch-cdm-hwv01pf7-3-f5d95b87b-4nx78 2/2 Running 0 28mcollector-42dzz 1/1 Running 0 28mcollector-d74rq 1/1 Running 0 28mcollector-m5vr9 1/1 Running 0 28mcollector-nkxl7 1/1 Running 0 28mcollector-pdvqb 1/1 Running 0 28mcollector-tflh6 1/1 Running 0 28mkibana-5b8bdf44f9-ccpq9 2/2 Terminating 0 4m11skibana-7d85dcffc8-bfpfp 2/2 Running 0 33s
The new pod is on the
ip-10-0-139-48.us-east-2.compute.internalnode:$ oc get pod kibana-7d85dcffc8-bfpfp -o wide
Example output
NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATESkibana-7d85dcffc8-bfpfp 2/2 Running 0 43s 10.131.0.22 ip-10-0-139-48.us-east-2.compute.internal <none> <none>
After a few moments, the original Kibana pod is removed.
$ oc get pods
Example output
NAME READY STATUS RESTARTS AGEcluster-logging-operator-84d98649c4-zb9g7 1/1 Running 0 30melasticsearch-cdm-hwv01pf7-1-56588f554f-kpmlg 2/2 Running 0 29melasticsearch-cdm-hwv01pf7-2-84c877d75d-75wqj 2/2 Running 0 29melasticsearch-cdm-hwv01pf7-3-f5d95b87b-4nx78 2/2 Running 0 29mcollector-42dzz 1/1 Running 0 29mcollector-d74rq 1/1 Running 0 29mcollector-m5vr9 1/1 Running 0 29mcollector-nkxl7 1/1 Running 0 29mcollector-pdvqb 1/1 Running 0 29mcollector-tflh6 1/1 Running 0 29mkibana-7d85dcffc8-bfpfp 2/2 Running 0 62s
About the cluster autoscaler
The cluster autoscaler adjusts the size of an OKD cluster to meet its current deployment needs. It uses declarative, Kubernetes-style arguments to provide infrastructure management that does not rely on objects of a specific cloud provider. The cluster autoscaler has a cluster scope, and is not associated with a particular namespace.
The cluster autoscaler increases the size of the cluster when there are pods that fail to schedule on any of the current worker nodes due to insufficient resources or when another node is necessary to meet deployment needs. The cluster autoscaler does not increase the cluster resources beyond the limits that you specify.
The cluster autoscaler computes the total memory, CPU, and GPU on all nodes the cluster, even though it does not manage the control plane nodes. These values are not single-machine oriented. They are an aggregation of all the resources in the entire cluster. For example, if you set the maximum memory resource limit, the cluster autoscaler includes all the nodes in the cluster when calculating the current memory usage. That calculation is then used to determine if the cluster autoscaler has the capacity to add more worker resources.
Ensure that the |
Every 10 seconds, the cluster autoscaler checks which nodes are unnecessary in the cluster and removes them. The cluster autoscaler considers a node for removal if the following conditions apply:
The node utilization is less than the node utilization level threshold for the cluster. The node utilization level is the sum of the requested resources divided by the allocated resources for the node. If you do not specify a value in the
ClusterAutoscalercustom resource, the cluster autoscaler uses a default value of0.5, which corresponds to 50% utilization.The cluster autoscaler can move all pods running on the node to the other nodes. The Kubernetes scheduler is responsible for scheduling pods on the nodes.
The cluster autoscaler does not have scale down disabled annotation.
If the following types of pods are present on a node, the cluster autoscaler will not remove the node:
Pods with restrictive pod disruption budgets (PDBs).
Kube-system pods that do not run on the node by default.
Kube-system pods that do not have a PDB or have a PDB that is too restrictive.
Pods that are not backed by a controller object such as a deployment, replica set, or stateful set.
Pods with local storage.
Pods that cannot be moved elsewhere because of a lack of resources, incompatible node selectors or affinity, matching anti-affinity, and so on.
Unless they also have a
"cluster-autoscaler.kubernetes.io/safe-to-evict": "true"annotation, pods that have a"cluster-autoscaler.kubernetes.io/safe-to-evict": "false"annotation.
For example, you set the maximum CPU limit to 64 cores and configure the cluster autoscaler to only create machines that have 8 cores each. If your cluster starts with 30 cores, the cluster autoscaler can add up to 4 more nodes with 32 cores, for a total of 62.
If you configure the cluster autoscaler, additional usage restrictions apply:
Do not modify the nodes that are in autoscaled node groups directly. All nodes within the same node group have the same capacity and labels and run the same system pods.
Specify requests for your pods.
If you have to prevent pods from being deleted too quickly, configure appropriate PDBs.
Confirm that your cloud provider quota is large enough to support the maximum node pools that you configure.
Do not run additional node group autoscalers, especially the ones offered by your cloud provider.
The horizontal pod autoscaler (HPA) and the cluster autoscaler modify cluster resources in different ways. The HPA changes the deployment’s or replica set’s number of replicas based on the current CPU load. If the load increases, the HPA creates new replicas, regardless of the amount of resources available to the cluster. If there are not enough resources, the cluster autoscaler adds resources so that the HPA-created pods can run. If the load decreases, the HPA stops some replicas. If this action causes some nodes to be underutilized or completely empty, the cluster autoscaler deletes the unnecessary nodes.
The cluster autoscaler takes pod priorities into account. The Pod Priority and Preemption feature enables scheduling pods based on priorities if the cluster does not have enough resources, but the cluster autoscaler ensures that the cluster has resources to run all pods. To honor the intention of both features, the cluster autoscaler includes a priority cutoff function. You can use this cutoff to schedule “best-effort” pods, which do not cause the cluster autoscaler to increase resources but instead run only when spare resources are available.
Pods with priority lower than the cutoff value do not cause the cluster to scale up or prevent the cluster from scaling down. No new nodes are added to run the pods, and nodes running these pods might be deleted to free resources.
Cluster autoscaling is supported for the platforms that have machine API available on it.
Cluster autoscaler resource definition
This ClusterAutoscaler resource definition shows the parameters and sample values for the cluster autoscaler.
apiVersion: "autoscaling.openshift.io/v1"kind: "ClusterAutoscaler"metadata:name: "default"spec:podPriorityThreshold: -10 (1)resourceLimits:maxNodesTotal: 24 (2)cores:min: 8 (3)max: 128 (4)memory:min: 4 (5)max: 256 (6)gpus:- type: nvidia.com/gpu (7)min: 0 (8)max: 16 (9)- type: amd.com/gpumin: 0max: 4logVerbosity: 4 (10)scaleDown: (11)enabled: true (12)delayAfterAdd: 10m (13)delayAfterDelete: 5m (14)delayAfterFailure: 30s (15)unneededTime: 5m (16)utilizationThreshold: "0.4" (17)
| 1 | Specify the priority that a pod must exceed to cause the cluster autoscaler to deploy additional nodes. Enter a 32-bit integer value. The podPriorityThreshold value is compared to the value of the PriorityClass that you assign to each pod. |
| 2 | Specify the maximum number of nodes to deploy. This value is the total number of machines that are deployed in your cluster, not just the ones that the autoscaler controls. Ensure that this value is large enough to account for all of your control plane and compute machines and the total number of replicas that you specify in your MachineAutoscaler resources. |
| 3 | Specify the minimum number of cores to deploy in the cluster. |
| 4 | Specify the maximum number of cores to deploy in the cluster. |
| 5 | Specify the minimum amount of memory, in GiB, in the cluster. |
| 6 | Specify the maximum amount of memory, in GiB, in the cluster. |
| 7 | Optional: Specify the type of GPU node to deploy. Only nvidia.com/gpu and amd.com/gpu are valid types. |
| 8 | Specify the minimum number of GPUs to deploy in the cluster. |
| 9 | Specify the maximum number of GPUs to deploy in the cluster. |
| 10 | Specify the logging verbosity level between 0 and 10. The following log level thresholds are provided for guidance:
If you do not specify a value, the default value of |
| 11 | In this section, you can specify the period to wait for each action by using any valid ParseDuration interval, including ns, us, ms, s, m, and h. |
| 12 | Specify whether the cluster autoscaler can remove unnecessary nodes. |
| 13 | Optional: Specify the period to wait before deleting a node after a node has recently been added. If you do not specify a value, the default value of 10m is used. |
| 14 | Optional: Specify the period to wait before deleting a node after a node has recently been deleted. If you do not specify a value, the default value of 0s is used. |
| 15 | Optional: Specify the period to wait before deleting a node after a scale down failure occurred. If you do not specify a value, the default value of 3m is used. |
| 16 | Optional: Specify a period of time before an unnecessary node is eligible for deletion. If you do not specify a value, the default value of 10m is used. |
| 17 | Optional: Specify the node utilization level. Nodes below this utilization level are eligible for deletion. If you do not specify a value, the default value of 10m is used.. The node utilization level is the sum of the requested resources divided by the allocated resources for the node, and must be a value greater than “0” but less than “1”. If you do not specify a value, the cluster autoscaler uses a default value of “0.5”, which corresponds to 50% utilization. This value must be expressed as a string. |
When performing a scaling operation, the cluster autoscaler remains within the ranges set in the The minimum and maximum CPUs, memory, and GPU values are determined by calculating those resources on all nodes in the cluster, even if the cluster autoscaler does not manage the nodes. For example, the control plane nodes are considered in the total memory in the cluster, even though the cluster autoscaler does not manage the control plane nodes. |
Deploying a cluster autoscaler
To deploy a cluster autoscaler, you create an instance of the ClusterAutoscaler resource.
Procedure
Create a YAML file for a
ClusterAutoscalerresource that contains the custom resource definition.Create the custom resource in the cluster by running the following command:
$ oc create -f <filename>.yaml (1)
1 <filename>is the name of the custom resource file.
About the machine autoscaler
The machine autoscaler adjusts the number of Machines in the compute machine sets that you deploy in an OKD cluster. You can scale both the default worker compute machine set and any other compute machine sets that you create. The machine autoscaler makes more Machines when the cluster runs out of resources to support more deployments. Any changes to the values in MachineAutoscaler resources, such as the minimum or maximum number of instances, are immediately applied to the compute machine set they target.
You must deploy a machine autoscaler for the cluster autoscaler to scale your machines. The cluster autoscaler uses the annotations on compute machine sets that the machine autoscaler sets to determine the resources that it can scale. If you define a cluster autoscaler without also defining machine autoscalers, the cluster autoscaler will never scale your cluster. |
Machine autoscaler resource definition
This MachineAutoscaler resource definition shows the parameters and sample values for the machine autoscaler.
apiVersion: "autoscaling.openshift.io/v1beta1"kind: "MachineAutoscaler"metadata:name: "worker-us-east-1a" (1)namespace: "openshift-machine-api"spec:minReplicas: 1 (2)maxReplicas: 12 (3)scaleTargetRef: (4)apiVersion: machine.openshift.io/v1beta1kind: MachineSet (5)name: worker-us-east-1a (6)
| 1 | Specify the machine autoscaler name. To make it easier to identify which compute machine set this machine autoscaler scales, specify or include the name of the compute machine set to scale. The compute machine set name takes the following form: <clusterid>-<machineset>-<region>. | ||
| 2 | Specify the minimum number machines of the specified type that must remain in the specified zone after the cluster autoscaler initiates cluster scaling. If running in AWS, GCP, Azure, OpenStack, or vSphere, this value can be set to 0. For other providers, do not set this value to 0.You can save on costs by setting this value to
| ||
| 3 | Specify the maximum number machines of the specified type that the cluster autoscaler can deploy in the specified zone after it initiates cluster scaling. Ensure that the maxNodesTotal value in the ClusterAutoscaler resource definition is large enough to allow the machine autoscaler to deploy this number of machines. | ||
| 4 | In this section, provide values that describe the existing compute machine set to scale. | ||
| 5 | The kind parameter value is always MachineSet. | ||
| 6 | The name value must match the name of an existing compute machine set, as shown in the metadata.name parameter value. |
Deploying a machine autoscaler
To deploy a machine autoscaler, you create an instance of the MachineAutoscaler resource.
Procedure
Create a YAML file for a
MachineAutoscalerresource that contains the custom resource definition.Create the custom resource in the cluster by running the following command:
$ oc create -f <filename>.yaml (1)
1 <filename>is the name of the custom resource file.
Configuring Linux cgroup
OKD uses Linux control group version 2 (cgroup v2) in your cluster.
cgroup v2 is the current version of the Linux cgroup API. cgroup v2 offers several improvements over cgroup v1, including a unified hierarchy, safer sub-tree delegation, new features such as Pressure Stall Information, and enhanced resource management and isolation. However, cgroup v2 has different CPU, memory, and I/O management characteristics than cgroup v1. Therefore, some workloads might experience slight differences in memory or CPU usage on clusters that run cgroup v2.
You can change between cgroup v1 and cgroup v2, as needed. Enabling cgroup v1 in OKD disables all cgroup v2 controllers and hierarchies in your cluster.
Currently, disabling CPU load balancing is not supported by cgroup v2. As a result, you might not get the desired behavior from performance profiles if you have cgroup v2 enabled. Enabling cgroup v2 is not recommended if you are using performance profiles. |
Prerequisites
You have a running OKD cluster that uses version 4.12 or later.
You are logged in to the cluster as a user with administrative privileges.
Procedure
Enable cgroup v1 on nodes:
Edit the
node.configobject:$ oc edit nodes.config/cluster
Add
spec.cgroupMode: "v1":Example
node.configobjectapiVersion: config.openshift.io/v2kind: Nodemetadata:annotations:include.release.openshift.io/ibm-cloud-managed: "true"include.release.openshift.io/self-managed-high-availability: "true"include.release.openshift.io/single-node-developer: "true"release.openshift.io/create-only: "true"creationTimestamp: "2022-07-08T16:02:51Z"generation: 1name: clusterownerReferences:- apiVersion: config.openshift.io/v2kind: ClusterVersionname: versionuid: 36282574-bf9f-409e-a6cd-3032939293ebresourceVersion: "1865"uid: 0c0f7a4c-4307-4187-b591-6155695ac85bspec:cgroupMode: "v1" (1)...
1 Enables cgroup v1.
Verification
Check the machine configs to see that the new machine configs were added:
$ oc get mc
Example output
NAME GENERATEDBYCONTROLLER IGNITIONVERSION AGE00-master 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m00-worker 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m01-master-container-runtime 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m01-master-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m01-worker-container-runtime 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m01-worker-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m97-master-generated-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m99-worker-generated-kubelet 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m99-master-generated-registries 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m99-master-ssh 3.2.0 40m99-worker-generated-registries 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33m99-worker-ssh 3.2.0 40mrendered-master-23d4317815a5f854bd3553d689cfe2e9 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 10s (1)rendered-master-23e785de7587df95a4b517e0647e5ab7 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33mrendered-worker-5d596d9293ca3ea80c896a1191735bb1 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 33mrendered-worker-dcc7f1b92892d34db74d6832bcc9ccd4 52dd3ba6a9a527fc3ab42afac8d12b693534c8c9 3.2.0 10s
1 New machine configs are created, as expected. Check that the new
kernelArgumentswere added to the new machine configs:$ oc describe mc <name>
Example output for cgroup v1
apiVersion: machineconfiguration.openshift.io/v2kind: MachineConfigmetadata:labels:machineconfiguration.openshift.io/role: workername: 05-worker-kernelarg-selinuxpermissivespec:kernelArguments:systemd.unified_cgroup_hierarchy=0 (1)systemd.legacy_systemd_cgroup_controller=1 (2)
1 Disables cgroup v2. 2 Enables cgroup v1 in systemd. Check the nodes to see that scheduling on the nodes is disabled. This indicates that the change is being applied:
$ oc get nodes
Example output
NAME STATUS ROLES AGE VERSIONci-ln-fm1qnwt-72292-99kt6-master-0 Ready,SchedulingDisabled master 58m v1.28.5ci-ln-fm1qnwt-72292-99kt6-master-1 Ready master 58m v1.28.5ci-ln-fm1qnwt-72292-99kt6-master-2 Ready master 58m v1.28.5ci-ln-fm1qnwt-72292-99kt6-worker-a-h5gt4 Ready,SchedulingDisabled worker 48m v1.28.5ci-ln-fm1qnwt-72292-99kt6-worker-b-7vtmd Ready worker 48m v1.28.5ci-ln-fm1qnwt-72292-99kt6-worker-c-rhzkv Ready worker 48m v1.28.5
After a node returns to the
Readystate, start a debug session for that node:$ oc debug node/<node_name>
Set
/hostas the root directory within the debug shell:sh-4.4# chroot /host
Check that the
sys/fs/cgroup/cgroup2fsfile is present on your nodes. This file is created by cgroup v1:$ stat -c %T -f /sys/fs/cgroup
Example output
cgroup2fs
Additional resources
Enabling Technology Preview features using FeatureGates
You can turn on a subset of the current Technology Preview features on for all nodes in the cluster by editing the FeatureGate custom resource (CR).
Understanding feature gates
You can use the FeatureGate custom resource (CR) to enable specific feature sets in your cluster. A feature set is a collection of OKD features that are not enabled by default.
You can activate the following feature set by using the FeatureGate CR:
TechPreviewNoUpgrade. This feature set is a subset of the current Technology Preview features. This feature set allows you to enable these Technology Preview features on test clusters, where you can fully test them, while leaving the features disabled on production clusters.Enabling the
TechPreviewNoUpgradefeature set on your cluster cannot be undone and prevents minor version updates. You should not enable this feature set on production clusters.The following Technology Preview features are enabled by this feature set:
External cloud providers. Enables support for external cloud providers for clusters on vSphere, AWS, Azure, and GCP. Support for OpenStack is GA. This is an internal feature that most users do not need to interact with. (
ExternalCloudProvider)Shared Resources CSI Driver in OpenShift Builds. Enables the Container Storage Interface (CSI). (
CSIDriverSharedResource)Swap memory on nodes. Enables swap memory use for OKD workloads on a per-node basis. (
NodeSwap)OpenStack Machine API Provider. This gate has no effect and is planned to be removed from this feature set in a future release. (
MachineAPIProviderOpenStack)Insights Operator. Enables the Insights Operator, which gathers OKD configuration data and sends it to Red Hat. (
InsightsConfigAPI)Retroactive Default Storage Class. Enables OKD to retroactively assign the default storage class to PVCs if there was no default storage class when the PVC was created.(
RetroactiveDefaultStorageClass)Dynamic Resource Allocation API. Enables a new API for requesting and sharing resources between pods and containers. This is an internal feature that most users do not need to interact with. (
DynamicResourceAllocation)Pod security admission enforcement. Enables the restricted enforcement mode for pod security admission. Instead of only logging a warning, pods are rejected if they violate pod security standards. (
OpenShiftPodSecurityAdmission)StatefulSet pod availability upgrading limits. Enables users to define the maximum number of statefulset pods unavailable during updates which reduces application downtime. (
MaxUnavailableStatefulSet)Admin Network Policy and Baseline Admin Network Policy. Enables
AdminNetworkPolicyandBaselineAdminNetworkPolicyresources, which are part of the Network Policy V2 API, in clusters running the OVN-Kubernetes CNI plugin. Cluster administrators can apply cluster-scoped policies and safeguards for an entire cluster before namespaces are created. Network administrators can secure clusters by enforcing network traffic controls that cannot be overridden by users. Network administrators can enforce optional baseline network traffic controls that can be overridden by users in the cluster, if necessary. Currently, these APIs support only expressing policies for intra-cluster traffic. (AdminNetworkPolicy)MatchConditionsis a list of conditions that must be met for a request to be sent to this webhook. Match conditions filter requests that have already been matched by the rules, namespaceSelector, and objectSelector. An empty list ofmatchConditionsmatches all requests. (admissionWebhookMatchConditions)Gateway API. To enable the OKD Gateway API, set the value of the
enabledfield totruein thetechPreview.gatewayAPIspecification of theServiceMeshControlPlaneresource.(gateGatewayAPI)sigstoreImageVerificationgcpLabelsTagsvSphereStaticIPsrouteExternalCertificateautomatedEtcdBackup
Enabling feature sets using the web console
You can use the OKD web console to enable feature sets for all of the nodes in a cluster by editing the FeatureGate custom resource (CR).
Procedure
To enable feature sets:
In the OKD web console, switch to the Administration → Custom Resource Definitions page.
On the Custom Resource Definitions page, click FeatureGate.
On the Custom Resource Definition Details page, click the Instances tab.
Click the cluster feature gate, then click the YAML tab.
Edit the cluster instance to add specific feature sets:
Enabling the
TechPreviewNoUpgradefeature set on your cluster cannot be undone and prevents minor version updates. You should not enable this feature set on production clusters.Sample Feature Gate custom resource
apiVersion: config.openshift.io/v1kind: FeatureGatemetadata:name: cluster (1)# ...spec:featureSet: TechPreviewNoUpgrade (2)
1 The name of the FeatureGateCR must becluster.2 Add the feature set that you want to enable: TechPreviewNoUpgradeenables specific Technology Preview features.
After you save the changes, new machine configs are created, the machine config pools are updated, and scheduling on each node is disabled while the change is being applied.
Verification
You can verify that the feature gates are enabled by looking at the kubelet.conf file on a node after the nodes return to the ready state.
From the Administrator perspective in the web console, navigate to Compute → Nodes.
Select a node.
In the Node details page, click Terminal.
In the terminal window, change your root directory to
/host:sh-4.2# chroot /host
View the
kubelet.conffile:sh-4.2# cat /etc/kubernetes/kubelet.conf
Sample output
# ...featureGates:InsightsOperatorPullingSCA: true,LegacyNodeRoleBehavior: false# ...
The features that are listed as
trueare enabled on your cluster.The features listed vary depending upon the OKD version.
Enabling feature sets using the CLI
You can use the OpenShift CLI (oc) to enable feature sets for all of the nodes in a cluster by editing the FeatureGate custom resource (CR).
Prerequisites
- You have installed the OpenShift CLI (
oc).
Procedure
To enable feature sets:
Edit the
FeatureGateCR namedcluster:$ oc edit featuregate cluster
Enabling the
TechPreviewNoUpgradefeature set on your cluster cannot be undone and prevents minor version updates. You should not enable this feature set on production clusters.Sample FeatureGate custom resource
apiVersion: config.openshift.io/v1kind: FeatureGatemetadata:name: cluster (1)# ...spec:featureSet: TechPreviewNoUpgrade (2)
1 The name of the FeatureGateCR must becluster.2 Add the feature set that you want to enable: TechPreviewNoUpgradeenables specific Technology Preview features.
After you save the changes, new machine configs are created, the machine config pools are updated, and scheduling on each node is disabled while the change is being applied.
Verification
You can verify that the feature gates are enabled by looking at the kubelet.conf file on a node after the nodes return to the ready state.
From the Administrator perspective in the web console, navigate to Compute → Nodes.
Select a node.
In the Node details page, click Terminal.
In the terminal window, change your root directory to
/host:sh-4.2# chroot /host
View the
kubelet.conffile:sh-4.2# cat /etc/kubernetes/kubelet.conf
Sample output
# ...featureGates:InsightsOperatorPullingSCA: true,LegacyNodeRoleBehavior: false# ...
The features that are listed as
trueare enabled on your cluster.The features listed vary depending upon the OKD version.
etcd tasks
Back up etcd, enable or disable etcd encryption, or defragment etcd data.
About etcd encryption
By default, etcd data is not encrypted in OKD. You can enable etcd encryption for your cluster to provide an additional layer of data security. For example, it can help protect the loss of sensitive data if an etcd backup is exposed to the incorrect parties.
When you enable etcd encryption, the following OpenShift API server and Kubernetes API server resources are encrypted:
Secrets
Config maps
Routes
OAuth access tokens
OAuth authorize tokens
When you enable etcd encryption, encryption keys are created. You must have these keys to restore from an etcd backup.
Etcd encryption only encrypts values, not keys. Resource types, namespaces, and object names are unencrypted. If etcd encryption is enabled during a backup, the |
Supported encryption types
The following encryption types are supported for encrypting etcd data in OKD:
AES-CBC
Uses AES-CBC with PKCS#7 padding and a 32 byte key to perform the encryption. The encryption keys are rotated weekly.
AES-GCM
Uses AES-GCM with a random nonce and a 32 byte key to perform the encryption. The encryption keys are rotated weekly.
Enabling etcd encryption
You can enable etcd encryption to encrypt sensitive resources in your cluster.
Do not back up etcd resources until the initial encryption process is completed. If the encryption process is not completed, the backup might be only partially encrypted. After you enable etcd encryption, several changes can occur:
|
You can encrypt the etcd database in either AES-GCM or AES-CBC encryption.
To migrate your etcd database from one encryption type to the other, you can modify the API server’s |
Prerequisites
- Access to the cluster as a user with the
cluster-adminrole.
Procedure
Modify the
APIServerobject:$ oc edit apiserver
Set the
spec.encryption.typefield toaesgcmoraescbc:spec:encryption:type: aesgcm (1)
1 Set to aesgcmfor AES-GCM encryption oraescbcfor AES-CBC encryption.Save the file to apply the changes.
The encryption process starts. It can take 20 minutes or longer for this process to complete, depending on the size of the etcd database.
Verify that etcd encryption was successful.
Review the
Encryptedstatus condition for the OpenShift API server to verify that its resources were successfully encrypted:$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
The output shows
EncryptionCompletedupon successful encryption:EncryptionCompletedAll resources encrypted: routes.route.openshift.io
If the output shows
EncryptionInProgress, encryption is still in progress. Wait a few minutes and try again.Review the
Encryptedstatus condition for the Kubernetes API server to verify that its resources were successfully encrypted:$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
The output shows
EncryptionCompletedupon successful encryption:EncryptionCompletedAll resources encrypted: secrets, configmaps
If the output shows
EncryptionInProgress, encryption is still in progress. Wait a few minutes and try again.Review the
Encryptedstatus condition for the OpenShift OAuth API server to verify that its resources were successfully encrypted:$ oc get authentication.operator.openshift.io -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
The output shows
EncryptionCompletedupon successful encryption:EncryptionCompletedAll resources encrypted: oauthaccesstokens.oauth.openshift.io, oauthauthorizetokens.oauth.openshift.io
If the output shows
EncryptionInProgress, encryption is still in progress. Wait a few minutes and try again.
Disabling etcd encryption
You can disable encryption of etcd data in your cluster.
Prerequisites
- Access to the cluster as a user with the
cluster-adminrole.
Procedure
Modify the
APIServerobject:$ oc edit apiserver
Set the
encryptionfield type toidentity:spec:encryption:type: identity (1)
1 The identitytype is the default value and means that no encryption is performed.Save the file to apply the changes.
The decryption process starts. It can take 20 minutes or longer for this process to complete, depending on the size of your cluster.
Verify that etcd decryption was successful.
Review the
Encryptedstatus condition for the OpenShift API server to verify that its resources were successfully decrypted:$ oc get openshiftapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
The output shows
DecryptionCompletedupon successful decryption:DecryptionCompletedEncryption mode set to identity and everything is decrypted
If the output shows
DecryptionInProgress, decryption is still in progress. Wait a few minutes and try again.Review the
Encryptedstatus condition for the Kubernetes API server to verify that its resources were successfully decrypted:$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
The output shows
DecryptionCompletedupon successful decryption:DecryptionCompletedEncryption mode set to identity and everything is decrypted
If the output shows
DecryptionInProgress, decryption is still in progress. Wait a few minutes and try again.Review the
Encryptedstatus condition for the OpenShift OAuth API server to verify that its resources were successfully decrypted:$ oc get authentication.operator.openshift.io -o=jsonpath='{range .items[0].status.conditions[?(@.type=="Encrypted")]}{.reason}{"\n"}{.message}{"\n"}'
The output shows
DecryptionCompletedupon successful decryption:DecryptionCompletedEncryption mode set to identity and everything is decrypted
If the output shows
DecryptionInProgress, decryption is still in progress. Wait a few minutes and try again.
Backing up etcd data
Follow these steps to back up etcd data by creating an etcd snapshot and backing up the resources for the static pods. This backup can be saved and used at a later time if you need to restore etcd.
Only save a backup from a single control plane host. Do not take a backup from each control plane host in the cluster. |
Prerequisites
You have access to the cluster as a user with the
cluster-adminrole.You have checked whether the cluster-wide proxy is enabled.
You can check whether the proxy is enabled by reviewing the output of
oc get proxy cluster -o yaml. The proxy is enabled if thehttpProxy,httpsProxy, andnoProxyfields have values set.
Procedure
Start a debug session as root for a control plane node:
$ oc debug --as-root node/<node_name>
Change your root directory to
/hostin the debug shell:sh-4.4# chroot /host
If the cluster-wide proxy is enabled, be sure that you have exported the
NO_PROXY,HTTP_PROXY, andHTTPS_PROXYenvironment variables.Run the
cluster-backup.shscript in the debug shell and pass in the location to save the backup to.The
cluster-backup.shscript is maintained as a component of the etcd Cluster Operator and is a wrapper around theetcdctl snapshot savecommand.sh-4.4# /usr/local/bin/cluster-backup.sh /home/core/assets/backup
Example script output
found latest kube-apiserver: /etc/kubernetes/static-pod-resources/kube-apiserver-pod-6found latest kube-controller-manager: /etc/kubernetes/static-pod-resources/kube-controller-manager-pod-7found latest kube-scheduler: /etc/kubernetes/static-pod-resources/kube-scheduler-pod-6found latest etcd: /etc/kubernetes/static-pod-resources/etcd-pod-3ede95fe6b88b87ba86a03c15e669fb4aa5bf0991c180d3c6895ce72eaade54a1etcdctl version: 3.4.14API version: 3.4{"level":"info","ts":1624647639.0188997,"caller":"snapshot/v3_snapshot.go:119","msg":"created temporary db file","path":"/home/core/assets/backup/snapshot_2021-06-25_190035.db.part"}{"level":"info","ts":"2021-06-25T19:00:39.030Z","caller":"clientv3/maintenance.go:200","msg":"opened snapshot stream; downloading"}{"level":"info","ts":1624647639.0301006,"caller":"snapshot/v3_snapshot.go:127","msg":"fetching snapshot","endpoint":"https://10.0.0.5:2379"}{"level":"info","ts":"2021-06-25T19:00:40.215Z","caller":"clientv3/maintenance.go:208","msg":"completed snapshot read; closing"}{"level":"info","ts":1624647640.6032252,"caller":"snapshot/v3_snapshot.go:142","msg":"fetched snapshot","endpoint":"https://10.0.0.5:2379","size":"114 MB","took":1.584090459}{"level":"info","ts":1624647640.6047094,"caller":"snapshot/v3_snapshot.go:152","msg":"saved","path":"/home/core/assets/backup/snapshot_2021-06-25_190035.db"}Snapshot saved at /home/core/assets/backup/snapshot_2021-06-25_190035.db{"hash":3866667823,"revision":31407,"totalKey":12828,"totalSize":114446336}snapshot db and kube resources are successfully saved to /home/core/assets/backup
In this example, two files are created in the
/home/core/assets/backup/directory on the control plane host:snapshot_<datetimestamp>.db: This file is the etcd snapshot. Thecluster-backup.shscript confirms its validity.static_kuberesources_<datetimestamp>.tar.gz: This file contains the resources for the static pods. If etcd encryption is enabled, it also contains the encryption keys for the etcd snapshot.If etcd encryption is enabled, it is recommended to store this second file separately from the etcd snapshot for security reasons. However, this file is required to restore from the etcd snapshot.
Keep in mind that etcd encryption only encrypts values, not keys. This means that resource types, namespaces, and object names are unencrypted.
Defragmenting etcd data
For large and dense clusters, etcd can suffer from poor performance if the keyspace grows too large and exceeds the space quota. Periodically maintain and defragment etcd to free up space in the data store. Monitor Prometheus for etcd metrics and defragment it when required; otherwise, etcd can raise a cluster-wide alarm that puts the cluster into a maintenance mode that accepts only key reads and deletes.
Monitor these key metrics:
etcd_server_quota_backend_bytes, which is the current quota limitetcd_mvcc_db_total_size_in_use_in_bytes, which indicates the actual database usage after a history compactionetcd_mvcc_db_total_size_in_bytes, which shows the database size, including free space waiting for defragmentation
Defragment etcd data to reclaim disk space after events that cause disk fragmentation, such as etcd history compaction.
History compaction is performed automatically every five minutes and leaves gaps in the back-end database. This fragmented space is available for use by etcd, but is not available to the host file system. You must defragment etcd to make this space available to the host file system.
Defragmentation occurs automatically, but you can also trigger it manually.
Automatic defragmentation is good for most cases, because the etcd operator uses cluster information to determine the most efficient operation for the user. |
Automatic defragmentation
The etcd Operator automatically defragments disks. No manual intervention is needed.
Verify that the defragmentation process is successful by viewing one of these logs:
etcd logs
cluster-etcd-operator pod
operator status error log
Automatic defragmentation can cause leader election failure in various OpenShift core components, such as the Kubernetes controller manager, which triggers a restart of the failing component. The restart is harmless and either triggers failover to the next running instance or the component resumes work again after the restart. |
Example log output for successful defragmentation
etcd member has been defragmented: <member_name>, memberID: <member_id>
Example log output for unsuccessful defragmentation
failed defrag on member: <member_name>, memberID: <member_id>: <error_message>
Manual defragmentation
A Prometheus alert indicates when you need to use manual defragmentation. The alert is displayed in two cases:
When etcd uses more than 50% of its available space for more than 10 minutes
When etcd is actively using less than 50% of its total database size for more than 10 minutes
You can also determine whether defragmentation is needed by checking the etcd database size in MB that will be freed by defragmentation with the PromQL expression: (etcd_mvcc_db_total_size_in_bytes - etcd_mvcc_db_total_size_in_use_in_bytes)/1024/1024
Defragmenting etcd is a blocking action. The etcd member will not respond until defragmentation is complete. For this reason, wait at least one minute between defragmentation actions on each of the pods to allow the cluster to recover. |
Follow this procedure to defragment etcd data on each etcd member.
Prerequisites
- You have access to the cluster as a user with the
cluster-adminrole.
Procedure
Determine which etcd member is the leader, because the leader should be defragmented last.
Get the list of etcd pods:
$ oc -n openshift-etcd get pods -l k8s-app=etcd -o wide
Example output
etcd-ip-10-0-159-225.example.redhat.com 3/3 Running 0 175m 10.0.159.225 ip-10-0-159-225.example.redhat.com <none> <none>etcd-ip-10-0-191-37.example.redhat.com 3/3 Running 0 173m 10.0.191.37 ip-10-0-191-37.example.redhat.com <none> <none>etcd-ip-10-0-199-170.example.redhat.com 3/3 Running 0 176m 10.0.199.170 ip-10-0-199-170.example.redhat.com <none> <none>
Choose a pod and run the following command to determine which etcd member is the leader:
$ oc rsh -n openshift-etcd etcd-ip-10-0-159-225.example.redhat.com etcdctl endpoint status --cluster -w table
Example output
Defaulting container name to etcdctl.Use 'oc describe pod/etcd-ip-10-0-159-225.example.redhat.com -n openshift-etcd' to see all of the containers in this pod.+---------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |+---------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+| https://10.0.191.37:2379 | 251cd44483d811c3 | 3.5.9 | 104 MB | false | false | 7 | 91624 | 91624 | || https://10.0.159.225:2379 | 264c7c58ecbdabee | 3.5.9 | 104 MB | false | false | 7 | 91624 | 91624 | || https://10.0.199.170:2379 | 9ac311f93915cc79 | 3.5.9 | 104 MB | true | false | 7 | 91624 | 91624 | |+---------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
Based on the
IS LEADERcolumn of this output, thehttps://10.0.199.170:2379endpoint is the leader. Matching this endpoint with the output of the previous step, the pod name of the leader isetcd-ip-10-0-199-170.example.redhat.com.
Defragment an etcd member.
Connect to the running etcd container, passing in the name of a pod that is not the leader:
$ oc rsh -n openshift-etcd etcd-ip-10-0-159-225.example.redhat.com
Unset the
ETCDCTL_ENDPOINTSenvironment variable:sh-4.4# unset ETCDCTL_ENDPOINTS
Defragment the etcd member:
sh-4.4# etcdctl --command-timeout=30s --endpoints=https://localhost:2379 defrag
Example output
Finished defragmenting etcd member[https://localhost:2379]
If a timeout error occurs, increase the value for
--command-timeoutuntil the command succeeds.Verify that the database size was reduced:
sh-4.4# etcdctl endpoint status -w table --cluster
Example output
+---------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+| ENDPOINT | ID | VERSION | DB SIZE | IS LEADER | IS LEARNER | RAFT TERM | RAFT INDEX | RAFT APPLIED INDEX | ERRORS |+---------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+| https://10.0.191.37:2379 | 251cd44483d811c3 | 3.5.9 | 104 MB | false | false | 7 | 91624 | 91624 | || https://10.0.159.225:2379 | 264c7c58ecbdabee | 3.5.9 | 41 MB | false | false | 7 | 91624 | 91624 | | (1)| https://10.0.199.170:2379 | 9ac311f93915cc79 | 3.5.9 | 104 MB | true | false | 7 | 91624 | 91624 | |+---------------------------+------------------+---------+---------+-----------+------------+-----------+------------+--------------------+--------+
This example shows that the database size for this etcd member is now 41 MB as opposed to the starting size of 104 MB.
Repeat these steps to connect to each of the other etcd members and defragment them. Always defragment the leader last.
Wait at least one minute between defragmentation actions to allow the etcd pod to recover. Until the etcd pod recovers, the etcd member will not respond.
If any
NOSPACEalarms were triggered due to the space quota being exceeded, clear them.Check if there are any
NOSPACEalarms:sh-4.4# etcdctl alarm list
Example output
memberID:12345678912345678912 alarm:NOSPACE
Clear the alarms:
sh-4.4# etcdctl alarm disarm
Restoring to a previous cluster state
You can use a saved etcd backup to restore a previous cluster state or restore a cluster that has lost the majority of control plane hosts.
If your cluster uses a control plane machine set, see “Troubleshooting the control plane machine set” for a more simple etcd recovery procedure. |
When you restore your cluster, you must use an etcd backup that was taken from the same z-stream release. For example, an OKD 4.7.2 cluster must use an etcd backup that was taken from 4.7.2. |
Prerequisites
Access to the cluster as a user with the
cluster-adminrole through a certificate-basedkubeconfigfile, like the one that was used during installation.A healthy control plane host to use as the recovery host.
SSH access to control plane hosts.
A backup directory containing both the etcd snapshot and the resources for the static pods, which were from the same backup. The file names in the directory must be in the following formats:
snapshot_<datetimestamp>.dbandstatic_kuberesources_<datetimestamp>.tar.gz.
For non-recovery control plane nodes, it is not required to establish SSH connectivity or to stop the static pods. You can delete and recreate other non-recovery, control plane machines, one by one. |
Procedure
Select a control plane host to use as the recovery host. This is the host that you will run the restore operation on.
Establish SSH connectivity to each of the control plane nodes, including the recovery host.
The Kubernetes API server becomes inaccessible after the restore process starts, so you cannot access the control plane nodes. For this reason, it is recommended to establish SSH connectivity to each control plane host in a separate terminal.
If you do not complete this step, you will not be able to access the control plane hosts to complete the restore procedure, and you will be unable to recover your cluster from this state.
Copy the etcd backup directory to the recovery control plane host.
This procedure assumes that you copied the
backupdirectory containing the etcd snapshot and the resources for the static pods to the/home/core/directory of your recovery control plane host.Stop the static pods on any other control plane nodes.
You do not need to stop the static pods on the recovery host.
Access a control plane host that is not the recovery host.
Move the existing etcd pod file out of the kubelet manifest directory:
$ sudo mv /etc/kubernetes/manifests/etcd-pod.yaml /tmp
Verify that the etcd pods are stopped.
$ sudo crictl ps | grep etcd | egrep -v "operator|etcd-guard"
The output of this command should be empty. If it is not empty, wait a few minutes and check again.
Move the existing Kubernetes API server pod file out of the kubelet manifest directory:
$ sudo mv /etc/kubernetes/manifests/kube-apiserver-pod.yaml /tmp
Verify that the Kubernetes API server pods are stopped.
$ sudo crictl ps | grep kube-apiserver | egrep -v "operator|guard"
The output of this command should be empty. If it is not empty, wait a few minutes and check again.
Move the etcd data directory to a different location:
$ sudo mv /var/lib/etcd/ /tmp
Repeat this step on each of the other control plane hosts that is not the recovery host.
Access the recovery control plane host.
If the cluster-wide proxy is enabled, be sure that you have exported the
NO_PROXY,HTTP_PROXY, andHTTPS_PROXYenvironment variables.You can check whether the proxy is enabled by reviewing the output of
oc get proxy cluster -o yaml. The proxy is enabled if thehttpProxy,httpsProxy, andnoProxyfields have values set.Run the restore script on the recovery control plane host and pass in the path to the etcd backup directory:
$ sudo -E /usr/local/bin/cluster-restore.sh /home/core/backup
Example script output
...stopping kube-scheduler-pod.yaml...stopping kube-controller-manager-pod.yaml...stopping etcd-pod.yaml...stopping kube-apiserver-pod.yamlWaiting for container etcd to stop.completeWaiting for container etcdctl to stop.............................completeWaiting for container etcd-metrics to stopcompleteWaiting for container kube-controller-manager to stopcompleteWaiting for container kube-apiserver to stop..........................................................................................completeWaiting for container kube-scheduler to stopcompleteMoving etcd data-dir /var/lib/etcd/member to /var/lib/etcd-backupstarting restore-etcd static podstarting kube-apiserver-pod.yamlstatic-pod-resources/kube-apiserver-pod-7/kube-apiserver-pod.yamlstarting kube-controller-manager-pod.yamlstatic-pod-resources/kube-controller-manager-pod-7/kube-controller-manager-pod.yamlstarting kube-scheduler-pod.yamlstatic-pod-resources/kube-scheduler-pod-8/kube-scheduler-pod.yaml
The restore process can cause nodes to enter the
NotReadystate if the node certificates were updated after the last etcd backup.Check the nodes to ensure they are in the
Readystate.Run the following command:
$ oc get nodes -w
Sample output
NAME STATUS ROLES AGE VERSIONhost-172-25-75-28 Ready master 3d20h v1.28.5host-172-25-75-38 Ready infra,worker 3d20h v1.28.5host-172-25-75-40 Ready master 3d20h v1.28.5host-172-25-75-65 Ready master 3d20h v1.28.5host-172-25-75-74 Ready infra,worker 3d20h v1.28.5host-172-25-75-79 Ready worker 3d20h v1.28.5host-172-25-75-86 Ready worker 3d20h v1.28.5host-172-25-75-98 Ready infra,worker 3d20h v1.28.5
It can take several minutes for all nodes to report their state.
If any nodes are in the
NotReadystate, log in to the nodes and remove all of the PEM files from the/var/lib/kubelet/pkidirectory on each node. You can SSH into the nodes or use the terminal window in the web console.$ ssh -i <ssh-key-path> core@<master-hostname>
Sample
pkidirectorysh-4.4# pwd/var/lib/kubelet/pkish-4.4# lskubelet-client-2022-04-28-11-24-09.pem kubelet-server-2022-04-28-11-24-15.pemkubelet-client-current.pem kubelet-server-current.pem
Restart the kubelet service on all control plane hosts.
From the recovery host, run the following command:
$ sudo systemctl restart kubelet.service
Repeat this step on all other control plane hosts.
Approve the pending CSRs:
Clusters with no worker nodes, such as single-node clusters or clusters consisting of three schedulable control plane nodes, will not have any pending CSRs to approve. You can skip all the commands listed in this step.
Get the list of current CSRs:
$ oc get csr
Example output
NAME AGE SIGNERNAME REQUESTOR CONDITIONcsr-2s94x 8m3s kubernetes.io/kubelet-serving system:node:<node_name> Pending (1)csr-4bd6t 8m3s kubernetes.io/kubelet-serving system:node:<node_name> Pending (1)csr-4hl85 13m kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending (2)csr-zhhhp 3m8s kubernetes.io/kube-apiserver-client-kubelet system:serviceaccount:openshift-machine-config-operator:node-bootstrapper Pending (2)...
1 A pending kubelet service CSR (for user-provisioned installations). 2 A pending node-bootstrapperCSR.Review the details of a CSR to verify that it is valid:
$ oc describe csr <csr_name> (1)
1 <csr_name>is the name of a CSR from the list of current CSRs.Approve each valid
node-bootstrapperCSR:$ oc adm certificate approve <csr_name>
For user-provisioned installations, approve each valid kubelet service CSR:
$ oc adm certificate approve <csr_name>
Verify that the single member control plane has started successfully.
From the recovery host, verify that the etcd container is running.
$ sudo crictl ps | grep etcd | egrep -v "operator|etcd-guard"
Example output
3ad41b7908e32 36f86e2eeaaffe662df0d21041eb22b8198e0e58abeeae8c743c3e6e977e8009 About a minute ago Running etcd 0 7c05f8af362f0
From the recovery host, verify that the etcd pod is running.
$ oc -n openshift-etcd get pods -l k8s-app=etcd
Example output
NAME READY STATUS RESTARTS AGEetcd-ip-10-0-143-125.ec2.internal 1/1 Running 1 2m47s
If the status is
Pending, or the output lists more than one running etcd pod, wait a few minutes and check again.
If you are using the
OVNKubernetesnetwork plugin, you must restartovnkube-controlplanepods.Delete all of the
ovnkube-controlplanepods by running the following command:$ oc -n openshift-ovn-kubernetes delete pod -l app=ovnkube-control-plane
Verify that all of the
ovnkube-controlplanepods were redeployed by running the following command:$ oc -n openshift-ovn-kubernetes get pod -l app=ovnkube-control-plane
If you are using the OVN-Kubernetes network plugin, restart the Open Virtual Network (OVN) Kubernetes pods on all the nodes one by one. Use the following steps to restart OVN-Kubernetes pods on each node:
Restart OVN-Kubernetes pods in the following order:The recovery control plane host
The other control plane hosts (if available)
The other nodes
Validating and mutating admission webhooks can reject pods. If you add any additional webhooks with the
failurePolicyset toFail, then they can reject pods and the restoration process can fail. You can avoid this by saving and deleting webhooks while restoring the cluster state. After the cluster state is restored successfully, you can enable the webhooks again.Alternatively, you can temporarily set the
failurePolicytoIgnorewhile restoring the cluster state. After the cluster state is restored successfully, you can set thefailurePolicytoFail.Remove the northbound database (nbdb) and southbound database (sbdb). Access the recovery host and the remaining control plane nodes by using Secure Shell (SSH) and run the following command:
$ sudo rm -f /var/lib/ovn-ic/etc/*.db
Restart the OpenVSwitch services. Access the node by using Secure Shell (SSH) and run the following command:
$ sudo systemctl restart ovs-vswitchd ovsdb-server
Delete the
ovnkube-nodepod on the node by running the following command, replacing<node>with the name of the node that you are restarting:$ oc -n openshift-ovn-kubernetes delete pod -l app=ovnkube-node --field-selector=spec.nodeName==<node>
Verify that the
ovnkube-nodepod is running again with the following command:$ oc -n openshift-ovn-kubernetes get pod -l app=ovnkube-node --field-selector=spec.nodeName==<node>
It might take several minutes for the pods to restart.
Delete and re-create other non-recovery, control plane machines, one by one. After the machines are re-created, a new revision is forced and etcd automatically scales up.
If you use a user-provisioned bare metal installation, you can re-create a control plane machine by using the same method that you used to originally create it. For more information, see “Installing a user-provisioned cluster on bare metal”.
Do not delete and re-create the machine for the recovery host.
If you are running installer-provisioned infrastructure, or you used the Machine API to create your machines, follow these steps:
Do not delete and re-create the machine for the recovery host.
For bare metal installations on installer-provisioned infrastructure, control plane machines are not re-created. For more information, see “Replacing a bare-metal control plane node”.
Obtain the machine for one of the lost control plane hosts.
In a terminal that has access to the cluster as a cluster-admin user, run the following command:
$ oc get machines -n openshift-machine-api -o wide
Example output:
NAME PHASE TYPE REGION ZONE AGE NODE PROVIDERID STATEclustername-8qw5l-master-0 Running m4.xlarge us-east-1 us-east-1a 3h37m ip-10-0-131-183.ec2.internal aws:///us-east-1a/i-0ec2782f8287dfb7e stopped (1)clustername-8qw5l-master-1 Running m4.xlarge us-east-1 us-east-1b 3h37m ip-10-0-143-125.ec2.internal aws:///us-east-1b/i-096c349b700a19631 runningclustername-8qw5l-master-2 Running m4.xlarge us-east-1 us-east-1c 3h37m ip-10-0-154-194.ec2.internal aws:///us-east-1c/i-02626f1dba9ed5bba runningclustername-8qw5l-worker-us-east-1a-wbtgd Running m4.large us-east-1 us-east-1a 3h28m ip-10-0-129-226.ec2.internal aws:///us-east-1a/i-010ef6279b4662ced runningclustername-8qw5l-worker-us-east-1b-lrdxb Running m4.large us-east-1 us-east-1b 3h28m ip-10-0-144-248.ec2.internal aws:///us-east-1b/i-0cb45ac45a166173b runningclustername-8qw5l-worker-us-east-1c-pkg26 Running m4.large us-east-1 us-east-1c 3h28m ip-10-0-170-181.ec2.internal aws:///us-east-1c/i-06861c00007751b0a running
1 This is the control plane machine for the lost control plane host, ip-10-0-131-183.ec2.internal.Save the machine configuration to a file on your file system:
$ oc get machine clustername-8qw5l-master-0 \ (1)-n openshift-machine-api \-o yaml \> new-master-machine.yaml
1 Specify the name of the control plane machine for the lost control plane host. Edit the
new-master-machine.yamlfile that was created in the previous step to assign a new name and remove unnecessary fields.Remove the entire
statussection:status:addresses:- address: 10.0.131.183type: InternalIP- address: ip-10-0-131-183.ec2.internaltype: InternalDNS- address: ip-10-0-131-183.ec2.internaltype: HostnamelastUpdated: "2020-04-20T17:44:29Z"nodeRef:kind: Nodename: ip-10-0-131-183.ec2.internaluid: acca4411-af0d-4387-b73e-52b2484295adphase: RunningproviderStatus:apiVersion: awsproviderconfig.openshift.io/v1beta1conditions:- lastProbeTime: "2020-04-20T16:53:50Z"lastTransitionTime: "2020-04-20T16:53:50Z"message: machine successfully createdreason: MachineCreationSucceededstatus: "True"type: MachineCreationinstanceId: i-0fdb85790d76d0c3finstanceState: stoppedkind: AWSMachineProviderStatus
Change the
metadata.namefield to a new name.It is recommended to keep the same base name as the old machine and change the ending number to the next available number. In this example,
clustername-8qw5l-master-0is changed toclustername-8qw5l-master-3:apiVersion: machine.openshift.io/v1beta1kind: Machinemetadata:...name: clustername-8qw5l-master-3...
Remove the
spec.providerIDfield:providerID: aws:///us-east-1a/i-0fdb85790d76d0c3f
Remove the
metadata.annotationsandmetadata.generationfields:annotations:machine.openshift.io/instance-state: running...generation: 2
Remove the
metadata.resourceVersionandmetadata.uidfields:resourceVersion: "13291"uid: a282eb70-40a2-4e89-8009-d05dd420d31a
Delete the machine of the lost control plane host:
$ oc delete machine -n openshift-machine-api clustername-8qw5l-master-0 (1)
1 Specify the name of the control plane machine for the lost control plane host. Verify that the machine was deleted:
$ oc get machines -n openshift-machine-api -o wide
Example output:
NAME PHASE TYPE REGION ZONE AGE NODE PROVIDERID STATEclustername-8qw5l-master-1 Running m4.xlarge us-east-1 us-east-1b 3h37m ip-10-0-143-125.ec2.internal aws:///us-east-1b/i-096c349b700a19631 runningclustername-8qw5l-master-2 Running m4.xlarge us-east-1 us-east-1c 3h37m ip-10-0-154-194.ec2.internal aws:///us-east-1c/i-02626f1dba9ed5bba runningclustername-8qw5l-worker-us-east-1a-wbtgd Running m4.large us-east-1 us-east-1a 3h28m ip-10-0-129-226.ec2.internal aws:///us-east-1a/i-010ef6279b4662ced runningclustername-8qw5l-worker-us-east-1b-lrdxb Running m4.large us-east-1 us-east-1b 3h28m ip-10-0-144-248.ec2.internal aws:///us-east-1b/i-0cb45ac45a166173b runningclustername-8qw5l-worker-us-east-1c-pkg26 Running m4.large us-east-1 us-east-1c 3h28m ip-10-0-170-181.ec2.internal aws:///us-east-1c/i-06861c00007751b0a running
Create a machine by using the
new-master-machine.yamlfile:$ oc apply -f new-master-machine.yaml
Verify that the new machine has been created:
$ oc get machines -n openshift-machine-api -o wide
Example output:
NAME PHASE TYPE REGION ZONE AGE NODE PROVIDERID STATEclustername-8qw5l-master-1 Running m4.xlarge us-east-1 us-east-1b 3h37m ip-10-0-143-125.ec2.internal aws:///us-east-1b/i-096c349b700a19631 runningclustername-8qw5l-master-2 Running m4.xlarge us-east-1 us-east-1c 3h37m ip-10-0-154-194.ec2.internal aws:///us-east-1c/i-02626f1dba9ed5bba runningclustername-8qw5l-master-3 Provisioning m4.xlarge us-east-1 us-east-1a 85s ip-10-0-173-171.ec2.internal aws:///us-east-1a/i-015b0888fe17bc2c8 running (1)clustername-8qw5l-worker-us-east-1a-wbtgd Running m4.large us-east-1 us-east-1a 3h28m ip-10-0-129-226.ec2.internal aws:///us-east-1a/i-010ef6279b4662ced runningclustername-8qw5l-worker-us-east-1b-lrdxb Running m4.large us-east-1 us-east-1b 3h28m ip-10-0-144-248.ec2.internal aws:///us-east-1b/i-0cb45ac45a166173b runningclustername-8qw5l-worker-us-east-1c-pkg26 Running m4.large us-east-1 us-east-1c 3h28m ip-10-0-170-181.ec2.internal aws:///us-east-1c/i-06861c00007751b0a running
1 The new machine, clustername-8qw5l-master-3is being created and is ready after the phase changes fromProvisioningtoRunning.It might take a few minutes for the new machine to be created. The etcd cluster Operator will automatically sync when the machine or node returns to a healthy state.
Repeat these steps for each lost control plane host that is not the recovery host.
Turn off the quorum guard by entering the following command:
$ oc patch etcd/cluster --type=merge -p '{"spec": {"unsupportedConfigOverrides": {"useUnsupportedUnsafeNonHANonProductionUnstableEtcd": true}}}'
This command ensures that you can successfully re-create secrets and roll out the static pods.
In a separate terminal window within the recovery host, export the recovery
kubeconfigfile by running the following command:$ export KUBECONFIG=/etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost-recovery.kubeconfig
Force etcd redeployment.
In the same terminal window where you exported the recovery
kubeconfigfile, run the following command:$ oc patch etcd cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge (1)
1 The forceRedeploymentReasonvalue must be unique, which is why a timestamp is appended.When the etcd cluster Operator performs a redeployment, the existing nodes are started with new pods similar to the initial bootstrap scale up.
Turn the quorum guard back on by entering the following command:
$ oc patch etcd/cluster --type=merge -p '{"spec": {"unsupportedConfigOverrides": null}}'
You can verify that the
unsupportedConfigOverridessection is removed from the object by entering this command:$ oc get etcd/cluster -oyaml
Verify all nodes are updated to the latest revision.
In a terminal that has access to the cluster as a
cluster-adminuser, run the following command:$ oc get etcd -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
Review the
NodeInstallerProgressingstatus condition for etcd to verify that all nodes are at the latest revision. The output showsAllNodesAtLatestRevisionupon successful update:AllNodesAtLatestRevision3 nodes are at revision 7 (1)
1 In this example, the latest revision number is 7.If the output includes multiple revision numbers, such as
2 nodes are at revision 6; 1 nodes are at revision 7, this means that the update is still in progress. Wait a few minutes and try again.After etcd is redeployed, force new rollouts for the control plane. The Kubernetes API server will reinstall itself on the other nodes because the kubelet is connected to API servers using an internal load balancer.
In a terminal that has access to the cluster as a
cluster-adminuser, run the following commands.Force a new rollout for the Kubernetes API server:
$ oc patch kubeapiserver cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
Verify all nodes are updated to the latest revision.
$ oc get kubeapiserver -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
Review the
NodeInstallerProgressingstatus condition to verify that all nodes are at the latest revision. The output showsAllNodesAtLatestRevisionupon successful update:AllNodesAtLatestRevision3 nodes are at revision 7 (1)
1 In this example, the latest revision number is 7.If the output includes multiple revision numbers, such as
2 nodes are at revision 6; 1 nodes are at revision 7, this means that the update is still in progress. Wait a few minutes and try again.Force a new rollout for the Kubernetes controller manager:
$ oc patch kubecontrollermanager cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
Verify all nodes are updated to the latest revision.
$ oc get kubecontrollermanager -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
Review the
NodeInstallerProgressingstatus condition to verify that all nodes are at the latest revision. The output showsAllNodesAtLatestRevisionupon successful update:AllNodesAtLatestRevision3 nodes are at revision 7 (1)
1 In this example, the latest revision number is 7.If the output includes multiple revision numbers, such as
2 nodes are at revision 6; 1 nodes are at revision 7, this means that the update is still in progress. Wait a few minutes and try again.Force a new rollout for the Kubernetes scheduler:
$ oc patch kubescheduler cluster -p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date --rfc-3339=ns )"'"}}' --type=merge
Verify all nodes are updated to the latest revision.
$ oc get kubescheduler -o=jsonpath='{range .items[0].status.conditions[?(@.type=="NodeInstallerProgressing")]}{.reason}{"\n"}{.message}{"\n"}'
Review the
NodeInstallerProgressingstatus condition to verify that all nodes are at the latest revision. The output showsAllNodesAtLatestRevisionupon successful update:AllNodesAtLatestRevision3 nodes are at revision 7 (1)
1 In this example, the latest revision number is 7.If the output includes multiple revision numbers, such as
2 nodes are at revision 6; 1 nodes are at revision 7, this means that the update is still in progress. Wait a few minutes and try again.
Verify that all control plane hosts have started and joined the cluster.
In a terminal that has access to the cluster as a
cluster-adminuser, run the following command:$ oc -n openshift-etcd get pods -l k8s-app=etcd
Example output
etcd-ip-10-0-143-125.ec2.internal 2/2 Running 0 9hetcd-ip-10-0-154-194.ec2.internal 2/2 Running 0 9hetcd-ip-10-0-173-171.ec2.internal 2/2 Running 0 9h
To ensure that all workloads return to normal operation following a recovery procedure, restart each pod that stores Kubernetes API information. This includes OKD components such as routers, Operators, and third-party components.
On completion of the previous procedural steps, you might need to wait a few minutes for all services to return to their restored state. For example, authentication by using Consider using the
Issue the following command to display your authenticated user name:
|
Additional resources
Issues and workarounds for restoring a persistent storage state
If your OKD cluster uses persistent storage of any form, a state of the cluster is typically stored outside etcd. It might be an Elasticsearch cluster running in a pod or a database running in a StatefulSet object. When you restore from an etcd backup, the status of the workloads in OKD is also restored. However, if the etcd snapshot is old, the status might be invalid or outdated.
The contents of persistent volumes (PVs) are never part of the etcd snapshot. When you restore an OKD cluster from an etcd snapshot, non-critical workloads might gain access to critical data, or vice-versa. |
The following are some example scenarios that produce an out-of-date status:
MySQL database is running in a pod backed up by a PV object. Restoring OKD from an etcd snapshot does not bring back the volume on the storage provider, and does not produce a running MySQL pod, despite the pod repeatedly attempting to start. You must manually restore this pod by restoring the volume on the storage provider, and then editing the PV to point to the new volume.
Pod P1 is using volume A, which is attached to node X. If the etcd snapshot is taken while another pod uses the same volume on node Y, then when the etcd restore is performed, pod P1 might not be able to start correctly due to the volume still being attached to node Y. OKD is not aware of the attachment, and does not automatically detach it. When this occurs, the volume must be manually detached from node Y so that the volume can attach on node X, and then pod P1 can start.
Cloud provider or storage provider credentials were updated after the etcd snapshot was taken. This causes any CSI drivers or Operators that depend on the those credentials to not work. You might have to manually update the credentials required by those drivers or Operators.
A device is removed or renamed from OKD nodes after the etcd snapshot is taken. The Local Storage Operator creates symlinks for each PV that it manages from
/dev/disk/by-idor/devdirectories. This situation might cause the local PVs to refer to devices that no longer exist.To fix this problem, an administrator must:
Manually remove the PVs with invalid devices.
Remove symlinks from respective nodes.
Delete
LocalVolumeorLocalVolumeSetobjects (see Storage → Configuring persistent storage → Persistent storage using local volumes → Deleting the Local Storage Operator Resources).
Pod disruption budgets
Understand and configure pod disruption budgets.
Understanding how to use pod disruption budgets to specify the number of pods that must be up
A pod disruption budget allows the specification of safety constraints on pods during operations, such as draining a node for maintenance.
PodDisruptionBudget is an API object that specifies the minimum number or percentage of replicas that must be up at a time. Setting these in projects can be helpful during node maintenance (such as scaling a cluster down or a cluster upgrade) and is only honored on voluntary evictions (not on node failures).
A PodDisruptionBudget object’s configuration consists of the following key parts:
A label selector, which is a label query over a set of pods.
An availability level, which specifies the minimum number of pods that must be available simultaneously, either:
minAvailableis the number of pods must always be available, even during a disruption.maxUnavailableis the number of pods can be unavailable during a disruption.
A |
You can check for pod disruption budgets across all projects with the following:
$ oc get poddisruptionbudget --all-namespaces
Example output
NAMESPACE NAME MIN AVAILABLE MAX UNAVAILABLE ALLOWED DISRUPTIONS AGEopenshift-apiserver openshift-apiserver-pdb N/A 1 1 121mopenshift-cloud-controller-manager aws-cloud-controller-manager 1 N/A 1 125mopenshift-cloud-credential-operator pod-identity-webhook 1 N/A 1 117mopenshift-cluster-csi-drivers aws-ebs-csi-driver-controller-pdb N/A 1 1 121mopenshift-cluster-storage-operator csi-snapshot-controller-pdb N/A 1 1 122mopenshift-cluster-storage-operator csi-snapshot-webhook-pdb N/A 1 1 122mopenshift-console console N/A 1 1 116m#...
The PodDisruptionBudget is considered healthy when there are at least minAvailable pods running in the system. Every pod above that limit can be evicted.
Depending on your pod priority and preemption settings, lower-priority pods might be removed despite their pod disruption budget requirements. |
Specifying the number of pods that must be up with pod disruption budgets
You can use a PodDisruptionBudget object to specify the minimum number or percentage of replicas that must be up at a time.
Procedure
To configure a pod disruption budget:
Create a YAML file with the an object definition similar to the following:
apiVersion: policy/v1 (1)kind: PodDisruptionBudgetmetadata:name: my-pdbspec:minAvailable: 2 (2)selector: (3)matchLabels:name: my-pod
1 PodDisruptionBudgetis part of thepolicy/v1API group.2 The minimum number of pods that must be available simultaneously. This can be either an integer or a string specifying a percentage, for example, 20%.3 A label query over a set of resources. The result of matchLabelsandmatchExpressionsare logically conjoined. Leave this parameter blank, for exampleselector {}, to select all pods in the project.Or:
apiVersion: policy/v1 (1)kind: PodDisruptionBudgetmetadata:name: my-pdbspec:maxUnavailable: 25% (2)selector: (3)matchLabels:name: my-pod
1 PodDisruptionBudgetis part of thepolicy/v1API group.2 The maximum number of pods that can be unavailable simultaneously. This can be either an integer or a string specifying a percentage, for example, 20%.3 A label query over a set of resources. The result of matchLabelsandmatchExpressionsare logically conjoined. Leave this parameter blank, for exampleselector {}, to select all pods in the project.Run the following command to add the object to project:
$ oc create -f </path/to/file> -n <project_name>
Specifying the eviction policy for unhealthy pods
When you use pod disruption budgets (PDBs) to specify how many pods must be available simultaneously, you can also define the criteria for how unhealthy pods are considered for eviction.
You can choose one of the following policies:
IfHealthyBudget
Running pods that are not yet healthy can be evicted only if the guarded application is not disrupted.
AlwaysAllow
Running pods that are not yet healthy can be evicted regardless of whether the criteria in the pod disruption budget is met. This policy can help evict malfunctioning applications, such as ones with pods stuck in the CrashLoopBackOff state or failing to report the Ready status.
It is recommended to set the |
Procedure
Create a YAML file that defines a
PodDisruptionBudgetobject and specify the unhealthy pod eviction policy:Example
pod-disruption-budget.yamlfileapiVersion: policy/v1kind: PodDisruptionBudgetmetadata:name: my-pdbspec:minAvailable: 2selector:matchLabels:name: my-podunhealthyPodEvictionPolicy: AlwaysAllow (1)
1 Choose either IfHealthyBudgetorAlwaysAllowas the unhealthy pod eviction policy. The default isIfHealthyBudgetwhen theunhealthyPodEvictionPolicyfield is empty.Create the
PodDisruptionBudgetobject by running the following command:$ oc create -f pod-disruption-budget.yaml
With a PDB that has the AlwaysAllow unhealthy pod eviction policy set, you can now drain nodes and evict the pods for a malfunctioning application guarded by this PDB.
Additional resources
Unhealthy Pod Eviction Policy in the Kubernetes documentation
Rotating or removing cloud provider credentials
After installing OKD, some organizations require the rotation or removal of the cloud provider credentials that were used during the initial installation.
To allow the cluster to use the new credentials, you must update the secrets that the Cloud Credential Operator (CCO) uses to manage cloud provider credentials.
Rotating cloud provider credentials with the Cloud Credential Operator utility
The Cloud Credential Operator (CCO) utility ccoctl supports updating secrets for clusters installed on IBM Cloud®.
Rotating API keys
You can rotate API keys for your existing service IDs and update the corresponding secrets.
Prerequisites
You have configured the
ccoctlbinary.You have existing service IDs in a live OKD cluster installed.
Procedure
Use the
ccoctlutility to rotate your API keys for the service IDs and update the secrets:$ ccoctl <provider_name> refresh-keys \ (1)--kubeconfig <openshift_kubeconfig_file> \ (2)--credentials-requests-dir <path_to_credential_requests_directory> \ (3)--name <name> (4)
1 The name of the provider. For example: ibmcloudorpowervs.2 The kubeconfigfile associated with the cluster. For example,<installation_directory>/auth/kubeconfig.3 The directory where the credential requests are stored. 4 The name of the OKD cluster. If your cluster uses Technology Preview features that are enabled by the
TechPreviewNoUpgradefeature set, you must include the—enable-tech-previewparameter.
Rotating cloud provider credentials manually
If your cloud provider credentials are changed for any reason, you must manually update the secret that the Cloud Credential Operator (CCO) uses to manage cloud provider credentials.
The process for rotating cloud credentials depends on the mode that the CCO is configured to use. After you rotate credentials for a cluster that is using mint mode, you must manually remove the component credentials that were created by the removed credential.
Prerequisites
Your cluster is installed on a platform that supports rotating cloud credentials manually with the CCO mode that you are using:
For mint mode, Amazon Web Services (AWS) and Google Cloud Platform (GCP) are supported.
For passthrough mode, Amazon Web Services (AWS), Microsoft Azure, Google Cloud Platform (GCP), OpenStack, and VMware vSphere are supported.
You have changed the credentials that are used to interface with your cloud provider.
The new credentials have sufficient permissions for the mode CCO is configured to use in your cluster.
Procedure
In the Administrator perspective of the web console, navigate to Workloads → Secrets.
In the table on the Secrets page, find the root secret for your cloud provider.
Platform Secret name AWS
aws-credsAzure
azure-credentialsGCP
gcp-credentialsOpenStack
openstack-credentialsVMware vSphere
vsphere-credsClick the Options menu
in the same row as the secret and select Edit Secret.Record the contents of the Value field or fields. You can use this information to verify that the value is different after updating the credentials.
Update the text in the Value field or fields with the new authentication information for your cloud provider, and then click Save.
If you are updating the credentials for a vSphere cluster that does not have the vSphere CSI Driver Operator enabled, you must force a rollout of the Kubernetes controller manager to apply the updated credentials.
If the vSphere CSI Driver Operator is enabled, this step is not required.
To apply the updated vSphere credentials, log in to the OKD CLI as a user with the
cluster-adminrole and run the following command:$ oc patch kubecontrollermanager cluster \-p='{"spec": {"forceRedeploymentReason": "recovery-'"$( date )"'"}}' \--type=merge
While the credentials are rolling out, the status of the Kubernetes Controller Manager Operator reports
Progressing=true. To view the status, run the following command:$ oc get co kube-controller-manager
If the CCO for your cluster is configured to use mint mode, delete each component secret that is referenced by the individual
CredentialsRequestobjects.Log in to the OKD CLI as a user with the
cluster-adminrole.Get the names and namespaces of all referenced component secrets:
$ oc -n openshift-cloud-credential-operator get CredentialsRequest \-o json | jq -r '.items[] | select (.spec.providerSpec.kind=="<provider_spec>") | .spec.secretRef'
where
<provider_spec>is the corresponding value for your cloud provider:AWS:
AWSProviderSpecGCP:
GCPProviderSpec
Partial example output for AWS
{"name": "ebs-cloud-credentials","namespace": "openshift-cluster-csi-drivers"}{"name": "cloud-credential-operator-iam-ro-creds","namespace": "openshift-cloud-credential-operator"}
Delete each of the referenced component secrets:
$ oc delete secret <secret_name> \(1)-n <secret_namespace> (2)
1 Specify the name of a secret. 2 Specify the namespace that contains the secret. Example deletion of an AWS secret
$ oc delete secret ebs-cloud-credentials -n openshift-cluster-csi-drivers
You do not need to manually delete the credentials from your provider console. Deleting the referenced component secrets will cause the CCO to delete the existing credentials from the platform and create new ones.
Verification
To verify that the credentials have changed:
In the Administrator perspective of the web console, navigate to Workloads → Secrets.
Verify that the contents of the Value field or fields have changed.
Additional resources
Removing cloud provider credentials
After installing an OKD cluster with the Cloud Credential Operator (CCO) in mint mode, you can remove the administrator-level credential secret from the kube-system namespace in the cluster. The administrator-level credential is required only during changes that require its elevated permissions, such as upgrades.
Prior to a non z-stream upgrade, you must reinstate the credential secret with the administrator-level credential. If the credential is not present, the upgrade might be blocked. |
Prerequisites
- Your cluster is installed on a platform that supports removing cloud credentials from the CCO. Supported platforms are AWS and GCP.
Procedure
In the Administrator perspective of the web console, navigate to Workloads → Secrets.
In the table on the Secrets page, find the root secret for your cloud provider.
Platform Secret name AWS
aws-credsGCP
gcp-credentialsClick the Options menu
in the same row as the secret and select Delete Secret.
Additional resources
Configuring image streams for a disconnected cluster
After installing OKD in a disconnected environment, configure the image streams for the Cluster Samples Operator and the must-gather image stream.
Cluster Samples Operator assistance for mirroring
During installation, OKD creates a config map named imagestreamtag-to-image in the openshift-cluster-samples-operator namespace. The imagestreamtag-to-image config map contains an entry, the populating image, for each image stream tag.
The format of the key for each entry in the data field in the config map is <image_stream_name>_<image_stream_tag_name>.
During a disconnected installation of OKD, the status of the Cluster Samples Operator is set to Removed. If you choose to change it to Managed, it installs samples.
The use of samples in a network-restricted or discontinued environment may require access to services external to your network. Some example services include: Github, Maven Central, npm, RubyGems, PyPi and others. There might be additional steps to take that allow the cluster samples operators’s objects to reach the services they require. |
You can use this config map as a reference for which images need to be mirrored for your image streams to import.
While the Cluster Samples Operator is set to
Removed, you can create your mirrored registry, or determine which existing mirrored registry you want to use.Mirror the samples you want to the mirrored registry using the new config map as your guide.
Add any of the image streams you did not mirror to the
skippedImagestreamslist of the Cluster Samples Operator configuration object.Set
samplesRegistryof the Cluster Samples Operator configuration object to the mirrored registry.Then set the Cluster Samples Operator to
Managedto install the image streams you have mirrored.
Using Cluster Samples Operator image streams with alternate or mirrored registries
Most image streams in the openshift namespace managed by the Cluster Samples Operator point to images located in the Red Hat registry at registry.redhat.io. Mirroring will not apply to these image streams.
The |
The Cluster Samples Operator must be set to |
Prerequisites
Access to the cluster as a user with the
cluster-adminrole.Create a pull secret for your mirror registry.
Procedure
Access the images of a specific image stream to mirror, for example:
$ oc get is <imagestream> -n openshift -o json | jq .spec.tags[].from.name | grep registry.redhat.io
Mirror images from registry.redhat.io associated with any image streams you need in the restricted network environment into one of the defined mirrors, for example:
$ oc image mirror registry.redhat.io/rhscl/ruby-25-rhel7:latest ${MIRROR_ADDR}/rhscl/ruby-25-rhel7:latest
Create the cluster’s image configuration object:
$ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config
Add the required trusted CAs for the mirror in the cluster’s image configuration object:
$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
Update the
samplesRegistryfield in the Cluster Samples Operator configuration object to contain thehostnameportion of the mirror location defined in the mirror configuration:$ oc edit configs.samples.operator.openshift.io -n openshift-cluster-samples-operator
This is required because the image stream import process does not use the mirror or search mechanism at this time.
Add any image streams that are not mirrored into the
skippedImagestreamsfield of the Cluster Samples Operator configuration object. Or if you do not want to support any of the sample image streams, set the Cluster Samples Operator toRemovedin the Cluster Samples Operator configuration object.The Cluster Samples Operator issues alerts if image stream imports are failing but the Cluster Samples Operator is either periodically retrying or does not appear to be retrying them.
Many of the templates in the
openshiftnamespace reference the image streams. So usingRemovedto purge both the image streams and templates will eliminate the possibility of attempts to use them if they are not functional because of any missing image streams.
Preparing your cluster to gather support data
Clusters using a restricted network must import the default must-gather image to gather debugging data for Red Hat support. The must-gather image is not imported by default, and clusters on a restricted network do not have access to the internet to pull the latest image from a remote repository.
Procedure
If you have not added your mirror registry’s trusted CA to your cluster’s image configuration object as part of the Cluster Samples Operator configuration, perform the following steps:
Create the cluster’s image configuration object:
$ oc create configmap registry-config --from-file=${MIRROR_ADDR_HOSTNAME}..5000=$path/ca.crt -n openshift-config
Add the required trusted CAs for the mirror in the cluster’s image configuration object:
$ oc patch image.config.openshift.io/cluster --patch '{"spec":{"additionalTrustedCA":{"name":"registry-config"}}}' --type=merge
Import the default must-gather image from your installation payload:
$ oc import-image is/must-gather -n openshift
When running the oc adm must-gather command, use the --image flag and point to the payload image, as in the following example:
$ oc adm must-gather --image=$(oc adm release info --image-for must-gather)
Configuring periodic importing of Cluster Sample Operator image stream tags
You can ensure that you always have access to the latest versions of the Cluster Sample Operator images by periodically importing the image stream tags when new versions become available.
Procedure
Fetch all the imagestreams in the
openshiftnamespace by running the following command:oc get imagestreams -nopenshift
Fetch the tags for every imagestream in the
openshiftnamespace by running the following command:$ oc get is <image-stream-name> -o jsonpath="{range .spec.tags[*]}{.name}{'\t'}{.from.name}{'\n'}{end}" -nopenshift
For example:
$ oc get is ubi8-openjdk-17 -o jsonpath="{range .spec.tags[*]}{.name}{'\t'}{.from.name}{'\n'}{end}" -nopenshift
Example output
1.11 registry.access.redhat.com/ubi8/openjdk-17:1.111.12 registry.access.redhat.com/ubi8/openjdk-17:1.12
Schedule periodic importing of images for each tag present in the image stream by running the following command:
$ oc tag <repository/image> <image-stream-name:tag> --scheduled -nopenshift
For example:
$ oc tag registry.access.redhat.com/ubi8/openjdk-17:1.11 ubi8-openjdk-17:1.11 --scheduled -nopenshift$ oc tag registry.access.redhat.com/ubi8/openjdk-17:1.12 ubi8-openjdk-17:1.12 --scheduled -nopenshift
This command causes OKD to periodically update this particular image stream tag. This period is a cluster-wide setting set to 15 minutes by default.
Verify the scheduling status of the periodic import by running the following command:
oc get imagestream <image-stream-name> -o jsonpath="{range .spec.tags[*]}Tag: {.name}{'\t'}Scheduled: {.importPolicy.scheduled}{'\n'}{end}" -nopenshift
For example:
oc get imagestream ubi8-openjdk-17 -o jsonpath="{range .spec.tags[*]}Tag: {.name}{'\t'}Scheduled: {.importPolicy.scheduled}{'\n'}{end}" -nopenshift
Example output
Tag: 1.11 Scheduled: trueTag: 1.12 Scheduled: true
