VirtualMachineScaleSets support for Kubernetes #2620
Conversation
ghost
assigned 
|
👍 VirtualMachineScaleSets is only supported with kubernetes v1.10 and above versions. So I think we don't need to check backward compatibility. |
sozercan
force-pushed
the
vmss
branch
3 times, most recently
from
19a7d05 to
61cc30b
Compare
|
I don't really understand why is this documented as supported if there is an open PR. Is that a bug? https://github.com/Azure/acs-engine/blob/master/docs/clusterdefinition.md#agentpoolprofiles |
|
@todoesverso VMSS is supported for Swarm and DCOS but not for Kubernetes yet (support is added with Kubernetes v1.10) |
|
@sozercan hey! we're trying to test this PR with kubernetes 1.10.0 and cluster autoscaler. We've got a problem with unregistered nodes. Digging through other issues, I found this Is useInstanceMetadata supposed to be false with VMSS and k8s 1.10.0? |
Yep, this is supported in v1.10. But there are a bug for vmss with autoscaler 1.2.0, the fix is here kubernetes/autoscaler#758. It should be included in v1.2.1. |
|
@feiskyer oh thx! We'll try it with 1.2.1. |
| ] | ||
| } | ||
| }, | ||
| "servicePrincipalProfile": { |
There was a problem hiding this comment.
Let us default our examples to MSI. MSI (and later EMSi when possible)
parts/k8s/kubernetesmastervars.t
Outdated
| @@ -119,7 +119,11 @@ | |||
| "cloudProviderRatelimitQPS": "[parameters('cloudProviderRatelimitQPS')]", | |||
| "cloudProviderRatelimitBucket": "[parameters('cloudProviderRatelimitBucket')]", | |||
| "useManagedIdentityExtension": "{{ UseManagedIdentity }}", | |||
| {{if .HasVirtualMachineScaleSets}} | |||
| "useInstanceMetadata": "false", | |||
There was a problem hiding this comment.
what is the reason for this?
There was a problem hiding this comment.
1.10 supports setting useInstanceMetadata to both true and false, so we should keep same logic: "useInstanceMetadata": "{{ UseInstanceMetadata }}"
There was a problem hiding this comment.
due to kubernetes/kubernetes#62611, if instanceMetadata is enabled and vmType is set to vmss, master kubelet won't start. If it's disabled, it works fine. One possible (and messy) workaround is to duplicate cloud config on the masters, so master has kubelet vmType as standard and controller-manager has vmss. Better option is to wait until 1.10.2 with above pr merged.
There was a problem hiding this comment.
Since this is experimental (we'll add docs later) let's change the above to "useInstanceMetadata": "{{ UseInstanceMetadata }}". Experimenters pre-1.10.2 should specify "useInstanceMetadata": "false" in their api models until then.
This way we don't have to submit a follow-up PR after 1.10.2.
parts/k8s/kubernetesbase.t
Outdated
| @@ -55,6 +55,8 @@ | |||
| {{if $index}}, {{end}} | |||
| {{if .IsWindows}} | |||
| {{template "k8s/kuberneteswinagentresourcesvmas.t" .}} | |||
| {{else if .IsVirtualMachineScaleSets}} | |||
There was a problem hiding this comment.
Do we have a reason not support windows as well?
There was a problem hiding this comment.
windows agents should be working now
| for _, agentProfile := range cs.Properties.AgentPoolProfiles { | ||
| if agentProfile.IsAvailabilitySets() { | ||
| return true | ||
| } | ||
| } | ||
| return false | ||
| }, | ||
| "AnyAgentUsesVirtualMachineScaleSets": func() bool { |
There was a problem hiding this comment.
I think we shouldn't allow bootstrapping a mixed mode cluster. Either availability sets or scale sets but not both.
There was a problem hiding this comment.
added validation check so mixed mode clusters are not allowed
| "secrets": "[variables('linuxProfileSecrets')]" | ||
| {{end}} | ||
| }, | ||
| "storageProfile": { |
There was a problem hiding this comment.
There was a PR recently enabling users to provision using their own images. is this included? Used currently by openshift on acs-engine @jim-minter FYI
There was a problem hiding this comment.
Yes, seems to be included, thanks
There was a problem hiding this comment.
custom images should be included now
| "osDisk": { | ||
| "createOption": "FromImage", | ||
| "caching": "ReadWrite" | ||
| {{if .IsStorageAccount}} |
There was a problem hiding this comment.
@jackfrancis I think we should validate against storage accounts for new clusters while allowing them for scale ops. Is this possible?
There was a problem hiding this comment.
@khenidak I'm not sure what you mean.
@JackQuincy can you confirm that there's no special validation/template processing context for deployment vs scale?
|
@kkmsft for autoscaler + VMSS work |
sozercan
force-pushed
the
vmss
branch
2 times, most recently
from
90346d0 to
092547e
Compare
sozercan
changed the title
|
@sozercan Thanks for awesome work. LGTM @JiangtianLi Could you also have a look at this? |
| "subnetName": "$global:SubnetName", | ||
| "securityGroupName": "$global:SecurityGroupName", | ||
| "vnetName": "$global:VNetName", | ||
| "routeTableName": "$global:RouteTableName", | ||
| "primaryAvailabilitySetName": "$global:PrimaryAvailabilitySetName", | ||
| "primaryScaleSetName": "$global:PrimaryScaleSetName", |
There was a problem hiding this comment.
where is primaryScaleSetName used?
There was a problem hiding this comment.
Both vmType and primaryScaleSetName are part of the cloud provider config for Azure for v1.10.
| @@ -188,11 +186,13 @@ Write-AzureConfig() | |||
| "aadClientSecret": "$AADClientSecret", | |||
| "resourceGroup": "$global:ResourceGroup", | |||
| "location": "$Location", | |||
| "vmType": "$global:VmType", | |||
| @@ -346,7 +345,7 @@ $KubeletCommandLine | |||
| "@ | |||
| } else { | |||
| $kubeStartStr += @" | |||
|
|
|||
There was a problem hiding this comment.
thanks for cleaning up. :)
| @@ -0,0 +1,193 @@ | |||
| {{if .IsStorageAccount}} | |||
There was a problem hiding this comment.
what is the diff of this file with kubernetesagentresourcesvmss.t?
There was a problem hiding this comment.
74c74
< "resourceNameSuffix" : "[variables('winResourceNamePrefix')]",
---
> "resourceNameSuffix" : "[variables('nameSuffix')]",
131,134c131,148
< "computerNamePrefix": "[concat(substring(variables('nameSuffix'), 0, 5), 'acs')]",
< {{GetKubernetesWindowsAgentCustomData .}}
< "adminUsername": "[variables('windowsAdminUsername')]",
< "adminPassword": "[variables('windowsAdminPassword')]"
---
> "adminUsername": "[variables('username')]",
> "computerNamePrefix": "[variables('{{.Name}}VMNamePrefix')]",
> {{GetKubernetesAgentCustomData .}}
> "linuxConfiguration": {
> "disablePasswordAuthentication": "true",
> "ssh": {
> "publicKeys": [
> {
> "keyData": "[parameters('sshRSAPublicKey')]",
> "path": "[variables('sshKeyPath')]"
> }
> ]
> }
> }
> {{if HasLinuxSecrets}}
> ,
> "secrets": "[variables('linuxProfileSecrets')]"
> {{end}}
137c151,153
< {{GetDataDisks .}}
---
> {{if not (UseAgentCustomImage .)}}
> {{GetDataDisks .}}
> {{end}}
139,142c155,162
< "offer": "[variables('agentWindowsOffer')]",
< "publisher": "[variables('agentWindowsPublisher')]",
< "sku": "[variables('agentWindowsSku')]",
< "version": "[variables('agentWindowsVersion')]"
---
> {{if UseAgentCustomImage .}}
> "id": "[resourceId(variables('{{.Name}}osImageResourceGroup'), 'Microsoft.Compute/images', variables('{{.Name}}osImageName'))]"
> {{else}}
> "offer": "[variables('{{.Name}}osImageOffer')]",
> "publisher": "[variables('{{.Name}}osImagePublisher')]",
> "sku": "[variables('{{.Name}}osImageSKU')]",
> "version": "[variables('{{.Name}}osImageVersion')]"
> {{end}}
163,165c183,185
< "publisher": "Microsoft.Compute",
< "type": "CustomScriptExtension",
< "typeHandlerVersion": "1.8",
---
> "publisher": "Microsoft.Azure.Extensions",
> "type": "CustomScript",
> "typeHandlerVersion": "2.0",
169c189
< "commandToExecute": "[concat('powershell.exe -ExecutionPolicy Unrestricted -command \"', '$arguments = ', variables('singleQuote'),'-MasterIP ',variables('kubernetesAPIServerIP'),' -KubeDnsServiceIp ',variables('kubeDnsServiceIp'),' -MasterFQDNPrefix ',variables('masterFqdnPrefix'),' -Location ',variables('location'),' -AgentKey ',variables('clientPrivateKey'),' -AADClientId ',variables('servicePrincipalClientId'),' -AADClientSecret ',variables('servicePrincipalClientSecret'),variables('singleQuote'), ' ; ', variables('windowsCustomScriptSuffix'), '\" > %SYSTEMDRIVE%\\AzureData\\CustomDataSetupScript.log 2>&1')]"
---
> "commandToExecute": "[concat(variables('provisionScriptParametersCommon'),' /usr/bin/nohup /bin/bash -c \"/bin/bash /opt/azure/containers/provision.sh >> /var/log/azure/cluster-provision.log 2>&1\"')]"
178c198
< "type": "ManagedIdentityExtensionForWindows",
---
> "type": "ManagedIdentityExtensionForLinux",
|
Just one more request @sozercan: could you kindly add a validation that requires instanceMetadata to be false for k8s < 1.10.2? (I know that's basically everything now but that will become useful over time.) Thanks so much for this, looks great! |
|
@jackfrancis that is a bit of an overkill? we can run imds on 1.8 and 1.9 |
|
Is the description for
|
|
@jackfrancis added validation when using VMSS with k8s < v1.10.2 @CecileRobertMichon thanks, updated |
What this PR does / why we need it:
Which issue this PR fixes:
fixes #2403
If applicable:
ie. deploy with previous version, upgrade with this branch)Release note:
cc @feiskyer @JiangtianLi