Hi @mmerrill3. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mmerrill3
To complete the pull request process, please assign zetaab
You can assign the PR to them by writing /assign @zetaab in a comment when ready.

The full list of commands accepted by this bot can be found here.

/ok-to-test

@mmerrill3: The following tests failed, say /retest to rerun all failed tests:

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Run hack/update-bazel.sh and commit the results in order to pass the pull-kops-verify-bazel and Travis checks.

@johngmyers thanks for all the feedback and your insight. Before I go forward, do we want to address all the use cases where pods can get drained from a node, or just the rolling update feature of kops? To confirm, I see three use cases. One is a user initiated rolling update, via kops. The next use case is node deletion via an ASG, or even via the cloud providers' console or a CLI. Finally, there's node deletion for any other reason.

Yes, this PR only addresses the first use case, which is the user initiated rolling update command.

To address #7119, I'm not sure if the kubelet sends a delete node request to the API server in this case. If so, maybe we could leverage that. That's nice since the rolling-update also sends a delete node signal to the API server, and we can come up with one solution, based around that delete node API request.

no, kubelet does not send a delete node API request when the instances are terminated via the AWS console

I feel like we are at a design impasse here, since one use case is a CLI use case where we do a rolling update, and kops is in the flow. The other use case is an ASG or another tool terminating an instance, and kops is not in the flow. The solutions in #7119, in particular the last one where a systemd service is registered at shutdown, are not initiated by kops.

The rolling update can be controlled by kops, so that's what this PR is for. I don't see a way, without introducing another component (operator, systemd unit, daemon set) of handling the "cloud" termination gracefully.
Moreover, the solutions for #7119 won't help when we want to make sure that all pods are removed before we delete the node through the k8s API server during a rolling update. For instance, if I setup a node with a systemd stop script to gracefully remove all the pods upon node termination, it will have ran too late. The node will already have been deleted from the API server. My goal is to gracefully remove all pods before the calls is made to the API server to delete the node.

Maybe that's the hang up. During a rolling update, I care when the delete request is made to the API server. In the other cases, the delete node API call doesn't get made, and its not relevant.

According to the comment in the code, which was added in e982087, rolling update deletes the node because the cloud provider could create a replacement with the same name and that could get the same node object with the cordoning in place.

One possibility would be to move the node deletion to the systemd stop script, assuming we would have enough confidence that it would reliably run.

It seems odd to me that kubelet would reuse a node resource like this. One would think that the deletion-through-console case would also suffer from such stale data in reused node resources. Perhaps we could have kops-controller delete such orphaned nodes when the replacement instance goes through bootstrapping?

@justinsb what would you say to moving the node deletion that is in rolling update to someplace later? The assertion is that Weave uses the node deletion event as a signal to deallocate that node's IP address assignments, which is a problem if that node's Weave pod is still running and communicating with other Weave pods.

@mmerrill3 to answer your first question, I would prefer we spend some time exploring whether we can find a systematic solution. If we can, then work done on rolling update would likely be wasted.

If there were to be more work on rolling update, it would probably be to add a second drain call to evict the daemonsets. I'm not sure this would need to be an option.

Thanks @johngmyers, I like your idea that the node deletion doesn't need to occur during rolling update, but rather moving the node deletion action to a workflow that handles graceful node termination, like discussed in #7119. That would allow us to do graceful terminations the same way, for both use cases.
Nodeup could add a systemd "shutdown" unit to be invoked when the instance is being shutdown. We can make that configurable, default turned on, as a kops configuration general option. That shutdown systemd service needs to be able to send API commands to the API server, so we would need to maybe do something like protokube. As opposed to being ran to setup volumes, DNS, etc, a new "postkube" container would be ran after we are done with the node as a member of the cluster, and allow us to do node deletion, removing any remaining pods if need be, gracefully close mounts, or anything else really.

this PR is going to be closed in support of a different approach.

@mmerrill3: PR needs rebase.

closing to come at the from a different angle.