Feature Gates?

Kubernetes version: 1.20
Cloud being used: bare-metal
Installation method: kubeadm init --config
Host OS: CentOS 8
CNI and version: Calico
CRI and version: Containerd

I am new to Kubernetes. I have stood up an HA cluster (3 Control Plane, 3 Worker nodes). However, I am seeing a lot about different Feature Gates that need to be installed. Also other kube apiserver settings that need to be changed. However, it does not appear there is a way to do that from the command line? Is there a good set of instructions on how to enable a feature gate or make other kube apiserver changes? Do I need to recreate my cluster using a new config file?

When setting it up you can pass feature-gates as a string or in a kubeadm config:

For more control over it, I’d suggest passing a kubeadm config.

If updating an already deployed cluster you’d do it in two phases:

  1. Edit the component’s manifest directly (/etc/kubernetes/manifests) and restart kubelet.
  2. Edit the stored kubeadm configmap in the kube-system namespace so that when you update the cluster, the featuregates will be added.
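
The first phase above, as an added example that is not part of the original posts: a shell helper that sets one feature gate in the kube-apiserver static pod manifest without duplicating the flag. The function names, the sample manifest and the gate names ExampleGateA/ExampleGateB are constructed placeholders.

```shell
# Added example, not from the thread; function names are hypothetical.
# merge_gates "A=true,B=false" "B=true" prints "A=true,B=true"
merge_gates() (
  set -f; IFS=,; name=${2%%=*}; out=""
  for item in $1; do
    if [ "${item%%=*}" = "$name" ]; then continue; fi  # drop the old value
    out="${out:+$out,}$item"
  done
  printf '%s\n' "${out:+$out,}$2"
)

# set_feature_gate MANIFEST GATE=BOOL rewrites MANIFEST in place.
set_feature_gate() (
  manifest=$1; gate=$2; tmp=$(mktemp)
  if grep -q -- '^ *- --feature-gates=' "$manifest"; then
    current=$(sed -n 's/^ *- --feature-gates=//p' "$manifest" | head -n 1)
    merged=$(merge_gates "$current" "$gate")
    sed "s|^\( *- --feature-gates=\).*|\1$merged|" "$manifest" > "$tmp"
  else
    # No flag yet: add it right after the binary name, same indentation.
    awk -v flag="--feature-gates=$gate" '
      { print }
      /^ *- kube-apiserver$/ { sub(/-.*/, ""); print $0 "- " flag }
    ' "$manifest" > "$tmp"
  fi
  cat "$tmp" > "$manifest" && rm -f "$tmp"   # keeps the file's owner and mode
)

# Constructed sample of the relevant part of a kube-apiserver manifest.
write_sample_manifest() {
  cat > "$1" <<'EOF'
spec:
  containers:
  - command:
    - kube-apiserver
    - --authorization-mode=Node,RBAC
    image: k8s.gcr.io/kube-apiserver:v1.20.0
EOF
}

# Real file: /etc/kubernetes/manifests/kube-apiserver.yaml (keep any backup
# outside that directory). The demo runs on a scratch copy, placeholder gates.
demo=$(mktemp); write_sample_manifest "$demo"
set_feature_gate "$demo" "ExampleGateA=true"
set_feature_gate "$demo" "ExampleGateB=false"
set_feature_gate "$demo" "ExampleGateA=false"   # updates the value, no duplicate
cat "$demo"; rm -f "$demo"
```

For the second phase, make the same change under apiServer.extraArgs in the stored config with `kubectl -n kube-system edit configmap kubeadm-config`.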

Ok, thanks. I will look at that.

Brian

Are there no good examples on what the yaml file would look like? I just read through kubeadm init | Kubernetes, but I don’t see anything terribly useful.

You can use kubeadm config print to view the default config, or kubeadm config view to see the config for a currently deployed cluster.

So you have to build a cluster to try and see what the file should look like and then, what, guess what is missing? Was looking at the documentation on the feature gates and there is a summary table of them, but no indication as to the purpose. How do I know what I should enable? The kubeadm config view does not show me the format of how to add them either.

I just would like a good example of how to set up a cluster specifying things like feature gates, and security recommendations. I am seeing indications that things like --anonymous-auth should be set to false. However, when I tried to build the cluster with that set originally it would not start.

The kubeadm config print init-defaults variant will display the default config. Beyond that it’s the defaults for each component: kube-apiserver, kube-scheduler, etc.

For the kubeadm configs, they’re passed as extraArgs which then get added as cli flags on the pods that are spun up, or parameters for kubelet.

An example from a default kind system:

apiServer:
  certSANs:
  - localhost
  - 127.0.0.1
  extraArgs:
    authorization-mode: Node,RBAC
    runtime-config: ""
  timeoutForControlPlane: 4m0s
apiVersion: kubeadm.k8s.io/v1beta2
certificatesDir: /etc/kubernetes/pki
clusterName: kind
controlPlaneEndpoint: kind-control-plane:6443
controllerManager:
  extraArgs:
    enable-hostpath-provisioner: "true"
dns:
  type: CoreDNS
etcd:
  local:
    dataDir: /var/lib/etcd
imageRepository: k8s.gcr.io
kind: ClusterConfiguration
kubernetesVersion: v1.19.1
networking:
  dnsDomain: cluster.local
  podSubnet: 10.244.0.0/16
  serviceSubnet: 10.96.0.0/12
scheduler: {}

Looking at that, we can take a look at the apiserver

apiServer:
  certSANs:
  - localhost
  - 127.0.0.1
  extraArgs:
    authorization-mode: Node,RBAC

To add featuregates, it’s just like how you’d do it on the cli:

apiServer:
  certSANs:
  - localhost
  - 127.0.0.1
  extraArgs:
    authorization-mode: Node,RBAC
    feature-gates: "herp=true,derp=false"

There isn’t a good summary of what each feature-gate is in table form; most of the docs will just reference what needs to be enabled if you want to use that feature, and they explain more of the caveats and gotchas around it.

If you want more details on the features, you can find them in the kubernetes/enhancements repo, which has the design proposals and more information on each feature.

Ok, thanks. Got it.