From 1e523a267c8297ffbd3209597a957a34fe7105b0 Mon Sep 17 00:00:00 2001 From: Chad Swenson Date: Mon, 7 Jul 2025 13:29:26 -0500 Subject: [PATCH] Fix kubeadm upgrade node skipPhases with multiple CP nodes (#12367) Add 1.32 conditional defaults Restore support for kubeadm upgrade node --skip-phases < 1.32, apply still needs to be restricted --- .../kubernetes/control-plane/tasks/kubeadm-upgrade.yml | 10 ++++------ .../templates/kubeadm-config.v1beta4.yaml.j2 | 2 +- roles/kubespray_defaults/defaults/main/main.yml | 9 +++++++++ 3 files changed, 14 insertions(+), 7 deletions(-) diff --git a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml index 44b7e1eec..523956d1d 100644 --- a/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml +++ b/roles/kubernetes/control-plane/tasks/kubeadm-upgrade.yml @@ -4,7 +4,7 @@ # kubeadm-config.v1beta4 with UpgradeConfiguration requires some values that were previously allowed as args to be specified in the config file # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases -- name: Kubeadm | Upgrade first control plane node +- name: Kubeadm | Upgrade first control plane node to {{ kube_version }} command: >- timeout -k 600s 600s {{ bin_dir }}/kubeadm upgrade apply -y v{{ kube_version }} @@ -27,8 +27,8 @@ environment: PATH: "{{ bin_dir }}:{{ ansible_env.PATH }}" - # TODO: Remove --skip-phases from command when v1beta4 UpgradeConfiguration supports skipPhases -- name: Kubeadm | Upgrade other control plane nodes +# TODO: When we retire kubeadm-config.v1beta3, remove --certificate-renewal, --ignore-preflight-errors, --etcd-upgrade, --patches, and --skip-phases from command, since v1beta4+ supports these in UpgradeConfiguration.node +- name: Kubeadm | Upgrade other control plane nodes to {{ kube_version }} command: >- {{ bin_dir }}/kubeadm upgrade node {%- if kubeadm_config_api_version == 'v1beta3' %} 
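Review bot: The new TODO above "Upgrade other control plane nodes" says v1beta4+ supports `--skip-phases` in `UpgradeConfiguration.node`, while the TODO kept above the first control plane task (context in the `@@ -4,7` hunk) still says to wait until "v1beta4 UpgradeConfiguration supports skipPhases", so the two comments now read as contradictory. If the remaining restriction only concerns `kubeadm upgrade apply`, as the commit message suggests, the first comment should say so, for example `# TODO: Remove --skip-phases from 'kubeadm upgrade apply' once it can be set through UpgradeConfiguration.apply`. The new comment is also one very long line; wrapping it over two or three `#` lines keeps it within the usual yamllint line-length limit. Both task bodies continue outside these hunks.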
@@ -39,9 +39,7 @@ {%- else %} --config={{ kube_config_dir }}/kubeadm-config.yaml {%- endif %} - {%- if kube_version is version('1.32.0', '>=') %} - --skip-phases={{ kubeadm_init_phases_skip | join(',') }} - {%- endif %} + --skip-phases={{ kubeadm_upgrade_node_phases_skip | join(',') }} register: kubeadm_upgrade when: inventory_hostname != first_kube_control_plane failed_when: kubeadm_upgrade.rc != 0 and "field is immutable" not in kubeadm_upgrade.stderr diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 index ea0efd816..03799ea8b 100644 --- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 +++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta4.yaml.j2 @@ -491,7 +491,7 @@ node: {% endif %} imagePullPolicy: {{ k8s_image_pull_policy }} imagePullSerial: {{ kubeadm_image_pull_serial | lower }} -{% for skip_phase in kubeadm_init_phases_skip %} +{% for skip_phase in kubeadm_upgrade_node_phases_skip %} {% if loop.first %} skipPhases: {% endif %} diff --git a/roles/kubespray_defaults/defaults/main/main.yml b/roles/kubespray_defaults/defaults/main/main.yml index bd9332964..23f0ab814 100644 --- a/roles/kubespray_defaults/defaults/main/main.yml +++ b/roles/kubespray_defaults/defaults/main/main.yml 
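Review bot: `--skip-phases=` is now emitted on every run, including when `kubeadm_upgrade_node_phases_skip` is empty (its default below 1.32 according to the defaults hunk), which renders the flag with an empty value. The v1beta4 template omits `skipPhases:` entirely in that case through its `loop.first` guard, so the command line should probably behave the same way: `{%- if kubeadm_upgrade_node_phases_skip | length > 0 %}`, then `--skip-phases={{ kubeadm_upgrade_node_phases_skip | join(',') }}`, then `{%- endif %}`. Whether kubeadm tolerates an empty value is not visible here, so it is worth confirming on a pre-1.32 cluster before relying on it. The task starts before this hunk.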
@@ -66,6 +66,15 @@ kubeadm_join_phases_skip_default: [] kubeadm_join_phases_skip: >- {{ kubeadm_join_phases_skip_default }} +# List of kubeadm upgrade node phases that should be skipped when upgrading a secondary control plane node (supports different phases than kubeadm init and kubeadm upgrade apply) +kubeadm_upgrade_node_phases_skip_default: [] +kubeadm_upgrade_node_phases_skip: >- + {%- if kube_version is version('1.32.0', '>=') -%} + {{ kubeadm_upgrade_node_phases_skip_default + kubeadm_init_phases_skip }} + {%- else -%} + {{ kubeadm_upgrade_node_phases_skip_default }} + {%- endif -%} + # Set to true to remove the role binding to anonymous users created by kubeadm remove_anonymous_access: false
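Review bot: For 1.32 and later the list is built by appending `kubeadm_init_phases_skip`, although the comment directly above says that `kubeadm upgrade node` supports different phases than `kubeadm init`, so an init-only phase name set by a user would be forwarded both to `--skip-phases` and to `node.skipPhases`. If kubeadm rejects phase names it does not know for that subcommand (likely, but not shown here), secondary control plane upgrades would fail after the first node has already been upgraded. I would extend the comment to name the init phases that are expected to carry over and to state that overriding `kubeadm_upgrade_node_phases_skip` itself is the way to opt out. The concatenation can also produce duplicates, which `{{ (kubeadm_upgrade_node_phases_skip_default + kubeadm_init_phases_skip) | unique }}` avoids.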