fix kube_reserved so it only controls kubeReservedCgroup (#11367)

docs/operations/cgroups.md

@@ -1,6 +1,6 @@
 # cgroups
 
-To avoid the rivals for resources between containers or the impact on the host in Kubernetes, the kubelet components will rely on cgroups to limit the container’s resources usage.
+To avoid resource contention between containers and host daemons in Kubernetes, the kubelet components can use cgroups to limit resource usage.
 
 ## Enforcing Node Allocatable
 
@@ -20,8 +20,9 @@ Here is an example:
 ```yaml
 kubelet_enforce_node_allocatable: "pods,kube-reserved,system-reserved"
 
-# Reserve this space for kube resources
-# Set to true to reserve resources for kube daemons
+# Set kube_reserved to true to run kubelet and container-engine daemons in a dedicated cgroup.
+# This is required if you want to enforce limits on the resource usage of these daemons.
+# It is not required if you just want to make resource reservations (kube_memory_reserved, kube_cpu_reserved, etc.)
 kube_reserved: true
 kube_reserved_cgroups_for_service_slice: kube.slice
 kube_reserved_cgroups: "/{{ kube_reserved_cgroups_for_service_slice }}"

inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml

@@ -262,7 +262,7 @@ default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"
 # kubelet_runtime_cgroups_cgroupfs: "/system.slice/{{ container_manager }}.service"
 # kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
 
-# Optionally reserve this space for kube daemons.
+# Whether to run kubelet and container-engine daemons in a dedicated cgroup.
 # kube_reserved: false
 ## Uncomment to override default values
 ## The following two items need to be set when kube_reserved is true

roles/kubernetes/node/defaults/main.yml

@@ -34,7 +34,7 @@ kube_node_addresses: >-
 kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} {{ kube_node_addresses }}"
 
 # Reserve this space for kube resources
-# Set to true to reserve resources for kube daemons
+# Whether to run kubelet and container-engine daemons in a dedicated cgroup. (Not required for resource reservations).
 kube_reserved: false
 kube_reserved_cgroups_for_service_slice: kube.slice
 kube_reserved_cgroups: "/{{ kube_reserved_cgroups_for_service_slice }}"

roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2

@@ -62,6 +62,7 @@ clusterDNS:
 {# Node reserved CPU/memory #}
 {% if kube_reserved | bool %}
 kubeReservedCgroup: {{ kube_reserved_cgroups }}
+{% endif %}
 kubeReserved:
 {% if is_kube_master | bool %}
   cpu: "{{ kube_master_cpu_reserved }}"
@@ -82,7 +83,6 @@ kubeReserved:
   pid: "{{ kube_pid_reserved }}"
 {% endif %}
 {% endif %}
-{% endif %}
 {% if system_reserved | bool %}
 systemReservedCgroup: {{ system_reserved_cgroups }}
 systemReserved: