From 468c5641b2548318ba1f9ded215dc0e05a2c6f78 Mon Sep 17 00:00:00 2001
From: "R. P. Taylor" <1686627+rptaylor@users.noreply.github.com>
Date: Fri, 26 Jul 2024 01:39:20 -0700
Subject: [PATCH] fix kube_reserved so it only controls kubeReservedCgroup
 (#11367)

---
 docs/operations/cgroups.md                                 | 7 ++++---
 inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml    | 2 +-
 roles/kubernetes/node/defaults/main.yml                    | 2 +-
 .../node/templates/kubelet-config.v1beta1.yaml.j2          | 2 +-
 4 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/docs/operations/cgroups.md b/docs/operations/cgroups.md
index 30ca7778e..68c7581b0 100644
--- a/docs/operations/cgroups.md
+++ b/docs/operations/cgroups.md
@@ -1,6 +1,6 @@
 # cgroups
 
-To avoid the rivals for resources between containers or the impact on the host in Kubernetes, the kubelet components will rely on cgroups to limit the container’s resources usage.
+To avoid resource contention between containers and host daemons in Kubernetes, the kubelet components can use cgroups to limit resource usage.
 
 ## Enforcing Node Allocatable
 
@@ -20,8 +20,9 @@ Here is an example:
 ```yaml
 kubelet_enforce_node_allocatable: "pods,kube-reserved,system-reserved"
 
-# Reserve this space for kube resources
-# Set to true to reserve resources for kube daemons
+# Set kube_reserved to true to run kubelet and container-engine daemons in a dedicated cgroup.
+# This is required if you want to enforce limits on the resource usage of these daemons.
+# It is not required if you just want to make resource reservations (kube_memory_reserved, kube_cpu_reserved, etc.)
 kube_reserved: true
 kube_reserved_cgroups_for_service_slice: kube.slice
 kube_reserved_cgroups: "/{{ kube_reserved_cgroups_for_service_slice }}"
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index 6b36ae4a3..6bcdde8cb 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -262,7 +262,7 @@ default_kubelet_config_dir: "{{ kube_config_dir }}/dynamic_kubelet_dir"
 # kubelet_runtime_cgroups_cgroupfs: "/system.slice/{{ container_manager }}.service"
 # kubelet_kubelet_cgroups_cgroupfs: "/system.slice/kubelet.service"
 
-# Optionally reserve this space for kube daemons.
+# Whether to run kubelet and container-engine daemons in a dedicated cgroup.
 # kube_reserved: false
 ## Uncomment to override default values
 ## The following two items need to be set when kube_reserved is true
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index 7c2078a4b..7b8438e9b 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -34,7 +34,7 @@ kube_node_addresses: >-
 kubelet_secure_addresses: "localhost link-local {{ kube_pods_subnet }} {{ kube_node_addresses }}"
 
 # Reserve this space for kube resources
-# Set to true to reserve resources for kube daemons
+# Whether to run kubelet and container-engine daemons in a dedicated cgroup. (Not required for resource reservations).
 kube_reserved: false
 kube_reserved_cgroups_for_service_slice: kube.slice
 kube_reserved_cgroups: "/{{ kube_reserved_cgroups_for_service_slice }}"
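Review bot: The context comment `# Reserve this space for kube resources`, directly above the rewritten line, is left in place and now contradicts it, because after this commit `kube_reserved` no longer decides whether anything is reserved. I would drop that line or replace it with `# Reservations (kube_memory_reserved, kube_cpu_reserved, ...) apply regardless of this flag.` It would also help to repeat here what the docs change in this commit says: enforcing limits on these daemons requires the flag to be true, so a reader of the defaults file does not enable `kube-reserved` enforcement while leaving it false.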
diff --git a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2 b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
index 705b1bfca..bc59f03d2 100644
--- a/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
+++ b/roles/kubernetes/node/templates/kubelet-config.v1beta1.yaml.j2
@@ -62,6 +62,7 @@ clusterDNS:
 {# Node reserved CPU/memory #}
 {% if kube_reserved | bool %}
 kubeReservedCgroup: {{ kube_reserved_cgroups }}
+{% endif %}
 kubeReserved:
 {% if is_kube_master | bool %}
   cpu: "{{ kube_master_cpu_reserved }}"
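Review bot: With `{% endif %}` moved up to sit directly after `kubeReservedCgroup`, the `kubeReserved:` map is rendered on every node, including those that keep `kube_reserved: false`, so such nodes will likely report lower allocatable CPU and memory once the new kubelet config is rolled out. That matches the commit's intent, but it is an upgrade-visible change the template does not announce; I would add `{# kubeReserved is always rendered; kube_reserved only toggles kubeReservedCgroup #}` above the `{% if kube_reserved | bool %}` line and call it out in the release notes. Separately, `kubeReservedCgroup: {{ kube_reserved_cgroups }}` emits an unquoted templated scalar; `kubeReservedCgroup: "{{ kube_reserved_cgroups }}"` would keep an empty or oddly typed override from rendering as null. The kubeReserved block continues outside this hunk.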
@@ -82,7 +83,6 @@ kubeReserved:
   pid: "{{ kube_pid_reserved }}"
 {% endif %}
 {% endif %}
-{% endif %}
 {% if system_reserved | bool %}
 systemReservedCgroup: {{ system_reserved_cgroups }}
 systemReserved:
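Review bot: The `system_reserved` block just below the removed `{% endif %}` keeps the old shape, with `systemReservedCgroup` and `systemReserved:` both inside `{% if system_reserved | bool %}`, so the two flags now mean different things: `kube_reserved` only selects the cgroup, while `system_reserved` still switches the reservations themselves on and off. If the asymmetry is deliberate it deserves a template comment such as `{# unlike kube_reserved, system_reserved also gates the systemReserved values #}`; otherwise the same restructuring should be applied here. With `system_reserved` false, host daemons still get no reservation, so pod resource pressure can still starve them, which is the situation this commit addresses for the kubelet. The systemReserved block continues past the end of the hunk.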
-- 
GitLab