document pvc finalizer issue during 1.10 -> 1.9 downgrade #7731
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| * TOC | ||
| {:toc} | ||
|
|
||
| --- | ||
| title: Kubernetes Downgrade issue from 1.10 to 1.9 due to PV/PVC Protection | ||
| --- | ||
|
|
||
| ## PV/PVC Protection in Kubernetes 1.10 | ||
|
There was a problem hiding this comment. To work with previous edit: |
||
|
|
||
| When enabled, [PV/PVC Protection](docs/admin/admission-controllers.md#storage-object-in-use-protection-beta) prevents PV/PVC from being removed when the finalizers are removed. | ||
|
There was a problem hiding this comment. "If you enable the admission controller Not sure I've got this right because there seems to be some contradiction between the text ^^ and text below. There was a problem hiding this comment. good catch, it is should be There was a problem hiding this comment.
Correct, when the finalizer is present in an PV or PVC object, the object is not removed. There was a problem hiding this comment. The link should be There was a problem hiding this comment. Because the feature is called |
||
|
|
||
| ## Downgrading issue | ||
|
|
||
| After downgrading from Kubernetes 1.10 to 1.9, PV/PVCs that are created in Kubernetes 1.10 with PVC Protection cannot be removed. | ||
|
There was a problem hiding this comment. "After you downgrade from Kubernetes 1.10 to 1.9, PersistentVolume or PersistentVolumeClaim objects that were created with version 1.10 cannot be removed. This is because their finalizers are not recognized in version 1.9." I'm extrapolating from the first section -- is this indeed correct? Clearer to be explicit even if it looks repetitive to someone who knows the feature. There was a problem hiding this comment. I think that is the case, let @pospispa confirm There was a problem hiding this comment. Well, let me firstly explain the purpose of the When the So when the In K8s 1.9 the finalizers work in the same way as in K8s 1.10, i.e. when a finalizer is present in an object and the object is deleted the object is not removed immediately, but the object transitions into Note: there is I personally would describe the downgrading issue in the below way: |
||
|
|
||
| ## Workaround | ||
|
|
||
| Currently PV/PVC finalizers have to be manually removed so PV/PVC can be removed after downgrading to Kubernetes 1.9. | ||
|
There was a problem hiding this comment. "Currently the yeah, I added "before you downgrade" because that's what it looks like from the following instructions, but it was not completely clear. Also adding another step to make when you do what even clearer. |
||
|
|
||
| Before downgrading to Kubernetes 1.9, disable `StorageObjectInUseProtection` plugin and restart admission controller. | ||
|
There was a problem hiding this comment. "1. Before you downgrade, disable the Can we also please provide the shell command here? (and if you indent four spaces it will keep the step numbering, with my great thanks) There was a problem hiding this comment.
There was a problem hiding this comment. Or Also -- I see nothing in the admission controller docs about a restart. If it's necessary, what's the command? Do you have to restart the apiserver? There was a problem hiding this comment.
The restart process is to stop apiserver, and start it again but with a different command line option as above:
There was a problem hiding this comment. How to There was a problem hiding this comment. Just notice that @Bradamant3 already mentioned this in #7731 (comment) :) |
||
|
|
||
| Then patch PV/PVC (e.g. `pv1`) using the following command: | ||
|
|
||
| ```bash | ||
| kubectl patch pv pv1 --type=json -p='[{"op": "remove", "path": "/metadata/finalizers"}]' | ||
| ``` | ||
|
|
||
| then verify the finalizers are removed: | ||
| ```bash | ||
| kubectl get pv pv1 -o yaml |grep finalizer | ||
| # (result should be empty) | ||
| ``` | ||
|
There was a problem hiding this comment. And for ll22 to end: There was a problem hiding this comment. sounds good. this process has to iterate over all pv/pvcs created in 1.10 |
||
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's be more precise here:
"Issue downgrading Kubernetes from 1.10 to 1.9 if
StorageObjectInUseProtectionadmission controller is enabled"I suggest the change because of the name of the flag the user actually sets. I understand that the finalizer names are different, and the user needs to know what they are to troubleshoot.
The docs also explain about the finalizers, but wouldn't a user be more likely to think in terms of the plugin name?
If I have time, I'll submit a PR and flag y'all on it, to explain the feature more clearly in the docs, too. It took me a number of reads to sort out what was going on, and I know about admission controllers and finalizers. (I am also in high end-of-release-cycle mode, I admit.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Bradamant3 yes your rephrase sounds good to me. I feel both doc (admission controller in admin doc in the reference) and this one need to be in sync to help end users know what the term is and what it is for.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would vote for a shorter title for this because when the article is online, long titles would be a problem for navigation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The feature is called
StorageObjectInUseProtectionin K8s 1.10 andPVCProtectionin K8s 1.9 that's why I would change the title in such a way that it refers to the feature names.Do we need to include exact numbers from 1.10 to 1.9 in the title?
What about title:
StorageObjectInUse/PVC Protection Downgrade Issue?