From 1a7b10c0bf915319bc7dc7b9e7bffbbeb04664c8 Mon Sep 17 00:00:00 2001 From: Tomas Nozicka Date: Mon, 19 Mar 2018 15:12:55 +0100 Subject: [PATCH] Disable default project node selector when using daemonsets --- admin_guide/managing_projects.adoc | 4 ++-- dev_guide/daemonsets.adoc | 27 +++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/admin_guide/managing_projects.adoc b/admin_guide/managing_projects.adoc index 90e57b543074..01473ffea860 100644 --- a/admin_guide/managing_projects.adoc +++ b/admin_guide/managing_projects.adoc @@ -183,7 +183,7 @@ $ oc adm new-project myproject \ --node-selector='type=user-node,region=east' ---- -Once this command is run, this becomes the adminstrator-set node selector for +Once this command is run, this becomes the administrator-set node selector for all pods contained in the specified project. [NOTE] @@ -215,7 +215,7 @@ You can also override the default value for an existing project namespace by usi ---- If `openshift.io/node-selector` is set to an empty string (`oc adm new-project ---node-selector=""`), the project will not have an adminstrator-set node +--node-selector=""`), the project will not have an administrator-set node selector, even if the cluster-wide default has been set. This means that, as a cluster administrator, you can set a default to restrict developer projects to a subset of nodes and still enable infrastructure or other projects to schedule diff --git a/dev_guide/daemonsets.adoc b/dev_guide/daemonsets.adoc index 8f9bbfb85cc3..2a6f78d6d98d 100644 --- a/dev_guide/daemonsets.adoc +++ b/dev_guide/daemonsets.adoc 
@@ -19,8 +19,35 @@ A daemonset can be used to run replicas of a pod on specific or all nodes in an Use daemonsets to create shared storage, run a logging pod on every node in your cluster, or deploy a monitoring agent on every node. +For security reasons, only cluster administrators can create daemonsets. +(xref:../admin_guide/manage_rbac.adoc#admin-guide-granting-users-daemonset-permissions[Granting Users Daemonset Permissions.]) + For more information on daemonsets, see the link:http://kubernetes.io/docs/admin/daemons/[Kubernetes documentation]. +[IMPORTANT] +==== +Daemonset scheduling is incompatible with project's default node selector. +If you fail to disable it, the daemonset gets restricted by merging with the +default node selector. This results in frequent pod recreates on the nodes that +got unselected by the merged node selector, which in turn puts unwanted load on +the cluster. + +Therefore, + +* Before you start using daemonsets, disable the default project-wide +xref:../admin_guide/managing_projects.adoc#using-node-selectors[node selector] +in your namespace, by setting the namespace annotation `openshift.io/node-selector` to an empty string: + +---- +# oc patch namespace myproject -p \ + '{"metadata": {"annotations": {"openshift.io/node-selector": ""}}}' +---- + +* If you are creating a new project, overwrite the default node selector using +`oc adm new-project --node-selector=""`. + +==== + [[dev-guide-creating-daemonsets]] == Creating Daemonsets
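Review bot: In the [IMPORTANT] block added to dev_guide/daemonsets.adoc, the instruction to set `openshift.io/node-selector` to an empty string does not say that this removes the administrator-set node selector for every pod in the project, not only for the daemonset's pods. The managing_projects.adoc text in this same patch states that such a project "will not have an administrator-set node selector, even if the cluster-wide default has been set". Suggest adding a sentence that states this scope and recommends keeping daemonsets in a project set aside for them, so that a cluster-wide restriction on developer workloads is not lifted as a side effect. Smaller points in the same hunk: the `----` listing after the first bullet follows a blank line with no `+` list continuation, so it detaches from the bullet and the second `*` starts a new list; the example uses a `#` prompt while managing_projects.adoc uses `$ oc adm new-project ...`; the xref is left as a bare parenthetical with the period inside the link text and would read better as "See xref:...[Granting Users Daemonset Permissions]."; and "incompatible with project's default node selector" is missing an article ("the project's").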