fix(kubelet): remove streamingConnectionIdleTimeout for k8s >= 1.34#8812
Conversation
There was a problem hiding this comment.
Pull request overview
This PR aims to prevent streamingConnectionIdleTimeout from being propagated to kubelet for Kubernetes >= 1.34, where the corresponding KubeletConfiguration field/flag has been removed, by stripping it from kubelet CLI flags and clearing it from the kubelet config-file content.
Changes:
- Delete
--streaming-connection-idle-timeoutfrom kubelet flags for Kubernetes >= 1.34 in both the legacy NodeBootstrappingConfiguration path and the aks-node-controller helper path. - Clear
KubeletConfigFileConfig.StreamingConnectionIdleTimeoutfor Kubernetes >= 1.34 before marshaling kubelet config-file JSON in aks-node-controller. - Add version gating comments explaining why the field must not appear for 1.34+.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| pkg/agent/baker.go | Removes --streaming-connection-idle-timeout from kubelet flags for k8s >= 1.34 in the NodeBootstrappingConfiguration validation path. |
| aks-node-controller/parser/parser.go | Clears StreamingConnectionIdleTimeout before kubelet config-file JSON marshaling for k8s >= 1.34. |
| aks-node-controller/helpers/utils.go | Removes --streaming-connection-idle-timeout from kubelet flags for k8s >= 1.34 in helper validation. |
| ImageGcHighThresholdPercent: to.Ptr(int32(90)), | ||
| ImageGcLowThresholdPercent: to.Ptr(int32(70)), | ||
| CgroupsPerQos: to.Ptr(true), | ||
| CpuManagerPolicy: "static", |
There was a problem hiding this comment.
this change block due to gofmt/goimports column alignment.
When a struct literal contains multiple fields, gofmt attempts to align the values following the colons into the same column. The width of the aligned column is determined by the longest field name in the group:
| // nested | ||
| "--client-ca-file": "/etc/kubernetes/certs/ca.crt", | ||
| "--authentication-token-webhook": "true", | ||
| "--authorization-mode": "Webhook", |
There was a problem hiding this comment.
same gofmt behave
|
The latest Buf updates on your PR. Results from workflow Buf CI / buf (pull_request).
|
917e68a to
7ad9f47
Compare
aaa9706 to
2075fc1
Compare
streamingConnectionIdleTimeout was removed from KubeletConfiguration in Kubernetes 1.34. This field must not appear on the command line or in the kubelet config file for those versions. RP already strips the flag from the incoming payload via removeKubeletFlags() for >= 1.34. This change adds defense-in-depth checks in AgentBaker to ensure the field is also cleared from KubeletConfigFileConfig before marshaling.
…version gate Add unit tests asserting that --streaming-connection-idle-timeout is: - Kept for k8s 1.33 (below threshold) - Removed for k8s 1.34.0 (exact boundary) - Removed for k8s 1.35.0 (above threshold) Tests cover all three paths: - aks-node-controller/helpers: ValidateAndSetLinuxKubeletFlags - aks-node-controller/parser: getCSEEnv config file marshaling - pkg/agent: ValidateAndSetLinuxNodeBootstrappingConfiguration
Remove the deprecated streamingConnectionIdleTimeout field from helper_test.go fixtures (both proto input and expected JSON/flags output). The field is deprecated and should not be part of the default test baseline.
…lpers The helpers/ValidateAndSetLinuxKubeletFlags test is redundant — it tests a function that only exists as a test helper (mirrors RP logic). The same version-gated removal is already covered by: - parser_test.go: tests the aks-node-controller production path - pkg/agent/utils_test.go: tests the RP library production path
…for k8s >= 1.34 Add version-gated removal in pruneKubeletConfig() so that e2e tests running on k8s >= 1.34 clusters don't include the deprecated flag in the NodeBootstrappingConfiguration.
…d ensure it is not reintroduced in AgentBaker for k8s >= 1.34
…gs and KubeletConfigFileConfig for k8s >= 1.34
…and expected outputs for k8s >= 1.34
…iguration files for k8s >= 1.34
2075fc1 to
c2dd0bb
Compare
Summary
Remove
streamingConnectionIdleTimeoutfrom both the kubelet command line and the kubelet config file for Kubernetes >= 1.34, where this field was removed fromKubeletConfiguration.Context: RP-side flow (scriptless path)
RP already handles this in
removeKubeletFlags(). However, the field may still arrive inKubeletConfigFileConfigfrom:GetAKSNodeConfig(NBC conversion) path where the removal may not be appliedChanges (defense-in-depth)
aks-node-controller/helpers/utils.goValidateAndSetLinuxKubeletFlags(): delete--streaming-connection-idle-timeoutfor >= 1.34aks-node-controller/parser/parser.gogetCSEEnv(): clearKubeletConfigFileConfig.StreamingConnectionIdleTimeoutfor >= 1.34 before marshalingpkg/agent/baker.goValidateAndSetLinuxNodeBootstrappingConfiguration(): same flag deletion for the old NBC pathWhy both flag deletion AND config file clearing?
helpers/utils.go,baker.go): coversenableKCF=falsecase where translated flags stay on the command lineparser.go): coversenableKCF=truecase where the field would appear inkubeletconfig.jsonif RP sets itTest plan