Enable Service Topology on k8s

Question

I'm using k8s with kubeadm version 1.17. I'm trying to enable Service Topology feature gates but I can't. Documentation say to use "--feature-gates="ServiceTopology=true,EndpointSlice=true". I tried to use that in "kubeadm init"... But kubeadm say that is not available to the cluster. Can you help me? That is the documentation that I'm following: https://kubernetes.io/docs/tasks/administer-cluster/enabling-service-topology/

Answer 1

It's not a flag of kubeadm. You need to enable it for each kubernetes control plane component such as controller manager, API Server, Scheduler, Kube proxy. The yamls for each of these components located at /etc/kubernetes/manifests location on all the master nodes need to be modified to add the feature flag - --feature-gates=ServiceTopology=true

API Server yaml for example

root@kind-control-plane:/# cat /etc/kubernetes/manifests/kube-apiserver.yaml 
apiVersion: v1
kind: Pod
metadata:
  annotations:
    kubeadm.kubernetes.io/kube-apiserver.advertise-address.endpoint: 172.18.0.2:6443
  creationTimestamp: null
  labels:
    component: kube-apiserver
    tier: control-plane
  name: kube-apiserver
  namespace: kube-system
spec:
  containers:
  - command:
    - kube-apiserver
    - --advertise-address=172.18.0.2
    - --allow-privileged=true
    - --authorization-mode=Node,RBAC
    - --client-ca-file=/etc/kubernetes/pki/ca.crt
    - --enable-admission-plugins=NodeRestriction
    - --enable-bootstrap-token-auth=true
    - --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt
    - --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt
    - --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key
    - --etcd-servers=https://127.0.0.1:2379
    - --insecure-port=0
    - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
    - --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key
    - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
    - --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt
    - --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key
    - --requestheader-allowed-names=front-proxy-client
    - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
    - --requestheader-extra-headers-prefix=X-Remote-Extra-
    - --requestheader-group-headers=X-Remote-Group
    - --requestheader-username-headers=X-Remote-User
    - --secure-port=6443
    - --service-account-key-file=/etc/kubernetes/pki/sa.pub
    - --service-cluster-ip-range=10.96.0.0/12
    - --tls-cert-file=/etc/kubernetes/pki/apiserver.crt
    - --tls-private-key-file=/etc/kubernetes/pki/apiserver.key
    - --feature-gates=ServiceTopology=true 

Edit:

For kube proxy a custom kubeadm config file need to be created to add the feature flag

apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
...
---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
FeatureGates:
  ServiceTopology: true

Reference here

Answer 2

In my case (kubeadm version 1.18.2), it works with the following kubeadm configuration .yaml file (podSubnet is there because I am using Flannel CNI). The key of kube-proxy is "featureGates" as mentioned in https://godoc.org/k8s.io/kube-proxy/config/v1alpha1#KubeProxyConfiguration

---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
apiServer:
  extraArgs:
    feature-gates: "ServiceTopology=true,EndpointSlice=true"
controllerManager:
  extraArgs:
    feature-gates: "ServiceTopology=true,EndpointSlice=true"
scheduler:
  extraArgs:
    feature-gates: "ServiceTopology=true,EndpointSlice=true"
networking:
   podSubnet: "10.244.0.0/16"

---
apiVersion: kubeproxy.config.k8s.io/v1alpha1
kind: KubeProxyConfiguration
featureGates:
  ServiceTopology: true
  EndpointSliceProxying: true