Skip to content

Comments

OCPBUGS-38662: node controller: Don't degrade when node rebooting for upgrade#2081

Open
tchap wants to merge 2 commits intoopenshift:masterfrom
tchap:node-controller-not-degraded-during-upgrade
Open

OCPBUGS-38662: node controller: Don't degrade when node rebooting for upgrade#2081
tchap wants to merge 2 commits intoopenshift:masterfrom
tchap:node-controller-not-degraded-during-upgrade

Conversation

@tchap
Copy link
Contributor

@tchap tchap commented Jan 19, 2026
edited
Loading

Treat nodes as Degraded only when they are not rebooting for upgrade.
This prevents Degraded=True in operators from bliping during upgrade.

Based on https://github.com/openshift/machine-config-operator/blob/b4ea81d6885c61c91e1503d5f9f5ebed696092b1/pkg/daemon/update.go#L2812

Now the issue is that the annotation can be removed when the reboot is finished before the node becomes Ready. But this should be like seconds before it's Ready. On top of that, there is a 2-minute inertia for Degraded on the operator status, so this should be plenty to cover the gap. Another potential issue is that failing to update the annotations is only logged, it does not prevent the reboot. So we may have rebooting nodes missing the annotation.

An alternative would be ignore nodes with machineconfiguration.openshift.io/state == Working, but that seems to be too broad a condition as it covers basically the whole upgrade process, so that can show too positive view of the system. But it is a possibility.

There may be other ways to implement this for sure, but that would require pulling in other objects like machineconfignode for the nodes, where you can check the timestamp of the last reboot, for example. This doesn't seem particularly necessary as the inertia should cover vast majority of our use cases. So I focused on what we already have, which are the Node objects.

As discussed, I also ended up adding a Degraded inertia here, which means that the rebooting node is only ignored for certain period of time, which is by default 10 minutes. In case something goes very wrong during the upgrade...

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 19, 2026
@openshift-ci openshift-ci bot requested review from dgrisonnet and tkashem January 19, 2026 15:35
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 19, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: tchap
Once this PR has been reviewed and has the lgtm label, please assign tkashem for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@tchap tchap changed the title WIP: node controller: Don't Degrade when node Rebooting WIP: OCPBUGS-38662: node controller: Don't Degrade when node Rebooting Jan 19, 2026
@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. labels Jan 19, 2026
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 19, 2026

@tchap: This pull request references Jira Issue OCPBUGS-38662, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Treat nodes as Degraded only when they are not rebooting for upgrade.
This prevents Degraded=True in operators from bliping during upgrade.

Based on https://github.com/openshift/machine-config-operator/blob/b4ea81d6885c61c91e1503d5f9f5ebed696092b1/pkg/daemon/update.go#L2812

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tchap tchap changed the title WIP: OCPBUGS-38662: node controller: Don't Degrade when node Rebooting WIP: OCPBUGS-38662: node controller: Don't degrade when node rebooting for upgrade Jan 20, 2026
@tchap
node controller: Don't Degrade when node Rebooting
6af210e 
Treat nodes as Degraded only when they are not rebooting for upgrade.
This prevents Degraded=True from bliping during upgrade.
@tchap tchap force-pushed the node-controller-not-degraded-during-upgrade branch from 03571ff to 6af210e Compare January 20, 2026 10:24
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jan 20, 2026

@tchap: This pull request references Jira Issue OCPBUGS-38662, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.22.0) matches configured target version for branch (4.22.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Treat nodes as Degraded only when they are not rebooting for upgrade.
This prevents Degraded=True in operators from bliping during upgrade.

Based on https://github.com/openshift/machine-config-operator/blob/b4ea81d6885c61c91e1503d5f9f5ebed696092b1/pkg/daemon/update.go#L2812

Now the issue is that the annotation can be removed before the node becomes Ready. But this should be like seconds before it's Ready. On top of that, there is a 2-minute inertia for Degraded on the operator status, so this should be plenty to cover the gap.

An alternative would be ignore nodes with machineconfiguration.openshift.io/state == Working, but that seems to be too broad a condition as it covers basically the whole upgrade process.

There may be other ways to implement this for sure, but that would require pulling in other objects like machineconfignode for the nodes, where you can check the timestamp of the last reboot, for example. This doesn't seem particularly necessary as the inertia should cover vast majority of our use cases.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@tchap tchap force-pushed the node-controller-not-degraded-during-upgrade branch from b172632 to 800afca Compare January 20, 2026 13:47
@tchap tchap changed the title WIP: OCPBUGS-38662: node controller: Don't degrade when node rebooting for upgrade OCPBUGS-38662: node controller: Don't degrade when node rebooting for upgrade Jan 20, 2026
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jan 20, 2026
@tchap tchap force-pushed the node-controller-not-degraded-during-upgrade branch from 800afca to 43be5d6 Compare January 20, 2026 13:52
tchap
tchap commented Jan 20, 2026
View reviewed changes
@tchap tchap force-pushed the node-controller-not-degraded-during-upgrade branch 2 times, most recently from 4b67aaf to 2dd855e Compare January 20, 2026 14:49
p0lyn0mial
p0lyn0mial reviewed Jan 21, 2026
View reviewed changes
pkg/operator/staticpod/controller/node/node_controller.go
}

func nodeRebootingForUpgrade(node *coreapiv1.Node) bool {
return node.Annotations[machineConfigDaemonPostConfigAction] == machineConfigDaemonStateRebooting
Copy link
Contributor

@p0lyn0mial p0lyn0mial Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

could we start a conversation with the mco team or the forum-ocp-updates to check what information is available during an upgrade that we could use?

tchap
tchap commented Jan 21, 2026
View reviewed changes
pkg/operator/staticpod/controller/node/node_controller.go Outdated
)

// DefaultRebootingNodeDegradedInertia is the default period during which a node rebooting for upgrade is not considered Degraded.
const DefaultRebootingNodeDegradedInertia = 10 * time.Minute
Copy link
Contributor Author

@tchap tchap Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually need to decide on the default value based on how long it usually takes to restart.

Filip proposed something around an hour, but needs to be verified.

@tchap tchap force-pushed the node-controller-not-degraded-during-upgrade branch from 2dd855e to 9b6527a Compare January 21, 2026 14:51
@tchap
node controller: Add support for Degraded inertia
eeb0eae 
The node is yet again considered Degraded when it's rebooting for too
long. The default inertia interval is set to 2 hours.
@tchap tchap force-pushed the node-controller-not-degraded-during-upgrade branch from 9b6527a to eeb0eae Compare January 23, 2026 09:58
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Jan 23, 2026

@tchap: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

p0lyn0mial
p0lyn0mial reviewed Jan 27, 2026
View reviewed changes
pkg/operator/staticpod/controller/node/node_controller.go
degradedMsg = fmt.Sprintf("node %q not ready since %s because %s (%s)", node.Name, nodeReadyCondition.LastTransitionTime, nodeReadyCondition.Reason, nodeReadyCondition.Message)
}
if len(degradedMsg) > 0 {
if nodeRebootingForUpgrade(node) && !shouldDegradeRebootingNode(nodeReadyCondition, c.rebootingNodeDegradedInertia) {
Copy link
Contributor

@p0lyn0mial p0lyn0mial Jan 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m wondering what the chances are that this is the only controller that becomes degraded during an upgrade. Something tells me there might be many more controllers that are unhappy.

I would prefer a more global solution to this problem.

Also, silencing a degraded condition for two hours seems excessive.

What about using StatusSyncer.WithDegradedInertia? I think it has the potential to be a broader solution.

What is the maximum time after a node becomes degraded once the kubelet stops posting status updates?

Thoughts ?

Copy link
Contributor

@tjungblu tjungblu Feb 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@p0lyn0mial just digging this up again with Ondra. I've been using the degraded inertia on CEO for a month now and it has been quite good at shutting up those blips.

Would you be open to discuss this further in openshift/cluster-kube-apiserver-operator#2052 for KAS-O?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@p0lyn0mial p0lyn0mial p0lyn0mial left review comments

@dgrisonnet dgrisonnet Awaiting requested review from dgrisonnet

@tkashem tkashem Awaiting requested review from tkashem

+1 more reviewer

@tjungblu tjungblu tjungblu left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tchap @openshift-ci-robot @p0lyn0mial @tjungblu