Kubernetes SIG/Meetings/2024-09-24

Agenda:

• Introductions for new members (if any):
• SIG administrivia:
  • mediawiki.org SIG page updated with links to read only notes and Gmeet. Still missing a proper way to publish the gcal event
• Misc
• Topics:
  • Context at https://phabricator.wikimedia.org/T373526, 2 questions:
    • Could we use the SIG's email as Maintainer field for “core” images?
    • Could we assign the duty to the SIG to update/assign the right maintainer fields periodically
    • [CD] How about if we have a team as maintainer and perhaps 1-2 individuals recorded as "expert of last resort"?
    • [JM] Or the sig as the expert of last resort for core stuff, maybe without promising maintenance?
    • Probably okay to have the SIG as maintainer for some images, but not for everything
    • How would we design a round-robin core image update duty?
  • Race condition in iptables rules during puppet runs on k8s nodes
    • Situation/Number of ferm reloads should improve with the outstanding patch
    • Moving to nftables (which kube-proxy does not yet support) will probably fix this
  • Reverse DNS for k8s pods IPs
    • Running an additional CoreDNS daemonset on k8s apiservers and using their nodeport is probably the easiest option to integrate - if DNS servers can pull the apiservers APIs automatically via puppet
  • What would be the challenges involved in a rolling upgrade of the dse-k8s cluster, as opposed to a full reimage and reinitialisation?
    • Probably not supported by https://kubernetes.io/releases/version-skew-policy/
    • Def. not tested on other clusters
    • Might still be possible to do
    • Maybe easier (required anyways if more production services are onboarded) to have a codfw cluster for dse