kubeadm: apply the new "control-plane" taint during upgrade

- During "upgrade apply" call a new function AddNewControlPlaneTaint() that finds all nodes with the new "control-plane" node-role label and adds the new "control-plane" taint to them. - The function is called in "apply" and is separate from the step to remove the old "master" label for better debugging if errors occur.
2025-07-29 14:37:00 +00:00 · 2022-01-13 17:25:11 +02:00 · 2022-01-13 17:25:11 +02:00 · db6061f5a6
commit db6061f5a6
parent 370031cada
2 changed files with 45 additions and 0 deletions
--- a/cmd/kubeadm/app/cmd/upgrade/apply.go
+++ b/cmd/kubeadm/app/cmd/upgrade/apply.go
@ -164,6 +164,15 @@ func runApply(flags *applyFlags, args []string) error {
 		return err
 	}

+	// TODO: https://github.com/kubernetes/kubeadm/issues/2200
+	fmt.Printf("[upgrade/postupgrade] Adding the new taint %s to all control plane Nodes. "+
+		"After this step both taints %s and %s should be present on control plane Nodes.\n",
+		kubeadmconstants.ControlPlaneTaint.String(), kubeadmconstants.ControlPlaneTaint.String(),
+		kubeadmconstants.OldControlPlaneTaint.String())
+	if err := upgrade.AddNewControlPlaneTaint(client); err != nil {
+		return err
+	}
+
 	// Upgrade RBAC rules and addons.
 	klog.V(1).Infoln("[upgrade/postupgrade] upgrading RBAC rules and addons")
 	if err := upgrade.PerformPostUpgradeTasks(client, cfg, flags.dryRun); err != nil {
--- a/cmd/kubeadm/app/phases/upgrade/postupgrade.go
+++ b/cmd/kubeadm/app/phases/upgrade/postupgrade.go
@ -239,6 +239,42 @@ func RemoveOldControlPlaneLabel(client clientset.Interface) error {
 	return nil
 }

+// AddNewControlPlaneTaint finds all nodes with the new "control-plane" node-role label
+// and adds the new "control-plane" taint to them.
+// TODO: https://github.com/kubernetes/kubeadm/issues/2200
+func AddNewControlPlaneTaint(client clientset.Interface) error {
+	selectorControlPlane := labels.SelectorFromSet(labels.Set(map[string]string{
+		kubeadmconstants.LabelNodeRoleControlPlane: "",
+	}))
+	nodes, err := client.CoreV1().Nodes().List(context.TODO(), metav1.ListOptions{
+		LabelSelector: selectorControlPlane.String(),
+	})
+	if err != nil {
+		return errors.Wrapf(err, "could not list nodes labeled with %q", kubeadmconstants.LabelNodeRoleControlPlane)
+	}
+
+	for _, n := range nodes.Items {
+		// Check if the node has the taint already and skip it if so
+		hasTaint := false
+		for _, t := range n.Spec.Taints {
+			if t.String() == kubeadmconstants.ControlPlaneTaint.String() {
+				hasTaint = true
+				break
+			}
+		}
+		// If the node does not have the taint, patch it
+		if !hasTaint {
+			err = apiclient.PatchNode(client, n.Name, func(n *v1.Node) {
+				n.Spec.Taints = append(n.Spec.Taints, kubeadmconstants.ControlPlaneTaint)
+			})
+			if err != nil {
+				return err
+			}
+		}
+	}
+	return nil
+}
+
 // UpdateKubeletDynamicEnvFileWithURLScheme reads the kubelet dynamic environment file
 // from disk, ensure that the CRI endpoint flag has a scheme prefix and writes it
 // back to disk.