Add Port-10250 to default kubeadm_ignore_preflight_errors

[sathieu]

kubelet is started before kubeadm init is run.

Since, #11710, this leads to the following error:

W0116 14:54:04.224835   11902 utils.go:69] The recommended value for "clusterDNS" in "KubeletConfiguration" is: [10.233.0.10]; the provided value is: [169.254.25.10]
error execution phase preflight: [preflight] Some fatal errors occurred:
    [ERROR Port-10250]: Port 10250 is in use
[preflight] If you know what you are doing, you can make a check non-fatal with `--ignore-preflight-errors=...`
To see the stack trace of this error execute with --v=5 or highe
[init] Using Kubernetes version: v1.31.4
[preflight] Running pre-flight checks

[k8s-ci-robot]

Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sathieu
Once this PR has been reviewed and has the lgtm label, please assign floryut for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[k8s-ci-robot]

Hi @sathieu. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[VannTen]

First, on the overall change:

kubelet is started before kubeadm init is run.

Is that legitimate from kubespray ? Without context, this looks wrong, so maybe we should not be doing this ? And in that case, that's what we should be fixing.

[VannTen]

This can't be done here because this would break customization of this variable.
It should instead be done locally on the task experiencing the issue, like :

kubespray/roles/kubernetes/kubeadm/tasks/main.yml

Lines 87 to 96 in 0e91000

	vars:
	ignored:
	- DirAvailable--etc-kubernetes-manifests
	- "{{ kubeadm_ignore_preflight_errors }}"
	command: >-
	timeout -k {{ kubeadm_join_timeout }} {{ kubeadm_join_timeout }}
	{{ bin_dir }}/kubeadm join
	--config {{ kube_config_dir }}/kubeadm-client.conf
	--ignore-preflight-errors={{ ignored | flatten | join(',') }}
	--skip-phases={{ kubeadm_join_phases_skip | join(',') }}

Or if this affect several tasks, have another variables which is combined to form the full list at the relevant use sites.

[sathieu]

I don't understand why we have this problem and it was not caught by kubespray's CI.

Here is our inventory (generated by ansible, so double jinja): https://gitlab.com/kubitus-project/kubitus-installer/-/tree/d97c911f3a6eba275f21c19b5994f55cb3fc3ac5/roles/kubespray/templates/inventory

And the renovate MR: https://gitlab.com/kubitus-project/kubitus-installer/-/merge_requests/3610

[VannTen]

I don't understand why we have this problem and it was not caught by kubespray's CI.

Yeah I was having the same thought, this should happens in all cases. We're probably missing something here.

Here is our inventory (generated by ansible, so double jinja): https://gitlab.com/kubitus-project/kubitus-installer/-/tree/4c905613744eef7635a2a708564a23c07d23e345/roles/kubespray/templates/inventory

I don't see anything egregious at first glance. Are you able to reproduce it in another context ? Does it happens on multiples inventories / clusters ?

[sathieu]

Are you able to reproduce it in another context ? Does it happens on multiples inventories / clusters ?

Not yet, but I can test changing the inventory if there is a suspiciour variable.

NB: We are using Debian 12

[yankay]

/ok-to-test

[sathieu]

In the manual doc for kubeadm, kubelet is started:

5. (Optional) Enable the kubelet service before running kubeadm:

sudo systemctl enable --now kubelet

The kubelet is now restarting every few seconds, as it waits in a crashloop for kubeadm to tell it what to do.

I think it is crashlooping until the cert is available.