You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/graceful-shutdown.adoc
+27-46Lines changed: 27 additions & 46 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -20,83 +20,64 @@ You can shut down a cluster until a year from the installation date and expect i
20
20
21
21
.Procedure
22
22
23
-
. If you plan to shut down the cluster for an extended period of time, determine the date that cluster certificates expire.
24
-
+
25
-
You must restart the cluster prior to the date that certificates expire. As the cluster restarts, the process might require you to manually approve the pending certificate signing requests (CSRs) to recover kubelet certificates.
26
-
27
-
.. Check the expiration date for the `kube-apiserver-to-kubelet-signer` CA certificate:
23
+
. If you are shutting the cluster down for an extended period, determine the date on which certificates expire and run the following command:
28
24
+
29
25
[source,terminal]
30
26
----
31
-
$ oc -n openshift-kube-apiserver-operator get secret kube-apiserver-to-kubelet-signer -o jsonpath='{.metadata.annotations.auth\.openshift\.io/certificate-not-after}{"\n"}'
27
+
$ oc -n openshift-kube-apiserver-operator get secret kube-apiserver-to-kubelet-signer -o jsonpath='{.metadata.annotations.auth\.openshift\.io/certificate-not-after}'
32
28
----
33
29
+
34
30
.Example output
35
31
[source,terminal]
36
32
----
37
-
2023-08-05T14:37:50Z
38
-
----
39
-
40
-
.. Check the expiration date for the kubelet certificates:
41
-
42
-
... Start a debug session for a control plane node by running the following command:
43
-
+
44
-
[source,terminal]
45
-
----
46
-
$ oc debug node/<node_name>
33
+
2022-08-05T14:37:50Zuser@user:~ $ <1>
47
34
----
35
+
<1> To ensure that the cluster can restart gracefully, plan to restart it on or before the specified date. As the cluster restarts, the process might require you to manually approve the pending certificate signing requests (CSRs) to recover kubelet certificates.
48
36
49
-
... Change your root directory to `/host` by running the following command:
37
+
. Mark all the nodes in the cluster as unschedulable. You can do this from your cloud provider's web console, or by running the following loop:
50
38
+
51
39
[source,terminal]
52
40
----
53
-
sh-4.4# chroot /host
54
-
----
55
-
56
-
... Check the kubelet client certificate expiration date by running the following command:
$ for node in $(oc get nodes -l node-role.kubernetes.io/worker -o jsonpath='{.items[*].metadata.name}'); do echo ${node} ; oc adm drain ${node}--delete-emptydir-data --ignore-daemonsets=true --timeout=15s ; done
80
66
----
81
67
82
-
... Exit the debug session.
83
-
84
-
... Repeat these steps to check certificate expiration dates on all control plane nodes. To ensure that the cluster can restart gracefully, plan to restart it before the earliest certificate expiration date.
85
-
86
-
. Shut down all of the nodes in the cluster. You can do this from your cloud provider's web console, or run the following loop:
68
+
. Shut down all of the nodes in the cluster. You can do this from your cloud provider’s web console, or by running the following loop:
87
69
+
88
70
[source,terminal]
89
71
----
90
-
$ for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node}-- chroot /host shutdown -h 1; done <1>
72
+
$ for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node}-- chroot /host shutdown -h 1; done
91
73
----
92
-
<1> `-h 1` indicates how long, in minutes, this process lasts before the control-plane nodes are shut down. For large-scale clusters with 10 nodes or more, set to 10 minutes or longer to make sure all the compute nodes have time to shut down first.
@@ -108,6 +89,7 @@ Shutting down the nodes using one of these methods allows pods to terminate grac
108
89
[NOTE]
109
90
====
110
91
Adjust the shut down time to be longer for large-scale clusters:
92
+
111
93
[source,terminal]
112
94
----
113
95
$ for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc debug node/${node} -- chroot /host shutdown -h 10; done
@@ -117,7 +99,6 @@ $ for node in $(oc get nodes -o jsonpath='{.items[*].metadata.name}'); do oc deb
117
99
[NOTE]
118
100
====
119
101
It is not necessary to drain control plane nodes of the standard pods that ship with {product-title} prior to shutdown.
120
-
121
102
Cluster administrators are responsible for ensuring a clean restart of their own workloads after the cluster is restarted. If you drained control plane nodes prior to shutdown because of custom workloads, you must mark the control plane nodes as schedulable before the cluster will be functional again after restart.
122
103
====
123
104
@@ -126,4 +107,4 @@ Cluster administrators are responsible for ensuring a clean restart of their own
126
107
[IMPORTANT]
127
108
====
128
109
If you deployed your cluster on a cloud-provider platform, do not shut down, suspend, or delete the associated cloud resources. If you delete the cloud resources of a suspended virtual machine, {product-title} might not restore successfully.
0 commit comments