assert that number of pods on node does not exceed CIDR address range

The number of pods on a given node is determined by the --max-pods=k directive. When the address space is exhausted, no more pods can be scheduled even if from the --max-pods-perspective, the node still has capacity. The special case that a pod is scheduled and uses the node IP in the host network namespace is too "soft" to derive a guarantee. Comparing kubelet_max_pods with kube_network_node_prefix when given allows to assert that pod limits match the CIDR address space.
2026-03-09 19:58:07 +03:00 · 2018-05-15 14:34:03 +00:00
parent 7c93e71801
commit c1bc4615fe
4 changed files with 20 additions and 0 deletions
--- a/roles/kubernetes/preinstall/tasks/verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/verify-settings.yml
@@ -61,6 +61,20 @@
  ignore_errors: "{{ ignore_assert_errors }}"
  when: inventory_hostname in groups['kube-node']

+# This assertion will fail on the safe side: One can indeed schedule more pods
+# on a node than the CIDR-range has space for when additional pods use the host
+# network namespace. It is impossible to ascertain the number of such pods at
+# provisioning time, so to establish a guarantee, we factor these out.
+# NOTICE: the check blatantly ignores the inet6-case
+- name: Guarantee that enough network address space is available for all pods
+  assert:
+    that: "{{ kubelet_max_pods <= ((32 - kube_network_node_prefix) ** 2) - 2 }}"
+    msg: "Do not schedule more pods on a node than inet addresses are available."
+  ignore_errors: "{{ ignore_assert_errors }}"
+  when:
+    - inventory_hostname in groups['kube-node']
+    - kube_network_node_prefix is defined
+
 - name: Stop if ip var does not match local ips
  assert:
    that: ip in ansible_all_ipv4_addresses