Chapter 44. Disabling Features Using Feature Gates


As an administrator, you can turn off specific features for specific nodes or for the entire platform using feature gates.

For example, you can turn off new features for production clusters while leaving the features on for test clusters where you can fully test them.

If you disable a feature that appears in the web console, you might see that feature, but no objects are listed. If you attempt to use commands associated with a disabled feature, OpenShift Container Platform displays an error.

Note

If you disable a feature that any application in the cluster relies on, the application might not function properly, depending upon the feature disabled and how the application uses that feature.

Feature gates use a key=value pair in the master configuration file (/etc/origin/master/master-config.yaml) and the node configuration files that describes the feature you want to block.

To modify the node configuration files, update the node configuration maps as needed. Do not manually edit the node-config.yaml file.

For example, the following code turns off the Huge Pages feature:

kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - HugePages=false  # (1)
  ...
  controllerArguments:
    feature-gates:
    - HugePages=false  # (2)

(1) (2) A key/value pair that turns off a feature:
  • true enables the specified feature
  • false disables the specified feature

Specify multiple feature gates in one, comma-delimited line:

kubeletArguments:
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,ExpandPersistentVolumes=true,HugePages=false

44.1. Disabling Features for a Cluster

To turn off a feature for the entire cluster, edit the master configuration file, by default /etc/origin/master/master-config.yaml:

  1. For the feature you want to turn off, enter: <feature_name>=false under apiServerArguments and controllerArguments.

    For example:

    kubernetesMasterConfig:
      apiServerArguments:
        feature-gates:
        - HugePages=false
      controllerArguments:
        feature-gates:
        - HugePages=false

    Specify multiple feature gates in one, comma-delimited line:

    kubernetesMasterConfig:
      apiServerArguments:
        feature-gates:
        - RotateKubeletClientCertificate=false,RotateKubeletServerCertificate=false,ExpandPersistentVolumes=true,HugePages=false
      controllerArguments:
        feature-gates:
        - RotateKubeletClientCertificate=false,RotateKubeletServerCertificate=false,ExpandPersistentVolumes=true,HugePages=false
  2. Restart the OpenShift Container Platform master service to apply the changes.

    # master-restart api
    # master-restart controllers

To re-enable a disabled feature, edit the master configuration file to remove the <feature_name>=false entry and restart the master services.
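
An added example (not part of the Red Hat documentation): a Python check that reads feature-gates entries in the layout shown above and reports entries that are not in the <feature_name>=true|false form, gates set differently under apiServerArguments and controllerArguments, and disabled gates that appear on a review list. The review list, the function names, and the sample input are assumptions made for this example; the extraction is line-based and assumes the indentation style used on this page.

```python
import re
# Constructed sample in the master-config.yaml layout shown on this page.
SAMPLE = """\
kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - RotateKubeletClientCertificate=false,HugePages=false
  controllerArguments:
    feature-gates:
    - HugePages=false,AppArmor=off
"""

SECTIONS = ("apiServerArguments", "controllerArguments", "kubeletArguments")
# Assumption: gates from the page's list worth a second look when turned off.
REVIEW_IF_DISABLED = {"AdvancedAuditing", "AppArmor", "ReadOnlyAPIDataVolumes",
                      "RotateKubeletClientCertificate", "RotateKubeletServerCertificate"}

def extract_gates(text):
    """Return ({section: {gate: bool}}, [(section, malformed_entry), ...])."""
    gates, bad, section, in_list = {}, [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.rstrip(":") in SECTIONS:
            section, in_list = line.rstrip(":"), False
        elif line == "feature-gates:":
            in_list = section is not None
        elif in_list and line.startswith("- "):
            for pair in line[2:].strip("'\" ").split(","):
                m = re.fullmatch(r"\s*(\w+)=(true|false)\s*", pair)
                if m:
                    gates.setdefault(section, {})[m.group(1)] = m.group(2) == "true"
                else:
                    bad.append((section, pair.strip()))
        elif line and not line.startswith("#"):
            in_list = False  # any other key ends the feature-gates list
    return gates, bad

def audit(text):
    """List bad entries, api/controller mismatches, and review-list disables."""
    gates, bad = extract_gates(text)
    findings = [f"malformed entry in {s}: {p!r}" for s, p in bad]
    api, ctl = gates.get("apiServerArguments", {}), gates.get("controllerArguments", {})
    for name in sorted(set(api) | set(ctl)):
        if api.get(name) != ctl.get(name):
            findings.append(f"{name}: apiServer={api.get(name)} controllers={ctl.get(name)}")
    for s, g in gates.items():
        findings += [f"{n} disabled in {s}" for n in sorted(g) if not g[n] and n in REVIEW_IF_DISABLED]
    return findings
```

Calling audit(SAMPLE) returns three findings: the malformed AppArmor=off entry, the RotateKubeletClientCertificate gate that is set only under apiServerArguments, and the same gate being disabled.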

44.2. Disabling Features for a Node

To turn off a feature for the node host, edit the appropriate node configuration map:

To modify the node configuration files, update the node configuration maps as needed. Do not manually edit the node-config.yaml file.

  1. For the feature you want to turn off, enter: <feature_name>=false under kubeletArguments.

    For example:

    kubeletArguments:
      feature-gates:
      - HugePages=false

    Specify multiple feature gates in one, comma-delimited line:

    kubeletArguments:
      feature-gates:
      - RotateKubeletClientCertificate=false,RotateKubeletServerCertificate=false,ExpandPersistentVolumes=true,HugePages=false
  2. Restart the OpenShift Container Platform service for the changes to take effect:

    # systemctl restart atomic-openshift-node.service

To re-enable a disabled feature, edit the node configuration files to remove the <feature_name>=false entry and restart the node services.

To modify the node configuration files, update the node configuration maps as needed. Do not manually edit the node-config.yaml file.

44.2.1. List of Feature Gates

Use the following list to determine the name of the feature you want to disable:

Feature gate / Description

Accelerators

Enables Nvidia GPU support when using Docker.

AdvancedAuditing

Enables Advanced Audit.

APIListChunking

Enables API clients to retrieve LIST or GET resources from the API server in chunks.

APIResponseCompression

Enables the compression of API responses for LIST or GET requests.

AppArmor

Enables AppArmor-based mandatory access control on Linux nodes when using Docker. For more information, see the Kubernetes AppArmor documentation.

BlockVolume

Enables the definition and consumption of raw block devices in pods. For more information, see the Kubernetes Raw Block Volume Support.

CPUManager

Enables container-level CPU affinity support. For more information, see Using CPU Manager.

CRIContainerLogRotation

Enables container log rotation for the CRI container runtime.

CSIPersistentVolume

Enables discovering and mounting volumes provisioned through a CSI (Container Storage Interface) compatible volume plugin. For more information, see the CSI Volume Plugins in Kubernetes Design Documentation.

CustomPodDNS

Enables customizing the DNS settings for a pod using the dnsConfig property.

CustomResourceSubresources

Enables /status and /scale subresources on resources created from CustomResourceDefinition. See Extending the Kubernetes API with Custom Resources.

CustomResourceValidation

Enables schema-based validation on resources created from a custom resource definition. For more information, see Extending the Kubernetes API with Custom Resources.

DebugContainers

Enables running a debugging container in a pod namespace to troubleshoot a running Pod.

DevicePlugins

Enables device plug-in-based resource provisioning on nodes.

DynamicKubeletConfig

Enables the dynamic configuration in a cluster.

DynamicVolumeProvisioning (deprecated)

Enables the dynamic provisioning of persistent volumes to pods.

EnableEquivalenceClassCache

Enables the scheduler to cache equivalence of nodes when scheduling Pods.

ExperimentalCriticalPodAnnotation

Enables annotating specific pods as critical so that their scheduling is guaranteed.

ExperimentalHostUserNamespaceDefaultingGate

Enables the disabling of user namespaces. This is for containers that are using other host namespaces, host mounts, or containers that are privileged or using specific non-namespaced capabilities, such as MKNOD, SYS_MODULE, and so forth. This should only be enabled if user namespace remapping is enabled in the Docker daemon.

GCERegionalPersistentDisk

Enables the GCE Persistent Disk feature.

HugePages

Enables the allocation and consumption of pre-allocated huge pages.

HyperVContainer

Enables Hyper-V isolation for Windows containers.

Initializers

Enables the dynamic admission control as an extension to the built-in admission controllers.

LocalStorageCapacityIsolation

Enables the consumption of local ephemeral storage and the sizeLimit property of an emptyDir volume.

MountContainers

Enables using utility containers on the host as the volume mount.

MountPropagation

Enables sharing a volume mounted by one container to other containers or pods.

PersistentLocalVolumes

Enables the usage of local volume pods. Pod affinity has to be specified if requesting a local volume.

PodPriority

Enables the descheduling and preemption of pods based on their priorities.

ReadOnlyAPIDataVolumes

Sets secrets, ConfigMap, DownwardAPI, and projected volumes to be mounted in read-only mode.

ResourceLimitsPriorityFunction

Enables a scheduler priority function that assigns the lowest possible score of 1 to a node that satisfies at least one of the input pod CPU and memory limits. The intent is to break ties between nodes with the same score.

RotateKubeletClientCertificate

Enables the rotation of the client TLS certificate on the cluster.

RotateKubeletServerCertificate

Enables the rotation of the server TLS certificate on the cluster.

RunAsGroup

Enables control over the primary group ID set on the init processes of containers.

ScheduleDaemonSetPods

Enables DaemonSet pods to be scheduled by the default scheduler instead of the DaemonSet controller.

ServiceNodeExclusion

Enables the exclusion of nodes from load balancers created by a cloud provider.

StorageObjectInUseProtection

Enables postponing the deletion of persistent volume or persistent volume claim objects if they are still being used.

StreamingProxyRedirects

Instructs the API server to intercept and follow redirects from the backend kubelet for streaming requests.

SupportIPVSProxyMode

Enables providing in-cluster service load balancing using IP virtual servers.

SupportPodPidsLimit

Enables support for limiting the number of processes (PIDs) running in a pod.

TaintBasedEvictions

Enables evicting pods from nodes based on taints on nodes and tolerations on pods.

TaintNodesByCondition

Enables automatic tainting of nodes based on node conditions.

TokenRequest

Enables the TokenRequest endpoint on service account resources.

VolumeScheduling

Enables volume-topology-aware scheduling and makes the persistent volume claim (PVC) binding aware of scheduling decisions. It also enables the usage of local volume types when used together with the PersistentLocalVolumes feature gate.


© 2024 Red Hat, Inc.