Chapter 44. Disabling Features Using Feature Gates
As an administrator, you can turn off specific features for specific nodes or for the entire platform using feature gates.
For example, you can turn off new features for production clusters while leaving the features on for test clusters where you can fully test them.
If you disable a feature that appears in the web console, you might see that feature, but no objects are listed. If you attempt to use commands associated with a disabled feature, OpenShift Container Platform displays an error.
If you disable a feature that any application in the cluster relies on, the application might not function properly, depending upon the feature disabled and how the application uses that feature.
Feature gates use a key=value pair, set in the master configuration file (/etc/origin/master/master-config.yaml) and the node configuration files, that describes the feature you want to block.
To modify the node configuration files, update the node configuration maps as needed. Do not manually edit the node-config.yaml file.
For example, the following code turns off the Huge Pages feature:
```yaml
kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - HugePages=false
  ...
  controllerArguments:
    feature-gates:
    - HugePages=false
```
Specify multiple feature gates in one, comma-delimited line:
```yaml
kubeletArguments:
  feature-gates:
  - RotateKubeletClientCertificate=true,RotateKubeletServerCertificate=true,ExpandPersistentVolumes=true,HugePages=false
```
44.1. Disabling Features for a Cluster
To turn off a feature for the entire cluster, edit the master configuration file, by default /etc/origin/master/master-config.yaml:
For the feature you want to turn off, enter <feature_name>=false under apiServerArguments and controllerArguments. For example:
```yaml
kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - HugePages=false
  controllerArguments:
    feature-gates:
    - HugePages=false
```
Specify multiple feature gates in one, comma-delimited line:
```yaml
kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - RotateKubeletClientCertificate=false,RotateKubeletServerCertificate=false,ExpandPersistentVolumes=true,HugePages=false
  controllerArguments:
    feature-gates:
    - RotateKubeletClientCertificate=false,RotateKubeletServerCertificate=false,ExpandPersistentVolumes=true,HugePages=false
```
Restart the OpenShift Container Platform master service to apply the changes.
```
# master-restart api
# master-restart controllers
```
To re-enable a disabled feature, edit the master configuration files to remove the <feature_name>=false and restart the master services.
44.2. Disabling Features for a Node
To turn off a feature for the node host, edit the appropriate node configuration map:
To modify the node configuration files, update the node configuration maps as needed. Do not manually edit the node-config.yaml file.
For the feature you want to turn off, enter <feature_name>=false under kubeletArguments. For example:
```yaml
kubeletArguments:
  feature-gates:
  - HugePages=false
```
Specify multiple feature gates in one, comma-delimited line:
```yaml
kubeletArguments:
  feature-gates:
  - RotateKubeletClientCertificate=false,RotateKubeletServerCertificate=false,ExpandPersistentVolumes=true,HugePages=false
```
Restart the OpenShift Container Platform service for the changes to take effect:
```
# systemctl restart atomic-openshift-node.service
```
To re-enable a disabled feature, edit the node configuration files to remove the <feature_name>=false and restart the node services.
To modify the node configuration files, update the node configuration maps as needed. Do not manually edit the node-config.yaml file.
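The following added example (not part of the original documentation) parses the feature-gates lists described in sections 44.1 and 44.2 and reports two things worth checking before a restart: gates set differently under apiServerArguments and controllerArguments, and disabled gates that appear on a review list. The parser handles only the layout shown in this chapter; the review list and the names parse_feature_gates, audit and SAMPLE_MASTER are assumptions of the example.

```python
# Assumption: which gates deserve review when disabled is this example's choice.
REVIEW_IF_DISABLED = {"AdvancedAuditing", "AppArmor", "RotateKubeletClientCertificate",
                      "RotateKubeletServerCertificate"}
SECTIONS = ("apiServerArguments", "controllerArguments", "kubeletArguments")

# Constructed sample: HugePages is disabled for the API server only.
SAMPLE_MASTER = """\
kubernetesMasterConfig:
  apiServerArguments:
    feature-gates:
    - RotateKubeletClientCertificate=false,ExpandPersistentVolumes=true,HugePages=false
  controllerArguments:
    feature-gates:
    - RotateKubeletClientCertificate=false,ExpandPersistentVolumes=true
"""

def parse_feature_gates(text):
    """Return {section: {gate: bool}} for each *Arguments section found."""
    gates, section, sec_indent, in_list = {}, None, -1, False
    for line in text.splitlines():
        body = line.strip()
        if not body or body.startswith("#"):
            continue
        if body.startswith("- "):          # list item: only read under feature-gates
            if in_list:
                for pair in body[2:].split(","):
                    name, _, value = pair.strip().partition("=")
                    gates[section][name] = value.strip().lower() == "true"
            continue
        indent, key = len(line) - len(line.lstrip()), body.split(":", 1)[0]
        in_list = False
        if key in SECTIONS:
            section, sec_indent = key, indent
            gates.setdefault(section, {})
        elif indent <= sec_indent:         # left the current section
            section = None
        elif key == "feature-gates" and section:
            in_list = True
    return gates

def audit(text):
    """Report API/controller drift and review-list gates that are disabled."""
    gates = parse_feature_gates(text)
    api, ctl = gates.get("apiServerArguments", {}), gates.get("controllerArguments", {})
    findings = [f"drift: {n} api={api.get(n)} controllers={ctl.get(n)}"
                for n in sorted(set(api) | set(ctl)) if api.get(n) != ctl.get(n)]
    findings += [f"review: {n}=false under {s}" for s, v in gates.items()
                 for n in sorted(v) if n in REVIEW_IF_DISABLED and not v[n]]
    return findings
```

Calling audit(SAMPLE_MASTER) returns one drift finding for HugePages and one review finding per section for RotateKubeletClientCertificate.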
44.2.1. List of Feature Gates
Use the following list to determine the name of the feature you want to disable:
Feature gate | Description |
---|---|
Accelerators | Enables Nvidia GPU support when using Docker. |
AdvancedAuditing | Enables Advanced Audit. |
APIListChunking | Enables the API clients to retrieve LIST or GET resources from the API server in chunks. |
APIResponseCompression | Enables the compression of API responses for LIST or GET requests. |
AppArmor | Enables AppArmor-based mandatory access control on Linux nodes when using Docker. For more information, see the Kubernetes AppArmor documentation. |
BlockVolume | Enables the definition and consumption of raw block devices in pods. For more information, see the Kubernetes Raw Block Volume Support. |
CPUManager | Enables container-level CPU affinity support. For more information, see Using CPU Manager. |
CRIContainerLogRotation | Enables container log rotation for the CRI container runtime. |
CSIPersistentVolume | Enables discovering and mounting volumes provisioned through a CSI (Container Storage Interface) compatible volume plugin. For more information, see the CSI Volume Plugins in Kubernetes Design Documentation. |
CustomPodDNS | Enables customizing the DNS settings for a pod using the dnsConfig property. |
CustomResourceSubresources | Enables /status and /scale subresources on resources created from CustomResourceDefinition. See Extending the Kubernetes API with Custom Resources. |
CustomResourceValidation | Enables schema-based validation on resources created from a custom resource definition. For more information, see Extending the Kubernetes API with Custom Resources. |
DebugContainers | Enables running a debugging container in a pod namespace to troubleshoot a running Pod. |
DevicePlugins | Enables device plug-in-based resource provisioning on nodes. |
DynamicKubeletConfig | Enables the dynamic configuration in a cluster. |
DynamicVolumeProvisioning (deprecated) | Enables the dynamic provisioning of persistent volumes to pods. |
EnableEquivalenceClassCache | Enables the scheduler to cache equivalence of nodes when scheduling Pods. |
ExperimentalCriticalPodAnnotation | Enables annotating specific pods as critical so that their scheduling is guaranteed. |
ExperimentalHostUserNamespaceDefaultingGate | Enables the disabling of user namespaces. This is for containers that are using other host projects, host mounts, or containers that are privileged or using specific non-project capabilities, such as MKNODE, SYS_MODULE, and so forth. This should only be enabled if user project remapping is enabled in the Docker daemon. |
GCERegionalPersistentDisk | Enables the GCE Persistent Disk feature. |
HugePages | Enables the allocation and consumption of pre-allocated huge pages. |
HyperVContainer | Enables Hyper-V isolation for Windows containers. |
Initializers | Enables the dynamic admission control as an extension to the built-in admission controllers. |
LocalStorageCapacityIsolation | Enables the consumption of local ephemeral storage and the |
MountContainers | Enables using utility containers on the host as the volume mount. |
MountPropagation | Enables sharing a volume mounted by one container to other containers or pods. |
PersistentLocalVolumes | Enables the usage of local volume pods. Pod affinity has to be specified if requesting a local volume. |
PodPriority | Enables the descheduling and preemption of pods based on their priorities. |
ReadOnlyAPIDataVolumes | Sets secrets, ConfigMap, DownwardAPI, and projected volumes to be mounted in read-only mode. |
ResourceLimitsPriorityFunction | Enables a scheduler priority function that assigns a lowest possible score of |
RotateKubeletClientCertificate | Enables the rotation of the client TLS certificate on the cluster. |
RotateKubeletServerCertificate | Enables the rotation of the server TLS certificate on the cluster. |
RunAsGroup | Enables control over the primary group ID set on the init processes of containers. |
ScheduleDaemonSetPods | Enables DaemonSet pods to be scheduled by the default scheduler instead of the DaemonSet controller. |
ServiceNodeExclusion | Enables the exclusion of nodes from load balancers created by a cloud provider. |
StorageObjectInUseProtection | Enables postponing the deletion of persistent volume or persistent volume claim objects if they are still being used. |
StreamingProxyRedirects | Instructs the API server to intercept and follow redirects from the backend kubelet for streaming requests. |
SupportIPVSProxyMode | Enables providing in-cluster service load balancing using IP virtual servers. |
SupportPodPidsLimit | Enables support for limiting the number of processes (PIDs) running in a pod. |
TaintBasedEvictions | Enables evicting pods from nodes based on taints on nodes and tolerations on pods. |
TaintNodesByCondition | Enables automatic tainting of nodes based on node conditions. |
TokenRequest | Enables the TokenRequest endpoint on service account resources. |
VolumeScheduling | Enables volume-topology-aware scheduling and makes the persistent volume claim (PVC) binding aware of scheduling decisions. It also enables the usage of local volume types when used together with the PersistentLocalVolumes feature gate. |