그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그 그
4 minute read
ManagedSeeds: Register Shoot as Seed
An existing shoot can be registered as a seed by creating a ManagedSeed resource. This resource contains:
- The name of the shoot that should be registered as seed.
- A
gardenletsection that contains:gardenletdeployment parameters, such as the number of replicas, the image, etc.- The
GardenletConfigurationresource that contains controllers configuration, feature gates, and aseedConfigsection that contains theSeedspec and parts of its metadata. - Additional configuration parameters, such as the garden connection bootstrap mechanism (see TLS Bootstrapping), and whether to merge the provided configuration with the configuration of the parent
gardenlet.
gardenlet is deployed to the shoot, and it registers a new seed upon startup based on the seedConfig section.
Note: Earlier Gardener allowed specifying a
seedTemplatedirectly in theManagedSeedresource. This feature is discontinued, any seed configuration must be via theGardenletConfiguration.
Note the following important aspects:
- Unlike the
Seedresource, theManagedSeedresource is namespaced. Currently, managed seeds are restricted to thegardennamespace. - The newly created
Seedresource always has the same name as theManagedSeedresource. Attempting to specify a different name in theseedConfigwill fail. - The
ManagedSeedresource must always refer to an existing shoot. Attempting to create aManagedSeedreferring to a non-existing shoot will fail. - A shoot that is being referred to by a
ManagedSeedcannot be deleted. Attempting to delete such a shoot will fail. - You can omit practically everything from the
gardenletsection, including all or most of theSeedspec fields. Proper defaults will be supplied in all cases, based either on the most common use cases or the information already available in theShootresource. - Also, if your seed is configured to host HA shoot control planes, then
gardenletwill be deployed with multiple replicas across nodes or availability zones by default. - Some
Seedspec fields, for example the provider type and region, networking CIDRs for pods, services, and nodes, etc., must be the same as the correspondingShootspec fields of the shoot that is being registered as seed. Attempting to use different values (except empty ones, so that they are supplied by the defaulting mechanims) will fail.
Deploying gardenlet to the Shoot
To register a shoot as a seed and deploy gardenlet to the shoot using a default configuration, create a ManagedSeed resource similar to the following:
apiVersion: seedmanagement.gardener.cloud/v1alpha1
kind: ManagedSeed
metadata:
name: my-managed-seed
namespace: garden
spec:
shoot:
name: crazy-botany
For an example that uses non-default configuration, see 55-managed-seed-gardenlet.yaml
Renewing the Gardenlet Kubeconfig Secret
In order to make the ManagedSeed controller renew the gardenlet’s kubeconfig secret, annotate the ManagedSeed with gardener.cloud/operation=renew-kubeconfig. This will trigger a reconciliation during which the kubeconfig secret is deleted and the bootstrapping is performed again (during which gardenlet obtains a new client certificate).
It is also possible to trigger the renewal on the secret directly, see Rotate Certificates Using Bootstrap kubeconfig.
Specifying apiServer replicas and autoscaler Options
There are few configuration options that are not supported in a Shoot resource but due to backward compatibility reasons it is possible to specify them for a Shoot that is referred by a ManagedSeed. These options are:
| Option | Description |
|---|---|
apiServer.autoscaler.minReplicas | Controls the minimum number of kube-apiserver replicas for the shoot registered as seed cluster. |
apiServer.autoscaler.maxReplicas | Controls the maximum number of kube-apiserver replicas for the shoot registered as seed cluster. |
apiServer.replicas | Controls how many kube-apiserver replicas the shoot registered as seed cluster gets by default. |
It is possible to specify these options via the shoot.gardener.cloud/managed-seed-api-server annotation on the Shoot resource. Example configuration:
annotations:
shoot.gardener.cloud/managed-seed-api-server: "apiServer.replicas=3,apiServer.autoscaler.minReplicas=3,apiServer.autoscaler.maxReplicas=6"
Enforced Configuration Options
The following configuration options are enforced by Gardener API server for the ManagedSeed resources:
The vertical pod autoscaler should be enabled from the Shoot specification.
The vertical pod autoscaler is a prerequisite for a Seed cluster. It is possible to enable the VPA feature for a Seed (using the Seed spec) and for a Shoot (using the Shoot spec). In context of
ManagedSeeds, enabling the VPA in the Seed spec (instead of the Shoot spec) offers less flexibility and increases the network transfer and cost. Due to these reasons, the Gardener API server enforces the vertical pod autoscaler to be enabled from the Shoot specification.The nginx-ingress addon should not be enabled for a Shoot referred by a ManagedSeed.
An Ingress controller is also a prerequisite for a Seed cluster. For a Seed cluster, it is possible to enable Gardener managed Ingress controller or to deploy self-managed Ingress controller. There is also the nginx-ingress addon that can be enabled for a Shoot (using the Shoot spec). However, the Shoot nginx-ingress addon is in deprecated mode and it is not recommended for production clusters. Due to these reasons, the Gardener API server does not allow the Shoot nginx-ingress addon to be enabled for ManagedSeeds.