Update kubeadm upgrade instructions

[lichao127]

This PR moves kubectl drain instructions before kubeadm upgrade plan and kubeadm upgrade apply, because the node must be cordoned before upgrading (not after)

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign natalisucks for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• content/en/OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[netlify]

✅ Pull request preview available for checking

Built without sensitive environment variables

Name	Link
🔨 Latest commit	3e49ea8
🔍 Latest deploy log	https://app.netlify.com/sites/kubernetes-io-main-staging/deploys/65b1f7bf175c6a0008bec42b
😎 Deploy Preview	https://deploy-preview-44891--kubernetes-io-main-staging.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify site configuration.

[T-Lakshmi]

Hi @lichao127,
Thank you for your contribution.

adds sudo before apt commands so that all commands can be performed by a user with sudo privilege

This change has already been implemented by PR #44832, which was opened before this. So, i recommend that you to remove the content related to adding sudo privilege.

[sftim]

/sig cluster-lifecycle

[neolit123]

This PR moves kubectl drain instructions before kubeadm plan, because the node must be cordoned before upgrading

can you elaborate why?

[neolit123]

/triage needs-information

[dipesh-rawat]

@lichao127 When you have some time, could you kindly review the reviewer's query and provide a response? Appreciate it!

[lichao127]

This PR moves kubectl drain instructions before kubeadm plan, because the node must be cordoned before upgrading

can you elaborate why?

The current version of doc has kubeadm upgrade plan and kubeadm upgrade apply instructions before draining the node. Draining should be done before kubeadm upgrade apply so that no pods can be scheduled during the upgrade.

[neolit123]

This PR moves kubectl drain instructions before kubeadm plan, because the node must be cordoned before upgrading

can you elaborate why?

The current version of doc has kubeadm upgrade plan and kubeadm upgrade apply instructions before draining the node. Draining should be done before kubeadm upgrade apply so that no pods can be scheduled during the upgrade.

kubeadm does not manage non static pods, only static pods and their mirror pods at the apiserver. draining is done before kubelet upgrade because the kubelet manages all other pods and also generally draining and cordon is a kubelet upgrade requirement.

[stmcginnis]

If anything, I would think we would want the cordon after kubeadm upgrade plan to minimize the maintenance window. Though if you have the capacity and want to give the most time for workloads to drain, you could even run cordon as the first step in the process. But it isn't strictly necessary until later.

But the current instructions should be fine. Upgrading the kubeadm upgrade apply portion should be non-disruptive. It's only when upgrading kubelet that there is a risk of disruption, from my understanding.

Maybe it should also be noted that upgrading containerd (or whatever container runtime you are using) should be done between that cordon and uncordon window.

[neolit123]

Maybe it should also be noted that upgrading containerd (or whatever container runtime you are using) should be done between that cordon and uncordon window.

this can be mentioned, yes

[lichao127]

attempting to gather the points so far:

• kubeadm upgrade plan should be done before draining, to minimize the maintenance window
• kubeadm upgrade apply can be performed without draining
  • question: in a one-node cluster, or when pods are tainted to run on control plane nodes, will this be different?
• upgrading containerd (or other runtime) should be done within the cordon and uncordon window. we could mention in this doc.

[neolit123]

question: in a one-node cluster, or when pods are tainted to run on control plane nodes, will this be different?

no, same steps.

[lichao127]

no, same steps.

In that case we should leave the draining step as-is.

This doc mentions the container runtime upgrade:

When upgrading Kubernetes, the kubelet tries to automatically select the latest CRI version on restart of the component.

It seems redundant to mention the cordon/uncordon for containerd upgrade here. Closing PR.