@@ -390,6 +390,12 @@ func validateUserKubeletConfig(cfg *mcfgv1.KubeletConfig) error {
390390 cfg .Spec .AutoSizingReserved != nil && * cfg .Spec .AutoSizingReserved {
391391 return fmt .Errorf ("KubeletConfiguration: autoSizingReserved and systemdReserved cannot be set together" )
392392 }
393+ // Validate that systemReservedCgroup matches systemCgroups if both are set
394+ if kcDecoded .SystemReservedCgroup != "" && kcDecoded .SystemCgroups != "" {
395+ if kcDecoded .SystemReservedCgroup != kcDecoded .SystemCgroups {
396+ return fmt .Errorf ("KubeletConfiguration: systemReservedCgroup (%s) must match systemCgroups (%s)" , kcDecoded .SystemReservedCgroup , kcDecoded .SystemCgroups )
397+ }
398+ }
393399 return nil
394400}
395401
@@ -460,7 +466,7 @@ func kubeletConfigToIgnFile(cfg *kubeletconfigv1beta1.KubeletConfiguration) (*ig
460466}
461467
462468// generateKubeletIgnFiles generates the Ignition files from the kubelet config
463- func generateKubeletIgnFiles (kubeletConfig * mcfgv1.KubeletConfig , originalKubeConfig * kubeletconfigv1beta1.KubeletConfiguration ) (* ign3types.File , * ign3types.File , * ign3types.File , error ) {
469+ func generateKubeletIgnFiles (kubeletConfig * mcfgv1.KubeletConfig , originalKubeConfig * kubeletconfigv1beta1.KubeletConfiguration , role string , mcClient mcfgclientset. Interface ) (* ign3types.File , * ign3types.File , * ign3types.File , error ) {
464470 var (
465471 kubeletIgnition * ign3types.File
466472 logLevelIgnition * ign3types.File
@@ -508,6 +514,35 @@ func generateKubeletIgnFiles(kubeletConfig *mcfgv1.KubeletConfig, originalKubeCo
508514 }
509515 }
510516
517+ // Handle systemReservedCgroup and enforceNodeAllocatable based on:
518+ // 1. Presence of "50-{role}-system-compressible-disabled" MachineConfig (upgrade from 4.20)
519+ // 2. OR reservedSystemCPUs being set (incompatible with systemReservedCgroup)
520+ shouldDisableSystemReservedCgroup := false
521+
522+ // Check if the upgrade marker MachineConfig exists (only when mcClient is available, not during bootstrap)
523+ if mcClient != nil {
524+ compressibleDisabledMCName := fmt .Sprintf ("50-%s-system-compressible-disabled" , role )
525+ _ , mcErr := mcClient .MachineconfigurationV1 ().MachineConfigs ().Get (context .TODO (), compressibleDisabledMCName , metav1.GetOptions {})
526+ if mcErr == nil {
527+ // MachineConfig exists, this is an upgrade from 4.20
528+ shouldDisableSystemReservedCgroup = true
529+ klog .Infof ("Found MachineConfig %s, disabling systemReservedCgroup enforcement" , compressibleDisabledMCName )
530+ }
531+ }
532+
533+ // Check if reservedSystemCPUs is set (incompatible with systemReservedCgroup)
534+ if originalKubeConfig .ReservedSystemCPUs != "" {
535+ shouldDisableSystemReservedCgroup = true
536+ klog .Infof ("reservedSystemCPUs is set to %s, disabling systemReservedCgroup enforcement" , originalKubeConfig .ReservedSystemCPUs )
537+ }
538+
539+ if shouldDisableSystemReservedCgroup {
540+ // Clear systemReservedCgroup
541+ originalKubeConfig .SystemReservedCgroup = ""
542+ // Set enforceNodeAllocatable to only pods
543+ originalKubeConfig .EnforceNodeAllocatable = []string {"pods" }
544+ }
545+
511546 // Encode the new config into an Ignition File
512547 kubeletIgnition , err := kubeletConfigToIgnFile (originalKubeConfig )
513548 if err != nil {
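Review bot: The marker lookup at new lines 523–531 handles only `mcErr == nil`, so every failure of `Get` is treated as "marker MachineConfig absent". A timeout, a forbidden response or any other API error therefore leaves `shouldDisableSystemReservedCgroup` false (unless `reservedSystemCPUs` is set) and renders the kubelet config with `systemReservedCgroup` still enforced, with nothing logged. Only a NotFound result should mean the marker is missing; other errors should abort the render, e.g. `} else if !apierrors.IsNotFound(mcErr) { return nil, nil, nil, fmt.Errorf("getting MachineConfig %s: %w", compressibleDisabledMCName, mcErr) }`, assuming `k8s.io/apimachinery/pkg/api/errors` is available as `apierrors` in this file. Separately, lines 539–544 overwrite `EnforceNodeAllocatable` on the caller's `originalKubeConfig` with `[]string{"pods"}`, discarding any other entries a user supplied; if that is intended, a comment saying so would help. The body of generateKubeletIgnFiles starts and ends outside this hunk.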