[v14] Relax Kubernetes CRD discovery when building cache #36227

Merged
merged 1 commit into from Jan 3, 2024

@tigrato tigrato commented Jan 3, 2024

Backport #36214 to branch/v14

changelog: Safeguard against the disruption of cluster access caused by incorrect Kubernetes APIService configurations.

Teleport Kubernetes Service has a monitor that constantly watches the
Resources registered in the Kubernetes Cluster via API Discovery. The
goal is to keep an up-to-date representation of all resources existing
in the cluster in order to be able to register them for Teleport
per-Resource RBAC.

Having an up-to-date representation allows us to unmarshal the API
responses and filter them when the custom resources are local.

When the Kubernetes APIs are registered using non-local services - i.e.
the API is served by a POD running within the cluster like metrics API -
and those services aren't healthy - i.e. pod not running, invalid
selector, cluster has no nodes - the discovery watcher returns an error
and fails. This is an improper configuration but seems to be a common
problem.

This PR relaxes the discovery mechanism and doesn't enforce that all
APIs return their resources if they aren't currently available.

When the `client.Discovery().ServerGroupsAndResources()` returns a
`*discovery.ErrGroupDiscoveryFailed`, it also returns the partial
results that we will use for registration.

Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
@tigrato tigrato enabled auto-merge January 3, 2024 14:59
@tigrato tigrato added this pull request to the merge queue Jan 3, 2024
Merged via the queue into branch/v14 with commit 53b8730 Jan 3, 2024
26 checks passed
@tigrato tigrato deleted the bot/backport-36214-branch/v14 branch January 3, 2024 15:34
@camscale camscale mentioned this pull request Jan 10, 2024
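
The tolerant discovery described in the PR body, as an added example that is not Teleport's code: partial results are kept when only some API groups fail, the failed groups are reported so they can be logged, and any other error stays fatal. `groupDiscoveryFailed`, `buildCache` and `constructedDiscovery` are hypothetical names; the error type is a local stand-in for client-go's `*discovery.ErrGroupDiscoveryFailed` so the block runs with the standard library only.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// groupDiscoveryFailed is a local stand-in (assumption) for client-go's
// *discovery.ErrGroupDiscoveryFailed: it names the API groups that failed.
type groupDiscoveryFailed struct{ Groups map[string]error }

func (e *groupDiscoveryFailed) Error() string {
	return fmt.Sprintf("unable to retrieve %d API group(s)", len(e.Groups))
}

// buildCache takes a simplified stand-in for ServerGroupsAndResources() that
// returns groupVersion -> kinds. Partial failures keep the partial results and
// report the skipped groups; any other discovery error is still fatal.
func buildCache(discover func() (map[string][]string, error)) (map[string]bool, []string, error) {
	found, err := discover()
	var skipped []string
	var partial *groupDiscoveryFailed
	if errors.As(err, &partial) {
		for g := range partial.Groups {
			skipped = append(skipped, g)
		}
		sort.Strings(skipped)
	} else if err != nil {
		return nil, nil, fmt.Errorf("discovery failed: %w", err)
	}
	cache := make(map[string]bool)
	for gv, kinds := range found {
		for _, k := range kinds {
			cache[gv+"/"+k] = true
		}
	}
	return cache, skipped, nil
}

// constructedDiscovery is constructed data: the metrics APIService backend is unhealthy.
func constructedDiscovery() (map[string][]string, error) {
	found := map[string][]string{"v1": {"Pod", "Secret"}, "apps/v1": {"Deployment"}}
	failed := map[string]error{"metrics.k8s.io/v1beta1": errors.New("service unavailable")}
	return found, &groupDiscoveryFailed{Groups: failed}
}

func main() {
	cache, skipped, err := buildCache(constructedDiscovery)
	fmt.Println(len(cache), skipped, err)
}
```

Resources served by a skipped group are absent from the cache until a later discovery pass succeeds, so the returned list of skipped groups is worth surfacing in logs.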