Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create Google Container Registry if specified #153

Closed
wants to merge 1 commit into from
Closed

Create Google Container Registry if specified #153

wants to merge 1 commit into from

Conversation

felipecruz91
Copy link

Refers to #144

@felipecruz91
Copy link
Author

@pst I'd like to run some kind of integration test to verify the worker nodes of the GKE cluster have permissions to pull images from the registry. Do you have any documentation on how to approach creating this kind of tests in kubestack?

@pst
Copy link
Member

pst commented Dec 7, 2020

I don't see a declarative way to do this. You can do it imperatively in the CI/CD pipeline. Create a job, check the job, delete the job. Alternatively, probably better but also more effort, have a container that checks periodically, or maybe in a cron job and integrate it into your monitoring. I would argue though, that you may be overthinking this. Why do you expect people to remove the Terraform code that gives access and then nobody raising this during the peer and plan review step?

@pst
Copy link
Member

pst commented Dec 7, 2020

When I commented earlier today, I missed the fact that this is a PR, accidentally took it for an issue only. Thanks for your contribution.

However, I am committed to keep the implementations for the three providers as similar as possible. So only creating the registry for GKE is not an option. And again just creating a registry by default may not necessarily work for the majority of teams.

Most teams I met start with containerizing their applications. So they usually have a registry already and it's more about allowing the K8s clusters to pull from that registry. If it's a Google container registry giving the nodes read-only permissions is an option, but not necessarily the best in every case. Maybe a K8s service account with a dockerconfigjson secret attached or potentially workload identities (related: #65) may be the better way forward as a default, because then the permissions are not shared across all workloads due to being assigned to the host identity.

I hope you understand my concerns of merging this due to the uncertainty if it is a good default for many teams and also the uncertainty how this would be handled with the two other providers.

@felipecruz91
Copy link
Author

Thanks for your valuable input! I understand then it wouldn't make sense at this point to integrate it if it's something that you've already seen not really necessary for customers using Kubestack. I totally respect your decision so I'll be closing it.

@felipecruz91 felipecruz91 deleted the feature/gcr-pull-permissions branch December 7, 2020 12:23
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@felipecruz91 @pst