update RBAC file #3
Comments
Looking through the code I think it only needs CSIDriver create and delete permissions.
cc @gnufied who is working on testing this in our e2es
Michelle Au <notifications@github.com> writes:
> cc @gnufied who is working on testing this in our e2es

@gnufied: please make sure that the RBAC file in Kubernetes E2E stays in
sync with the one here.
I have a PR pending (kubernetes/kubernetes#71703) which pulls yaml
files via URLs, but that can only work when the right file content is
really available elsewhere.
/assign
@gnufied: GitHub didn't allow me to assign the following users: gnufied. Note that only kubernetes-csi members and repo collaborators can be assigned. In response to this:
The current RBAC definitions don't include permissions to create the CSIDriver CRD which are created on startup:
At the moment, the cluster-driver-registrar exits with
From the current CSI documentation, it is unclear to me who the responsible party for creating the CRDs is. The HostPath example mentions that the CRDs need to be created manually by a kubernetes administrator.
@ferdinandhuebner good catch, our intention is that the CRDs have to be created by the deployment tool or an administrator beforehand. @saad-ali wdyt of the sidecar trying to install the CRD?
Discussed a bit with @saad-ali wrt sidecar installing the CRD. We need to think through potential version skew issues, if we add new fields to the CRD and want to update the CRD definition. Also we should be consistent with whatever we do for CSINodeInfo too. Right now, we're leaning towards not having the sidecar install the CRD.
check subtree for changes
…r needs more permissions His comment: cluster-driver-registrar currently needs permissions to create the CSIDriver CRD see kubernetes-csi/cluster-driver-registrar#3
The v1.0.1 release was tagged without fixing the RBAC rules contained in that release. We should prepare a release v1.1.0 which no longer installs the CRD and has correct RBAC rules. @msau42 The master branch has that fixed and looks like it could be turned into v1.1.0.
There are other big changes coming to cluster driver registrar soon, namely that the crd is going to be replaced by an intree beta object. Do you think it's worth it to have a 1.1, or move straight to a 2.0? The crds were technically alpha so should we consider breaking them to warrant a major version bump?
Michelle Au <notifications@github.com> writes:
> There are other big changes coming to cluster driver registrar soon,
> namely that the crd is going to be replaced by an intree beta
> object. Do you think it's worth it to have a 1.1, or move straight to
> a 2.0? The crds were technically alpha so should we consider breaking
> them to warrant a major version bump?

Right now there is no "good" release that works on Kubernetes
1.13. V1.0.1 works but has the broken RBAC file. I guess we could fix
this with an updated release note where we quote the correct RBAC rules.
A v2.0 won't work on Kubernetes 1.13.
I would prefer to tag v1.1.0 on master before replacing the CRDs. If you
set a v1.1.0-rc1, then I can do some testing with it.
How about cherry picking #19 to release 1.0 and cut a new 1.0.x?
Michelle Au <notifications@github.com> writes:
> How about cherry picking #19 to release 1.0 and cut a new 1.0.x?

As there's no code change in that case, I think it's enough to add a
note to the 1.0.1 release note with the errata - basically just a link
to the PR and the resulting revision of the RBAC file.
Remember that the release process in 1.0.x is still manual, so it would
be more work to do a new release there compared to master.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@fejta-bot: Closing this issue. In response to this:
The RBAC file was copied unmodified from driver-registrar. Is it still correct?
The introduction still refers to "external provisioner" (was already broken when creating that file initially for driver-registrar).