KEP-2133: kubelet credential provider plugins #2151
163b349 to 17cee38
/assign @cheftako @liggitt @derekwaynecarr
17cee38 to 45c67ca
Thanks for updating this as requested for your 1.20 Exception Request!
A few nits, looks good overall for alpha.
@@ -20,7 +20,7 @@ approvers: | |||
editor: TBD | |||
creation-date: 2019-10-04 | |||
last-updated: 2019-12-10 | |||
status: implementable | |||
status: replaced |
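Review bot: `last-updated` in the context lines still reads 2019-12-10 even though the status line changes in this hunk; bump the date together with the status change so the metadata reflects when the KEP was marked `replaced`.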
point at the replacement?
|
||
### Upgrade / Downgrade Strategy | ||
|
||
This feature is feature gated so explicit opt-in is required on upgrade and explcit opt-out is required on downgrade. |
This feature is feature gated so explicit opt-in is required on upgrade and explcit opt-out is required on downgrade. | |
This feature is feature gated so explicit opt-in is required on upgrade and explicit opt-out is required on downgrade. |
Yes, but not from kubelet directly. The plugin invoked by the kubelet may be responsible | ||
for making new requests to the cloud provider. |
I would say no here. The feature does not make calls to a cloud provider, and different plugin implementations may or may not.
|
||
* **How does this feature react if the API server and/or etcd is unavailable?** | ||
|
||
TBD for beta. |
this feature has no dependencies on the API server or etcd
# The following PRR answers are required at beta release | ||
metrics: | ||
- my_feature_metric |
comment out until populated
- [ ] (R) Test plan is in place, giving consideration to SIG Architecture and SIG Testing input | ||
- [ ] (R) Graduation criteria is in place |
these are in place for alpha
45c67ca to c0bd3fd
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>
c0bd3fd to e882a17
looks good for sig-node and captures present state. /lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: andrewsykim, derekwaynecarr
|
||
* in contrast to existing built-in implementations, credentials for a image registry is now passed | ||
through stdio of a process invoked by the kubelet, as opposed to those credentials only remaining in-memory. | ||
* exec-ing plugins for image credentials can be expensive for the kubelet. |
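Review bot: The first risk bullet has agreement errors: "credentials for a image registry is now passed" should read "credentials for an image registry are now passed". Both bullets also name a risk without a mitigation in the visible lines; consider stating one for each, such as how exposure of credentials passed over stdio is bounded and how the cost of exec-ing plugins is limited.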
Might this be an appropriate place to mention the strategy that the current implementation takes of timing out plugins after 1 minute to prevent plugin processes from becoming too long-lived? LGTM otherwise, I think.
Good catch! Will make sure to include that for the v1.21 beta update of this KEP :)
Signed-off-by: Andrew Sy Kim <kim.andrewsy@gmail.com>