Add a KEP for Node-Scoped Daemonset #944
Conversation
Hi @haiyanmeng. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: haiyanmeng. If they are not already assigned, you can assign the PR to them by writing The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/cc @tallclair
Force-pushed from ece3332 to 5512312
/ok-to-test
/cc @janetkuo
/sig apps
Thanks @haiyanmeng ! Awesome job for your first ever KEP. Looking forward to discussing at next sig-auth
    node-scoped info into the Extra field of user.DefaultInfo;
    * NodeRestriction gets the pod info and the node-scoped info from the Extra
      field of user.DefaultInfo through GetExtra; using the pod info,
      NodeRestriction can get the node information of P1 by checking
I thought it could just fetch it directly from the graph?
Do you mean the resource graph used in NodeAuthorizer?
Since NodeRestriction can inspect the request objects, there is no need to check the resource graph.
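The mechanism the quoted KEP excerpt sketches (node-scoped info carried in the Extra field of the caller's user info, and NodeRestriction comparing it against the node of the pod named in the request) as an added Go example that is neither the KEP's nor Kubernetes' code: UserInfo and DefaultInfo are local stand-ins for user.Info and user.DefaultInfo so it runs without the apiserver dependency, and the Extra key name, the PodRequest type and the handling of callers without node-scoped info are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// UserInfo copies the two accessors this check needs from the Kubernetes
// user.Info interface (k8s.io/apiserver/pkg/authentication/user); it is a
// stand-in so the example runs without the dependency.
type UserInfo interface {
	GetName() string
	GetExtra() map[string][]string
}

// DefaultInfo is a stand-in for user.DefaultInfo.
type DefaultInfo struct {
	Name  string
	Extra map[string][]string
}

func (d DefaultInfo) GetName() string               { return d.Name }
func (d DefaultInfo) GetExtra() map[string][]string { return d.Extra }

// ExtraNodeScopeKey is a hypothetical Extra key; the KEP text on this page
// does not fix a name for it.
const ExtraNodeScopeKey = "example.k8s.io/node-scope"

// PodRequest is the subset of an admission request the check reads:
// the pod being acted on and the node it is scheduled to (hypothetical type).
type PodRequest struct {
	PodName  string
	NodeName string
}

// ErrNodeScope wraps every rejection so callers can match it with errors.Is.
var ErrNodeScope = errors.New("request outside node scope")

// CheckNodeScope models the NodeRestriction step from the excerpt: read the
// node-scoped info through GetExtra, read the target node from the pod in the
// request, and reject when they differ. A caller carrying no node-scoped info
// is not constrained by this check (assumption; the plugin's other rules
// would still apply to it).
func CheckNodeScope(u UserInfo, req PodRequest) error {
	scopes := u.GetExtra()[ExtraNodeScopeKey]
	if len(scopes) == 0 {
		return nil
	}
	// Exactly one node per identity: several values would make the scope
	// ambiguous, so reject rather than pick one.
	if len(scopes) != 1 {
		return fmt.Errorf("%w: %s carries %d node scopes", ErrNodeScope, u.GetName(), len(scopes))
	}
	// An unscheduled pod has no node, so a node-scoped caller cannot own it.
	if req.NodeName == "" {
		return fmt.Errorf("%w: pod %s is not scheduled", ErrNodeScope, req.PodName)
	}
	if req.NodeName != scopes[0] {
		return fmt.Errorf("%w: %s is scoped to %s but pod %s is on %s",
			ErrNodeScope, u.GetName(), scopes[0], req.PodName, req.NodeName)
	}
	return nil
}

func main() {
	// Constructed sample identity: a DaemonSet pod's service account scoped to node-a.
	ds := DefaultInfo{
		Name:  "system:serviceaccount:kube-system:node-agent",
		Extra: map[string][]string{ExtraNodeScopeKey: {"node-a"}},
	}
	for _, req := range []PodRequest{
		{PodName: "p1", NodeName: "node-a"},
		{PodName: "p2", NodeName: "node-b"},
		{PodName: "p3", NodeName: ""},
	} {
		if err := CheckNodeScope(ds, req); err != nil {
			fmt.Println("deny:", err)
		} else {
			fmt.Println("allow:", req.PodName)
		}
	}
}
```

The check never consults an authorizer graph; as the reply above says, everything it needs is in the request object and the caller's user info, which is what keeps the decision local to admission.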
Force-pushed from 6033312 to 4fd0cb4
Force-pushed from 097bff5 to 4bb5285
Notes from 2019-04-17 sig-auth:
Anything else I missed?
Force-pushed from f97c3c7 to b2b3cc7
Signed-off-by: Haiyan Meng <haiyanmeng@google.com>
Force-pushed from b2b3cc7 to 1e78956
Based on the feedback from last week's sig-auth meeting, I updated the KEP. The main changes are:
Please let me know if you have any suggestions.

    Node-scoped info can be defined in two places:

    * Option 1: in
I am still trying to grasp all of the pieces here, but adding a new field to SA seems wrong to me. Could this be handled via the token request API?
    ### The Origin of Node-Scoped Resource Spec

    Node-scoped info can be defined in two places:
Both these options feel like authorization bleeding out of authorization. We unfortunately do this in various places already but it hurts our ability to build authorization features, e.g. can-i explain, delegated authz.
As discussed in the sig-auth meeting, the short-term plan to achieve node-scoped daemonsets is to run daemonsets with kubelet credentials, while we work on a long term plan, which will avoid tangling authorizers together and may conditionalize authorization.
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
Rotten issues close after 30d of inactivity. Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@haiyanmeng May I ask if we'd like to use Node-Scoped Daemonset. What's the recommended way? Still with kubelet credentials?
This KEP describes a mechanism restricting a DaemonSet pod to only managing the resources that reside on the same node as the DaemonSet pod.
Tracking issue: the 4.c part of kubernetes/kubernetes#62747