Support --admission-control-config-file option for kube-apiserver #5170

Open
lig opened this Issue May 17, 2018 · 9 comments

lig commented May 17, 2018

kops Version: 1.9.0 (git-cccd71e67)

Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.3", GitCommit:"d2835416544f298c919e2ead3be3d0864b52323b", GitTreeState:"clean", BuildDate:"2018-02-07T11:55:20Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

Cloud provider: aws

There is no way to provide the --admission-control-config-file option for the kube-apiserver at the moment. Thus, there is no way to provide advanced configuration for some admission controllers, e.g. PodNodeSelector.

According to the docs (https://kubernetes.io/docs/admin/admission-controllers/#podnodeselector), a config file for PodNodeSelector must be declared in an admission control config file provided via the --admission-control-config-file option.

The following spec fragment is the closest state to the desired configuration available in the current kops version.

spec:
  kubeAPIServer:
    admissionControl:
    - PodNodeSelector

deyceg commented Jul 13, 2018

+1, we're really keen on this. Happy to work on it if need be, although not too familiar with that area of the codebase.


deyceg commented Jul 13, 2018

@lig I think this is the relevant code:

	if b.IsKubernetesGTE("1.10") {
		// @note: note sure if this is the best place to put it, I could place into the validation.go which has the benefit of
		// fixing up the manifests itself, but that feels VERY hacky
		// @note: it's fine to use AdmissionControl here and it's not populated by the model, thus the only data could have come from the cluster spec
		c := b.Cluster.Spec.KubeAPIServer
		if len(c.AdmissionControl) > 0 {
			copy(c.EnableAdmissionPlugins, c.AdmissionControl)
			c.AdmissionControl = []string{}
		}
	}

Any reason why you couldn't just follow the existing convention for other flags, e.g. --cloud-config, and then supply the configuration via fileAssets?


ysaakpr commented Jul 26, 2018

This is a must-have; PodNodeSelector especially is very much needed for better production use of this system. What is the current way to hack this in a kops cluster?


deyceg commented Jul 26, 2018

@ysaakpr Use a validating/mutating admission webhook. That's what I'm doing at least, so it just ensures any deployments in a particular namespace get scheduled on a subset of nodes.
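
The webhook workaround mentioned in the comment above, sketched as an added example (not code from this thread or from kops): the decision core of a mutating admission webhook that applies PodNodeSelector-style rules, merging a namespace's required node labels into the pod and denying pods whose own nodeSelector conflicts. The policy map, the `team-a` namespace and the label names are constructed, and it assumes the webhook intercepts Pod creation and is handed the namespace and raw Pod JSON from the AdmissionReview request.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed policy: namespace -> node labels its pods must select.
var namespaceSelectors = map[string]map[string]string{
	"team-a": {"pool": "restricted"},
}

// patchOp is one RFC 6902 JSON Patch operation returned to the API server.
type patchOp struct {
	Op    string            `json:"op"`
	Path  string            `json:"path"`
	Value map[string]string `json:"value"`
}

// mutate returns (allowed, patch, error) for a Pod created in namespace.
func mutate(namespace string, rawPod []byte) (bool, []patchOp, error) {
	var pod struct {
		Spec struct {
			NodeSelector map[string]string `json:"nodeSelector"`
		} `json:"spec"`
	}
	if err := json.Unmarshal(rawPod, &pod); err != nil {
		return false, nil, err // malformed object: fail closed
	}
	want, ok := namespaceSelectors[namespace]
	if !ok {
		return true, nil, nil // namespace not governed by the policy
	}
	merged := map[string]string{}
	for k, v := range pod.Spec.NodeSelector {
		merged[k] = v // keep labels the pod already asked for
	}
	for k, v := range want {
		if cur, set := merged[k]; set && cur != v {
			return false, nil, nil // pod tries to escape its node pool: deny
		}
		merged[k] = v
	}
	// "add" on an existing member replaces it, so this works either way.
	return true, []patchOp{{Op: "add", Path: "/spec/nodeSelector", Value: merged}}, nil
}

func main() {
	ok, patch, _ := mutate("team-a", []byte(`{"spec":{"nodeSelector":{"disk":"ssd"}}}`))
	fmt.Printf("%v %+v\n", ok, patch)
}
```

Denying on conflict rather than silently overwriting is what keeps a workload from selecting nodes outside its namespace's pool.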


ysaakpr commented Jul 31, 2018

@deyceg let me try what you said... BTW, in which version can we expect kops support for these advanced configurations?


deyceg commented Jul 31, 2018

@ysaakpr seems milestoned for 1.10


kevdowney commented Aug 8, 2018


ysaakpr commented Aug 29, 2018

kops 1.10 is released, any update on this?


deyceg commented Nov 27, 2018

Doesn't look like it. Very surprised this hasn't been pulled in.
