Use AWS metadata to retrieve local-hostname in nodeup #12844
Conversation
Hi @bwagner5. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
This would break clusters with IMDS disabled. I think it would be reasonable to try IMDS first and fall back to DescribeInstances.
Can / should a kOps cluster work without IMDS?
/ok-to-test
/lgtm
There are some other places that use IMDS in nodeup as well, so it might be worth going through and figuring out if it's reasonable to perform a fallback if IMDS is disabled everywhere. But it's almost impossible to do really large scale-ups if you're not using IMDS on node bootstrap, so I'd lean towards getting rid of the API calls and requiring IMDS. I have a version of nodeup that does zero API calls and relies only on IMDS and OS calls for node info rather than DescribeInstanceTypes. I may try to PR some of those after they're cleaned up.
Don't you have to use IMDS to get the instance role credentials to authenticate to kops-controller? I don't think it's going to be possible to bootstrap without IMDS.
/assign @rifelpet
In any case one would need the instance ID, which is pretty hard to get without IMDS, right?
That would be very nice.
Instances with RBN enabled can just get this from
It sounds like IMDS is required at this point then. This lgtm and I agree with proposed follow up PRs.
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rifelpet The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Should we remove ec2:DescribeInstances from the node IAM policy? Users may be depending on it for other workloads though, and having them add it back makes the policy size larger since it would become its own statement.
Doesn't kubelet require
We can remove it from the nodeup function (if it is there). Kubelet still needs it if the in-tree CCM is used, but it should be a part of the CCM function too. |
Cloud Provider: AWS
This PR changes nodeup's method of looking up an instance's private DNS name from a DescribeInstances call to an instance metadata lookup. DescribeInstances is prone to throttling with large clusters and can cause significant delays when a node is trying to join a cluster.
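The metadata lookup the PR description refers to, written out as an added example that is not kops code: an IMDSv2 session-token request followed by a read of the `local-hostname` key, with the endpoint URL injectable so the exchange can be tested against a local server. The helper names and the error handling are this example's own assumptions, not nodeup's; a disabled IMDS surfaces as an error, which is where the fallback to DescribeInstances discussed above would hook in.

```go
package main
import (
	"fmt"
	"io"
	"net/http"
	"strings"
	"time"
)
// Hypothetical helper, not kops code: resolve the instance's private DNS name
// (IMDS key "local-hostname") via IMDSv2. baseURL is injectable for testing;
// on a real instance it is http://169.254.169.254.
func lookupLocalHostname(baseURL string) (string, error) {
	client := &http.Client{Timeout: 2 * time.Second}
	// Step 1: PUT for a session token; IMDSv2 refuses reads without one.
	token, err := imdsCall(client, http.MethodPut, baseURL+"/latest/api/token",
		"X-aws-ec2-metadata-token-ttl-seconds", "60")
	if err != nil {
		return "", fmt.Errorf("imds token: %w", err)
	}
	// Step 2: GET the key, presenting the token.
	host, err := imdsCall(client, http.MethodGet, baseURL+"/latest/meta-data/local-hostname",
		"X-aws-ec2-metadata-token", token)
	if err != nil {
		return "", fmt.Errorf("imds local-hostname: %w", err)
	}
	return host, nil
}
// imdsCall issues one request carrying a single header and returns the trimmed 2xx body.
// A disabled or v1-only IMDS surfaces as an error, so a caller can choose to fall back.
func imdsCall(client *http.Client, method, url, header, value string) (string, error) {
	req, err := http.NewRequest(method, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set(header, value)
	resp, err := client.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil || resp.StatusCode/100 != 2 {
		return "", fmt.Errorf("status %d, read error %v: %s", resp.StatusCode, err, strings.TrimSpace(string(body)))
	}
	return strings.TrimSpace(string(body)), nil
}
func main() {
	host, err := lookupLocalHostname("http://169.254.169.254")
	fmt.Println(host, err)
}
```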