Node Authorizer Fixes #5841
- creating the directory in case it's not there; this fixes an issue on a rolling update
…to arrive (this fixes the rollout on an in-place cluster)
… better way of performing the rollout while not getting hit by the cluster validation code. Perhaps we could add a label on the master and control the deployment of the daemonset via the label.
- updating the version of the node-authorizer manifest
ab44968 to 8401273
/assign @KashifSaadat
Give this a quick run for the bazel tests to pass :)
- fixing the spelling mistake
a639bd1 to 90c48a7
/test pull-kops-bazel-test
/test pull-kops-e2e-kubernetes-aws
/test pull-kops-e2e-kubernetes-aws
Hey @KashifSaadat .. e2e looks good now :-) ..
Discussed over Slack, not sure of a more elegant way to manage upgrades between versions and enabling the NodeAuthorizer without dropping the health-checks for the DS. LG for now to enable the upgrade path. /lgtm
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: gambol99, KashifSaadat. The full list of commands accepted by this bot can be found here. The pull request process is described here.
/test pull-kops-e2e-kubernetes-aws
This PR adds a number of fixes for rolling out the node authorizer from a previous version. The main issue is caused by the fact the node-authorizer, a daemonset on the master nodes, is rolled to all nodes regardless of if it's been updated or not. Thus master nodes which have not been rolled yet and thus haven't pulled down the certificates via nodeup will fail. This causes the validation code which checks for failing pods in the `kube-system` namespace to fail, even though everything is fine.