Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Node Authorizer Fixes #5841

Merged
merged 6 commits into from
Sep 28, 2018
Merged

Node Authorizer Fixes #5841

merged 6 commits into from
Sep 28, 2018

Conversation

gambol99
Copy link
Contributor

@gambol99 gambol99 commented Sep 27, 2018
edited
Loading

This PR adds a number of fixes for rolling out the node authorizer from a previous version. This main issue is caused by the fact the node-authorizer, a daemonset on the master nodes, is rolled to all nodes regardless of if it's been updated or now. Thus master nodes which have not been rolled yet and thus haven't pulled down the certificates via nodeup will fail. This causes the validation code which checks for failing pods in the kube-system namespace to fail, even though everything is fine.

@gambol99
Node Authorizer Directory
1690444 
- creating the directory incase it's not there, is fixes an issue on a rolling update
@gambol99
- adding the waitForCertificates method to wait for the certificates …
8c11ecf 
…to arrive (this fixes the rollout on a in-place cluster)
@gambol99
- removing the liveness and readiness probes for now until i figure a…
d784db0 
… better way of performing the rollout while not getting hit by the cluster validation code.

  perhaps we could add a label no the master and control the deployment of the daemonset via the label.
@gambol99
- updating to the fix rollout image for node authorizer
26942eb
@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. approved Indicates a PR has been approved by an approver from all required OWNERS files. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels Sep 27, 2018
@gambol99
- fixing the reference to the import, goimports made an error
8401273 
- updating the version of the node-authorizer manifest
@gambol99
Copy link
Contributor Author

/assign @KashifSaadat

@KashifSaadat
Copy link
Contributor

Give this a quick run for the bazel tests to pass :) ./hack/update-bazel.sh

@gambol99
Copy link
Contributor Author

/test pull-kops-bazel-test

@gambol99
Copy link
Contributor Author

/test pull-kops-e2e-kubernetes-aws

1 similar comment
@gambol99
Copy link
Contributor Author

/test pull-kops-e2e-kubernetes-aws

@gambol99
Copy link
Contributor Author

Hey @KashifSaadat .. e2e looks good now :-) ..

@KashifSaadat
Copy link
Contributor

Discussed over Slack, not sure of a more elegant way to manage upgrades between versions and enabling the NodeAuthorizer without dropping the health-checks for the DS. LG for now to enable the upgrade path.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 28, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gambol99, KashifSaadat

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [KashifSaadat,gambol99]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@gambol99
Copy link
Contributor Author

/test pull-kops-e2e-kubernetes-aws

@k8s-ci-robot k8s-ci-robot merged commit edf4a70 into kubernetes:master Sep 28, 2018
@gambol99 gambol99 deleted the node_authorizer_directory branch September 28, 2018 12:15
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrisz100 chrisz100 Awaiting requested review from chrisz100

@robinpercy robinpercy Awaiting requested review from robinpercy

Assignees

@KashifSaadat KashifSaadat

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@gambol99 @KashifSaadat @k8s-ci-robot