Move kubelet secret and configmap manager calls to sync_Pod functions #107821
@liggitt: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/lgtm Thanks for fixing this!
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: liggitt, wojtek-t
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
as a note, if this is picked back to any other releases, #107831 should be included as well
What type of PR is this?
/kind bug
What this PR does / why we need it:
Moves the registration of secret/configmap references into pod worker functions.
xref #105204
The current registration location can make the kubelet start to make requests to fetch secrets/configmaps for pods that would be rejected by kubelet admission and never actually run.
The current unregistration location can make the kubelet forget about secrets/configmaps before a pod has completely terminated, when other subsystems may still need access.
This cuts the "not registered" errors in e2e runs by about 66%. There's still work to do to make the volume subsystem stop trying new mount attempts after the pod lifecycle has marked the pod as terminated to clean up the remaining errors, but that should be done separately by sig-storage.
/cc @wojtek-t @smarterclayton
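
The two ordering problems in the description above, as a simplified Go model added here; it is not code from the kubelet or from this PR. `refManager`, `simulate` and the object name `db-password` are hypothetical, and the model assumes one API request per registration.

```go
package main

import "errors"

// refManager is a hypothetical model of a reference-counted secret/configmap
// manager: an object is readable only while a registered pod references it.
type refManager struct {
	refs    map[string]int // object -> registered pods referencing it
	fetches int            // simulated API requests started by registration
}

func (m *refManager) register(obj string) {
	m.refs[obj]++
	m.fetches++ // model assumption: registering starts a fetch of the object
}
func (m *refManager) unregister(obj string) { m.refs[obj]-- }
func (m *refManager) get(obj string) error {
	if m.refs[obj] <= 0 {
		return errors.New("object not registered")
	}
	return nil
}

// simulate runs one pod through admission and termination. inWorker=false
// registers before admission and unregisters at deletion; inWorker=true
// registers in the sync step and stays registered until termination is done.
// It returns the fetch count and the result of a read made during termination.
func simulate(admitted, inWorker bool) (int, error) {
	m := &refManager{refs: map[string]int{}}
	const obj = "db-password" // constructed sample secret name
	if !inWorker {
		m.register(obj) // before the admission decision is known
	}
	if !admitted {
		return m.fetches, nil // rejected pods never reach the sync step
	}
	if inWorker {
		m.register(obj) // only admitted pods get here
	} else {
		m.unregister(obj) // pod deleted while its containers are still stopping
	}
	return m.fetches, m.get(obj) // another subsystem reads during termination
}

func main() {
	for _, w := range []bool{false, true} {
		f, _ := simulate(false, w)
		_, err := simulate(true, w)
		println("inWorker:", w, "rejected-pod fetches:", f, "late read failed:", err != nil)
	}
}
```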