auth: standalone kubelets shouldn't start a token manager #64795
@mikedanese: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/test gke
/test pull-kubernetes-e2e-gke
pkg/kubelet/kubelet.go
@@ -780,7 +780,11 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration, | |||
containerRefManager, | |||
kubeDeps.Recorder) | |||
|
|||
tokenManager := token.NewManager(kubeDeps.KubeClient.CoreV1()) | |||
var tokenManager *token.Manager |
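Review bot: The bare `var tokenManager *token.Manager` declaration at the end of this hunk leaves the manager nil on any path that does not assign it, and the visible lines show no guard where it is used afterwards. Either keep the manager always constructed and let its methods tolerate a missing client, or add an explicit nil check at each consumer, and add a comment here stating in which mode the manager is intentionally left unset.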
Is https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/volume_host.go#L200 guaranteed not to be called in this case?
Otherwise, consider passing `kubeDeps.KubeClient` to `NewManager`, and handling the null case within `getToken(...)`
Looks like the other managers aren't protected against this. Fixed anyway.
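The nil handling discussed in this review thread, as an added example that is not code from the pull request or from Kubernetes: `TokenClient`, `fakeClient`, `Manager`, `GetToken` and `ErrNoAPIClient` are hypothetical, simplified stand-ins. It shows one method guarding both cases raised above, a manager pointer that was never assigned and a manager built around a nil client.

```go
package main

import (
	"errors"
	"fmt"
)

// TokenClient is a hypothetical stand-in for the API client a token manager
// would call; it is not the real client-go interface.
type TokenClient interface {
	RequestToken(serviceAccount string) (string, error)
}

// fakeClient is a constructed client that exercises the connected path.
type fakeClient struct{}

func (fakeClient) RequestToken(sa string) (string, error) {
	return "token-for-" + sa, nil
}

// ErrNoAPIClient is returned when no apiserver client is configured.
var ErrNoAPIClient = errors.New("token manager: no API client configured")

// Manager is a simplified, hypothetical token manager.
type Manager struct {
	client TokenClient // nil interface when running standalone
}

func NewManager(c TokenClient) *Manager { return &Manager{client: c} }

// GetToken guards both failure shapes: a nil *Manager (the manager was never
// constructed) and a Manager built around a nil client. Go permits calling a
// pointer-receiver method on a nil pointer, so the m == nil check is reachable.
func (m *Manager) GetToken(sa string) (string, error) {
	if m == nil || m.client == nil {
		return "", ErrNoAPIClient
	}
	return m.client.RequestToken(sa)
}

func main() {
	var unset *Manager         // manager never constructed
	var standalone TokenClient // no apiserver client
	for _, m := range []*Manager{unset, NewManager(standalone), NewManager(fakeClient{})} {
		tok, err := m.GetToken("default")
		fmt.Printf("token=%q err=%v\n", tok, err)
	}
}
```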
[MILESTONENOTIFIER] Milestone Pull Request: Up-to-date for process @dchen1107 @mikedanese @tallclair Pull Request Labels
/test pull-kubernetes-e2e-gke
From the issue (#64789), only GKE-related tests are affected. But this PR thought the issue is in the standalone kubelet. Shouldn't GCE-related tests also run master nodes with a standalone kubelet? What is the difference between the GKE master and the GCE master here that triggers the issue?
@dchen1107 GCE master kubelets register with the apiserver. They don't run in standalone.
We should probably have a standalone-kubelet E2E suite if we really support it...
lgtm
@mikedanese Ahh, I forgot that bit of ugly difference. Yes. /lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: dchen1107, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/retest
lgtm
/retest Review the full test history for this PR. Silence the bot with an
/test all [submit-queue is verifying that this PR is safe to merge]
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here.
fixes #64789