Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow Kubelet to run with no Azure identity #77906

Merged
merged 1 commit into from
May 16, 2019
Merged

Allow Kubelet to run with no Azure identity #77906

merged 1 commit into from
May 16, 2019

Conversation

feiskyer
Copy link
Member

@feiskyer feiskyer commented May 15, 2019
edited

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test
/kind feature
/kind flake

/kind bug
/sig azure

What this PR does / why we need it:

Allow Kubelet to run with no Azure identity. useInstanceMetadata should be enabled and Kubelet would use IMDS to get node's information.

Which issue(s) this PR fixes:

Fixes #77309

Special notes for your reviewer:

#77851 is also required for no identity working.

Does this PR introduce a user-facing change?:

Kubelet could be run with no Azure identity now. A sample cloud provider configure is:  `{"vmType": "vmss", "useInstanceMetadata": true, "subscriptionId": "<subscriptionId>"}`

@feiskyer
Allow Kubelet to run with no Azure identity
b13d80a 
useInstanceMetadata should be enabled and Kubelet would use IMDS to get
node's information.
@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/bug Categorizes issue or PR as related to a bug. sig/azure size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 15, 2019
@feiskyer feiskyer added this to In progress in Provider Azure via automation May 15, 2019
@k8s-ci-robot k8s-ci-robot added area/cloudprovider sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. labels May 15, 2019
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: feiskyer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 15, 2019
@feiskyer
Copy link
Member Author

/priority important-soon

/hold

@andyzhangx When validating this with #77851, I find AzureDisk is not working as expected. The error message is:

Operation for "\"kubernetes.io/azure-disk//<pvc-resource-id>\"" failed. No retries permitted until 2019-05-15 07:37:44.323108693 +0000 UTC m=+297.614031734 (durationBeforeRetry 1m4s). Error: "MountVolume.WaitForAttach failed for volume \"pvc-dceb8b43-76e3-11e9-a1ab-000d3aa2e18b\" (UniqueName: \"kubernetes.io/azure-disk//<pvc-resource-id>\") pod \"sh\" (UID: \"dcd1c6b5-76e3-11e9-a1ab-000d3aa2e18b\") : azureDisk - WaitForAttach failed within timeout node (k8s-agentpool2-20421826-vmss000000) diskId:(k8s-vmss-dynamic-pvc-dceb8b43-76e3-11e9-a1ab-000d3aa2e18b) lun:(-1)"

As the error message indicated, the lun is -1, which is weird. Do you think this is related to #77483?

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 15, 2019
@feiskyer
Copy link
Member Author

The above issue is fixed by #77912.

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 15, 2019
andyzhangx
andyzhangx reviewed May 15, 2019
View reviewed changes
staging/src/k8s.io/legacy-cloud-providers/azure/azure_instances.go
if metadata.Compute.VMSize != "" {
return metadata.Compute.VMSize, nil
if !isLocalInstance {
if az.vmSet != nil {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why do this code change? not use metadata.Compute.VMSize, nil directly?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

when this is not local instance, and credentials not provided, we should report errors.

the original logic has been moved to L331.

neolit123
neolit123 reviewed May 16, 2019
View reviewed changes
Copy link
Member

@neolit123 neolit123 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@feiskyer the change LGTM
/lgtm
/hold

but there is a good chance the release note with { .. } might break anago (the release tool)
possibly trim it to?

Kubelet could be run with no Azure identity now.

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. lgtm "Looks good to me", indicates that a PR is ready to be merged. labels May 16, 2019
@feiskyer
Copy link
Member Author

feiskyer commented May 16, 2019
edited

Thanks, let me remove the {} and wrap the example in quotes ``.

@feiskyer
Copy link
Member Author

feiskyer commented May 16, 2019
edited

@neolit123 looked at the old release notes, {} is allowed within ```` quota, so changed the example within `` now.

@neolit123
Copy link
Member

ok, understood.
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 16, 2019
@k8s-ci-robot k8s-ci-robot merged commit 5a233cc into kubernetes:master May 16, 2019
Provider Azure automation moved this from In progress to Done May 16, 2019
@feiskyer feiskyer deleted the az-no-authz branch May 17, 2019 05:11
This was referenced Aug 16, 2019
Closed
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@neolit123 neolit123 neolit123 left review comments

@andyzhangx andyzhangx andyzhangx left review comments

@khenidak khenidak Awaiting requested review from khenidak

Assignees

@neolit123 neolit123

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cloudprovider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
Provider Azure
  
Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Azure - Allow kubelet to run with no azure identity
4 participants
@feiskyer @k8s-ci-robot @neolit123 @andyzhangx