let standalone npd use kubelet credentials #85014
@dekkagaijin: The label(s) In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign awly
roleRef: | ||
apiGroup: rbac.authorization.k8s.io | ||
kind: ClusterRole | ||
name: system:node-problem-detector |
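Review bot: the roleRef on the last lines points at ClusterRole system:node-problem-detector, which is defined outside this hunk (the reply below says the parent directory's npd.yaml); a comment naming that file next to the binding would let reviewers check what the bound subject is being granted without searching the tree.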
where is this role defined?
in the parent directory's npd.yaml
cluster/gce/gci/configure-helper.sh
Outdated
@@ -1245,6 +1245,12 @@ current-context: service-account-context | |||
EOF | |||
} | |||
|
|||
function setup-kubelet-user-npd-creds { |
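Review bot: the function name setup-kubelet-user-npd-creds does not follow the create-<component>-kubeconfig pattern the surrounding script uses (create-kubeproxy-user-kubeconfig and create-node-problem-detector-kubeconfig both appear in the main() hunk further down); create-node-problem-detector-kubeconfig-from-kubelet, as proposed in the review, says what the function produces and where the credential comes from.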
how about create-node-problem-detector-kubeconfig-from-kubelet
done
/assign @cheftako
Signed-off-by: Jake Sanders <jsand@google.com>
/lgtm
/test pull-kubernetes-integration
@cheftako any concerns? would be helpful to get this merged in 1.17
/approve
Ping @wangzhen127 @cheftako
subjects: | ||
- apiGroup: rbac.authorization.k8s.io | ||
kind: User | ||
name: kubelet |
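Review bot: binding User kubelet (last two lines of the hunk) gives every node's kubelet credential whatever system:node-problem-detector grants, so a compromise of any single node now also carries NPD's permissions; since RBAC grants are additive to whatever the kubelet can already do, confirm before merging that the ClusterRole's rules are the minimum NPD needs and record that reasoning in a comment on the binding.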
Why is this needed? What did it fix?
It makes sure that the kubelet user has all the permissions that NPD requires
function create-node-problem-detector-kubeconfig-from-kubelet { | ||
echo "Creating node-problem-detector kubeconfig from /var/lib/kubelet/kubeconfig" | ||
mkdir -p /var/lib/node-problem-detector | ||
cp /var/lib/kubelet/kubeconfig /var/lib/node-problem-detector/kubeconfig |
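Review bot: the cp on the last line writes a file that references or embeds the kubelet's client credentials without setting its mode or owner, so the copy takes whatever the process umask yields; create the directory with mkdir -p -m 0700 and copy with install -m 0600 (or chmod 0600 afterwards). The copy also goes stale if /var/lib/kubelet/kubeconfig is rewritten later, which the "why copy" question in the review raises; a one-line comment on when this function re-runs would answer that in the code.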
Why copy? Why not just configure NPD to read the kubelet's kubeconfig directly?
I figured that it'd be a larger, more confusing/fragile change. This way the used kubeconfig is always in the same location, regardless of NPD configuration.
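The exchange above is about copying the kubelet's kubeconfig to a fixed location for NPD. The function below is an added example, not code from this PR or from kubernetes/kubernetes: it is a hardened variant of that copy step that refuses missing or empty sources, rejects relative certificate paths (client-go resolves those against the kubeconfig's own directory, so they silently break after a move), and writes the copy with owner-only permissions. The function name, the argument-passing convention (the PR hard-codes /var/lib/kubelet/kubeconfig and /var/lib/node-problem-detector/kubeconfig), and the assumption that referenced paths contain no whitespace are all mine.

```shell
#!/usr/bin/env bash
# Added example, not code from kubernetes PR #85014: a hardened variant of the
# "copy the kubelet kubeconfig for node-problem-detector" step discussed above.
# Assumptions (not from the PR): source and destination are passed as
# arguments instead of being hard-coded, the kubeconfig is a plain YAML file,
# and the certificate paths it references contain no whitespace.

# Print the file paths a kubeconfig references for its CA, client cert and key.
# The "-data" variants (inline base64) deliberately do not match.
referenced_paths() {
  sed -nE 's/^[[:space:]]*(certificate-authority|client-certificate|client-key):[[:space:]]*//p' "$1"
}

# The first ten characters of ls -l, e.g. "-rw-------" for mode 0600.
file_mode_string() {
  ls -ld "$1" | cut -c1-10
}

copy_kubeconfig_restricted() {
  src="$1"
  dst="$2"
  dst_dir=$(dirname "$dst")

  # An absent or empty kubeconfig would leave NPD silently unauthenticated.
  if [ ! -s "$src" ]; then
    echo "copy_kubeconfig_restricted: source $src missing or empty" >&2
    return 1
  fi

  # client-go resolves relative paths against the kubeconfig's own directory,
  # so a relative cert path that works under /var/lib/kubelet breaks once the
  # copy lives elsewhere. Require absolute paths that exist and are readable.
  for path in $(referenced_paths "$src"); do
    case "$path" in
      /*) ;;
      *) echo "copy_kubeconfig_restricted: relative path $path in $src" >&2; return 1 ;;
    esac
    if [ ! -r "$path" ]; then
      echo "copy_kubeconfig_restricted: referenced file $path is not readable" >&2
      return 1
    fi
  done

  # Directory and file readable only by their owner; write to a temp file in
  # the same directory and rename so no reader ever sees a partial copy.
  mkdir -p "$dst_dir" && chmod 0700 "$dst_dir" || return 1
  tmp="$dst.tmp.$$"
  install -m 0600 "$src" "$tmp" || return 1
  mv -f "$tmp" "$dst" || return 1
  echo "Created $dst from $src with mode 0600"
}
```

With the PR's paths the call would be `copy_kubeconfig_restricted /var/lib/kubelet/kubeconfig /var/lib/node-problem-detector/kubeconfig`; the relative-path check is the part worth keeping even if the rest is folded back into a one-line cp, because a kubeconfig that only references `pki/kubelet.crt` style paths looks identical before and after the copy but stops authenticating.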
@@ -2781,7 +2790,14 @@ function main() { | |||
create-kubeproxy-user-kubeconfig | |||
fi | |||
if [[ "${ENABLE_NODE_PROBLEM_DETECTOR:-}" == "standalone" ]]; then | |||
create-node-problem-detector-kubeconfig ${KUBERNETES_MASTER_NAME} | |||
if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]; then |
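Review bot: the nested `if [[ -n "${NODE_PROBLEM_DETECTOR_TOKEN:-}" ]]` keeps two credential paths alive under the standalone branch, and the alternative branch is outside the visible context; add a comment stating that the token path remains only for deployments that still publish NODE_PROBLEM_DETECTOR_TOKEN in metadata (the review notes that removing it would break plain GCE) so the intended default is clear. Separately, `create-node-problem-detector-kubeconfig ${KUBERNETES_MASTER_NAME}` leaves the expansion unquoted while the neighbouring lines quote theirs; use `"${KUBERNETES_MASTER_NAME}"`.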
I'm pro just removing NODE_PROBLEM_DETECTOR_TOKEN in one swoosh and not supporting both.
IIUC that'd break this script on plain GCE
/approve
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: cjcullen, dekkagaijin, mikedanese
The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
This will allow for the NODE_PROBLEM_DETECTOR_TOKEN to be removed from GCE metadata, while retaining the increased visibility offered by a standalone NPD.
/kind feature
/kind cleanup
/sig cloud-provider
/area provider/gcp
/release-note-none
/priority important-soon