Add support for token authentication with network proxy #88419
Conversation
k8s-ci-robot
added
release-note-none
|
@Jefftree: GitHub didn't allow me to request PR reviews from the following users: dberkov. Note that only kubernetes members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
cncf-cla: yes
cluster/gce/addons/konnectivity-agent/konnectivity-agent-ds.yaml
Outdated
Show resolved
Hide resolved
cluster/gce/addons/konnectivity-agent/konnectivity-agent-rbac.yaml
Outdated
Show resolved
Hide resolved
Jefftree
force-pushed
the
netproxy-udstoken
branch
from
3d8e31b
to
18df560
Compare
k8s-ci-robot
added
area/release-eng
Jefftree
force-pushed
the
netproxy-udstoken
branch
2 times, most recently
from
42965ed
to
0d0eb69
Compare
k8s-ci-robot
added
area/apiserver
area/cloudprovider
area/dependency
Jefftree
force-pushed
the
netproxy-udstoken
branch
from
0d0eb69
to
7a69acf
Compare
|
/retest |
|
The configuration changes are consistent with kubernetes-sigs/apiserver-network-proxy#51. /lgtm |
k8s-ci-robot
added
the
lgtm
|
/assign @liggitt (for approval) |
| @@ -652,8 +652,13 @@ function create-master-auth { | |||
| append_or_replace_prefixed_line "${known_tokens_csv}" "${GCE_GLBC_TOKEN}," "system:controller:glbc,uid:system:controller:glbc" | |||
| fi | |||
| if [[ -n "${ADDON_MANAGER_TOKEN:-}" ]]; then | |||
| append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,uid:system:addon-manager,system:masters" | |||
| append_or_replace_prefixed_line "${known_tokens_csv}" "${ADDON_MANAGER_TOKEN}," "system:addon-manager,uid:system:addon-manager,system:masters" | |||
There was a problem hiding this comment.
(there should be 1 space instead of a bunch of spaces and a tab there)
There was a problem hiding this comment.
actually just revert this change?
There was a problem hiding this comment.
This fixes the alignment with the previous lines. Would you still like me to revert?
There was a problem hiding this comment.
ack, sorry, the diff obscured this.
| type: DirectoryOrCreate | ||
| --- |
There was a problem hiding this comment.
it's weird to have a second blob in this .yaml, when you made a separate file above?
There was a problem hiding this comment.
Each cluster addon has its own directory but all the manifests share the same directory (at least in gce). Didn't want to pollute the manifests directory.
|
/approve /hold for nit fixes |
k8s-ci-robot
added
the
do-not-merge/hold
Jefftree
force-pushed
the
netproxy-udstoken
branch
from
7a69acf
to
964deef
Compare
k8s-ci-robot
removed
the
lgtm
cluster/gce/addons/konnectivity-agent/konnectivity-agent-ds.yaml
Outdated
Show resolved
Hide resolved
Jefftree
force-pushed
the
netproxy-udstoken
branch
from
964deef
to
0cd61e9
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/retest |
1 similar comment
|
/retest |
|
/retest Review the full test history for this PR. Silence the bot with an |
2 similar comments
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/retest Review the full test history for this PR. Silence the bot with an |
Jefftree
force-pushed
the
netproxy-udstoken
branch
from
0cd61e9
to
0989770
Compare
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/test pull-kubernetes-e2e-gce |
k8s-ci-robot
removed
the
lgtm
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-e2e-gce-100-performance |
|
@Jefftree: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/test pull-kubernetes-e2e-gce-100-performance |
What type of PR is this?
/kind feature
What this PR does / why we need it:
Add support for token based authentication for konnectivity server to authenticate konnectivity agent.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
KUBE_ENABLE_EGRESS_VIA_KONNECTIVITY_SERVICE=true ./cluster/kube-up.shto set upDoes this PR introduce a user-facing change?:
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
/assign @caesarxuchao
/cc @cheftako
/cc @dberkov
/sig api-machinery