separate RootCAConfigMap from BoundServiceAccountTokenVolume #96197
Conversation
k8s-ci-robot
added
release-note
|
/cc @liggitt @mikedanese |
|
/sig auth |
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
the
sig/api-machinery
k8s-ci-robot
added
area/test
sig/testing
|
/cc @neolit123 |
|
suggesting minor reword of the release note:
|
pkg/features/kube_features.go
Outdated
| // | ||
| // Allows kube-controller-manager to publish kube-root-ca.crt configmap to | ||
| // every namespace. This feature is separated from BoundServiceAccountTokenVolume | ||
| // to solve multi-server cluster upgrade issue. |
There was a problem hiding this comment.
potentially we can omit the second sentence here that explains the upgrade issue and instead include a mention that BoundServiceAccountTokenVolume requires RootCAConfigMap.
deferring to sig-auth, though.
There was a problem hiding this comment.
agree the separation is not important, just that it is a prereq of BoundServiceAccountTokenVolume
| - events | ||
| verbs: | ||
| - create | ||
| - patch |
There was a problem hiding this comment.
does rootcacertpublisher need "patch" for events?
There was a problem hiding this comment.
yes, that's part of the standard event permissions used by the event recorder:
| - events | ||
| verbs: | ||
| - create | ||
| - patch |
There was a problem hiding this comment.
yes, that's part of the standard event permissions used by the event recorder:
k8s-ci-robot
added
size/L
|
/retest |
test/e2e/auth/service_accounts.go
Outdated
| ginkgo.It("should guarantee kube-root-ca.crt exist in any namespace", func() { | ||
| const rootCAConfigMapName = "kube-root-ca.crt" | ||
|
|
||
| _, err := f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Get(context.TODO(), rootCAConfigMapName, metav1.GetOptions{}) |
There was a problem hiding this comment.
the configmap might not exist instantly in the new test namespace (it's created by a controller), so this should be a wait.PollImmediate with a wait.ForeverTestTimeout
framework.ExpectNoError(wait.PollImmediate(time.Second, wait.ForeverTestTimetout, func() (bool, error) {
_, err := f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Get(context.TODO(), rootCAConfigMapName, metav1.GetOptions{})
if err == nil {
return true, nil
}
if errors.IsNotFound(err) {
framework.Logf("root ca configmap not found, retrying")
return false, nil
}
return false, err
}))
zshihang
force-pushed
the
token
branch
2 times, most recently
from
7f379cd
to
cc5de7e
Compare
k8s-ci-robot
added
the
sig/apps
|
/retest |
1 similar comment
|
/retest |
|
Both e2e failures look related. The config map quota test might need to be adjusted. I'm surprised we have a conformance test that fails if anything else creates a config map in the name space. That does not seem right |
|
the config map quota test is just flaky. if found does count the kube-root-ca.crt, then the test will pass. otherwise not.
|
|
bazel failure is #96243 |
|
/lgtm please open a doc update against the dev-1.20 branch of the website, adding details about this feature gate and beta status |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, zshihang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
this definitely makes the flake worse. previous flakes in the alpha job: new flakes in the main job: |
|
opened #96265 to reduce the test flake, but the mechanism that test uses to detect existing configmaps is questionable |
What type of PR is this?
/kind feature
What this PR does / why we need it:
before BoundServiceAccountTokenVolume graduate to Beta,
kube-controller-managerneeds to publishkube-root-ca.crtto every namespace. In the multi-server cluster upgrade, a leading oldkube-controller-managermight not publish the configmap for a short period of time. However, during the period, new pods may have the new projected tokens and as a result, those pods will fail to start.Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
-->
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: