New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
separate RootCAConfigMap from BoundServiceAccountTokenVolume #96197
Conversation
/cc @liggitt @mikedanese |
/sig auth |
/cc @neolit123 |
suggesting minor reword of the release note:
|
pkg/features/kube_features.go
Outdated
// | ||
// Allows kube-controller-manager to publish kube-root-ca.crt configmap to | ||
// every namespace. This feature is separated from BoundServiceAccountTokenVolume | ||
// to solve multi-server cluster upgrade issue. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
potentially we can omit the second sentence here that explains the upgrade issue and instead include a mention that BoundServiceAccountTokenVolume requires RootCAConfigMap.
deferring to sig-auth, though.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
agree the separation is not important, just that it is a prereq of BoundServiceAccountTokenVolume
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
- events | ||
verbs: | ||
- create | ||
- patch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does rootcacertpublisher need "patch" for events?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, that's part of the standard event permissions used by the event recorder:
kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
Lines 53 to 55 in 71fea80
func eventsRule() rbacv1.PolicyRule { | |
return rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie() | |
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
add validation that makes sure RootCAConfigMap is enabled if BoundServiceAccountTokenVolume is enabled, and update the doc on RootCAConfigMap as noted
lgtm otherwise
- events | ||
verbs: | ||
- create | ||
- patch |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, that's part of the standard event permissions used by the event recorder:
kubernetes/plugin/pkg/auth/authorizer/rbac/bootstrappolicy/controller_policy.go
Lines 53 to 55 in 71fea80
func eventsRule() rbacv1.PolicyRule { | |
return rbacv1helpers.NewRule("create", "update", "patch").Groups(legacyGroup, eventsGroup).Resources("events").RuleOrDie() | |
} |
/retest |
test/e2e/auth/service_accounts.go
Outdated
ginkgo.It("should guarantee kube-root-ca.crt exist in any namespace", func() { | ||
const rootCAConfigMapName = "kube-root-ca.crt" | ||
|
||
_, err := f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Get(context.TODO(), rootCAConfigMapName, metav1.GetOptions{}) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the configmap might not exist instantly in the new test namespace (it's created by a controller), so this should be a wait.PollImmediate with a wait.ForeverTestTimeout
framework.ExpectNoError(wait.PollImmediate(time.Second, wait.ForeverTestTimetout, func() (bool, error) {
_, err := f.ClientSet.CoreV1().ConfigMaps(f.Namespace.Name).Get(context.TODO(), rootCAConfigMapName, metav1.GetOptions{})
if err == nil {
return true, nil
}
if errors.IsNotFound(err) {
framework.Logf("root ca configmap not found, retrying")
return false, nil
}
return false, err
}))
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done
7f379cd
to
cc5de7e
Compare
/retest |
1 similar comment
/retest |
Both e2e failures look related. The config map quota test might need to be adjusted. I'm surprised we have a conformance test that fails if anything else creates a config map in the name space. That does not seem right |
the config map quota test is just flaky.
if found does count the kube-root-ca.crt , then the test will pass. otherwise not.
|
bazel failure is #96243 |
/lgtm please open a doc update against the dev-1.20 branch of the website, adding details about this feature gate and beta status |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, zshihang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
this definitely makes the flake worse. previous flakes in the alpha job: new flakes in the main job: |
opened #96265 to reduce the test flake, but the mechanism that test uses to detect existing configmaps is questionable |
What type of PR is this?
/kind feature
What this PR does / why we need it:
before BoundServiceAccountTokenVolume graduate to Beta,
kube-controller-manager
needs to publishkube-root-ca.crt
to every namespace. In the multi-server cluster upgrade, a leading oldkube-controller-manager
might not publish the configmap for a short period of time. However, during the period, new pods may have the new projected tokens and as a result, those pods will fail to start.Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
-->
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: