New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[WIP][Do not merge]exclude kms from kcm health check #116976
Conversation
kubernetes#108014 Testing: - Create cluster with KMS enabled. - Disable KMS key. - Restart APIServer to invalidate the DEK cache. - Restart KCM. - All controllers in KCM still work. Starting 1.21, all controllers have moved to use BoundServiceAccountTokens. Secrets are no longer used for controller authentication. GarbageCollector Controller needs all discovery objects to be synced to create the object graph. Discovery Client fails because secret informer cache fails. Other controllers are able to be synchronized. - Enable KMS key. - APIServer secret cache fills up. Secret informer cache in KCM resyncs. Errors in KCM logs relatd to GarbageCollector Controller disapper. KCM stays healthy throughout the testing process. Signed-off-by: Jyoti Mahapatra <jyotima@amazon.com>
Please note that we're already in Test Freeze for the Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Tue Mar 28 22:28:51 UTC 2023. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jyotimahapatra The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Please note that we're already in Test Freeze for the Fast forwards are scheduled to happen every 6 hours, whereas the most recent run was: Tue Mar 28 22:28:51 UTC 2023. |
/triage accepted |
The Kubernetes project currently lacks enough contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
The Kubernetes project currently lacks enough active contributors to adequately respond to all PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
@k8s-triage-robot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind bug
What this PR does / why we need it:
This CR intends to exclude the kms provider check as an extension to #108014
The following test was done. This tries to gather data that the controllers are mostly resilient to health check errors at bootstrap time. I'll run this in production to gather confidence.
Testing:
KCM stays healthy throughout the testing process.
Which issue(s) this PR fixes:
#108014
Special notes for your reviewer:
Does this PR introduce a user-facing change?
NONE
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
NONE