Fix secrets in kubelet running in a container #13791
Conversation
|
GCE e2e build/test failed for commit 84d36268ea2a4d13b7152cf969c76bc1c9055c40. |
|
Quick question. |
fgrzadkowski
force-pushed
the
fix_secrets_in_docker
branch
2 times, most recently
from
1d3a2f5
to
e20ddae
Compare
|
@pmorie @kubernetes/rh-cluster-infra @kubernetes/rh-storage |
|
GCE e2e build/test failed for commit e20ddaeea138ef415da366b70c548de0d000a4ea. |
fgrzadkowski
force-pushed
the
fix_secrets_in_docker
branch
from
e20ddae
to
51f192d
Compare
|
sorry for few iterations with failing tests but I couldn't merge it properly with head |
|
GCE e2e build/test passed for commit 1d3a2f557fb9c9565f3ef85d67837b2d52532e50. |
|
Any change to volumes often explodes into every plugin being changed. It makes this PR huge, though. Any way to peel off smaller PRs for easier review? |
markturansky
added
the
sig/node
|
I think it'd be hard, because the part that spans all plugins is changing the API that they implement. |
markturansky
added
area/platform/local
priority/important-soon
|
I copied the labels from the linked issue to this PR. |
|
GCE e2e build/test passed for commit 51f192d830f3020f97fa49ca3252241e870f477d. |
| @@ -42,6 +42,13 @@ type VolumeOptions struct { | |||
| RootContext string | |||
| } | |||
|
|
|||
| // System is an interface that abstracts certain operations on a host operating | |||
| // system that a volume might want to execute. | |||
| type System interface { | |||
There was a problem hiding this comment.
@markturansky This is really the thing that makes this PR so big.
@fgrzadkowski
I think this is a good abstraction to introduce, but I'm still deciding whether I like this name or not.
There was a problem hiding this comment.
Any thoughts about naming here, @thockin ?
There was a problem hiding this comment.
I think you misspelled Host.GetMounter() and Host.WriteFile()
In all seriousness, the VolumeHost is provided to plugins as THE way to interface with the app that hosts the plugin. I do not think we should be injecting more objects from the host's plane into the plugin's plane.
There was a problem hiding this comment.
To be honest I just followed the same path as mount interface. When reading Host interface I was under the impression that it's supposed to be used only to talk to Kubelet not the host machine itself. Do you suggest moving both interfaces to Host?
There was a problem hiding this comment.
Host is your gateway to the rest of the app (think of it as if the plugin was a .so file). The host application provides an implmentation of Mounter and a function to write files in the filesystem
There was a problem hiding this comment.
clearer: yes, I think you don't need a system object, you need to add either one method WriteFile or to remove the mount.Interface that is passed around and add two methods WriteFile and GetMounter. The latter is probably cleaner overall, but more work.
There was a problem hiding this comment.
Done. Added GetMounter() andGetWritertoVolumeHost. I'm usingGetWriter()instead ofWriteFile()``` so that it will be easier to extend it to other operations (like symbolic links which are used in downward API plugin).
There was a problem hiding this comment.
I'm fine with that, though I bet Writer() becomes ReaderWriter() eventually
|
For context, we carry a patch in the Red Hat distributions for docker that makes the container's mount namespace propagation mode to Ultimately you should be able to just set the propagation mode correctly for the container the kubelet runs in instead of having to do this. I think the idea behind this workaround is good. One concern that I have is that it's a lot of work that solves only a single facet of the problem. For example, this won't make git repo volumes work or the downward API volume work. Have you thought about those cases at all? I have no problem changing the signature of the plugins as you have in this PR, but I would like to ensure that we have the other related aspects of this problem solved out or at least considered. Any thoughts about that? |
| type DefaultWriter struct { | ||
| } | ||
|
|
||
| func NewDefaultWriter() Writer { |
There was a problem hiding this comment.
why a constructor that does nothing?
There was a problem hiding this comment.
To be consistent with mounter.
|
@pmorie I'm aware of the RH patch to docker. There is a docker PR (moby/moby#15648) that should solve it properly. It should be shipped in docker 1.9. However I don't think we can wait for it as we will have to support older docker version for quite some time. At the same time we agreed that docker based setup is supposed to be the default solution for new platforms/OSes so the priority is rather high. Regarding git_repo plugin I think it should work because it doesn't use mounts - it just creates regular directory that will be populated. |
|
@fgrzadkowski Good about re: the other plugins, it was too late and I was wrong 👍 |
|
@fgrzadkowski rebase needed |
|
GCE e2e build/test failed for commit f78e6f59a402fb90daa1df8fd1bdf354fadd601b. |
|
@pmorie Sorry for the noise. It seems I didn't commit the changes locally. |
fgrzadkowski
force-pushed
the
fix_secrets_in_docker
branch
from
f78e6f5
to
7fe34f2
Compare
|
GCE e2e build/test passed for commit 7fe34f2. |
k8s-github-robot
removed
the
needs-rebase
|
@fgrzadkowski np, it happens |
|
LGTM was before last commit, removing LGTM |
k8s-github-robot
removed
the
lgtm
|
@pmorie It seems it will need LGTM again, not that it's rebased. |
|
@pmorie I'm sorry for nagging you, but I'm worried I'll have to rebase again if we don't merge it soon. Can you please re-add LGTM label? |
pmorie
added
the
lgtm
|
@fgrzadkowski NP, added. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit 7fe34f2. |
|
Automatic merge from SubmitQueue |
Auto commit by PR queue bot
|
@fgrzadkowski Thanks again for the fix. |
|
This broke Kubernetes on Mesos. The fix is in #14169 |
…docker Auto commit by PR queue bot
Fixes #13557
Introduce writer interface that could be used by volume plugins. This PR provides two implementations:
nsenterto write data in host mount namespace.@smarterclayton (who wrote
nsenter_mounter.gowhich is similar)@dchen1107 (as this touches kubelet and volume plugins)
@dalanlan @resouer (who are interested in running kubernetes in containers)
@brendandburns (who is interested in cluster set up UX)
Ref #4869