Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable Node authorizer and NodeRestriction admission in kubemark #46921

Merged
merged 1 commit into from
Jun 13, 2017
Merged

Enable Node authorizer and NodeRestriction admission in kubemark #46921

merged 1 commit into from
Jun 13, 2017

Conversation

liggitt
Copy link
Member

@liggitt liggitt commented Jun 4, 2017
edited
Loading

xref kubernetes/enhancements#279

We want to ensure scale testing covers use of the authorizer/admission pair that partitions nodes. This includes enabling the authorizer, which populates a graph of existing nodes and pods.

Kubemark is still running all nodes with a single credential, so a follow-up step is to generate unique credentials per node (or enable TLS bootstrapping) and remove the temporary rolebinding added in this PR so the node authorizer is the one authorizing each call by a hollow node.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 4, 2017
@k8s-github-robot k8s-github-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. release-note-label-needed labels Jun 4, 2017
@liggitt liggitt mentioned this pull request Jun 4, 2017
Merged
@wojtek-t
Copy link
Member

wojtek-t commented Jun 4, 2017

@liggitt - thanks a lot for this PR.

However, it seems that kubemark failed to start, which I guess might be related to this change. Can you please take a look? @shyamjvs can probably help with debugging if needed.

@liggitt
Copy link
Member Author

liggitt commented Jun 4, 2017

Yeah, I know the issue, will fix on monday

@liggitt liggitt changed the title Enable Node authorizer and NodeRestriction admission in kubemark WIP - Enable Node authorizer and NodeRestriction admission in kubemark Jun 4, 2017
@k8s-github-robot k8s-github-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. and removed approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Jun 5, 2017
@k8s-github-robot k8s-github-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jun 9, 2017
@liggitt liggitt added release-note-none Denotes a PR that doesn't merit a release note. and removed release-note-label-needed labels Jun 9, 2017
@liggitt liggitt added this to the v1.8 milestone Jun 9, 2017
@liggitt liggitt changed the title WIP - Enable Node authorizer and NodeRestriction admission in kubemark Enable Node authorizer and NodeRestriction admission in kubemark Jun 10, 2017
@gmarek
Copy link
Contributor

gmarek commented Jun 12, 2017

@liggitt - BIG thanks for this change!
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jun 12, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: gmarek, liggitt

Associated issue: 279

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 12, 2017
@mikedanese mikedanese modified the milestones: v1.7, v1.8 Jun 13, 2017
@mikedanese
Copy link
Member

Adding 1.7. We need this test coverage to test scalability of node auth.

@liggitt
Copy link
Member Author

liggitt commented Jun 13, 2017

/retest

@k8s-github-robot
Copy link

Automatic merge from submit-queue (batch tested with PRs 46441, 43987, 46921, 46823, 47276)

@k8s-github-robot k8s-github-robot merged commit d81f71d into kubernetes:master Jun 13, 2017
@liggitt liggitt deleted the kubemark-node-auth branch June 15, 2017 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@gmarek gmarek

@wojtek-t wojtek-t

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note-none Denotes a PR that doesn't merit a release note. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.7
Development

Successfully merging this pull request may close these issues.

None yet
6 participants
@liggitt @wojtek-t @gmarek @k8s-github-robot @mikedanese @k8s-ci-robot