changed the default value for allow-privileged for the kubelet (kuber… #64104

Merged
merged 6 commits into from Jun 20, 2018

CalvinHartwell commented May 21, 2018

What this PR does / why we need it:

This PR modifies the default value for the kubernetes-worker: it sets the allow-privileged kubelet value to true, based on this issue: juju-solutions/bundle-canonical-kubernetes#579.

The original PR was here: #63442 which included this change for the k8s 1.10 release. This PR incorporates this fix into the Canonical distribution of Kubernetes.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #

This change fixes two issues:

juju-solutions/bundle-canonical-kubernetes#579
rancher/rancher#13612

Special notes for your reviewer:

Waiting review from Canonical Kubernetes charm team.

Release note:

The new default value for the --allow-privileged parameter of the Kubernetes-worker charm has been set to true based on changes which went into the Kubernetes 1.10 release. Before this change the default value was set to false. If you're installing Canonical Kubernetes you should expect this value to now be true by default and you should now look to use PSP (pod security policies). 
changed the default value for allow-privileged for the kubelet (kubernetes-worker) based on new standard for 1.10 release
@@ -13,7 +13,7 @@ options:
cluster. Declare node labels in key=value format, separated by spaces.
allow-privileged:
type: string
default: "auto"
default: true
description: |
Allow privileged containers to run on worker nodes. Supported values are
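Review bot: the new `default: true` line is an unquoted YAML boolean under `type: string`, so the declared type and the parsed type of the default disagree; write `default: "true"` so it stays a string like the `"auto"` it replaces. Because this flips the shipped default to allowing privileged containers on worker nodes, the `description:` text that follows should also state the new default so operators know they have to set the option explicitly to restrict it.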

hyperbolic2346 May 21, 2018

We should update the description to deprecate this flag. I think we should also remove auto, but maybe that's another issue.

CalvinHartwell May 22, 2018

@hyperbolic2346 yes - I can update the description if you wish, and I also think the auto option should be removed, but perhaps this can be another PR.

Will you approve if I make those changes?

hyperbolic2346 May 22, 2018

I'm not able to approve, but it looks good to me. Maybe we should /assign @Cynerva

Cynerva May 25, 2018

I've opened juju-solutions/bundle-canonical-kubernetes#585 to address the deprecation of allow-privileged. We can follow up on that later. 👍

Cynerva commented May 25, 2018

/ok-to-test
/assign @Cynerva

Cynerva commented May 25, 2018

default: true could be problematic. Because in yaml, true is a boolean, not a string (even though you can normally omit quotes and get a string. don't get me started). It would be safer to have this as default: "true"

@CalvinHartwell could you add the quotes back in? It's possible that Juju and the kubernetes-worker charm are able to handle this gracefully, but I'd rather not rely on that.
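
The typing concern raised in the comment above, as an added example that is not part of this PR or the charm's code: a standard-library-only lint for a charm `config.yaml` that flags `type: string` options whose unquoted default resolves to another YAML type. The line-based parsing, the function names and the sample document are assumptions made for illustration, and the check expects `type:` to precede `default:` as it does in the hunk.

```python
import re

# Unquoted scalars a YAML 1.1 parser resolves to a non-string type (booleans
# matched case-insensitively, which is a conservative superset).
_RESOLVERS = [
    ("boolean", re.compile(r"^(yes|no|true|false|on|off)$", re.I)),
    ("null", re.compile(r"^(~|null)?$", re.I)),
    ("int", re.compile(r"^[-+]?\d+$")),
    ("float", re.compile(r"^[-+]?(\d+\.\d*|\.\d+)([eE][-+]?\d+)?$")),
]

def plain_scalar_type(raw):
    """Type an option value resolves to: quoted text is always a string."""
    raw = raw.strip()
    if raw[:1] in ('"', "'"):
        return "string"
    raw = re.sub(r"\s+#.*$", "", raw)  # drop a trailing YAML comment
    for name, pattern in _RESOLVERS:
        if pattern.match(raw):
            return name
    return "string"

def lint_string_defaults(text):
    """Return (option, resolved_type) for type: string options whose default
    is not a string. Assumes option names at two-space indent (hypothetical)."""
    findings, option, declared = [], None, None
    for line in text.splitlines():
        head = re.match(r"^  (\S[^:]*):\s*$", line)
        if head:
            option, declared = head.group(1), None
            continue
        field = re.match(r"^\s{4,}(type|default):(.*)$", line)
        if not field or option is None:
            continue
        key, value = field.groups()
        if key == "type":
            declared = value.strip().strip("\"'")
        elif declared == "string" and plain_scalar_type(value) != "string":
            findings.append((option, plain_scalar_type(value)))
    return findings

# Constructed sample modelled on the hunk; the description text is shortened.
AS_SUBMITTED = """options:
  allow-privileged:
    type: string
    default: true
    description: |
      Allow privileged containers to run on worker nodes.
"""
AS_REQUESTED = AS_SUBMITTED.replace("default: true", 'default: "true"')
```

Run over a charm's `config.yaml` in CI, a non-empty result from `lint_string_defaults` means a default will reach the charm as a boolean, number or null rather than the string its code compares against.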

Merge pull request #1 from kubernetes/master
Adding recent upstream changes to k8s.

@k8s-ci-robot k8s-ci-robot added size/S and removed size/XS labels Jun 1, 2018

CalvinHartwell commented Jun 1, 2018

@Cynerva @hyperbolic2346 added the quotes back in, ready for testing and merge if ALL ok!

Cynerva commented Jun 1, 2018

@CalvinHartwell Where did that cluster-context config come from? That wasn't in this PR before.

@CalvinHartwell CalvinHartwell force-pushed the CalvinHartwell:kubelet-allow-privileged-true branch from c5c6323 to 7322f7f Jun 1, 2018

CalvinHartwell commented Jun 1, 2018

@Cynerva apologies, accidentally merged an old branch into the mix. I've now fixed that and appended some context to the readme section. More importantly I've also adjusted the same value for the kubernetes-master as this is also causing an issue for workloads.

Looking good? Should be fixed.

@CalvinHartwell CalvinHartwell force-pushed the CalvinHartwell:kubelet-allow-privileged-true branch 2 times, most recently from 69cbc6c to d0e6f73 Jun 1, 2018

@CalvinHartwell CalvinHartwell force-pushed the CalvinHartwell:kubelet-allow-privileged-true branch from d0e6f73 to 28b5587 Jun 1, 2018

@k8s-ci-robot k8s-ci-robot added size/XS and removed size/S labels Jun 1, 2018

@@ -1591,4 +1591,4 @@ def _write_gcp_snap_config(component):
if gcp_creds_env_key not in daemon_env:
daemon_env += '{}={}\n'.format(gcp_creds_env_key, creds_path)
daemon_env_path.parent.mkdir(parents=True, exist_ok=True)
daemon_env_path.write_text(daemon_env)
daemon_env_path.write_text(daemon_env)
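Review bot: the last line of this hunk, `daemon_env_path.write_text(daemon_env)`, is replaced by identical text and the header `@@ -1591,4 +1591,4 @@` shows no change in line count, so the edit is whitespace-only and unrelated to the allow-privileged default. Revert it so the PR touches only the option change, and confirm the file still ends with a newline.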

Cynerva Jun 1, 2018

I'd let this slide, but our automation runs flake8 when building the charms, and the newline change here will cause it to fail:

$ flake8 reactive/
reactive/kubernetes_master.py:1594:47: W292 no newline at end of file

CalvinHartwell added some commits Jun 1, 2018

Cynerva commented Jun 1, 2018

/lgtm

Thanks!

@k8s-ci-robot k8s-ci-robot added the lgtm label Jun 1, 2018

k8s-ci-robot commented Jun 1, 2018

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: CalvinHartwell, Cynerva

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

CalvinHartwell commented Jun 1, 2018

@thockin @eparis any ideas on what's wrong with the E2E tests?

fejta-bot commented Jun 2, 2018

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to fejta).

Review the full test history for this PR.

Silence the bot with an /lgtm cancel comment for consistent failures.

k8s-github-robot commented Jun 20, 2018

Automatic merge from submit-queue (batch tested with PRs 65032, 63471, 64104, 64672, 64427). If you want to cherry-pick this change to another branch, please follow the instructions here.

@k8s-github-robot k8s-github-robot merged commit 2fb7af7 into kubernetes:master Jun 20, 2018

18 checks passed

Submit Queue Queued to run github e2e tests a second time.
cla/linuxfoundation CalvinHartwell authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-cross Skipped
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gke Skipped
pull-kubernetes-e2e-kops-aws Job succeeded.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped
pull-kubernetes-local-e2e-containerized Skipped
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.