Cherry pick of #59686 #67224: Add cloud-provider policies to be applied via addon mgr #66872

@grayluck grayluck commented Aug 1, 2018

Cherry pick of #59686 and #67224 on release-1.9.

#59686: Add cloud-provider policies to be applied via addon mgr
#67224: Add namespace for (cluster)role(binding) cloud-provider.

Grant service account permissions to create/update events.

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Aug 1, 2018
@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 1, 2018
@k8s-github-robot

This PR is not for the master branch but does not have the cherrypick-approved label. Adding the do-not-merge/cherry-pick-not-approved label.

@k8s-github-robot k8s-github-robot added the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label Aug 1, 2018
@grayluck
Contributor Author

grayluck commented Aug 1, 2018

/hold Need test before applying this auto cherrypick.
/uncc @vishh

@k8s-ci-robot k8s-ci-robot removed the request for review from vishh August 1, 2018 20:25
@grayluck
Contributor Author

grayluck commented Aug 1, 2018

/hold

@grayluck grayluck closed this Aug 1, 2018
@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 1, 2018
@grayluck grayluck reopened this Aug 1, 2018
@grayluck
Contributor Author

grayluck commented Aug 1, 2018

  1. ClusterRole for cloud-provider observed. Rules showed up for events and configmaps.
  2. plugin/pkg/auth/authorizer/rbac/bootstrappolicy/namespace_policy.go will init and apply bootstrap policy as one of the postStartHooks for apiserver. I killed the apiserver. After it reboots, the rules remain.

@grayluck
Contributor Author

grayluck commented Aug 2, 2018

  1. The ILB service can report firewall events after the fix.

No conflict observed between policies created by kube-apiserver when bootstrap and those created with addon when create-lb-controller.
The PR is good to go.
/unhold
/assign @tallclair @liggitt

@grayluck
Contributor Author

grayluck commented Aug 2, 2018

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 2, 2018
@grayluck
Contributor Author

grayluck commented Aug 2, 2018

/priority important-soon
/sig auth
/release-note-none

@k8s-ci-robot k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. sig/auth Categorizes an issue or PR as relevant to SIG Auth. release-note-none Denotes a PR that doesn't merit a release note. labels Aug 2, 2018
@tallclair
Member

/assign @bowei
/ok-to-test

@k8s-ci-robot k8s-ci-robot removed the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Aug 2, 2018
@tallclair
Member

Why does this need to be cherrypicked? What is broken right now?

@grayluck
Contributor Author

grayluck commented Aug 3, 2018

/retest

@grayluck grayluck changed the title Automated cherry pick of #59686: Add cloud-provider policies to be applied via addon mgr Cherry pick of #59686 #67224: Add cloud-provider policies to be applied via addon mgr Aug 10, 2018
@grayluck
Contributor Author

Thanks Tim. PR#67244 created. Description modified so that this is no longer auto cherrypick, but cherrypick for #59686 #67224.

/hold
Waiting for #67224 to be merged first.

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-none Denotes a PR that doesn't merit a release note. labels Aug 10, 2018
@grayluck grayluck force-pushed the automated-cherry-pick-of-#59686-upstream-release-1.9 branch from 4b0036a to 568e82c Compare September 5, 2018 02:50
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Sep 5, 2018
@grayluck grayluck force-pushed the automated-cherry-pick-of-#59686-upstream-release-1.9 branch 3 times, most recently from c67da9f to 07c9ae8 Compare September 5, 2018 02:56
@grayluck grayluck force-pushed the automated-cherry-pick-of-#59686-upstream-release-1.9 branch from 07c9ae8 to eef2aa2 Compare September 5, 2018 02:58
@grayluck
Contributor Author

grayluck commented Sep 5, 2018

Manual test passed in e2e cluster:

$ kk auth can-i create events --as=system:serviceaccount:kube-system:cloud-provider
yes
$ kk auth can-i list configmaps --as=system:serviceaccount:kube-system:cloud-provider
yes

Expected role/clusterroles observed.
/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 5, 2018
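
The `can-i` checks in the manual test above can be reproduced offline, with negative cases added to confirm the service account got no more than intended. This is an added example, not code from the PR or from Kubernetes: the `Grant` type, `CanI`, and the sample policy (including which rule is cluster-wide and which is limited to kube-system) are assumptions made for illustration, and only the rule-matching part of RBAC is modelled.

```go
package main

import "fmt"

// Grant is one RBAC rule as bound to a subject. Namespace "" models a
// ClusterRoleBinding (all namespaces); otherwise a namespaced RoleBinding.
type Grant struct {
	Subject, Namespace       string
	Groups, Resources, Verbs []string
}

// has reports whether list contains want or the RBAC wildcard "*".
func has(list []string, want string) bool {
	for _, v := range list {
		if v == "*" || v == want {
			return true
		}
	}
	return false
}

// CanI mirrors `kubectl auth can-i`: RBAC is additive, so one matching grant allows.
func CanI(grants []Grant, subject, ns, group, resource, verb string) bool {
	for _, g := range grants {
		if g.Subject != subject || (g.Namespace != "" && g.Namespace != ns) {
			continue
		}
		if has(g.Groups, group) && has(g.Resources, resource) && has(g.Verbs, verb) {
			return true
		}
	}
	return false
}

const cloudProvider = "system:serviceaccount:kube-system:cloud-provider"

// samplePolicy is constructed for illustration; it is not the PR's manifest.
func samplePolicy() []Grant {
	core := []string{""} // "" is the core API group
	return []Grant{
		{cloudProvider, "", core, []string{"events"}, []string{"create", "update"}},
		{cloudProvider, "kube-system", core, []string{"configmaps"}, []string{"get", "list"}},
	}
}

func main() {
	fmt.Println(CanI(samplePolicy(), cloudProvider, "default", "", "events", "create"))
	fmt.Println(CanI(samplePolicy(), cloudProvider, "kube-system", "", "secrets", "get"))
}
```
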
@grayluck
Contributor Author

grayluck commented Sep 5, 2018

/retest

@bowei
Member

bowei commented Sep 10, 2018

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 10, 2018
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, grayluck

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 10, 2018
@grayluck
Contributor Author

/assign @mbohlool
For milestone 1.9 and cherrypick approval. Thanks!

@grayluck
Contributor Author

grayluck commented Sep 12, 2018

/priority critical-urgent
We have GKE users affected. This PR needs to be cherrypicked to the next 1.9 release.

@k8s-ci-robot k8s-ci-robot added the priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. label Sep 12, 2018
@mbohlool
Contributor

@grayluck Please be aware that the release note on this PR will be ignored and the release tool will use two release notes on the original PRs. If you need to change the text of release notes, please do so on those PRs.

@mbohlool mbohlool added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. and removed do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. labels Sep 17, 2018
@grayluck
Contributor Author

grayluck commented Sep 17, 2018

That's fine. The release notes on the original PRs explain themselves. Thanks Mehdy!

@grayluck
Contributor Author

/retest

@k8s-ci-robot k8s-ci-robot merged commit b65e797 into kubernetes:release-1.9 Sep 18, 2018