Remove deprecated Kubelet security controls #77820

@dims dims commented May 13, 2019

What type of PR is this?
/kind cleanup

What this PR does / why we need it:

fix: #58010

Co-Authored-By: chaowang chaowang95@outlook.com

Does this PR introduce a user-facing change?:

ACTION REQUIRED: Deprecated Kubelet security controls AllowPrivileged, HostNetworkSources, HostPIDSources, HostIPCSources have been removed. Enforcement of these restrictions should be done through admission control instead (e.g. PodSecurityPolicy).
ACTION REQUIRED: The deprecated Kubelet flag `--allow-privileged` has been removed. Remove any use of `--allow-privileged` from your kubelet scripts or manifests.
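
The second action item above, as an added example (not part of this PR or of kubernetes/kubernetes): a pre-upgrade check that finds remaining uses of `--allow-privileged` in kubelet unit files, env files and manifests, plus a helper that emits a cleaned copy of one file. The function names and the kube-apiserver skip heuristic are assumptions made for this example.

```shell
#!/bin/sh
# Added example; function and variable names are constructed for illustration.
FLAG='--allow-privileged'
VAL="(=[^[:space:]\"']*)?"            # optional =value, stopping at a quote
Q="[\"']"                             # a single or double quote
FLAG_RE="${FLAG}${VAL}([[:space:]\"']|\$)"

# Print file:line:text for every use of the removed kubelet flag under the
# given paths. Returns 0 if any use is found, 1 if the paths are clean.
# Heuristic (assumption): a file that mentions kube-apiserver is skipped,
# because kube-apiserver has its own --allow-privileged flag, which the
# release note above does not cover.
find_removed_flag() {
    hits=$(grep -rlE -e "$FLAG_RE" "$@" 2>/dev/null |
        while IFS= read -r f; do
            grep -q 'kube-apiserver' "$f" && continue
            grep -HnE -e "$FLAG_RE" "$f"
        done)
    [ -n "$hits" ] && printf '%s\n' "$hits"
}

# Write file $1 to stdout with the flag removed and everything else kept.
# Rule 1 drops a YAML list item that holds only the flag; the loop removes
# the flag after whitespace; the last two rules handle a flag that directly
# follows an opening quote, keeping the quotes balanced.
strip_removed_flag() {
    sed -E \
        -e "/^[[:space:]]*-[[:space:]]+${Q}?${FLAG}${VAL}${Q}?[[:space:]]*\$/d" \
        -e ':again' \
        -e "s/[[:space:]]+${FLAG}${VAL}([[:space:]\"']|\$)/\\2/" \
        -e 'tagain' \
        -e "s/(${Q})${FLAG}${VAL}([[:space:]]+|\$)/\\1/" \
        -e "s/(${Q})${FLAG}${VAL}(${Q})/\\1\\3/" \
        "$1"
}
```

`find_removed_flag` succeeds when it finds something to fix, so a gate before a node upgrade should fail on exit status 0 and pass on 1. Review the output of `strip_removed_flag` before replacing the original file.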

@k8s-ci-robot k8s-ci-robot added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 13, 2019
@dims dims changed the title Remove deprecated Kubelet security controls [WIP] Remove deprecated Kubelet security controls May 13, 2019
@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. area/kubelet area/test sig/cluster-lifecycle Categorizes an issue or PR as relevant to SIG Cluster Lifecycle. sig/node Categorizes an issue or PR as relevant to SIG Node. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels May 13, 2019

dims commented May 13, 2019

/test pull-kubernetes-e2e-gce


dims commented May 13, 2019

/test pull-kubernetes-conformance-image-test

@dims dims force-pushed the charrywanganthony-pr-71835-delete-kubelet-security-controls branch from 1c5b26a to 23b74f7 Compare May 13, 2019 17:32

dims commented May 13, 2019

/retest

@dims dims force-pushed the charrywanganthony-pr-71835-delete-kubelet-security-controls branch from 30662ba to 357dffb Compare May 13, 2019 21:10

dims commented May 13, 2019

/test pull-kubernetes-e2e-gce-device-plugin-gpu

@dims dims changed the title [WIP] Remove deprecated Kubelet security controls Remove deprecated Kubelet security controls May 13, 2019
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 13, 2019

dims commented May 13, 2019

/assign @mtaufen @tallclair


dims commented May 13, 2019

/priority important-soon
/kind cleanup

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 20, 2019

dims commented May 21, 2019

@liggitt can you please approve if appropriate? (this has @mtaufen 's lgtm now)

@liggitt liggitt left a comment

a couple nits, just to avoid leaving dead code in place

cmd/kubelet/app/server.go (outdated, resolved)
cmd/kubelet/app/server.go (outdated, resolved)

liggitt commented May 21, 2019

/approve

/hold
for last cleanup comments

@k8s-ci-robot k8s-ci-robot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels May 21, 2019
Change-Id: Ib0337bd4eabf9c0cc0d3b0c5a865ed0c468ba370
@dims dims force-pushed the charrywanganthony-pr-71835-delete-kubelet-security-controls branch from 323fe53 to c7dcb61 Compare May 21, 2019 12:52
@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 21, 2019

liggitt commented May 21, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 21, 2019
@k8s-ci-robot

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, liggitt


dims commented May 22, 2019

/hold cancel

done with "cleanup comments"

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 22, 2019
@k8s-ci-robot k8s-ci-robot merged commit 4f33b5f into kubernetes:master May 22, 2019
rfranzke added a commit to gardener/gardener that referenced this pull request Jun 21, 2019
See kubernetes/kubernetes#77820
Also:

```
Jun 20 15:09:21 ip-10-250-0-205.eu-west-1.compute.internal hyperkube[2405]: W0620 15:09:21.310565    2405 options.go:251] unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels: [kubernetes.io/role node-role.kubernetes.io/node]
Jun 20 15:09:21 ip-10-250-0-205.eu-west-1.compute.internal hyperkube[2405]: W0620 15:09:21.310583    2405 options.go:252] in 1.16, --node-labels in the 'kubernetes.io' namespace must begin with an allowed prefix (kubelet.kubernetes.io, node.kubernetes.io) or be in the specifically allowed set (beta.kubernetes.io/arch, beta.kubernetes.io/instance-type, beta.kubernetes.io/os, failure-domain.beta.kubernetes.io/region, failure-domain.beta.kubernetes.io/zone, failure-domain.kubernetes.io/region, failure-domain.kubernetes.io/zone, kubernetes.io/arch, kubernetes.io/hostname, kubernetes.io/instance-type, kubernetes.io/os)
```
openstack-gerrit pushed a commit to openstack/magnum that referenced this pull request Jul 5, 2019
kubernetes/kubernetes#77820
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#node

story: 2005124

Change-Id: I2935d34ace08800c805028f1673bc515f2f577e6
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
openstack-gerrit pushed a commit to openstack/openstack that referenced this pull request Jul 5, 2019
* Update magnum from branch 'master'
  - Merge "Add build-arg for --allow-privileged"
  - Add build-arg for --allow-privileged
    
    kubernetes/kubernetes#77820
    https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#node
    
    story: 2005124
    
    Change-Id: I2935d34ace08800c805028f1673bc515f2f577e6
    Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>

Successfully merging this pull request may close these issues.

Remove deprecated Kubelet security controls in v1.13