Remove deprecated Kubelet security controls #77820

@dims
Member

commented May 13, 2019

What type of PR is this?
/kind cleanup

What this PR does / why we need it:

fix: #58010

Co-Authored-By: chaowang chaowang95@outlook.com

Does this PR introduce a user-facing change?:

ACTION REQUIRED: Deprecated Kubelet security controls AllowPrivileged, HostNetworkSources, HostPIDSources, HostIPCSources have been removed. Enforcement of these restrictions should be done through admission control instead (e.g. PodSecurityPolicy).
ACTION REQUIRED: The deprecated Kubelet flag `--allow-privileged` has been removed. Remove any use of `--allow-privileged` from your kubelet scripts or manifests.
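
The release note above asks operators to remove `--allow-privileged` from kubelet scripts and manifests, and the commit on this PR describes the removal as "Same as defaulting allow-privileged to true". An added example, not part of the original PR: a shell audit that finds the flag and separates occurrences that can simply be deleted from those set to a false value, where the restriction has to move to admission control. The function names and the sample unit file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the PR): report kubelet files that still pass the
# removed --allow-privileged flag, and say what each occurrence needs.
#   drop             bare or true value; deleting the flag changes nothing
#   needs-admission  false value; the node-level restriction goes away, so
#                    admission control has to enforce it instead
# Usage: audit_allow_privileged FILE...   ("-" reads standard input)
audit_allow_privileged() {
  for f in "$@"; do
    awk -v file="$f" '
      /^[ \t]*#/ { next }                      # ignore commented-out lines
      {
        line = $0
        while (match(line, /--allow-privileged(=[A-Za-z0-9]+)?/)) {
          tok  = substr(line, RSTART, RLENGTH)
          line = substr(line, RSTART + RLENGTH)
          # A longer flag name that only shares the prefix is not a hit.
          if (line ~ /^[A-Za-z0-9_-]/) continue
          # Values that Go strconv.ParseBool reads as false.
          verdict = (tok ~ /=(0|f|F|false|FALSE|False)$/) ? "needs-admission" : "drop"
          print file ":" NR ":" verdict
        }
      }' "$f"
  done
}

# Constructed sample: a systemd drop-in for the kubelet. The paths, the label
# and --allow-privileged-extra are made up for the demonstration.
sample_unit() {
  cat <<'EOF'
[Service]
# --allow-privileged=true was the old setting
ExecStart=/usr/bin/kubelet \
  --config=/var/lib/kubelet/config.yaml \
  --allow-privileged=false \
  --node-labels=role=worker
Environment="KUBELET_EXTRA_ARGS=--allow-privileged --allow-privileged-extra"
EOF
}

sample_unit | audit_allow_privileged -
```
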
@dims

Member Author

commented May 13, 2019

/test pull-kubernetes-e2e-gce

@dims

Member Author

commented May 13, 2019

/test pull-kubernetes-conformance-image-test

@dims dims force-pushed the dims:charrywanganthony-pr-71835-delete-kubelet-security-controls branch from 1c5b26a to 23b74f7 May 13, 2019

@dims

Member Author

commented May 13, 2019

/retest

@dims dims force-pushed the dims:charrywanganthony-pr-71835-delete-kubelet-security-controls branch from 30662ba to 357dffb May 13, 2019

@dims

Member Author

commented May 13, 2019

/test pull-kubernetes-e2e-gce-device-plugin-gpu

@dims dims changed the title [WIP] Remove deprecated Kubelet security controls Remove deprecated Kubelet security controls May 13, 2019

@dims

Member Author

commented May 13, 2019

@dims

Member Author

commented May 13, 2019

/priority important-soon
/kind cleanup

@dims

Member Author

commented May 18, 2019

/retest

@dims

Member Author

commented May 19, 2019

/skip

@mtaufen

Contributor

commented May 20, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label May 20, 2019

@dims

Member Author

commented May 21, 2019

@liggitt can you please approve if appropriate? (this has @mtaufen 's lgtm now)

@liggitt
Member

left a comment

a couple nits, just to avoid leaving dead code in place

cmd/kubelet/app/server.go (outdated, resolved)
cmd/kubelet/app/server.go (outdated, resolved)
@liggitt

Member

commented May 21, 2019

/approve

/hold
for last cleanup comments

Same as defaulting allow-privileged to true
Change-Id: Ib0337bd4eabf9c0cc0d3b0c5a865ed0c468ba370

@dims dims force-pushed the dims:charrywanganthony-pr-71835-delete-kubelet-security-controls branch from 323fe53 to c7dcb61 May 21, 2019

@k8s-ci-robot k8s-ci-robot removed the lgtm label May 21, 2019

@liggitt

Member

commented May 21, 2019

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm label May 21, 2019

@k8s-ci-robot

Contributor

commented May 21, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: dims, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@dims

Member Author

commented May 22, 2019

/hold cancel

done with "cleanup comments"

@k8s-ci-robot k8s-ci-robot merged commit 4f33b5f into kubernetes:master May 22, 2019

20 checks passed

cla/linuxfoundation dims authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-conformance-image-test Job succeeded.
pull-kubernetes-cross Skipped.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-csi-serial Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gce-storage-slow Skipped.
pull-kubernetes-godeps Skipped.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Job succeeded.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped.
tide In merge pool.
@andyzhangx andyzhangx referenced this pull request May 28, 2019
0 of 4 tasks complete
@akutz akutz referenced this pull request Jun 6, 2019
rfranzke added a commit to gardener/gardener that referenced this pull request Jun 20, 2019
Adapt Kubelet flags
See kubernetes/kubernetes#77820
Also:

```
Jun 20 15:09:21 ip-10-250-0-205.eu-west-1.compute.internal hyperkube[2405]: W0620 15:09:21.310565    2405 options.go:251] unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels: [kubernetes.io/role node-role.kubernetes.io/node]
Jun 20 15:09:21 ip-10-250-0-205.eu-west-1.compute.internal hyperkube[2405]: W0620 15:09:21.310583    2405 options.go:252] in 1.16, --node-labels in the 'kubernetes.io' namespace must begin with an allowed prefix (kubelet.kubernetes.io, node.kubernetes.io) or be in the specifically allowed set (beta.kubernetes.io/arch, beta.kubernetes.io/instance-type, beta.kubernetes.io/os, failure-domain.beta.kubernetes.io/region, failure-domain.beta.kubernetes.io/zone, failure-domain.kubernetes.io/region, failure-domain.kubernetes.io/zone, kubernetes.io/arch, kubernetes.io/hostname, kubernetes.io/instance-type, kubernetes.io/os)
```
@tedyu tedyu referenced this pull request Jun 21, 2019
rfranzke added a commit to gardener/gardener that referenced this pull request Jun 21, 2019
Adapt Kubelet flags
See kubernetes/kubernetes#77820
Also:

```
Jun 20 15:09:21 ip-10-250-0-205.eu-west-1.compute.internal hyperkube[2405]: W0620 15:09:21.310565    2405 options.go:251] unknown 'kubernetes.io' or 'k8s.io' labels specified with --node-labels: [kubernetes.io/role node-role.kubernetes.io/node]
Jun 20 15:09:21 ip-10-250-0-205.eu-west-1.compute.internal hyperkube[2405]: W0620 15:09:21.310583    2405 options.go:252] in 1.16, --node-labels in the 'kubernetes.io' namespace must begin with an allowed prefix (kubelet.kubernetes.io, node.kubernetes.io) or be in the specifically allowed set (beta.kubernetes.io/arch, beta.kubernetes.io/instance-type, beta.kubernetes.io/os, failure-domain.beta.kubernetes.io/region, failure-domain.beta.kubernetes.io/zone, failure-domain.kubernetes.io/region, failure-domain.kubernetes.io/zone, kubernetes.io/arch, kubernetes.io/hostname, kubernetes.io/instance-type, kubernetes.io/os)
```
openstack-gerrit pushed a commit to openstack/magnum that referenced this pull request Jul 5, 2019
Add build-arg for --allow-privileged
kubernetes/kubernetes#77820
https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#node

story: 2005124

Change-Id: I2935d34ace08800c805028f1673bc515f2f577e6
Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>
openstack-gerrit added a commit to openstack/openstack that referenced this pull request Jul 5, 2019
Update git submodules
* Update magnum from branch 'master'
  - Merge "Add build-arg for --allow-privileged"
  - Add build-arg for --allow-privileged
    
    kubernetes/kubernetes#77820
    https://github.com/kubernetes/kubernetes/blob/master/CHANGELOG-1.15.md#node
    
    story: 2005124
    
    Change-Id: I2935d34ace08800c805028f1673bc515f2f577e6
    Signed-off-by: Spyros Trigazis <spyridon.trigazis@cern.ch>