-
Notifications
You must be signed in to change notification settings - Fork 2.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Deploy statusreconciler for prow.k8s.io #12258
Deploy statusreconciler for prow.k8s.io #12258
Conversation
Signed-off-by: Steve Kuznetsov <skuznets@redhat.com>
@@ -32,6 +32,7 @@ release( | |||
component("prowjob", "customresourcedefinition"), | |||
component("pushgateway", "deployment"), | |||
component("sinker", "deployment"), | |||
component("statusreconciler", "deployment"), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see build
and crier
use RBAC -- I don't fully understand when we can and cannot -- should I use it for status-reconciler
too?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would assume we can everywhere so long as it's properly configured?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cjwagner had some comments about turning off legacy authorization on the cluster?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think our cluster is ignoring RBAC because legacy authorization is enabled and I think it needs to be enabled until we figure out how to configure RBAC correctly for plank
, deck
, and sinker
to be authenticated and authorized to create/list/delete pods in separate build clusters. I'm not entirely certain about either of those points though.
ports: | ||
- name: http | ||
containerPort: 8888 | ||
- --blacklist=kubernetes/kubernetes |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FYI
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/hold
kind: ServiceAccount | ||
metadata: | ||
namespace: default | ||
name: "statusreconciler" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Does every service really needs it's own service account as opposed to one scoped for prow or some larger subset thereof?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
More granular permissions are better IMO
LGTM label has been added. Git tree hash: 5616aa868b0ef6884b3e9868e3e3d631f3a68d28
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjwagner, fejta, stevekuznetsov The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
Signed-off-by: Steve Kuznetsov skuznets@redhat.com
/assign @cjwagner @fejta