New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Admission controller not supporting --server-dry-run #2850
Comments
@olix0r @grampelberg This was the issue I was talking about at KubeCon EU, which is on my personal wishlist ☝️ |
I started looking at this issue, and From the docs here, A I also started looking at the sp-validator and proxy-injector webhooks, I don't see any side-effects i.e creation of any other resources, by both of the webhooks. If that is the case, I should be able to submit a PR containing the field |
@Pothulapati Setting Per slack convo, the other thing I will look out for is that the |
Hmm, I was working on the issue, and I was trying the Now, working on the PR. |
For Kubernetes versions <1.12.0, The installation fails as If supporting 1.11.0 is a hard requirement, we can have the check during the rendering as we already talk to the cluster during |
@Pothulapati I believe the currently support k8s versions are 1.12, 1.13 and 1.14 (https://kubernetes.io/docs/setup/version-skew-policy/). We should add a check that fails for unsupported cluster versions if we go that route though. |
@Pothulapati didn't this merge? |
@grampelberg I had the PR ready of getting the version and adding the flag only if the version is >= 1.12 but @ihcsim and I were discussing, as the checking version comes in the middle of install, should it proceed when we can't connect to a kubernetes API? As right now, when With all these paths, @ihcsim suggested to discuss with the team and check if this is really needed as 1.11 will not be supported somewhere down the line. WDYT? |
@grampelberg There was a question on how to handle this with the |
Officially supported k8s is now 1.13+, so my prefered solution would be to always include it and add a flag to remove it as part of Maybe as a separate PR bump the supported version in |
@Pothulapati Does that sound good to you? So we set |
Feature Request
What problem are you trying to solve?
Kubernetes >=1.12 added the new
--server-dry-run
flag (alpha in 1.12, beta in 1.13), which allows to test manifests against the apiserver and all the admission controllers. This is a great utility to fully test the integrity of a deployment as part CI and avoid any pitfalls caused by multiple admission controllers.Furthermore the
--server-dry-run
can be used along with--output
/-o
to retrieve the computed result.How should the problem be solved?
The admission controller should support
--server-dry-run
. An introductory post can be found here: https://kubernetes.io/blog/2019/01/14/apiserver-dry-run-and-kubectl-diff/If I understand the issue correctly only a minimal change to linkerd's
admissionregistration.k8s.io/v1beta1.Webhook
is necessary, it needs to specify thesideEffects
-field to indicate that it does not have side-effects on dry-runs.If there are side-effects I am unaware of (e.g. admission controller creates tls identities), the admission controller needs to disable the side-effects for workloads marked as dry-run.
How would users interact with this feature?
The user can then use the
--server-dry-run
to test deployments utilizing the linkerd admision controller, e.g.:The text was updated successfully, but these errors were encountered: