New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug 1883458: switch to CRD for rangeallocation #39
Conversation
@@ -4,6 +4,8 @@ import ( | |||
"math/big" | |||
"testing" | |||
|
|||
securityinternalv1 "github.com/openshift/api/securityinternal/v1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
order
A nit. Plus needs real bump. /lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@deads2k: This pull request references Bugzilla bug 1883458, which is valid. The bug has been updated to refer to the pull request using the external bug tracker. 3 validation(s) were run on this bug
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@@ -29,7 +29,8 @@ import ( | |||
coreapi "k8s.io/kubernetes/pkg/apis/core" | |||
|
|||
securityv1 "github.com/openshift/api/security/v1" | |||
securityv1client "github.com/openshift/client-go/security/clientset/versioned/typed/security/v1" | |||
securityinternalv1 "github.com/openshift/api/securityinternal/v1" | |||
securityv1client "github.com/openshift/client-go/securityinternal/clientset/versioned/typed/securityinternal/v1" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: since you're using both security and securityinternal, I'd prefer this have securityinternalv1client - long but clear it's the internal
New changes are detected. LGTM label has been removed. |
/retest |
made the bump real. relabelling. |
@deads2k: All pull requests linked via external trackers have merged:
Bugzilla bug 1883458 has been moved to the MODIFIED state. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
based on openshift/api#751
We see numerous SCC pod failures across many namespaces: openshift/origin#25544 .
In the cluster-policy-controller, we see failures about an inability to manage rangeallocations. This is because it is served as an aggregated API from openshift-apiserver. We moved SCC to a CRD, but forgot it's dependencies. This PR creates a new RangeAllocation CRD that is schematically identical to the existing one, but now in the
security.internal.openshift.io
group. This does two thingsIn 4.6, we can change to the CRD without intermediate migration. This is possible because the cluster-policy-controller runs using a leader elected lease and its first act is to reconcile the rangeallocations with the namespaces that currently exist. See
cluster-policy-controller/pkg/security/controller/namespace_scc_allocation_controller.go
Lines 92 to 95 in eda513e
we
The change is relatively low risk.