-
Notifications
You must be signed in to change notification settings - Fork 449
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support for Multiarch Manager Operator #1417
Conversation
/cc @aleskandro |
46dcb80
to
c4e4a16
Compare
the`/etc/containers/policy.json` and `/etc/containers/registries.conf` files in the pod placement controller according | ||
to the settings of the `image.config.openshift.io/cluster` object's registrySources fields |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
(BTW callers of the containers/image library can point it at other locations, so the code does not necessarily need root inside the container to be able to overwrite files in /etc
.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We will not leverage a privileged/rooted pod for changing this folder and will address the actual location of the files at implementation time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think identifying the outcome of the question I had about ExcludedNamespaces
vs a MatchExpressions
is currently blocking any further API review, read through the rest of the enhancement though and only found a couple of things to comment on
f8be040
to
69fcb65
Compare
@JoelSpeed @ingvagabund could you PTAL the updates and let us know if you have more concerns or if all have been addressed? |
@Prashanth684 this mostly looks ready for approval, but:
e.g.:
and
|
@bparees most open conversations have been resolved except for the one about the deletion of the CR which I believe can be resolved as well. We went through the open questions section and updated it to remove some of them which we have found to not be necessary - for example the one you highlighted around investigating if disconnected installs have a special way of accessing pull secrets. After experimenting with the poc code, we found that to not be the case. The questions in the open questions section relate mainly to performance which we will only find as we experiment with the feature and collect data as it is being used. I believe there are no "blocker" questions which still need to be addressed. As for
I don't think we need this in the open questions as it can be seen as an "add-on" to the base feature which we can consider when the feature evolves and if we see a need when users start adopting it. |
All discussions appear to be resolved with the only remaining objection/question being about the global secrets permission requirement. I don't think there's a way for this to move forward w/o read permission on global secrets, so i think we need to accept that, but the fact that the operator will have those permissions definitely needs to be taken into consideration during implementation to ensure the permission cannot be abused by users to access/use secrets they can't normally use(including using this operator to fetch metadata about images they do not have access to themselves) /approve |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bparees The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/lgtm |
the only other person i'd like to take a look is @joelanford from the OLM perspective to see if there are any concerns (I don't expect any). I've asked him to take a look. |
Left a few comments, but nothing blocking. /lgtm |
This enhancement proposes a multiarch manager operator which will be a secondary OLM managed operator installable through OperatorHub. The operator will expose functionality which when configured, would allow pods to be scheduled on the appropriate architecture nodes based on the architecture of the container images. The name of the operator is chosen as such in case future functionality would need to be added that relates to multi-architectural workings. xref: https://issues.redhat.com/browse/MIXEDARCH-215 Co-authored-by: Alessandro Di Stefano <aleskandro@redhat.com>
@Prashanth684: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
/lgtm |
/hold cancel |
This enhancement proposes a multiarch manager operator which will be a secondary OLM managed operator installable through OperatorHub. The operator will expose functionality that when configured, would allow pods to be scheduled on the appropriate architecture nodes based on the architecture of the container images.
The operator's name is chosen as such in case future functionality would need to be added related to multi-architectural workings.
xref: https://issues.redhat.com/browse/MIXEDARCH-215
Co-authored-by: Alessandro Di Stefano aleskandro@redhat.com