OCPNODE-2098: Add static pod for kube-rbac-proxy-crio #4175
16324c2 to 12bb710
@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/820f5280-c6d5-11ee-97cb-3e05c7124d92-0
@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/896bb770-c93d-11ee-8788-320a5f153a65-0
d32a2a9 to 410e914
@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/0d734920-c9ca-11ee-824a-026157b75804-0
410e914 to b8995e3
@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/56f50e00-ca7c-11ee-974b-7cd8f62e7155-0
08b787a to 5d99f07
@rphillips: This PR was included in a payload test run from openshift/cluster-monitoring-operator#2257
See details on https://pr-payload-tests.ci.openshift.org/runs/ci/71d442f0-d03e-11ee-95a3-a9525782e9b1-0
@rphillips: This pull request references OCPNODE-2098 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/cherry-pick release-4.15
@rphillips: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/hold until openshift/origin#28636 merges.
@rphillips: This pull request references OCPNODE-2098 which is a valid jira issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.
/test e2e-aws-ovn
/hold cancel openshift/origin#28636 merged
/lgtm
some service account and port questions. but looks good!
ports: | ||
- containerPort: 9637 | ||
args: | ||
- --secure-listen-address=:9637 |
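Review bot: `--secure-listen-address=:9637` has no host part, so in a hostNetwork static pod the listener binds on every interface of the node, not just the ones that need to serve Prometheus; the port choice (9637, as the author explains, 100 above crio's 9537) and the fact that this port is reachable from off-node should be stated in a comment above `- containerPort: 9637`, since operators will meet it in firewall and security-group rules. Suggest also stating in that comment whether the plain 9537 endpoint is reachable only on loopback, so the reason for the proxy is visible in the manifest itself.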
any specific reason for this port?
The usual port is 9537. To make it easier to identify the secure port I used 9637 (100 more than the insecure one). (9637 is not in use by the /etc/services file).
- --logtostderr=true | ||
- --kubeconfig=/var/lib/kubelet/kubeconfig | ||
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
- --upstream=http://127.0.0.1:9537 |
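Review bot: `--kubeconfig=/var/lib/kubelet/kubeconfig` makes the proxy talk to the API server with the node's kubelet credentials; for a static pod without a service account that is the credential available, but it widens what the kubelet credential is used for, so a comment explaining why the proxy needs API access at all (and that it cannot obtain a service account token) would save the next reviewer the question. The `--tls-cipher-suites` list is restricted to ECDHE AEAD suites, which is good; the hunk does not show a minimum TLS version being pinned, so confirm that is set elsewhere in the manifest. `--upstream=http://127.0.0.1:9537` is plaintext, which is acceptable only because the hop stays on loopback; a one-line comment saying so would make the intent explicit.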
our kube-rbac-proxy ctrs usually use a different port, I am forgetting which. Should we mimic that here?
The kube-rbac-proxy is exposing a host network port (9637) and forwarding to the host's 9537 port. I slightly deviated from the usual construct due to host networking.
path: /metrics | ||
verb: get | ||
user: | ||
name: system:serviceaccount:openshift-monitoring:prometheus-k8s |
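Review bot: this static rule allows `get` on `/metrics` only for `system:serviceaccount:openshift-monitoring:prometheus-k8s`, and since a static pod has no service account token to present, that user name has to be taken from a client certificate the proxy has verified against a client CA; the hunk does not show that CA being configured, so it should be checked that it is, otherwise the rule can never match and every scrape is denied. The `path: /metrics` value is an exact match, so `/metrics/` and every other path are refused, which is the right default; a short comment on the rule saying both of these things would answer the service-account question raised in review without a follow-up.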
is this using the openshift-monitoring SA? In our other kube-rbac-proxy pods we specify which serviceAccountName: we want to use. Where is that happening in this PR?
This new kube-rbac-proxy-crio service does not have access to service account secrets due to being a static pod. Instead, we are using client side certificate validation and only allowing the system:serviceaccount:openshift-monitoring:prometheus-k8s user.
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: cdoern, harche, rphillips. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/cherry-pick release-4.15
@rphillips: once the present PR merges, I will cherry-pick it on top of release-4.15 in a new PR and assign it to you. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
@rphillips: The following test failed, say
Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.
/test e2e-gcp-op-single-node
a073953 into openshift:master
@rphillips: #4175 failed to apply on top of branch "release-4.15":
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
[ART PR BUILD NOTIFIER] This PR has been included in build ose-machine-config-operator-container-v4.16.0-202403081913.p0.ga073953.assembly.stream.el8 for distgit ose-machine-config-operator.
This PR adds a static pod to the MCO to lay down a kube-rbac-proxy to secure crio's metrics port. The TLS endpoint supports cert-based authentication for monitoring.
Merge information
After all the above backports are merged, then
This PR will need to be backported to EUS 4.14.