inject clusterrolebinding for apiserver in pool-coordinator to enable kubectl logs within nodepool scope #1384
… kubectl logs Signed-off-by: Congrool <chpzhangyifei@zju.edu.cn>
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Congrool The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Kudos, SonarCloud Quality Gate passed!
Codecov Report
@@ Coverage Diff @@
## master #1384 +/- ##
=======================================
Coverage 51.48% 51.48%
=======================================
Files 125 125
Lines 15021 15021
=======================================
Hits 7733 7733
Misses 6589 6589
Partials 699 699
Flags with carried forward coverage won't be shown. Click here to find out more. |
/hold Need to solve the situation where the node is disconnected from the network. The pool-coordinator may fail to restart.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
New PR to solve this problem: #1637, close this one now.
/close
@Congrool: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
What type of PR is this?
/kind enhancement
What this PR does / why we need it:
Currently, `kubectl logs` to poolcoordinator cannot work because the apiserver in pool-coordinator is not authorized to access the kubelet server; in other words, it cannot get the sub-resources `proxy/logs`. This PR will inject the related RBAC rule to enable the apiserver to access the kubelet server. It works in the following step:
`initContainer`, which is `alpine:3.14`, to get necessary tools that are used to inject RBAC. Tools include `busybox.static`, which is a statically linked busybox that can run in the kube-apiserver container without any dynamic link lib, and `kubectl`, which is actually used to send requests to the apiserver to create RBAC rules.
Why not use the postStart hook of the kube-apiserver container:
After adding the postStart hook, the kube-apiserver is too slow to be ready (typically over 20s) and will exit when exceeding the internal dial timeout (20s, used to dial to etcd, and it's unconfigurable). This causes the pool-coordinator to be unable to become ready and, of course, the postStart hook cannot get successfully executed.
I've not figured out why adding the postStart hook has an influence on kube-apiserver.
Other note
TODOs:
Currently the test `kubeclt logs can work within nodepool` has not got done yet, but I think it can work since we tested it through manually creating rbac into pool-coordinator before releasing openyurt v1.12.
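Added example, not part of the PR or of OpenYurt's code: a small RBAC evaluation over constructed objects that shows which kubelet subresources a user lacks before a ClusterRoleBinding exists and that the binding closes exactly that gap. It assumes the `proxy/logs` in the description refers to the `nodes/proxy` and `nodes/log` subresources; the user, role and binding names are hypothetical.

```python
# Added example (not OpenYurt code): evaluate constructed RBAC objects to see
# whether a user may reach the kubelet subresources named in the PR description.
NEEDED = ("nodes/proxy", "nodes/log")  # assumption: what "proxy/logs" refers to

def rule_allows(rule, verb, resource):
    """RBAC matching for a core-group resource, including '*' and '*/sub' forms."""
    if not {"", "*"} & set(rule.get("apiGroups", [])):
        return False
    if not {verb, "*"} & set(rule.get("verbs", [])):
        return False
    sub = resource.partition("/")[2]
    wanted = {resource, "*"} | ({"*/" + sub} if sub else set())
    return bool(wanted & set(rule.get("resources", [])))

def bound_roles(user, groups, bindings):
    """Names of ClusterRoles bound to the user directly or through a group."""
    names = set()
    for b in bindings:
        for s in b.get("subjects", []):
            if (s["kind"] == "User" and s["name"] == user) or \
               (s["kind"] == "Group" and s["name"] in groups):
                names.add(b["roleRef"]["name"])
    return names

def missing_for_logs(user, groups, roles, bindings, verb="get"):
    """Return the needed subresources the user is NOT granted for this verb."""
    active_names = bound_roles(user, groups, bindings)
    active = [r for r in roles if r["metadata"]["name"] in active_names]
    return [res for res in NEEDED
            if not any(rule_allows(rule, verb, res)
                       for r in active for rule in r["rules"])]

# Constructed sample objects; every name below is hypothetical.
APISERVER_USER = "example-pool-coordinator-apiserver"
ROLE = {"metadata": {"name": "example:kubelet-logs"},
        "rules": [{"apiGroups": [""], "verbs": ["get"],
                   "resources": ["nodes/proxy", "nodes/log"]}]}
BINDING = {"metadata": {"name": "example:apiserver-kubelet-logs"},
           "roleRef": {"kind": "ClusterRole", "name": "example:kubelet-logs"},
           "subjects": [{"kind": "User", "name": APISERVER_USER}]}

if __name__ == "__main__":
    print("before binding:", missing_for_logs(APISERVER_USER, [], [ROLE], []))
    print("after binding: ", missing_for_logs(APISERVER_USER, [], [ROLE], [BINDING]))
```

The same check run with a write verb such as `create` still reports both subresources as missing, which confirms the constructed role grants read access only.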