
Enable node to update CNI kubeconfig as needed #344

Merged

Conversation

@caseydavenport (Member) commented Oct 10, 2019

When using projected serviceaccount tokens, the kubelet will rotate the token file periodically. This invalidates the one in use by the Calico CNI plugin.

This PR enables node to detect when the token has changed, and update the CNI plugin's kubeconfig file with the new information in response, so long as the following is true:

  • CALICO_MANAGE_CNI is set
  • The CNI network directory is mounted into calico/node.

  • Tests
  • Documentation
  • Release note

calico/node now updates CNI kubeconfig when credentials change
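The rotation handling the description refers to, as an added example that is not Calico's own code: a small Go poller that re-reads the projected serviceaccount token file and rewrites the CNI plugin's kubeconfig only when the token has actually changed. The TokenSyncer type, the kubeconfig layout, the API server address, the poll interval and the demo paths are assumptions for illustration, not taken from the PR.

```go
package main

import (
	"context"
	"crypto/sha256"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

// Minimal kubeconfig for a CNI plugin; cluster/user names are hypothetical.
const kubeconfigTemplate = `apiVersion: v1
kind: Config
clusters:
- name: local
  cluster:
    server: %s
    certificate-authority: %s
users:
- name: calico
  user:
    token: %s
contexts:
- name: calico-context
  context:
    cluster: local
    user: calico
current-context: calico-context
`

// TokenSyncer remembers a hash of the last token it wrote so the kubeconfig
// is rewritten only when the kubelet has actually rotated the token.
type TokenSyncer struct {
	TokenPath      string // projected serviceaccount token (rotated by kubelet)
	KubeconfigPath string // kubeconfig read by the CNI plugin
	APIServer      string
	CAFile         string
	lastHash       [sha256.Size]byte
	seen           bool
}

// RenderKubeconfig fills the template with the current token.
func RenderKubeconfig(apiServer, caFile, token string) string {
	return fmt.Sprintf(kubeconfigTemplate, apiServer, caFile, token)
}

// SyncOnce reads the token file and, when its contents differ from the last
// token written, replaces the kubeconfig atomically (temp file + rename) so
// the CNI plugin never observes a half-written file. Returns whether it wrote.
func (s *TokenSyncer) SyncOnce() (bool, error) {
	raw, err := os.ReadFile(s.TokenPath)
	if err != nil {
		return false, fmt.Errorf("reading token: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if token == "" {
		// An empty file can be seen mid-rotation; keep the existing kubeconfig.
		return false, nil
	}
	h := sha256.Sum256([]byte(token))
	if s.seen && h == s.lastHash {
		return false, nil
	}
	tmp := s.KubeconfigPath + ".tmp"
	// 0600: the kubeconfig carries a bearer token for the API server.
	if err := os.WriteFile(tmp, []byte(RenderKubeconfig(s.APIServer, s.CAFile, token)), 0o600); err != nil {
		return false, fmt.Errorf("writing kubeconfig: %w", err)
	}
	if err := os.Rename(tmp, s.KubeconfigPath); err != nil {
		return false, fmt.Errorf("replacing kubeconfig: %w", err)
	}
	s.lastHash, s.seen = h, true
	return true, nil
}

// Run polls the token file at the given interval until ctx is cancelled.
func (s *TokenSyncer) Run(ctx context.Context, interval time.Duration) {
	tick := time.NewTicker(interval)
	defer tick.Stop()
	for {
		if updated, err := s.SyncOnce(); err != nil {
			fmt.Fprintln(os.Stderr, "token sync:", err)
		} else if updated {
			fmt.Println("kubeconfig rewritten with rotated token")
		}
		select {
		case <-ctx.Done():
			return
		case <-tick.C:
		}
	}
}

func main() {
	// Stand-alone demo: a constructed token in a temp dir, "rotated" once by a
	// goroutine standing in for the kubelet.
	dir, _ := os.MkdirTemp("", "cni-token-demo")
	defer os.RemoveAll(dir)
	tokenPath := filepath.Join(dir, "token")
	_ = os.WriteFile(tokenPath, []byte("constructed-token-1\n"), 0o600)
	s := &TokenSyncer{TokenPath: tokenPath, KubeconfigPath: filepath.Join(dir, "kubeconfig"),
		APIServer: "https://10.96.0.1:443", CAFile: "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt"}
	ctx, cancel := context.WithTimeout(context.Background(), 400*time.Millisecond)
	defer cancel()
	go func() {
		time.Sleep(150 * time.Millisecond)
		_ = os.WriteFile(tokenPath, []byte("constructed-token-2\n"), 0o600)
	}()
	s.Run(ctx, 50*time.Millisecond)
}
```

Two points worth noting for anyone doing this for real: the kubelet swaps the projected token by updating a symlinked directory, so comparing file contents (here a hash) is more robust than watching a single inode or mtime, and the write-then-rename keeps the plugin from reading a truncated kubeconfig while a container is being set up. The empty-file check covers the short window during that swap in which a read can return nothing.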
tmjd (Member) left a comment

This feels odd to me when we used to have a CNI pod that ran to monitor certificates. Do we just need that reinstated to monitor this also?

pkg/cni/token_watch.go (review comment, outdated, resolved)
pkg/cni/token_watch.go (review comment, resolved)
@caseydavenport (Member, Author) commented Oct 10, 2019

> This feels odd to me when we used to have a CNI pod that ran to monitor certificates. Do we just need that reinstated to monitor this also?

@tmjd We could, fundamentally. I think this is simpler and nicer (the old approach was some janky bash script). The old approach was also just for etcd secrets, not the k8s API access credentials.

@caseydavenport caseydavenport force-pushed the caseydavenport:manage-cni-config branch 2 times, most recently from 92b18d5 to eeae432 Oct 10, 2019
@tmjd (Member) approved these changes Oct 10, 2019

tmjd left a comment

LGTM
Two minor concerns but if I'm just being paranoid then feel free to go with this.

pkg/cni/token_watch.go (review comment, resolved)
pkg/cni/token_watch.go (review comment, outdated, resolved)
@caseydavenport caseydavenport force-pushed the caseydavenport:manage-cni-config branch from ee60bda to 22fbecc Oct 10, 2019
@caseydavenport caseydavenport merged commit d231045 into projectcalico:master Oct 10, 2019
2 checks passed
license/cla: Contributor License Agreement is signed.
semaphoreci: The build passed on Semaphore.
@caseydavenport caseydavenport deleted the caseydavenport:manage-cni-config branch Oct 10, 2019