Templatize KubeVirt namespace #61
kubectl label namespace {{ .Release.Namespace }} kubevirt.io=""; | ||
kubectl label namespace {{ .Release.Namespace }} pod-security.kubernetes.io/enforce="privileged"; |
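Review bot: both `kubectl label` calls omit `--overwrite`, so the hook fails when the release namespace already carries either key with a different value, for example a pre-created namespace labelled `pod-security.kubernetes.io/enforce=baseline`. Consider adding `--overwrite` so the hook is idempotent. The second label also lifts Pod Security admission restrictions for every pod in the release namespace, not only KubeVirt's own, so the chart documentation should say to install into a namespace dedicated to KubeVirt.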
These are labels which the upstream manifests are shipped with. Unfortunately, there wasn't an easier way to do this than a pre-install hook... helm/helm#3503 (comment)
My only concern is that everything related to this is a leftover that will live in the cluster for no reason. Honestly I don't know how to fix it but maybe the container can remove "everything" after the namespace is labeled? I mean, running kubectl delete role kubevirt-namespace-modifier, etc.
They won't live forever, the delete policy drops them all immediately.
root@atanas:~/charts/charts# helm install kubevirt kubevirt/0.2.0 -n kubevirt --create-namespace --debug
install.go:192: [debug] Original chart version: ""
install.go:209: [debug] CHART PATH: /root/charts/charts/kubevirt/0.2.0
client.go:128: [debug] creating 1 resource(s)
install.go:151: [debug] CRD kubevirts.kubevirt.io is already present. Skipping.
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 1 resource(s)
client.go:540: [debug] Watching for changes to Job kubevirt-namespace-modifier with timeout of 5m0s
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: ADDED
client.go:607: [debug] kubevirt-namespace-modifier: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: MODIFIED
client.go:607: [debug] kubevirt-namespace-modifier: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: MODIFIED
client.go:607: [debug] kubevirt-namespace-modifier: Jobs active: 0, jobs failed: 0, jobs succeeded: 0
client.go:568: [debug] Add/Modify event for kubevirt-namespace-modifier: MODIFIED
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" ServiceAccount
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" Role
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" RoleBinding
client.go:310: [debug] Starting delete for "kubevirt-namespace-modifier" Job
You can ignore my comment then :D Sorry for the noise.
Changes look solid, I have concerns about the security implications that come with labelling a full namespace as pod-security.kubernetes.io/enforce="privileged" though..
Taking into account that this is something that comes from the upstream manifests, I'll approve this.
helm install kubevirt <chart-repo> -n <namespace> --create-namespace
kubevirt namespace was specified but it was already part of the chart itself