kubeadm: Make kubeadm use the right CSR approver for the right version #46864
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
2 similar comments
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://github.com/kubernetes/kubernetes/wiki/CLA-FAQ to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
luxas
force-pushed
the
kubeadm_fix_v16_csrs
branch
from
0bcdcb8 to
3da0f28
Compare
k8s-ci-robot
added
cncf-cla: yes
k8s-github-robot
added
approved
luxas
force-pushed
the
kubeadm_fix_v16_csrs
branch
from
3da0f28 to
ead8e40
Compare
|
@luxas Cool, but as a heads-up, our CI job was failing because of quota issues (fixed now), but hasn't rerun in a while because the submit queue is a little broken now (it seems that someone manually merged some commits that broke verification). No new commits have been merged into kubernetes for 16 hours or so, so it hasn't run in that long. That's not to say there weren't also other regressions caused by #45619 that might appear now, though. I believe @spxtr is the test-infra on-call and is looking into unblocking the submit queue. |
|
Actually, looks like #46863 should take care of it. |
|
@luxas: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
it wasn't a merge that broke master, it was a new git tag :-/ |
| if k8sVersion.LessThan(kubeadmconstants.MinimumCSRSARApproverVersion) { | ||
| // enable the former CSR group approver for v1.6 clusters. | ||
| // TODO(luxas): Remove this once we're targeting v1.8 at HEAD | ||
| defaultArguments["insecure-experimental-approve-all-kubelet-csrs-for-group"] = bootstrapapi.BootstrapGroup |
There was a problem hiding this comment.
@liggitt It was being set unconditionally in the defaultArguments slice initializer above. Now only for v1.6
There was a problem hiding this comment.
ah, and got removed by the SAR PR. ok.
|
this LGTM, but bazel is very unhappy |
|
I'll fixup the tests tomorrow or so, late here now. |
|
@pipejakob Is there a way to invoke the kubeadm CI with a (@)k8s-bot command btw? |
|
@k8s-bot pull-kubernetes-e2e-kubeadm-gce test this |
|
Oh, the kubeadm pull job actually depends on a successful completion of the bazel pull job (that's the step that builds/uploads the .debs we use), so I can't successfully trigger it until you have |
cmd/kubeadm/app/master/manifests.go
Outdated
| @@ -54,7 +55,7 @@ const ( | |||
| ) | |||
|
|
|||
| var ( | |||
| v170 = version.MustParseSemantic("v1.7.0-alpha.0") | |||
| v170alpha0 = version.MustParseSemantic("v1.7.0-alpha.0") | |||
There was a problem hiding this comment.
I actually prefer the v170 b/c we should only support released versions, correct?
k8s-github-robot
removed
the
approved
|
@luxas are you able to update this to fix bazel and tests? |
|
@liggitt Will do in a couple of hours. Sorry for the slight delay, am partially/have been OOO. |
liggitt
added
sig/cluster-lifecycle
luxas
force-pushed
the
kubeadm_fix_v16_csrs
branch
from
ead8e40 to
de2ef8f
Compare
|
@k8s-bot pull-kubernetes-e2e-kubeadm-gce test this |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
would like to see a green CI run for kubeadm - https://k8s-gubernator.appspot.com/pr/46864 |
|
/approve no-issue I must do this due to kubernetes/test-infra#2975 |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: liggitt, luxas No associated issue. Update pull-request body to add a reference to an issue, or get approval with The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
luxas
added
the
approved
|
Automatic merge from submit-queue (batch tested with PRs 46897, 46899, 46864, 46854, 46875) |
Automatic merge from submit-queue kubeadm: Enable the Node Authorizer/Admission plugin in v1.7 **What this PR does / why we need it**: This is similar to #46796, but for kubeadm. Basically it was a part of #46796, but there were some other upgradability and compability concerns for kubeadm I took care of while working today. Example: ```console $ kubeadm init --kubernetes-version v1.7.0-beta.0 [kubeadm] WARNING: kubeadm is in beta, please do not use it for production clusters. [init] Using Kubernetes version: v1.7.0-beta.0 [init] Using Authorization mode: [RBAC Node] ... $ sudo kubectl --kubeconfig=/etc/kubernetes/kubelet.conf get secret foo Error from server (Forbidden): User "system:node:thegopher" cannot get secrets in the namespace "default".: "no path found to object" (get secrets foo) $ echo '{"apiVersion":"v1","kind":"Node","metadata":{"name":"foo"}}' | sudo kubectl create -f - --kubeconfig=/etc/kubernetes/kubelet.conf Error from server (Forbidden): error when creating "STDIN": nodes "foo" is forbidden: node thegopher cannot modify node foo ``` **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: Depends on #46864 (uses that PR as a base, will rebase once it's merged) Please only review the second commit. Will also fix tests in a minute. **Release note**: ```release-note kubeadm: Enable the Node Authorizer/Admission plugin in v1.7 ``` @mikedanese @liggitt @pipejakob @roberthbailey @jbeda @timothysc
What this PR does / why we need it:
fixes regression caused in: #45619
Which issue this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close that issue when PR gets merged): fixes #Fixes: kubernetes/kubeadm#289
Special notes for your reviewer:
cc @pipejakob our e2e CI should probably go green after this change
Release note:
@mikedanese @pipejakob @timothysc @liggitt