Allow a flag that forces kubelet to have a valid kubeconfig #30798
+66
−34
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
smarterclayton
force-pushed
the
fix_kubeconfig
branch
from
3b023aa to
77ac7e1
Compare
k8s-github-robot
added
size/M
smarterclayton
added
the
priority/important-soon
|
Matching priority of issue. |
smarterclayton
force-pushed
the
fix_kubeconfig
branch
from
77ac7e1 to
bd84689
Compare
|
Thanks @smarterclayton, LGTM! |
| } | ||
| } | ||
|
|
||
| cfg, err := UnsecuredKubeletConfig(s) |
There was a problem hiding this comment.
We want the bootstrapping path to return a single error, so I moved this below so we don't get extraneous output from this part before we check the config (in bootstrapping it'll be common not to have a kube config)
--require-kubeconfig forces the kubelet to use the kubeconfig for all APIserver communication, and exit cleanly.
smarterclayton
force-pushed
the
fix_kubeconfig
branch
from
bd84689 to
a66828d
Compare
k8s-github-robot
added
size/L
| @@ -314,9 +313,6 @@ func run(s *options.KubeletServer, kcfg *KubeletConfig) (err error) { | |||
| if s.ExitOnLockContention && s.LockFilePath == "" { | |||
| return errors.New("cannot exit on lock file contention: no lock file specified") | |||
| } | |||
| if err := checkPermissions(); err != nil { | |||
There was a problem hiding this comment.
Just to get the error message to be below the kubeconfig message, so that if we are in a crash loop we don't print that message before we exit.
mikedanese
added
the
lgtm
|
Please add a release note. |
|
@k8s-bot ok to test, issue: #IGNORE tests never started. |
k8s-github-robot
removed
the
lgtm
smarterclayton
added
release-note
1 similar comment
| fs.Var(&s.AuthPath, "auth-path", "Path to .kubernetes_auth file, specifying how to authenticate to API server.") | ||
| fs.MarkDeprecated("auth-path", "will be removed in a future version") | ||
| fs.StringSliceVar(&s.APIServerList, "api-servers", []string{}, "List of Kubernetes API servers for publishing events, and reading pods and services. (ip:port), comma separated.") | ||
| fs.MarkDeprecated("api-servers", "Use --kubeconfig instead. Will be removed in a future version.") |
There was a problem hiding this comment.
Last I checked auth-path has been deprecated since 1.2 (two releases). Can we just remove it in 1.4? (I already did this in #29216, let me know if I shouldn't).
There was a problem hiding this comment.
Please do
|
GCE e2e build/test passed for commit a66828d. |
|
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge] |
|
GCE e2e build/test passed for commit a66828d. |
|
Automatic merge from submit-queue |
|
@smarterclayton the release note calls it |
|
Thanks for doing this btw! |
k8s-github-robot
pushed a commit
that referenced
this pull request
Sep 6, 2016
Automatic merge from submit-queue Do not go into standalone mode when `--require-kubeconfig` is passed **What this PR does / why we need it**: We have change how missing `--api-servers` is treated with introduction of `--require-kubeconfig` (#30798), however we haven't introduced explicit `--standalone` flag for backwards-compatibility reasons. Right now, setting `--kubeconfig` and`--require-kubeconfig` still gets kubelet into standalone mode. In practice this means that it doesn't get to update `nodeInfo` and thereby may refuse to admit pods which had been assigned to it by the scheduler. For example, if you update labels for that given node, and try to use affinity or `NodeLabels` on a pod, it won't get to run. **Which issue this PR fixes**: fixes #32085 **Special notes for your reviewer**: This fix is only until we introduce `--standalone` flag. **Release note**: <!-- Steps to write your release note: 1. Use the release-note-* labels to set the release note state (if you have access) 2. Enter your extended release note in the below block; leaving it blank means using the PR title as the release note. If no release note is required, just write `NONE`. --> ```release-note NONE ```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
--require-kubeconfigforces the kubelet to use the kubeconfig for allAPIserver communication, and exit cleanly. Allows cluster lifecycle to loop waiting for config to be available.
Fixes #30515
A follow up PR will handle the issue discovered where the DefaultCluster rules applied to kubeconfig allow a malicious party who can bind to localhost:8080 to take advantage of an admin misconfiguration.
@lukemarsden @mikedanese
This change is