enable Node authorizer and NodeRestriction admission controller #46796
Conversation
k8s-ci-robot
added
the
cncf-cla: yes
k8s-github-robot
added
size/L
|
@mikedanese BTW, have we enabled the Node Authorizer in kubeadm? |
pkg/auth/nodeidentifier/default.go
Outdated
| nodeName := "" | ||
| if strings.HasPrefix(userName, nodeUserNamePrefix) { | ||
| nodeName = strings.TrimPrefix(userName, nodeUserNamePrefix) | ||
| if !strings.HasPrefix(userName, nodeUserNamePrefix) { |
There was a problem hiding this comment.
update godoc to match and move the username check before the loop over the groups
There was a problem hiding this comment.
also, this'll require updating unit tests
cluster/gce/gci/configure-helper.sh
Outdated
| @@ -1123,7 +1123,7 @@ function start-kube-apiserver { | |||
| fi | |||
|
|
|||
|
|
|||
| local authorization_mode="RBAC" | |||
| local authorization_mode="RBAC,Node" | |||
There was a problem hiding this comment.
I would probably put the Node authorizer first... it does almost zero work for requests that are not from nodes, and is faster for requests that are
cluster/gce/config-default.sh
Outdated
| @@ -217,7 +217,7 @@ fi | |||
|
|
|||
| # Admission Controllers to invoke prior to persisting objects in cluster | |||
| # If we included ResourceQuota, we should keep it at the end of the list to prevent incrementing quota usage prematurely. | |||
| ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota | |||
| ADMISSION_CONTROL=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota | |||
There was a problem hiding this comment.
does this apply to all the gce clusters? what about ubuntu, container-linux, etc?
There was a problem hiding this comment.
I guess with the change to treat things without a system:node:... formatted name as non-nodes, this is safe
|
/release-note-required |
| @@ -277,6 +277,7 @@ func init() { | |||
| Rules: []rbac.PolicyRule{ | |||
| rbac.NewRule("get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(), | |||
| rbac.NewRule("update").Groups(certificatesGroup).Resources("certificatesigningrequests/status", "certificatesigningrequests/approval").RuleOrDie(), | |||
| rbac.NewRule("create").Groups(authorizationGroup).Resources("subjectaccessreviews").RuleOrDie(), | |||
There was a problem hiding this comment.
needs bootstrap yaml updated (was correct in f533bf7)
liggitt
added
area/platform/gce
area/provider/gcp
mikedanese
force-pushed
the
gce-2
branch
4 times, most recently
from
e04c9a8 to
9b2540d
Compare
mikedanese
changed the title
mikedanese
added
release-note
k8s-github-robot
added
size/M
k8s-github-robot
added
size/XS
|
|
|
/retest |
mikedanese
force-pushed
the
gce-2
branch
3 times, most recently
from
85059ce to
d6202e6
Compare
|
/retest |
1 similar comment
|
/retest |
|
cc @deads2k @ncdc @derekwaynecarr @wojtek-t on the namespace deletion worker bump (c.f. #46437). I'm in favor of it... experimentally, it cut cleanup time in half on the e2e, and we saw peak times to sync individual namespaces cut in half as well, indicating the controllers had QPS (c.f. #45304) and CPU headroom and were blocking on something else. controller time to perform a single namespace syncBefore (max=215.29, median=20.92, average=26.82): e2e time to observe a namespace deletion completingBefore (max=305, median=100, average=120): |
|
+1 the worker bump to 10 |
| @@ -1288,7 +1288,7 @@ function start-kube-apiserver { | |||
| fi | |||
|
|
|||
|
|
|||
| local authorization_mode="RBAC" | |||
| local authorization_mode="Node,RBAC" | |||
There was a problem hiding this comment.
I haven't kept up with the cluster/gce/... deployments...
this line also appears in gce/container-linux, gce/cos, gce/ubuntu as well... do any of those need to be updated as well?
There was a problem hiding this comment.
gce/cos is a symlink to gce/gci. I'm not sure if gce/container-linux is tested anywhere. A quick search of testgrid didn't turn anything up. I'm not inclined to change anywhere that is not being tested.
There was a problem hiding this comment.
@roberthbailey who maintains container-linux?
There was a problem hiding this comment.
According to the OWNERS file, it's @euank, @yifan-gu, and @ethernetdan.
|
/retest |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: liggitt, mikedanese Associated issue: 46999 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
| @@ -67,7 +67,7 @@ func NewCMServer() *CMServer { | |||
| ConcurrentJobSyncs: 5, | |||
| ConcurrentResourceQuotaSyncs: 5, | |||
| ConcurrentDeploymentSyncs: 5, | |||
| ConcurrentNamespaceSyncs: 5, | |||
| ConcurrentNamespaceSyncs: 10, | |||
|
@k8s-bot pull-kubernetes-e2e-gce-etcd3 test this |
|
/retest |
|
Automatic merge from submit-queue |
Fixes #46999
Fixes #47135