Add namespace for (cluster)role(binding) cloud-provider. #67224
Conversation
k8s-ci-robot
added
the
release-note-none
k8s-ci-robot
added
sig/auth
k8s-ci-robot
added
the
needs-ok-to-test
|
This is unreleased code, right? |
|
@tallclair PR#59686 is released in 1.10 and 1.11, confirmably. So it's already affecting some of the clusters by not namespacing the roles. |
k8s-ci-robot
added
release-note
|
/ok-to-test |
k8s-ci-robot
removed
the
needs-ok-to-test
|
make sure you test with all of the versions |
|
In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
/undo meow |
|
What does the addon manager do with the old roles in this case? You can test it by SSHing to the master, and manually swapping out the manifest ( |
|
Here's what happened: Everything looks working perfectly. |
|
Sure. I will test the rest of the versions in cherrypicks. |
|
I thought we discussed using the |
grayluck
force-pushed
the
namespace-cloudprovider-rbac
branch
from
ab59f7e to
f4a2e99
Compare
k8s-ci-robot
added
the
sig/cluster-lifecycle
|
I forgot to push my local change.. But the test still shows that gce:cloud-provider works with previous roles/bindings. |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest |
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
| # DEPRECATED: cloud-provider roles and bindings are deprecated. Use gce:cloud-provider instead. | ||
| apiVersion: rbac.authorization.k8s.io/v1 | ||
| kind: RoleBinding | ||
| metadata: |
There was a problem hiding this comment.
We discussed putting the deprecation notice in an annotation, and keeping Reconcile so the annotation is populated.
There was a problem hiding this comment.
Sorry Tim I can't find an example annotation to denote deprecation. But I did find an related (closed without fixes) issue: #38269.
| @@ -18,7 +50,7 @@ apiVersion: rbac.authorization.k8s.io/v1 | |||
| kind: ClusterRoleBinding | |||
There was a problem hiding this comment.
Actually, I'm not sure there's any reason we need to keep the old ClusterRoleBinding. The new one grants a superset of the permissions.
I think we just need to keep the old cluster role incase someone was binding it to a different service account.
There was a problem hiding this comment.
lol Good point. No, there's no reason to keep the bindings. Only the old roles need to be remained.
| kind: ClusterRoleBinding | ||
| metadata: | ||
| labels: | ||
| addonmanager.kubernetes.io/mode: Reconcile |
There was a problem hiding this comment.
Techinically there's a slight risk to this, as it would clobber another role of the same name. I think it's probably ok given the gce: prefix.
There was a problem hiding this comment.
It's not that likely that a cluster user has a role named gce:cloud-provider. Since we didn't get any reports reporting issue about roles named cloud-provider in Reconcile mode clobbering exist roles, I assume gce:cloud-provider is even safer than cloud-provider to have Reconcile.
grayluck
force-pushed
the
namespace-cloudprovider-rbac
branch
2 times, most recently
from
6edeeed to
008994b
Compare
|
where is the change to remove the old role binding? |
grayluck
force-pushed
the
namespace-cloudprovider-rbac
branch
from
008994b to
a528459
Compare
|
Re bowei@ The old bindings has been removed from cloud-provider-binding.yaml. |
|
/test pull-kubernetes-e2e-gke |
| annotations: | ||
| kubernetes.io/deprecation: 'cloud-provider role is DEPRECATED in the | ||
| concern of potential collisions. Do not refer to this role. Use | ||
| gce:cloud-provider instead.' |
There was a problem hiding this comment.
nit: We don't really want anyone to use the gce:cloud-provider role either... in generaly I would say that things in the kube-system namespace should not be used. I guess this is more of a concern with the cluster-scoped role, but the same holds true.
Also, consider declaring what release this will be removed in (probably 1.14)
There was a problem hiding this comment.
Let's do 1.16 since the minor comes every quarter. This gives the deprecated role 1 year before removed.
Change the addonmanager mode to be from reconcile to EnsureExists.
grayluck
force-pushed
the
namespace-cloudprovider-rbac
branch
from
a528459 to
bea625f
Compare
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/test pull-kubernetes-e2e-gke |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: bowei, grayluck, tallclair The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/retest Review the full test history for this PR. Silence the bot with an |
1 similar comment
|
/retest Review the full test history for this PR. Silence the bot with an |
|
/milestone v1.12 |
|
Thanks Bowei! |
|
Automatic merge from submit-queue (batch tested with PRs 65251, 67255, 67224, 67297, 68105). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. |
…24-upstream-release-1.10 Automated cherry pick of #67224: Add namespace for (cluster)role(binding) cloud-provider.
…24-upstream-release-1.11 Automated cherry pick of #67224: Add namespace for (cluster)role(binding) cloud-provider.
What this PR does / why we need it:
Add namespace for (cluster)role(binding) cloud-provider.
Change the addonmanager mode to be from reconcile to EnsureExists.
Needs to be cherrypicked together with #59686.
Special notes for your reviewer:
/assign @bowei @tallclair
/sig auth
Release note:
Manual tested. Cluster can be created succesfully using kube-up.sh with desired (cluster)role(binding)s.