Remove ro service #8155
Remove ro service #8155
Conversation
lavalamp
force-pushed
the
no-ro
branch
2 times, most recently
from
0fffc10 to
9182b08
Compare
| @@ -59,8 +54,7 @@ variety of uses cases: | |||
|
|
|||
| ## Expected changes | |||
| - Policy will limit the actions kubelets can do via the authed port. | |||
| - Kube-proxy currently uses the readonly port to read services and endpoints, | |||
| but will eventually use the auth port. | |||
| - Kube-proxy uses the authenticated port. | |||
|
LGTM, but title says WIP |
lavalamp
force-pushed
the
no-ro
branch
2 times, most recently
from
f79002b to
31b2152
Compare
|
I think I have e2e passing now. Work items I still have to do before we merge this:
@erictune I'm thinking about punting on 3, there's no good way to test it yet. I want to run a registry on the cluster and push stuff to it and use pull secrets, but it'll require a lot of work in our build scripts to get it going. I don't know if we want to block on it. Unfortunately, this means there'd be no solution for things like the prometheus example, for which there's no obvious way to plug authentication in. I suppose I could make it work and worry about testing later when we get registries in... |
|
I just removed the kube2sky change; I don't think it's necessary anyway. |
Just to be clear, this isn't going to suck a token in from the KubeEnv in the metadata server, but will grab it from a service account, right? |
Yes, it'll use the token from the service accounts, and later we'll make it also check the master's certs. |
|
So the only thing left here is making kubectl work from a container. Still figuring out that long list of config merging thingies. |
|
OK, I have kubectl running in a container. I'm going to run e2e again to make sure it (still) works. |
|
Looks like heapster is broken with this, so I should fix that before we merge. |
|
Heapster was not broken-- I got bit by the DNS problem. I've now got every e2e test working with this. |
lavalamp
force-pushed
the
no-ro
branch
2 times, most recently
from
c14ab32 to
dd3caa9
Compare
|
rebased |
|
This should be ready to go now. |
| } | ||
|
|
||
| c, err := client.New(config) | ||
| c, err := client.NewInCluster() |
There was a problem hiding this comment.
Fine for this PR, but I don't think we want to encourage a pattern where a program has to be in a cluster to run. Should be some way to fall back to kubeconfig from a file, such as when doing ad-hoc testing.
There was a problem hiding this comment.
Yeah-- in another commit I have changes to kubectl code; people that use the same code path should be covered, but that is a very confusing bit of excessive overriding.
But this bit of code has essentially no usefulness outside of a cluster, so I think it's OK.
@satnam6502 you may want to glance at this.
There was a problem hiding this comment.
Right, this code is designed to only run in a cluster. What's wrong with that? I thought this would be a not totally uncommon pattern?
|
LGTM |
erictune
added
the
lgtm
|
All commits except first moved to #9211. |
|
still lgtm |
|
Rebased & ready to go |
|
Waiting on Shippable. |
|
And e2e, if you'd like #8155 to not be rolled back in the case that this breaks e2e |
|
Yes absolutely wait for e2e :) |
|
#8155 passed e2e, but I need to merge another rollback PR first. |
Fixes #4567
Fixes #7963