Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add support for minimumKubeletVersion #1754

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

add support for minimumKubeletVersion #1754

wants to merge 4 commits into from

Conversation

haircommander
Copy link
Member

No description provided.

@openshift-ci openshift-ci bot requested review from benluddy and p0lyn0mial October 14, 2024 16:28
@haircommander haircommander force-pushed the min-kubelet-version branch 5 times, most recently from 5aa38d0 to 0b6e63b Compare October 21, 2024 19:32
@haircommander haircommander changed the title Min kubelet version WIP add support for minimumKubeletVersion Oct 21, 2024
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Oct 21, 2024
@haircommander
Copy link
Member Author

/retest

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 25, 2024
@haircommander haircommander mentioned this pull request Oct 28, 2024
Merged
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 30, 2024
@haircommander haircommander mentioned this pull request Nov 20, 2024
Merged
@p0lyn0mial
Copy link
Contributor

How are we planning to test this observer? Are we going to have an integration test? At the very least, we could check if the configuration contains the current node version, right? I think we could have a more end-to-end test in origin.

@haircommander
Copy link
Member Author

I was planning on doing an e2e test in origin. I'm not seeing integration tests in this repository, do you have a pointer @p0lyn0mial ?

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 21, 2024
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 21, 2024
benluddy
benluddy reviewed Nov 25, 2024
View reviewed changes
...com/openshift/library-go/pkg/operator/configobserver/node/observe_minimum_kubelet_version.go Outdated
var minimumKubeletVersionConfigPath = "minimumKubeletVersion"

// ObserveKubeletMinimumVersion watches the node configuration and generates the minimumKubeletVersion
func ObserveMinimumKubeletVersion(genericListers configobserver.Listers, _ events.Recorder, existingConfig map[string]interface{}) (ret map[string]interface{}, errs []error) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be feature gated too (and will now need to be aware of the new authorization-mode in the carry patch).

@haircommander haircommander force-pushed the min-kubelet-version branch 2 times, most recently from 2c99747 to 5f87e9b Compare November 26, 2024 18:58
@haircommander haircommander changed the title WIP add support for minimumKubeletVersion add support for minimumKubeletVersion Nov 26, 2024
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 26, 2024
@haircommander haircommander mentioned this pull request Nov 26, 2024
Merged
@haircommander
Copy link
Member Author

I decided to take config observation from library-go as iterating is tricky and AFAIU this code won't be used elsewhere

@haircommander
Copy link
Member Author

/retest

1 similar comment
@haircommander
Copy link
Member Author

/retest

@haircommander haircommander mentioned this pull request Dec 6, 2024
Open
p0lyn0mial
p0lyn0mial reviewed Dec 9, 2024
View reviewed changes
bindata/config.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/listers.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Show resolved Hide resolved
pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated Show resolved Hide resolved
pkg/cmd/render/render.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated
if on {
defaultAuthModes = append(defaultAuthModes, ModeMinimumKubeletVersion)
}
sort.Sort(sort.StringSlice(defaultAuthModes))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

if the list is hardcoded and we always append at the end then maybe we don't have to sort.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it was initially added at the suggestion of @benluddy I'm fine either way

pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated
// removes it instead.
// This function assumes MinimumKubeletVersion auth mode isn't present by default,
// and should likely be removed when it is.
func SetAPIServerArgumentsToEnforceMinimumKubeletVersion(defaultAuthModes []string, newConfig map[string]interface{}, on bool) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we also rename this method to AddMinimumKubeletVersionAuthorizationMode or something like that?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

went for AddAuthorizationModes as suggested above

@p0lyn0mial
Copy link
Contributor

BTW: do we want to merge this pr before openshift/kubernetes#2104 ?

@haircommander haircommander force-pushed the min-kubelet-version branch 2 times, most recently from f51e26e to 3b1fb7d Compare December 9, 2024 17:49
@haircommander
Copy link
Member Author

BTW: do we want to merge this pr before openshift/kubernetes#2104 ?

I think I'd actually prefer o/k first

p0lyn0mial
p0lyn0mial reviewed Dec 9, 2024
View reviewed changes
pkg/operator/configobservation/node/observe_authorization_mode.go
// removes it instead.
// This function assumes MinimumKubeletVersion auth mode isn't present by default,
// and should likely be removed when it is.
func AddAuthorizationModes(observedConfig map[string]interface{}, isMinimumKubeletVersionEnabled bool) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ok, please double-check if we need to call this method on a default configuration from somewhere here.

cluster-kube-apiserver-operator/pkg/operator/targetconfigcontroller/targetconfigcontroller.go

Line 227 in 992114a

defaultConfig := bindata.MustAsset("assets/config/defaultconfig.yaml")

just in case the observer won't be executed/flags weren't initialised.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we could split this method into two, one that accepts the value from the FG and another that adds hardcoded/default values.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hm the approach taken for pod security (the other featuregated observer) is to set an invalid config in the default so we know it's overridden. I'll do that instead I think

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a link? I think that most of the time it will work. I just want to ensure it will always work even if something is wrong with the observer ...

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

cluster-kube-apiserver-operator/bindata/assets/config/defaultconfig.yaml

Lines 17 to 22 in 992114a

enforce: "invalid-to-force-substitution"
enforce-version: "invalid-to-force-substitution"
audit: "invalid-to-force-substitution"
audit-version: "invalid-to-force-substitution"
warn: "invalid-to-force-substitution"
warn-version: "invalid-to-force-substitution"
which is then unconditionally overridden by

cluster-kube-apiserver-operator/pkg/cmd/render/render.go

Lines 350 to 357 in 992114a

if !featureGates.Enabled(features.FeatureGateOpenShiftPodSecurityAdmission) {
if err := auth.SetPodSecurityAdmissionToEnforcePrivileged(defaultConfig); err != nil {
return nil, err
}
} else {
if err := auth.SetPodSecurityAdmissionToEnforceRestricted(defaultConfig); err != nil {
return nil, err
}

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that the render command creates the bootstrap manifest, and the target controller creates a manifest for each revision. We need to ensure that the target controller also applies the default set of the auth methods (just in case). WDYT ?

@p0lyn0mial
Copy link
Contributor

BTW: do we want to merge this pr before openshift/kubernetes#2104 ?

I think I'd actually prefer o/k first

should we merge the origin tests before the o/k PR?

@haircommander
Copy link
Member Author

I wouldn't expect it to pass without the tests, but if we're okay with a window where techpreview serial jobs fail then I'm open. If I were to choose the order I'd say o/k, o/ckaso, o/origin. Since the feature is gated in both implementation PRs there shouldn't be a risk to merging without a test

@haircommander
Copy link
Member Author

as expected openshift/origin#29353 failed

@haircommander
Copy link
Member Author

/retest

@p0lyn0mial
Copy link
Contributor

I wouldn't expect it to pass without the tests, but if we're okay with a window where techpreview serial jobs fail then I'm open

We cannot afford it. Is there a way to test these three PRs to ensure everything works as expected?
Could you also get a review on the test and maybe even a tag, so that all PRs can land roughly at the same time?
We could put a hold on the test PR until the other two PRs land.

p0lyn0mial
p0lyn0mial reviewed Dec 12, 2024
View reviewed changes
bindata/assets/config/defaultconfig.yaml Outdated
- SystemMasters
- RBAC
- Node
invalidMap: invalidToForceSubstitution
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would remove it and add the default set to the target controller

xref: #1754 (comment)

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I ended up doing so in the last commit

pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/observe_authorization_mode.go Outdated Show resolved Hide resolved
pkg/operator/configobservation/node/observe_minimum_kubelet_version.go Outdated Show resolved Hide resolved
@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 13, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: haircommander
Once this PR has been reviewed and has the lgtm label, please assign tkashem for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@haircommander
Copy link
Member Author

/retest

1 similar comment
@haircommander
Copy link
Member Author

/retest

p0lyn0mial
p0lyn0mial reviewed Dec 17, 2024
View reviewed changes
Copy link
Contributor

@p0lyn0mial p0lyn0mial left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

not tagging because we want to merge the other PR(s) first.

pkg/operator/targetconfigcontroller/targetconfigcontroller.go
@@ -228,12 +229,21 @@ func manageKubeAPIServerConfig(ctx context.Context, client coreclientv1.ConfigMa
configOverrides := bindata.MustAsset("assets/config/config-overrides.yaml")
specialMergeRules := map[string]resourcemerge.MergeFunc{}

// Guarantee the authorization-mode will be present in the base config, regardless of whether the observer is running
authModeOverride := map[string]interface{}{}
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: technically, this is our default configuration, so I would rename it to defaultAuthModes.

@openshift-ci OpenShift CI
Copy link
Contributor

openshift-ci bot commented Dec 19, 2024

@haircommander: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-gcp-operator-encryption-rotation-aesgcm 0481182 link false /test e2e-gcp-operator-encryption-rotation-aesgcm
ci/prow/e2e-gcp-operator-encryption-rotation-single-node 0481182 link false /test e2e-gcp-operator-encryption-rotation-single-node
ci/prow/e2e-gcp-operator-encryption-single-node 0481182 link false /test e2e-gcp-operator-encryption-single-node
ci/prow/e2e-gcp-operator-encryption-perf-single-node 0481182 link false /test e2e-gcp-operator-encryption-perf-single-node
ci/prow/e2e-gcp-operator-encryption-aescbc 0481182 link false /test e2e-gcp-operator-encryption-aescbc
ci/prow/e2e-gcp-operator 2d97288 link true /test e2e-gcp-operator
ci/prow/e2e-gcp-operator-single-node 2d97288 link false /test e2e-gcp-operator-single-node
ci/prow/unit 2d97288 link true /test unit
ci/prow/e2e-aws-ovn-single-node 2d97288 link false /test e2e-aws-ovn-single-node
ci/prow/e2e-aws-operator-disruptive-single-node 2d97288 link false /test e2e-aws-operator-disruptive-single-node

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@p0lyn0mial p0lyn0mial p0lyn0mial left review comments

@benluddy benluddy benluddy left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@haircommander @p0lyn0mial @benluddy @openshift-merge-robot