Configuring PodNodeSelector via variables #10456

Closed
wants to merge 10 commits into from

titansmc
Contributor

What type of PR is this?

Uncomment only one /kind <> line, hit enter to put that in a new line, and remove leading whitespaces from that line:

/kind api-change
/kind bug
/kind cleanup
/kind design
/kind documentation
/kind failing-test

/kind feature

/kind flake

What this PR does / why we need it:
Allows the users to configure the clusterDefaultNodeSelector from the config file
Which issue(s) this PR fixes:

Fixes #10412

Special notes for your reviewer:

This will introduce a new variable `kube_apiserver_admission_plugins_podnodeselector_default_node_selector` that can be used with `kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector]` defined. This allows users to configure the PodNodeSelector plugin.

@k8s-ci-robot k8s-ci-robot added the kind/feature Categorizes issue or PR as related to a new feature. label Sep 20, 2023
@linux-foundation-easycla

linux-foundation-easycla bot commented Sep 20, 2023

CLA Missing ID CLA Not Signed

@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 20, 2023
@k8s-ci-robot
Contributor

Hi @titansmc. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Sep 20, 2023
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: titansmc
Once this PR has been reviewed and has the lgtm label, please assign mzaian for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Sep 20, 2023
@yankay
Member

yankay commented Sep 21, 2023

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Sep 21, 2023
Contributor Author

@titansmc titansmc left a comment

replace kubeadm with Kubeadm uppercase

@titansmc
Contributor Author

@yankay can you review it, please?

@@ -138,6 +138,8 @@ kube_webhook_token_auth_url_skip_tls_verify: false
kube_webhook_authorization: false
kube_webhook_authorization_url_skip_tls_verify: false

# Default podnodeselector
kube_apiserver_admission_plugins_podnodeselector_default_node_selector: {}
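
Review bot: the default on the added `kube_apiserver_admission_plugins_podnodeselector_default_node_selector: {}` line is an empty dict, while the example elsewhere in this change sets the same variable to the string "network=srv1". Pick one type, and use an empty string as the default if the value is meant to be a label-selector string. The comment `# Default podnodeselector` should also state the expected format and that an empty value means the PodNodeSelector config file is not written, since the task in this change is guarded by a `when:` on this variable.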
Member

The clusterDefaultNodeSelector is a string, not a dict.

It's better to use

# Define the default node selector, by default all the workloads will be scheduled on nodes, like "network=srv1"
# kube_apiserver_admission_plugins_podnodeselector_default_node_selector: ""

@@ -54,6 +54,11 @@ kube_apiserver_enable_admission_plugins:
- PodNodeSelector
- PodSecurity
kube_apiserver_admission_control_config_file: true
# Creates config file for PodNodeSelector
kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector]
Member

If it is not required, it's better to comment out the line with #.

kube_apiserver_admission_plugins_needs_configuration: [PodNodeSelector]
# Define the default node selector, by default all the workloads will be scheduled on nodes
# with label network=srv1
kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "network=srv1"
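
Review bot: in this sample configuration the last added line sets `kube_apiserver_admission_plugins_podnodeselector_default_node_selector: "network=srv1"` as a live value, so anyone copying the block gets that selector as the cluster default, and pods that inherit it stay unscheduled on clusters where no node carries the `network=srv1` label. Ship the line commented out, or state in the comment above it that the label is a placeholder that must match a label actually present on the nodes.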
Member

If it is not required, it's better to comment out the line with #.

dest: "{{ kube_config_dir }}/admission-controls/podnodeselector.yaml"
mode: 0640
when:
- kube_apiserver_admission_plugins_podnodeselector_default_node_selector
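
Review bot: the `when:` entry tests the bare variable, so whether the file is written depends on how an empty dict, an empty string or an undefined value happens to evaluate. Make the guard explicit with an `is defined` test plus a `| length > 0` check so it behaves the same whichever type the default ends up being. On the `mode: 0640` line, quote the value as "0640" so Ansible always receives it as a string.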
Member

It's better to change it to

  when:
    - kube_apiserver_admission_plugins_podnodeselector_default_node_selector is defined
    - kube_apiserver_admission_plugins_podnodeselector_default_node_selector | length > 0

@yankay
Member

yankay commented Oct 8, 2023

Thanks @titansmc

Nice PR, and the commit needs to be rebased to one commit :-)

titansmc and others added 5 commits October 9, 2023 12:56
The clusterDefaultNodeSelector is string not a dict.
If it not must be required, it's better to use # comment the line.
Update kubeadm-setup.yml with configuration for default podnodeselector

Update hardening.md regarding podnodeselector

Update kubeadm-setup.yml with upper case Kubeadm

Update main.yml with default empty

Update main.yml

The clusterDefaultNodeSelector is string not a dict.

Update hardening.md

If it not must be required, it's better to use # comment the line.

Update kubeadm-setup.yml
@k8s-ci-robot k8s-ci-robot added cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. and removed cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 9, 2023
@titansmc
Contributor Author

titansmc commented Oct 9, 2023

I am not very familiar with the rebase and I think I screwed it up...

@titansmc titansmc closed this by deleting the head repository Oct 9, 2023
@titansmc
Contributor Author

titansmc commented Oct 9, 2023

#10509

Successfully merging this pull request may close these issues.

Creation of kube_apiserver_admission_plugins_needs_configuration not working