Run pods needing control-plane instance credentials on hostNetwork #14913
Conversation
k8s-ci-robot
added
cncf-cla: yes
k8s-ci-robot
added
the
size/L
|
many-addons broken due to cluster-autoscaler |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
johngmyers
force-pushed
the
hostnetwork-no-irsa
branch
from
a7b30fb to
e1716d2
Compare
k8s-ci-robot
removed
the
lgtm
|
I believe this has a side effect of preventing CiliumNetworkPolicies from restricting the network access for these pods |
johngmyers
force-pushed
the
hostnetwork-no-irsa
branch
4 times, most recently
from
0cec781 to
3a00712
Compare
|
@olemarkus What is with the upgrade-ab test? It's failing because the PDB is not satisfied 5 seconds after the new manifest was applied. It takes time for a Deployment to roll out. We probably need a loop around the |
|
I don't see a problem with CiliumNetworkPolicies not applying to these pods. They are privileged, after all. If they care that much about restricting their access, they can enable IRSA. |
johngmyers
force-pushed
the
hostnetwork-no-irsa
branch
from
3a00712 to
78fbaa1
Compare
|
upgrade-ab had been failing due to port conflicts. |
johngmyers
force-pushed
the
hostnetwork-no-irsa
branch
2 times, most recently
from
f06f787 to
ceb0cb3
Compare
|
/retest |
johngmyers
force-pushed
the
hostnetwork-no-irsa
branch
from
ceb0cb3 to
f035d75
Compare
|
/test pull-kops-e2e-aws-upgrade-126-ko126-to-klatest-kolatest-many-addons |
pkg/wellknownports/wellknownports.go
Outdated
| // CloudCSIDriverPort is reserved for the cloud provider's primary CSI driver. | ||
| CloudCSIDriverPort = 9808 |
There was a problem hiding this comment.
This is only needed for AWS, no need to complicate other providers with it.
| // CloudCSIDriverPort is reserved for the cloud provider's primary CSI driver. | |
| CloudCSIDriverPort = 9808 | |
| // AWSCSIDriverPort is reserved for the cloud provider's primary CSI driver. | |
| AWSCSIDriverPort = 9808 |
There was a problem hiding this comment.
The OpenStack cinder daemonset runs on host network and uses a port.
The GCP PD controller also runs on host network, though it uses three ports.
@justinsb should we not try to share port assignments across the primary CSI drivers for cloud providers?
There was a problem hiding this comment.
We should diverge from cloud provider default as little as possible.
There was a problem hiding this comment.
We should be more proactive in avoiding port conflicts. We don't have the coverage to find them all through testing.
There was a problem hiding this comment.
We probably should have a map of the ports in wellknownports.go and use that map in manifests that are using host networking. That would make it easier to discover any conflicts.
k8s-ci-robot
added
the
needs-rebase
johngmyers
force-pushed
the
hostnetwork-no-irsa
branch
from
f035d75 to
7f388bb
Compare
k8s-ci-robot
removed
the
needs-rebase
|
Making this PR minimal and leaving the avoidance of other port conflicts to future work. |
johngmyers
force-pushed
the
hostnetwork-no-irsa
branch
from
7f388bb to
70a3973
Compare
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
…4913-upstream-release-1.26 Automated cherry pick of #14913: Run pods needing control-plane instance credentials on
…pick-of-#14913-upstream-release-1.26 Automated cherry pick of kubernetes#14913: Run pods needing control-plane instance credentials on
Allows setting IMDS hop limit to 1 on control-plane nodes.