Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix shared subnet/vpc tags #3184

Merged
merged 2 commits into from
Nov 1, 2017
Merged

Fix shared subnet/vpc tags #3184

merged 2 commits into from
Nov 1, 2017

Conversation

justinsb
Copy link
Member

  • Stop setting the Name tag on a shared subnet/vpc

  • Stop setting the legacy KubernetesCluster tag on a shared subnet/vpc
    that is new enough (>=1.6); we rely on the shared tags instead

  • Set tags on shared subnets; i.e. we do set the shared tag on a
    shared subnet; that is important for ELBs

  • Set tags on shared VPCs; i.e. we do set the shared tag on a shared
    VPC; that is not used but consistent with subnets.

  • Add tests for shared subnet

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 11, 2017
@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Aug 11, 2017
@justinsb justinsb force-pushed the test_does_not_change_tags branch from ec57745 to c80c051 Compare August 11, 2017 10:23
@justinsb
Copy link
Member Author

@KashifSaadat this is the PR that may make it so that we don't need #3064.

But https://github.com/kubernetes/kops/pull/3184/files#diff-ee8d33deb9549322c28a9ef65ed04473R241 is the tag we talked about that we still need on a shared subnet. It's not a conflict any more, but it does require a tag for each cluster using the subnet.

Something I think would also be a nice alternative would be to separate out the network objects into their own "thing" - likely their own top level API object like a Cluster - and then we could tag the VPCs and Subnets with a tag like k8s.io/network-id=myname, and then the instances would also reference the network in that way (i.e. we don't need a per-cluster tag on the network objects). But that requires changes in kubernetes/kubernetes, so would have to wait till 1.8 at the earliest.

Let me know if the shared tag is a problem for your use-case and we can discuss more!

KashifSaadat
KashifSaadat reviewed Aug 11, 2017
View reviewed changes
upup/pkg/fi/cloudup/awstasks/vpc.go
@@ -143,11 +144,10 @@ func (_ *VPC) RenderAWS(t *awsup.AWSAPITarget, a, e, changes *VPC) error {
if featureflag.VPCSkipEnableDNSSupport.Enabled() {
glog.Warningf("VPC did not have EnableDNSSupport=true, but ignoring because of VPCSkipEnableDNSSupport feature-flag")
} else {
// TODO: We could easily just allow kops to fix this...
Copy link
Contributor

@KashifSaadat KashifSaadat Aug 11, 2017
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Would be good to automatically rectify this issue but could cause issues if users are not expecting any change to occur to a shared resource. Maybe allow users to specify an auto-fix flag and cover other similar cases if there are any?

@KashifSaadat
Copy link
Contributor

KashifSaadat commented Aug 11, 2017
edited
Loading

This is excellent. The cluster tag addition shouldn't be an issue for our use-case, will give it a test. Thanks for the work @justinsb! 👍

@KashifSaadat KashifSaadat mentioned this pull request Aug 16, 2017
Closed
@KashifSaadat
Copy link
Contributor

Tested and this works really well. Couple notes:

  • The dry-run still mentions a modification will be made to the Name tag of the InternetGateway resource (when applying the changes, the Internet Gateway is not modified). This needs to be ignored, or the same behaviour applied with adding owned and shared tags.
  • If users are managing the VPC/Subnet state independently via other methods such as Terraform, those scripts may attempt to drop the newly added tags (unless manually imported into their scripts / state files).

chrislovecnm
chrislovecnm reviewed Aug 18, 2017
View reviewed changes
Copy link
Contributor

@chrislovecnm chrislovecnm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What happens when the kops install user cannot modify subnets or the vpc? i.e. add tags?

@k8s-github-robot
Copy link

@justinsb PR needs rebase

@k8s-github-robot k8s-github-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 19, 2017
@KashifSaadat KashifSaadat mentioned this pull request Aug 19, 2017
Closed
@justinsb
Copy link
Member Author

What happens when the kops install user cannot modify subnets or the vpc?

For subnets, k8s needs it if you're going to be creating ELBs. I'd like to fix this (#3191) but need to clear some of the backlog first...

@chrislovecnm
Copy link
Contributor

@justinsb on the vpc as well?

@justinsb
Copy link
Member Author

@chrislovecnm It is required on the subnet. It is not required on the VPC, but it seems inconsistent to do one but not the other. I would like to get it so that you don't need permissions on either (#3191), but until then it doesn't seem like the one permission is going to be much worse than the other...

@KashifSaadat KashifSaadat mentioned this pull request Sep 13, 2017
Closed
@k8s-github-robot k8s-github-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 13, 2017
@justinsb justinsb added this to the 1.8.0 milestone Sep 25, 2017
@chrislovecnm
Copy link
Contributor

@geojaz can you take a look please? We need to work out these details

@blakebarnett
Copy link

Testing some of this now, I noticed that kops doesn't seem to respect kubernetes.io/cluster/<name>=shared on the main routing table for the cluster (the one named <cluster_name>)

Otherwise setting all the tags properly shared subnets/rtb/ngw seems to work for me.

@chrislovecnm
Copy link
Contributor

@blakebarnett the route table does not have a shared bool in the model. Bug.

@chrislovecnm
Copy link
Contributor

@KashifSaadat / @justinsb what do we need to resolve? Can we get a rebase and get this merged?

@justinsb justinsb force-pushed the test_does_not_change_tags branch from c80c051 to daabe45 Compare October 22, 2017 21:18
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Oct 22, 2017
@k8s-github-robot k8s-github-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 22, 2017
@justinsb
Copy link
Member Author

Rebased.

AFAIK @chrislovecnm you're the only -1 on this.

@justinsb
Fix shared subnet/vpc tags
a7f82a6 
* Stop setting the Name tag on a shared subnet/vpc

* Stop setting the legacy KubernetesCluster tag on a shared subnet/vpc
that is new enough (>=1.6); we rely on the shared tags instead

* Set tags on shared subnets; i.e. we _do_ set the shared tag on a
shared subnet; that is important for ELBs

* Set tags on shared VPCs; i.e. we _do_ set the shared tag on a shared
VPC; that is not used but consistent with subnets.

* Add tests for shared subnet
@justinsb
Sort Tags consistently to avoid test flakes
9cf22ae
@justinsb justinsb force-pushed the test_does_not_change_tags branch from daabe45 to 9cf22ae Compare October 23, 2017 15:39
KashifSaadat
KashifSaadat approved these changes Nov 1, 2017
View reviewed changes
Copy link
Contributor

@KashifSaadat KashifSaadat left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, are we able to get this merged in? :)

@chrislovecnm
Copy link
Contributor

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 1, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chrislovecnm

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 1, 2017
@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue.

@k8s-github-robot k8s-github-robot merged commit 08c34b6 into kubernetes:master Nov 1, 2017
@kashook kashook mentioned this pull request Jan 12, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chrislovecnm chrislovecnm chrislovecnm left review comments

@KashifSaadat KashifSaadat KashifSaadat approved these changes

Assignees

@chrislovecnm chrislovecnm

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. blocks-next cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
1.8.0
Development

Successfully merging this pull request may close these issues.
6 participants
@justinsb @KashifSaadat @k8s-github-robot @chrislovecnm @blakebarnett @k8s-ci-robot