-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: idea to provide robot nodes without robot credentials #603
Conversation
Hey @pmdroid, thank you for your proposal! You are right that with the labels you provided, the Node can be succesfully initialized without talking the the Robot API. There are three things that currently require ongoing access to the Robot API:
The info that is provided through labels in your proposal would be used to initialize the Node and set some fields on it.
metadata:
annotations:
# Stable Annotations
+ node.kubernetes.io/instance-type: {{ .Metadata.InstanceType }}
+ topology.kubernetes.io/region: {{ .Metadata.Region }}
+ topology.kubernetes.io/zone: {{ .Metadata.Zone }}
# Beta Annotations
+ beta.kubernetes.io/instance-type: {{ .Metadata.InstanceType }}
+ failure-domain.beta.kubernetes.io/region: {{ .Metadata.Region }}
+ failure-domain.beta.kubernetes.io/zone: {{ .Metadata.Zone }}
spec:
+ providerID: {{ .Metadata.ProviderID }}
taints:
- - Key: "node.cloudprovider.kubernetes.io/uninitialized"
- Effect: "NoSchedule"
- Value: "true"
status:
+ addresses: {{ .Metadata.Addresses }} Instance (
|
While talking to someone from the Robot Team I learned that you can also configure a special "Webservice User" which only has access to the Robot Webservice, not your full Hetzner Account. Perhaps this is also a good alternative for you. (See #608) |
hey @apricote, thanks for the answer! I implement this to prevent the HCCM from removing a node from the cluster that is ready just not managed by the cloud provider. This happens because the HCCM cannot find any Node that matches the name. It might be nice to have something similar to this that makes it possble to use the Cloud Nodes and other Nodes together but keep the other Nodes away from the Cloud Provider maybe with a Flag "instance.hetzner.cloud/self-managed"? Thanks for the information about the "Webservice User" but even this is still to verbose when i comes to the permission, but the same applies also to the Cloud Token. It would be nice if its possible to create token that are limited to function, for example to read metadata and create and delete nodes (autoscaling). |
This PR has been marked as stale because it has not had recent activity. The bot will close the PR if no further action occurs. |
This is not a complete implementation just a MVP and idea.
With the mock server a customer that does not want the cluster to know his robots credentials can use the cloud controller.
All needed information for the cloud controller are already assigned to the node when its started.
If you consider this or a similar idea please let me know i am easily can adjust the implementation and add docs for this use case.