🌱 Support for kube-api-access volume mount #348
Conversation
k8s-ci-robot
added
kind/feature
k8s-ci-robot
added
the
size/L
|
This is looking great so far, this doesn’t do the TokenManagement aspects but I see your note that this can come later. |
|
Ok, I will do it. If adding a new gate, I will prefer separate out a new file. I actually thought about doing that. |
k8s-ci-robot
added
size/XS
|
PTAL, thanks. |
| } | ||
| for _, secret := range secrets.Items { | ||
| if secret.Type != corev1.SecretTypeOpaque { | ||
| klog.Infof("type") |
virtualcluster/pkg/syncer/resources/pod/mutatorplugin/podkubeapiaccessmutator.go
Outdated
Show resolved
Hide resolved
virtualcluster/pkg/syncer/resources/pod/mutatorplugin/podkubeapiaccessmutator.go
Outdated
Show resolved
Hide resolved
virtualcluster/pkg/syncer/resources/pod/mutatorplugin/podkubeapiaccessmutator.go
Outdated
Show resolved
Hide resolved
| for i, container := range pod.Spec.Containers { | ||
| for j := 0; j < len(container.VolumeMounts); j++ { | ||
| if container.VolumeMounts[j].Name == old { | ||
| klog.V(6).Infof("mutate containers %s volumeMount.name from %s to %s", container.Name, old, new) |
virtualcluster/pkg/syncer/resources/pod/mutatorplugin/podrootcacertmutator.go
Outdated
Show resolved
Hide resolved
wondywang
force-pushed
the
kube-root-ca
branch
from
70b7d65
to
f1813b1
Compare
|
LGTM. @christopherhein, take another look? |
| } | ||
|
|
||
| // Could not find in cache, attempt to look up directly | ||
| numAttempts := 1 |
There was a problem hiding this comment.
nit: You can use something like this here: https://github.com/kubernetes/apimachinery/blob/v0.27.4/pkg/util/wait/poll.go#L45
There was a problem hiding this comment.
thx @ravisantoshgudimetla. I suddenly found that the retry logic here is unnecessary. So it was removed directly.
| return fmt.Errorf("error looking up secret of serviceAccount %s/%s: %v", targetNamespace, p.PPod.Spec.ServiceAccountName, err) | ||
| } | ||
|
|
||
| if shouldAutomount(serviceAccount, p.PPod) { |
There was a problem hiding this comment.
Can we use automountServiceAccountToken on the pod spec?
There was a problem hiding this comment.
We explicitly override this from vc-syncer so the value in the pPod should always be false, seems like if we have the vPod object we could get that value.
| tests := []struct { | ||
| name string | ||
| pPod *corev1.Pod | ||
| existingObjectInSuper []runtime.Object |
There was a problem hiding this comment.
It'd be easier if you add an expected Pod after mutation as a field in this struct.
There was a problem hiding this comment.
hi, @ravisantoshgudimetla. I thought about it. This is not easy to implement, because the names kube-api-access-xxxx here are randomly generated by names.SimpleNameGenerator.GenerateName.
There was a problem hiding this comment.
I see. No issues then. I was actually referring to the contents not the name.
| func TestPodKubeAPIAccessMutatorPlugin_Mutator(t *testing.T) { | ||
| defer util.SetFeatureGateDuringTest(t, featuregate.DefaultFeatureGate, featuregate.KubeAPIAccessSupport, true)() | ||
|
|
||
| tests := []struct { |
There was a problem hiding this comment.
Can you add 2 more test cases with auto mount enable and disabled and if possible can we check the content of this secret(token matches what we expect it to be?)
There was a problem hiding this comment.
|
Overall looks great, @Fei-Guo & @ravisantoshgudimetla added the same feedback I would. Thank you @wondywang for taking the lead on this. |
@christopherhein @ravisantoshgudimetla That's great, thanks! I will make some change later. |
k8s-ci-robot
added
the
needs-rebase
k8s-ci-robot
removed
the
needs-rebase
|
@wondywang - go-imports are failing. Can you fix and push the commit. LGTM from code standpoint. |
Sorry, I've been a little busy lately. I will get it done as soon as possible. @ravisantoshgudimetla |
|
@Fei-Guo @christopherhein PTAL. And I also update serviceAccount token manager in this commit. This part of the logic is an idea of mine (maybe not complete). Can be used as a reference. I plan not to mention PR for now. Wait for @ravisantoshgudimetla to finish it. What do you think? |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Fei-Guo, wondywang The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What this PR does / why we need it:
This PR continue to improve the feature gated support for VirtualCluster to work with any Kubernetes version 1.21+ and when the RootCACertConfigMap feature is enabled in 1.20 clusters. To achieve this, before creating the pPod, the content in the kube-api-access volume is changed. Change it to directly mount the tenant cluster secret instead of applying the token of the super cluster.
Before:
After:
Here is the reference to the implementation in the Kubernetes: https://github.com/kubernetes/kubernetes/blob/master/plugin/pkg/admission/serviceaccount/admission.go
Follow-up needs to be considered: After Kubernetes version 1.24+, KCM will no longer distribute ServiceAccount tokens. I plan to add a token manager in the ServiceAccount sync controller to create ServiceAccount tokens and keep them in the validity period.
Which issue(s) this PR fixes:
#282
/kind feature