Thanks for the PR!
In general it looks fine to me but I know some others were a bit hesitant about adding this kind of logic to lokoctl so I'd like to hear more opinions.
I also added some comments.
Updated
Updated @iaguis. Regarding https://github.com/kinvolk/lokomotive/pull/704/files#diff-ce65c7c95a7f9d631a0a13b7ae8f1835R90. CI for
I think patching the manifests and also reporting those patches upstream would be simple and better.
The point of this is to have the default ServiceAccount in all namespaces we create to not get mounted automatically in pods. Did you mean patching all the pod templates with
I was thinking that a better solution might be to have a mutating admission controller that ensures default ServiceAccounts for all namespaces have
Yes @iaguis. Chart templates seem fine to me. And as for the solution by karydia, I saw it a couple of days back and wanted to try it. Let me try and implement it
Updated
LGTM, thanks @knrt10 for your patience and effort.
As this is a significant change, a second person should have a thorough look at it before merging.
Some small comments. Otherwise it looks pretty nice!
Review threads (resolved) on:
assets/lokomotive-kubernetes/bootkube/resources/charts/lokomotive/templates/03-deployment.yaml (two threads, both outdated)
assets/lokomotive-kubernetes/aws/flatcar-linux/kubernetes/cl/controller.yaml.tmpl
Updated @iaguis
lgtm
Lokomotive now has an admission webhook which adds security to existing components and any new namespace created by the user, by preventing Pods from automounting the default service account.
Add tests for components.
Fixes #669
Signed-off-by: knrt10 <kautilya@kinvolk.io>
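A minimal mutating-admission decision of the kind this commit describes, as an added example that is not code from the Lokomotive webhook; it assumes the webhook is registered for ServiceAccount admission and enforces the opt-out by adding automountServiceAccountToken: false (the Kubernetes field) to the default ServiceAccount, and the request/response types are a stdlib-only subset of admission.k8s.io/v1:

```go
package main
import (
	"encoding/base64"
	"encoding/json"
	"errors"
)
// Minimal subset of admission.k8s.io/v1 AdmissionReview, stdlib only (no k8s.io deps).
type (
	AdmissionReview  struct{ Request *AdmissionRequest `json:"request"` }
	AdmissionRequest struct {
		UID    string                              `json:"uid"`
		Kind   struct{ Kind string `json:"kind"` } `json:"kind"`
		Object json.RawMessage                     `json:"object"`
	}
	AdmissionResponse struct {
		UID       string `json:"uid"`
		Allowed   bool   `json:"allowed"`
		PatchType string `json:"patchType,omitempty"`
		Patch     string `json:"patch,omitempty"` // base64-encoded RFC 6902 JSON patch
	}
)

// MutateServiceAccount is the webhook's decision for one AdmissionReview (assumed design):
// a ServiceAccount named "default" that does not already opt out gets
// automountServiceAccountToken: false added; everything else is allowed unchanged.
func MutateServiceAccount(reviewJSON []byte) (*AdmissionResponse, error) {
	var review AdmissionReview
	if err := json.Unmarshal(reviewJSON, &review); err != nil || review.Request == nil {
		return nil, errors.New("malformed AdmissionReview")
	}
	resp := &AdmissionResponse{UID: review.Request.UID, Allowed: true}
	if review.Request.Kind.Kind != "ServiceAccount" {
		return resp, nil
	}
	var sa struct {
		Metadata  struct{ Name string `json:"name"` } `json:"metadata"`
		Automount *bool                                `json:"automountServiceAccountToken"`
	}
	if err := json.Unmarshal(review.Request.Object, &sa); err != nil {
		return nil, err
	}
	if sa.Metadata.Name != "default" || (sa.Automount != nil && !*sa.Automount) {
		return resp, nil // not the default SA, or it already opts out
	}
	patch, _ := json.Marshal([]map[string]interface{}{
		{"op": "add", "path": "/automountServiceAccountToken", "value": false},
	})
	resp.PatchType = "JSONPatch"
	resp.Patch = base64.StdEncoding.EncodeToString(patch)
	return resp, nil
}
```

Pods that explicitly set a different ServiceAccount or their own automountServiceAccountToken are unaffected; the patch only changes the namespace's default.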
Previously we had upgradeComponent for releases in the kube-system namespace, but now, after the introduction of lokomotive's own webhook and namespace, this fixes it to upgrade releases according to their own namespaces. Signed-off-by: knrt10 <kautilya@kinvolk.io>
With this change, we are adding a feature where helm can create the namespace while bootstrapping. Signed-off-by: knrt10 <kautilya@kinvolk.io>
Earlier, while re-applying a cluster, if a release did not exist, an empty map was passed as values, due to which helm got a null value and upgrading the release failed. Signed-off-by: knrt10 <kautilya@kinvolk.io>
Merging this, as Mateusz already approved it before. Thank you all for your reviews.
Add security to components and new namespaces created by the user by preventing users from mounting the default ServiceAccount into their pods.
Add tests for components.
My findings trying to solve this issue were
lokomotive-system namespace and is bootstrapped by bootkube during cluster creation.
Fixes #669
Signed-off-by: knrt10 <kautilya@kinvolk.io>