🌱 Support admin config for Kubeadm v1.29 #9682

Merged
merged 1 commit into from
Nov 7, 2023

killianmuldoon
Contributor

Add support to the Kubeadm Control Plane provider for the new Kubeadm ClusterRoles to use the super-admin config introduced in the v1.29 cycle.

Part of #9578
Fixes #9633

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Nov 7, 2023
@killianmuldoon killianmuldoon changed the title 🌱 Support super-admin config for Kubeadm v1.29 [WIP] 🌱 Support super-admin config for Kubeadm v1.29 Nov 7, 2023
@k8s-ci-robot k8s-ci-robot added do-not-merge/needs-area PR is missing an area label do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. labels Nov 7, 2023
@k8s-ci-robot k8s-ci-robot added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Nov 7, 2023
Contributor Author

@killianmuldoon killianmuldoon left a comment

/area provider/controlplane-kubeadm

@k8s-ci-robot
Contributor

@killianmuldoon: The label(s) area/provider/controlplane-kubeadm cannot be applied, because the repository doesn't have them.

In response to this:

/area provider/controlplane-kubeadm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@killianmuldoon
Contributor Author

/area provider/control-plane-kubeadm

@k8s-ci-robot k8s-ci-robot added area/provider/control-plane-kubeadm Issues or PRs related to KCP and removed do-not-merge/needs-area PR is missing an area label labels Nov 7, 2023
Contributor Author

@killianmuldoon killianmuldoon left a comment

/test

@@ -35,6 +36,14 @@ const (
// GetNodesClusterRoleName defines the name of the ClusterRole and ClusterRoleBinding to get nodes.
GetNodesClusterRoleName = "kubeadm:get-nodes"

// SuperAdminKubeConfigFileName defines name for the kubeconfig aimed to be used by the super-admin of the cluster.
SuperAdminKubeConfigFileName = "super-admin.conf"
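Review bot: the comment on the exported constant SuperAdminKubeConfigFileName does not say where the value "super-admin.conf" comes from or which code path is expected to reference it. Because the file it names is described as the kubeconfig for the cluster's super-admin, state the origin of the value in the comment so drift from the upstream name is easy to spot, and keep the constant only if something in this package actually uses it. The wording "defines name for" should read "defines the name of".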
Contributor Author

We should be able to import these constants once 1.29 is released, but for now we copy them like these other constants. Not sure if it's worth the import.

Member

Not sure if we can import from this part of k/k without getting a dependency on k/k itself

Member

This specific constant seems to be unused, let's delete it if we don't use it

@k8s-ci-robot
Contributor

@killianmuldoon: The /test command needs one or more targets.
The following commands are available to trigger required jobs:

  • /test pull-cluster-api-build-main
  • /test pull-cluster-api-e2e-full-dualstack-and-ipv6-main
  • /test pull-cluster-api-e2e-full-main
  • /test pull-cluster-api-e2e-main
  • /test pull-cluster-api-e2e-mink8s-main
  • /test pull-cluster-api-e2e-workload-upgrade-1-28-latest-main
  • /test pull-cluster-api-test-main
  • /test pull-cluster-api-test-mink8s-main
  • /test pull-cluster-api-verify-main

The following commands are available to trigger optional jobs:

  • /test pull-cluster-api-apidiff-main
  • /test pull-cluster-api-e2e-scale-main-experimental

Use /test all to run the following jobs that were automatically triggered:

  • pull-cluster-api-apidiff-main
  • pull-cluster-api-build-main
  • pull-cluster-api-e2e-main
  • pull-cluster-api-test-main
  • pull-cluster-api-verify-main

In response to this:

/test


@killianmuldoon
Contributor Author

/test pull-cluster-api-e2e-workload-upgrade-1-28-latest-main

@killianmuldoon
Contributor Author

/test pull-cluster-api-e2e-workload-upgrade-1-28-latest-main

@killianmuldoon killianmuldoon changed the title [WIP] 🌱 Support super-admin config for Kubeadm v1.29 🌱 Support super-admin config for Kubeadm v1.29 Nov 7, 2023
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Nov 7, 2023
@killianmuldoon killianmuldoon changed the title 🌱 Support super-admin config for Kubeadm v1.29 🌱 Support admin config for Kubeadm v1.29 Nov 7, 2023
@killianmuldoon
Contributor Author

/test pull-cluster-api-e2e-workload-upgrade-1-28-latest-main

@killianmuldoon
Contributor Author

/test pull-cluster-api-e2e-full-main

@killianmuldoon
Contributor Author

/hold

Let's keep this back until after we create the release branch for v1.6.0

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 7, 2023
@killianmuldoon
Contributor Author

/test pull-cluster-api-e2e-full-main
/test pull-cluster-api-e2e-workload-upgrade-1-28-latest-main

// AddClusterAdminRoleBinding creates ClusterRoleBinding rules to use the kubeadm:cluster-admins Cluster Role created in Kubeadm v1.29.
func (w *Workload) AddClusterAdminRoleBinding(ctx context.Context, version semver.Version) error {
// If the upgrade is not to a Cluster of version v1.29.0 or higher this is a no-op
if !version.GTE(semver.MustParse("1.29.0")) {
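Review bot: the gate !version.GTE(semver.MustParse("1.29.0")) in AddClusterAdminRoleBinding applies full SemVer precedence, under which any pre-release of 1.29.0 (alpha, beta, rc) sorts below 1.29.0, so the binding is skipped for exactly those builds. Compare on major and minor only, or strip the pre-release part before comparing. The minimum version can also be parsed once into a package-level variable rather than calling MustParse on every invocation.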
Member

if you are running this code in CI against kubeadm CI artifacts, the exact version where this feature was somehow useable and the RBAC was needed is:
v1.29.0-alpha.2.188+05076de57fc49f

Contributor Author

Updated to use the CAPI util that ignores preRelease versions for checks like these. Thanks for catching this!
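The version-gate problem discussed in this review thread, as an added example (not code from the PR or from Cluster API): a self-contained Go sketch that compares strict SemVer precedence with a major.minor gate for the CI version quoted above. The names parse, strictGTE and minorGTE and the minimal parser are illustrative assumptions; v1.28.3 and v1.29.0 are constructed inputs.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

type version struct {
	n   [3]int // major, minor, patch
	pre string // pre-release part; empty for a release
}
// parse reads "vMAJOR.MINOR.PATCH[-pre][+build]"; build metadata never affects precedence.
func parse(s string) (v version, err error) {
	core, _, _ := strings.Cut(strings.TrimPrefix(s, "v"), "+")
	core, v.pre, _ = strings.Cut(core, "-")
	f := strings.Split(core, ".")
	if len(f) != 3 {
		return v, fmt.Errorf("invalid version %q", s)
	}
	for i, p := range f {
		if v.n[i], err = strconv.Atoi(p); err != nil || v.n[i] < 0 {
			return v, fmt.Errorf("invalid version %q", s)
		}
	}
	return v, nil
}

// strictGTE is SemVer precedence against a release floor: a pre-release of the floor sorts below it.
func strictGTE(v, floor version) bool {
	for i := range v.n {
		if v.n[i] != floor.n[i] {
			return v.n[i] > floor.n[i]
		}
	}
	return v.pre == ""
}

// minorGTE compares major.minor only, so pre-release builds of the floor's minor pass the gate.
func minorGTE(v, floor version) bool {
	return v.n[0] > floor.n[0] || (v.n[0] == floor.n[0] && v.n[1] >= floor.n[1])
}

func main() {
	floor := version{n: [3]int{1, 29, 0}} // gate at Kubernetes v1.29.0
	for _, s := range []string{"v1.28.3", "v1.29.0-alpha.2.188+05076de57fc49f", "v1.29.0"} {
		v, err := parse(s)
		fmt.Println(s, "strict:", strictGTE(v, floor), "major.minor:", minorGTE(v, floor), err)
	}
}
```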

controlplane/kubeadm/internal/workload_cluster.go Outdated
@killianmuldoon
Contributor Author

/test pull-cluster-api-e2e-full-main
/test pull-cluster-api-e2e-workload-upgrade-1-28-latest-main

Member

@sbueringer sbueringer left a comment

Just some minor findings

@@ -68,6 +68,11 @@ func (r *KubeadmControlPlaneReconciler) upgradeControlPlane(
return ctrl.Result{}, errors.Wrap(err, "failed to set role and role binding for kubeadm")
}

// Ensure kubeadm clusterRole & Bindings for v1.29+ as per https://github.com/kubernetes/kubernetes/pull/121305
if err := workloadCluster.AllowClusterAdminPermissions(ctx, parsedVersion); err != nil {
return ctrl.Result{}, errors.Wrap(err, "failed to set role and role binding for kubeadm")
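Review bot: the errors.Wrap message on the new AllowClusterAdminPermissions call, "failed to set role and role binding for kubeadm", is identical to the message on the return just above it, so a failure in this step cannot be told apart from the earlier one in logs or conditions. Give this call its own message that names the step, for example one that mentions the cluster-admin ClusterRoleBinding.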
Member

the error text seems to be misleading / a copy&paste error

Contributor Author

error message is more specific now

Signed-off-by: killianmuldoon <kmuldoon@vmware.com>
@killianmuldoon
Contributor Author

/test pull-cluster-api-e2e-full-main
/test pull-cluster-api-e2e-workload-upgrade-1-28-latest-main

@sbueringer
Member

Thx

/lgtm
/approve

Feel free to hold cancel when you want to merge

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 7, 2023
@k8s-ci-robot
Contributor

LGTM label has been added.

Git tree hash: 9ab2c962607bef49b2d277425df1fa3bb2ade6dc

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: sbueringer

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 7, 2023
@killianmuldoon
Contributor Author

Feel free to hold cancel when you want to merge

IMO let's leave this open until after the 1.6.0 RC is cut next Tuesday. Would prefer to get as clean a test signal as possible, and 1.29 support won't make the 1.6.0 release in any case. But up to you 😅

Contributor

@g-gaston g-gaston left a comment

/lgtm

@sbueringer
Member

I think merging on main shouldn't affect 1.6.

I also think a cherry pick would be good to already unblock other providers running tests against Kubernetes 1.29. I think a cherry pick is okay as the change is very straightforward

@killianmuldoon
Contributor Author

Fair enough - I'm just a little nervous with the state of the CI signal this close to release.

/hold cancel

/cherry-pick release-1.5

@k8s-infra-cherrypick-robot

@killianmuldoon: once the present PR merges, I will cherry-pick it on top of release-1.5 in a new PR and assign it to you.

In response to this:

Fair enough - I'm just a little nervous with the state of the CI signal this close to release.

/hold cancel

/cherry-pick release-1.5


@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 7, 2023
@killianmuldoon
Contributor Author

/cherry-pick release-1.5

@k8s-infra-cherrypick-robot

@killianmuldoon: once the present PR merges, I will cherry-pick it on top of release-1.5 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.5


@killianmuldoon
Contributor Author

/cherry-pick release-1.4

@k8s-infra-cherrypick-robot

@killianmuldoon: once the present PR merges, I will cherry-pick it on top of release-1.4 in a new PR and assign it to you.

In response to this:

/cherry-pick release-1.4


@killianmuldoon
Contributor Author

I think merging on main shouldn't affect 1.6.

Just to be clear - main is 1.6 right now, but let's merge. I don't think this is going to have a negative impact really. I was just mentally starting the code freeze early 😬

@k8s-ci-robot k8s-ci-robot merged commit 6384395 into kubernetes-sigs:main Nov 7, 2023
22 checks passed
@k8s-ci-robot k8s-ci-robot added this to the v1.6 milestone Nov 7, 2023
@k8s-infra-cherrypick-robot

@killianmuldoon: new pull request created: #9684

In response to this:

/cherry-pick release-1.5


@k8s-infra-cherrypick-robot

@killianmuldoon: new pull request created: #9685

In response to this:

/cherry-pick release-1.4


@sbueringer
Member

Thank you

Development

Successfully merging this pull request may close these issues.

Test capi-e2e-main-1-28-latest is failing
6 participants