Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

federation: Adding support for namespace admission controls in federation-apiserver #31139

Merged

Conversation

nikhiljindal
Copy link
Contributor

@nikhiljindal nikhiljindal commented Aug 22, 2016

Now that we have namespaces in federation apiserver, we can support namespace admission controls.

There are 3 of these:
namespace/autoprovision, namespace/exists and namespace/lifecycle.
namespace/autoprovision, namespace/exists should be deprecated in kubernetes(#31195). Adding support for namespace/lifecycle to federation-apiserver.
As in kube-apiserver, enabling namespace/lifecycle by default.

Action required: If you have a running federation control plane, you will have to ensure that for all federation resources, the corresponding namespace exists in federation control plane.

federation-apiserver now supports NamespaceLifecycle admission control, which is enabled by default. Set the --admission-control flag on the server to change that.

cc @kubernetes/sig-cluster-federation @quinton-hoole


This change is Reviewable

@nikhiljindal
Copy link
Contributor Author

Am working on fixing the federation e2es.

@nikhiljindal nikhiljindal added area/cluster-federation release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. labels Aug 22, 2016
@nikhiljindal nikhiljindal added this to the v1.4 milestone Aug 22, 2016
@nikhiljindal
Copy link
Contributor Author

cc @derekwaynecarr

@k8s-github-robot k8s-github-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Aug 22, 2016
@ghost ghost added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Aug 22, 2016
@ghost ghost assigned ghost and derekwaynecarr and unassigned spxtr Aug 22, 2016
@nikhiljindal nikhiljindal force-pushed the namespaceAdmissionControl branch 4 times, most recently from c773f64 to 7cd8664 Compare August 22, 2016 21:43
@nikhiljindal
Copy link
Contributor Author

This is now ready for review. Have fixed all federation e2es and have added a test to ensure that a request to create a namespaced resource fails if the namespace does not exist.

I have a TODO to clean up the federation namespace after each test, which I will send another PR for (need to fix #31077 before that).

ptal.

@derekwaynecarr
Copy link
Member

I think you can only add NamespaceLifecycle. The others should be marked
deprecated.

On Monday, August 22, 2016, Kubernetes Bot notifications@github.com wrote:

GCE e2e build/test passed for commit 7cd8664
7cd8664
.


You are receiving this because you were assigned.
Reply to this email directly, view it on GitHub
#31139 (comment),
or mute the thread
https://github.com/notifications/unsubscribe-auth/AF8dbOdbxo5HU1M50bX_onw8GuCKOJ1Vks5qii58gaJpZM4JqIrn
.

@nikhiljindal nikhiljindal force-pushed the namespaceAdmissionControl branch from 7cd8664 to 4ba25b3 Compare August 23, 2016 00:28
@nikhiljindal
Copy link
Contributor Author

nikhiljindal commented Aug 23, 2016

Removed the other 2 namespace admission controls and filed #31195 to keep track to deprecate it in kube-apiserver.

Updated the PR description and release-notes

@nikhiljindal nikhiljindal force-pushed the namespaceAdmissionControl branch from 4ba25b3 to db7af6c Compare August 23, 2016 04:49
@ghost ghost added release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. labels Aug 23, 2016
@@ -94,7 +94,7 @@ function create-federation-api-objects {
export FEDERATION_API_NODEPORT=32111
export FEDERATION_NAMESPACE
export FEDERATION_NAME="${FEDERATION_NAME:-federation}"
export DNS_ZONE_NAME="${DNS_ZONE_NAME:-federation.example}" # See https://tools.ietf.org/html/rfc2606
export DNS_ZONE_NAME="${DNS_ZONE_NAME:-federation.example.}" # See https://tools.ietf.org/html/rfc2606
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Doesn't seem to belong in this PR?

@k8s-bot
Copy link

k8s-bot commented Aug 23, 2016

GCE e2e build/test passed for commit db7af6c.

@@ -84,8 +84,44 @@ var _ = framework.KubeDescribe("Federation apiserver [Feature:Federation]", func
framework.Logf("Verified that zero clusters remain")
})
})
Describe("Admission control", func() {
AfterEach(func() {
framework.SkipUnlessFederated(f.Client)
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Surely this belongs in BeforeEach(), not AfterEach()?

@ghost
Copy link

ghost commented Aug 23, 2016

Thanks @nikhiljindal. Comments can be addressed in a followup PR. LGTM.

@ghost ghost added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 23, 2016
@k8s-github-robot
Copy link

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-bot
Copy link

k8s-bot commented Aug 23, 2016

GCE e2e build/test passed for commit db7af6c.

@k8s-github-robot
Copy link

Automatic merge from submit-queue

@k8s-github-robot k8s-github-robot merged commit 13305ef into kubernetes:master Aug 23, 2016
@nikhiljindal nikhiljindal added release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. and removed release-note Denotes a PR that will be considered when it comes time to generate release notes. labels Aug 25, 2016
@ghost
Copy link

ghost commented Aug 29, 2016

@nikhiljindal One of these tests is ~perma-failing since 8/23. Could you please take a look?

https://k8s-testgrid.appspot.com/google-gce#gce-federation

@nikhiljindal
Copy link
Contributor Author

nikhiljindal commented Aug 29, 2016

Sure. Am on it: #31624

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/backlog Higher priority than priority/awaiting-more-evidence. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants