Feat: Conditional CSR controller spawning #84
Conversation
Signed-off-by: yue9944882 <291271447@qq.com>
Signed-off-by: yue9944882 <291271447@qq.com>
|
|
||
| // IsCSRSupported checks whether the cluster supports v1 or v1beta1 csr api. | ||
| func IsCSRSupported(nativeClient kubernetes.Interface) (bool, bool, error) { | ||
| mapper := restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(nativeClient.Discovery())) |
There was a problem hiding this comment.
this will add additional rbac requirement for addon controller
There was a problem hiding this comment.
the system:discovery clusterrole will be bound to all the authenticated users. so no additional permission is required.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: system:discovery
subjects:
- apiGroup: rbac.authorization.k8s.io
kind: Group
name: system:authenticated
| @@ -76,6 +78,11 @@ func (a *addonManager) Start(ctx context.Context) error { | |||
| return err | |||
| } | |||
|
|
|||
| v1CSRSupported, _, err := utils.IsCSRSupported(kubeClient) | |||
There was a problem hiding this comment.
could we add an additional flag for addon to check this? the v1CSRSupported could be true initially, but the value is set if the flag for the manager is enabled. I am concerned about addition rbac requirement for addon controller.
There was a problem hiding this comment.
i believe there's no worry in the RBAC compatibility. i was thinking about having a flag to manually switch between enabling/disabling CSR controllers, but by leveraging rest mapper the detection of v1 CSR api can be done completely automatically. so we dont need the flag, wdyt?
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: qiujian16, yue9944882 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
No description provided.