Feat: Conditional CSR controller spawning #84
Signed-off-by: yue9944882 <291271447@qq.com>
|
||
// IsCSRSupported checks whether the cluster supports v1 or v1beta1 csr api. | ||
func IsCSRSupported(nativeClient kubernetes.Interface) (bool, bool, error) { | ||
mapper := restmapper.NewDeferredDiscoveryRESTMapper(memory.NewMemCacheClient(nativeClient.Discovery())) |
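Review bot: the `(bool, bool, error)` signature of `IsCSRSupported` returns two unnamed bools, and the doc comment does not say which one is v1 and which is v1beta1, so a caller can swap them without the compiler noticing. Suggest naming the results, for example `(v1Supported, v1beta1Supported bool, err error)`, and stating the order in the comment. The mapper is also built on a fresh `memory.NewMemCacheClient` for every call, so each invocation repeats discovery; that is fine for a one-off startup check but worth noting in the comment.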
this will add additional rbac requirement for addon controller
the `system:discovery` clusterrole will be bound to all the authenticated users. so no additional permission is required.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: system:discovery
subjects:
- apiGroup: rbac.authorization.k8s.io
  kind: Group
  name: system:authenticated
```
ah ok
@@ -76,6 +78,11 @@ func (a *addonManager) Start(ctx context.Context) error { | |||
return err | |||
} | |||
|
|||
v1CSRSupported, _, err := utils.IsCSRSupported(kubeClient) |
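Review bot: on the `utils.IsCSRSupported(kubeClient)` call the second result (v1beta1 support) is dropped with `_`, and the visible lines do not show `err` being checked before `v1CSRSupported` is used. Please make sure a discovery failure is returned from `Start` rather than being read as "v1 not supported", and add a short comment saying that clusters serving only v1beta1 intentionally get no CSR controllers, if that is the intent.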
could we add an additional flag for addon to check this? the v1CSRSupported could be true initially, but the value is set if the flag for the manager is enabled. I am concerned about additional rbac requirement for addon controller.
i believe there's no worry in the RBAC compatibility. i was thinking about having a flag to manually switch between enabling/disabling CSR controllers, but by leveraging rest mapper the detection of v1 CSR api can be done completely automatically. so we don't need the flag, wdyt?
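The discovery-based detection discussed in this thread, as an added example that is not code from this PR or the project: it reads a constructed `/apis` discovery document and reports which `certificates.k8s.io` versions the API server advertises. The helper name `csrVersions` and the sample JSON are assumptions, and the check is group-level only (it does not confirm that the `certificatesigningrequests` resource is served, which a REST mapper lookup would).

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample of the APIGroupList served at /apis (trimmed).
const sampleAPIs = `{"kind":"APIGroupList","groups":[
 {"name":"apps","versions":[{"groupVersion":"apps/v1","version":"v1"}]},
 {"name":"certificates.k8s.io","versions":[
  {"groupVersion":"certificates.k8s.io/v1","version":"v1"},
  {"groupVersion":"certificates.k8s.io/v1beta1","version":"v1beta1"}]}]}`

type apiGroupList struct {
	Groups []struct {
		Name     string `json:"name"`
		Versions []struct {
			Version string `json:"version"`
		} `json:"versions"`
	} `json:"groups"`
}

// csrVersions (hypothetical helper) reports whether the discovery document
// advertises v1 and v1beta1 of the certificates.k8s.io group. A parse failure
// is returned as an error so it is never mistaken for "not supported".
func csrVersions(discoveryJSON []byte) (v1, v1beta1 bool, err error) {
	var list apiGroupList
	if err = json.Unmarshal(discoveryJSON, &list); err != nil {
		return false, false, fmt.Errorf("parse discovery document: %w", err)
	}
	for _, g := range list.Groups {
		if g.Name != "certificates.k8s.io" {
			continue
		}
		for _, ver := range g.Versions {
			switch ver.Version {
			case "v1":
				v1 = true
			case "v1beta1":
				v1beta1 = true
			}
		}
	}
	return v1, v1beta1, nil
}

func main() {
	fmt.Println(csrVersions([]byte(sampleAPIs)))
}
```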
/approve
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: qiujian16, yue9944882

The full list of commands accepted by this bot can be found here. The pull request process is described here
No description provided.