Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add default for ProcMountType #69694

Merged
merged 2 commits into from Oct 12, 2018
Merged

add default for ProcMountType #69694

merged 2 commits into from Oct 12, 2018

Conversation

jessfraz
Copy link
Contributor

@jessfraz jessfraz commented Oct 11, 2018
edited by liggitt

What this PR does / why we need it: This adds a default for the ProcMount feature and fixes #69647

kube-apiserver: fixes `procMount` field incorrectly being marked as required in openapi schema

@k8s-ci-robot k8s-ci-robot added size/M Denotes a PR that changes 30-99 lines, ignoring generated files. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. needs-kind Indicates a PR lacks a `kind/foo` label and requires one. needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Oct 11, 2018
@jessfraz
Copy link
Contributor Author

we should also cherry-pick this on a release

@jessfraz jessfraz added this to the v1.12 milestone Oct 11, 2018
@k8s-ci-robot k8s-ci-robot added sig/apps Categorizes an issue or PR as relevant to SIG Apps. release-note Denotes a PR that will be considered when it comes time to generate release notes. and removed needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. do-not-merge/release-note-label-needed Indicates that a PR should not merge because it's missing one of the release note labels. labels Oct 11, 2018
@dims
Copy link
Member

dims commented Oct 11, 2018

/assign @liggitt

Jordan, Fix for a backwards compatibility problem. Old yamls fail against 1.12.x

@jessfraz
Copy link
Contributor Author

/priority critical-urgent

@k8s-ci-robot k8s-ci-robot added the priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. label Oct 11, 2018
@jessfraz
Copy link
Contributor Author

/kind bug

@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Oct 11, 2018
@k8s-ci-robot k8s-ci-robot added area/kubelet sig/node Categorizes an issue or PR as relevant to SIG Node. labels Oct 11, 2018
@liggitt
Copy link
Member

liggitt commented Oct 11, 2018
edited

The new field must be made optional/omitempty in types.go… setting a server side default won't fix the client side attempt to require the field in validation for old clients

liggitt
liggitt reviewed Oct 11, 2018
View reviewed changes
pkg/apis/core/v1/defaults.go Outdated
@@ -413,6 +416,13 @@ func SetDefaults_ScaleIOPersistentVolumeSource(obj *v1.ScaleIOPersistentVolumeSo
}
}

func SetDefaults_SecurityContext(obj *v1.SecurityContext) {
if obj.ProcMount == nil && utilfeature.DefaultFeatureGate.Enabled(features.ProcMountType) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I didn't expect checking feature gates in defaulting… is this feature enabled by default?

Copy link
Contributor

@MarcPow MarcPow Oct 12, 2018
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmmm. I don't understand this either. I'm the original reporter (and a bit of a newb), but I don't believe this gate is enabled.

azureuser@k8s-master-71973844-0:~$ ps aux | grep feature-gate
root 9035 3.7 1.9 671344 155776 ? Ssl Oct10 54:10 /usr/local/bin/kubelet --enable-server --node-labels=kubernetes.io/role=master,kubernetes.azure.com/cluster=ClarityOrDie18RG --v=2 --volume-plugin-dir=/etc/kubernetes/volumeplugins --address=0.0.0.0 --allow-privileged=true --anonymous-auth=false --authorization-mode=Webhook --azure-container-registry-config=/etc/kubernetes/azure.json --cgroups-per-qos=true --client-ca-file=/etc/kubernetes/certs/ca.crt --cloud-config=/etc/kubernetes/azure.json --cloud-provider=azure --cluster-dns=10.0.0.10 --cluster-domain=cluster.local --enforce-node-allocatable=pods --event-qps=0 --eviction-hard=memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5% --feature-gates=PodPriority=true --image-gc-high-threshold=85 --image-gc-low-threshold=80 --image-pull-progress-deadline=30m --keep-terminated-pod-volumes=false --kubeconfig=/var/lib/kubelet/kubeconfig --max-pods=30 --network-plugin=cni --node-status-update-frequency=10s --non-masquerade-cidr=10.240.0.0/12 --pod-infra-container-image=k8s.gcr.io/pause-amd64:3.1 --pod-manifest-path=/etc/kubernetes/manifests --pod-max-pids=100
root 11244 0.1 1.1 408860 92912 ? Ssl Oct10 2:49 /hyperkube proxy --kubeconfig=/var/lib/kubelet/kubeconfig --cluster-cidr=10.240.0.0/12 --feature-gates=ExperimentalCriticalPodAnnotation=true
root 18830 2.8 1.7 587656 145652 ? Ssl Oct11 6:29 /hyperkube controller-manager --allocate-node-cidrs=false --cloud-config=/etc/kubernetes/azure.json --cloud-provider=azure --cluster-cidr=10.240.0.0/12 --cluster-name=ClarityOrDie18 --cluster-signing-cert-file=/etc/kubernetes/certs/ca.crt --cluster-signing-key-file=/etc/kubernetes/certs/ca.key --configure-cloud-routes=false --feature-gates=ServiceNodeExclusion=true --kubeconfig=/var/lib/kubelet/kubeconfig --leader-elect=true --node-monitor-grace-period=40s --pod-eviction-timeout=5m0s --profiling=false --root-ca-file=/etc/kubernetes/certs/ca.crt --route-reconciliation-period=10s --service-account-private-key-file=/etc/kubernetes/certs/apiserver.key --terminated-pod-gc-threshold=5000 --use-service-account-credentials=true --v=2

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it is not enabled by default, but there was already the feature gate check for a volume feature in that same file so I figured it was normal, if not i can remove

@jessfraz
Copy link
Contributor Author

The new field must be made optional/omitempty in types.go… setting a server side default won't fix the client side attempt to require the field in validation for old clients

AFAICT it is set as optional am i missing something https://github.com/kubernetes/kubernetes/blob/master/pkg/apis/core/types.go#L4634

@liggitt
Copy link
Member

liggitt commented Oct 12, 2018

kubernetes/staging/src/k8s.io/api/core/v1/types.go

Lines 5217 to 5222 in b5a5010

// procMount denotes the type of proc mount to use for the containers.
// The default is DefaultProcMount which uses the container runtime defaults for
// readonly paths and masked paths.
// This requires the ProcMountType feature flag to be enabled.
// +optional
ProcMount *ProcMountType `json:"procMount,omitEmpty" protobuf:"bytes,9,opt,name=procMount"`

s/omitEmpty/omitempty/, I think. It still shows up as required in the openapi spec

@jessfraz
fix omitempty on ProcMount
5e63ef0 
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
@k8s-ci-robot k8s-ci-robot removed the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Oct 12, 2018
@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. labels Oct 12, 2018
@jessfraz
run make update
ce6f716 
Signed-off-by: Jess Frazelle <acidburn@microsoft.com>
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Oct 12, 2018
@liggitt
Copy link
Member

liggitt commented Oct 12, 2018

/lgtm
/approve

can you cherry-pick this to release-1.12 once tests are green?

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 12, 2018
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jessfraz, liggitt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 12, 2018
@jessfraz
Copy link
Contributor Author

jessfraz commented Oct 12, 2018 via email

@jessfraz
Copy link
Contributor Author

/test pull-kubernetes-kubemark-e2e-gce-big

@jessfraz jessfraz mentioned this pull request Oct 12, 2018
Merged
@k8s-ci-robot k8s-ci-robot merged commit 74d0ef2 into kubernetes:master Oct 12, 2018
@jessfraz jessfraz deleted the 69647 branch October 12, 2018 23:02
k8s-ci-robot added a commit that referenced this pull request Oct 13, 2018
@k8s-ci-robot
Merge pull request #69744 from jessfraz/cherrypick-69694
5cda1f3 
cherrypick for #69694
@liggitt liggitt mentioned this pull request Oct 15, 2018
Merged
@liggitt
Copy link
Member

liggitt commented Oct 15, 2018

added linting test for this in kubernetes/kube-openapi#106

@AkihiroSuda AkihiroSuda mentioned this pull request Dec 27, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@MarcPow MarcPow MarcPow left review comments

@deads2k deads2k Awaiting requested review from deads2k

@nikhiljindal nikhiljindal Awaiting requested review from nikhiljindal

Assignees

@liggitt liggitt

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/kubelet cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/bug Categorizes issue or PR as related to a bug. lgtm "Looks good to me", indicates that a PR is ready to be merged. priority/critical-urgent Highest priority. Must be actively worked on as someone's top priority right now. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/apps Categorizes an issue or PR as relevant to SIG Apps. sig/architecture Categorizes an issue or PR as relevant to SIG Architecture. sig/node Categorizes an issue or PR as relevant to SIG Node. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Milestone
v1.12
Development

Successfully merging this pull request may close these issues.

Pod SecurityContext Changes in 1.12.0-rc2 do not have backwards compatible defaults
5 participants
@jessfraz @dims @liggitt @k8s-ci-robot @MarcPow