fix: k8s 1.21+ bounded service account token on backup subcontroller #303

Open: wants to merge 1 commit into base: main

michaellee8

In k8s 1.21+, bounded service account tokens are enforced, which requires a different prefix for service account token mounts, and are not removed in reconcile_subcontroller.go. My patch fixes the issue which allows the subcontroller to work.

Closes #302
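
Added example, not part of this PR or the operator's code: a sketch of filtering auto-injected token volumes under both naming schemes, the legacy `<serviceaccount>-token-<suffix>` secret volume and the `kube-api-access-<suffix>` projected volume used for bound tokens on 1.21+. The `Volume` and `Mount` structs are hypothetical stand-ins for the Kubernetes API types, and the service account name `vitess` and all volume names are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Volume and Mount are minimal stand-ins for corev1.Volume and
// corev1.VolumeMount (assumption: only the fields used here are modelled).
type Volume struct {
	Name           string
	Secret         bool // backed by a Secret (legacy token volumes)
	ProjectedToken bool // projected volume with a serviceAccountToken source
}

type Mount struct{ Name, MountPath string }

// isTokenVolume matches both schemes and also checks the volume type, so a
// user volume that merely shares the prefix is not removed by accident.
func isTokenVolume(v Volume, saName string) bool {
	legacy := v.Secret && strings.HasPrefix(v.Name, saName+"-token-")
	bound := v.ProjectedToken && strings.HasPrefix(v.Name, "kube-api-access-")
	return legacy || bound
}

// StripTokenVolumes drops token volumes and every mount that references them.
func StripTokenVolumes(vols []Volume, mounts []Mount, saName string) ([]Volume, []Mount) {
	dropped := map[string]bool{}
	keptV := []Volume{}
	for _, v := range vols {
		if isTokenVolume(v, saName) {
			dropped[v.Name] = true
			continue
		}
		keptV = append(keptV, v)
	}
	keptM := []Mount{}
	for _, m := range mounts {
		if !dropped[m.Name] {
			keptM = append(keptM, m)
		}
	}
	return keptV, keptM
}

func main() {
	// Constructed sample: one data volume and one bound-token volume.
	vols := []Volume{{Name: "backup-data"}, {Name: "kube-api-access-9fqzd", ProjectedToken: true}}
	mounts := []Mount{{Name: "backup-data", MountPath: "/backup"},
		{Name: "kube-api-access-9fqzd", MountPath: "/var/run/secrets/kubernetes.io/serviceaccount"}}
	fmt.Println(StripTokenVolumes(vols, mounts, "vitess"))
}
```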


vitess-bot bot commented Aug 12, 2022

Review Checklist

Hello reviewers! 👋 Please follow this checklist when reviewing this Pull Request.

General

  • Ensure that the Pull Request has a descriptive title.
  • If this is a change that users need to know about, please apply the release notes (needs details) label so that merging is blocked unless the summary release notes document is included.
  • If a new flag is being introduced, review whether it is really needed. The flag names should be clear and intuitive (as far as possible), and the flag's help should be descriptive.
  • If a workflow is added or modified, each item in Jobs should be named in order to mark it as required. If the workflow should be required, the GitHub Admin should be notified.

Bug fixes

  • There should be at least one unit or end-to-end test.
  • The Pull Request description should either include a link to an issue that describes the bug OR an actual description of the bug and how to reproduce, along with a description of the fix.

Non-trivial changes

  • There should be some code comments as to why things are implemented the way they are.

New/Existing features

  • Should be documented, either by modifying the existing documentation or creating new documentation.
  • New features should have a link to a feature request issue or an RFC that documents the use cases, corner cases and test cases.

Backward compatibility

  • Protobuf changes should be wire-compatible.
  • Changes to _vt tables and RPCs need to be backward compatible.
  • vtctl command output order should be stable and awk-able.

@michaellee8 michaellee8 changed the title fix: k8s 1.21+ bounded service account token fix: k8s 1.21+ bounded service account token on backup subcontroller Aug 12, 2022
@michaellee8 michaellee8 marked this pull request as draft August 12, 2022 03:29
@michaellee8
Author

Still got the problem after this patch, no idea why, investigating.

@michaellee8 michaellee8 marked this pull request as ready for review August 12, 2022 04:47
Signed-off-by: michaellee8 <ckmichael8@gmail.com>
@michaellee8 michaellee8 force-pushed the fix/k8s-121-bounded-service-account-token branch from a978940 to 1af5268 Compare August 12, 2022 04:51
@deepthi
Collaborator

deepthi commented Aug 12, 2022

@michaellee8 let us know once you have a working fix. At that time we can review and run CI.

@michaellee8
Author

michaellee8 commented Aug 13, 2022

@deepthi It seems that even with my patch it still doesn't work, are you familiar with other places in the codebase that may cause the issue?

Edit: Seems like the issue is GKE Autopilot specific, but I think the patch would still be useful since it prevents the service account volume being mounted,

Successfully merging this pull request may close these issues.

backup pod unable to start with failed to fetch service account token