
fix: kubeapi watch updates, allow configurable cidr #1075

Merged
merged 17 commits into from
Dec 5, 2024

Conversation

mjnagel
Contributor

@mjnagel mjnagel commented Dec 4, 2024

Description

This PR contains two changes, both aimed at providing fixes for lingering issues with the KubeAPI watch:

  1. NetworkPolicy updates based on changes to KubeAPI endpoints have never actually run as expected. The label we use to select existing KubeAPI network policies was never actually applied to policies in the first place. Previously we applied a uds/generated label but selected on uds.dev/generated, so these never lined up. Additionally our apply would have failed due to the existence of managed fields on the object. This has been the main cause of the problem with our auto-update logic. Pepr watcher restarts fixed the network policies not because of watch fixes, but because we re-reconcile all packages on startup.
  2. While the watch does appear to be stable, this PR additionally adds a config option to manually set a CIDR to use instead of relying on the watch. This could be useful in some clusters (such as EKS) where the control plane IPs update frequently, to reduce churn on network policy modifications.

Related Issue

Fixes #821

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging
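The two defects in the description (a label written under one key but selected under another, and an apply that fails because server-owned managedFields are sent back) and the new configured-CIDR option, shown as an added illustration that is not UDS Core's own code; all names (GENERATED_LABEL, resolveKubeApiCidrs, prepareForApply and the policy shape) are hypothetical.

```typescript
// Added illustration, not UDS Core code. One constant shared by the code that
// writes the label and the code that selects on it; the bug in the PR was
// writing "uds/generated" while selecting on "uds.dev/generated".
const GENERATED_LABEL = "uds.dev/generated";
const KUBEAPI_MARK = "kubeapi";

interface NetworkPolicy {
  metadata: {
    name: string;
    namespace: string;
    labels?: Record<string, string>;
    managedFields?: unknown[];   // server-owned, must not be sent on apply
    resourceVersion?: string;
  };
  spec: { egress: { to: { ipBlock: { cidr: string } }[]; ports: { port: number }[] }[] };
}

const CIDR_RE = /^[0-9a-fA-F.:]+\/\d{1,3}$/;

// A configured CIDR wins over the watched endpoint addresses, so clusters whose
// control-plane IPs churn (e.g. EKS) do not rewrite policies on every change.
// Endpoint addresses are bare IPs and become host routes.
function resolveKubeApiCidrs(configuredCidr: string | undefined, endpointIps: string[]): string[] {
  const cfg = configuredCidr?.trim();
  if (cfg) {
    if (!CIDR_RE.test(cfg)) throw new Error(`invalid kubeapi CIDR: ${cfg}`);
    return [cfg];
  }
  return Array.from(new Set(endpointIps)).sort().map(ip => (ip.includes(":") ? `${ip}/128` : `${ip}/32`));
}

function buildKubeApiPolicy(namespace: string, cidrs: string[], port = 443): NetworkPolicy {
  return {
    metadata: { name: "allow-kubeapi-egress", namespace, labels: { [GENERATED_LABEL]: KUBEAPI_MARK } },
    spec: { egress: [{ to: cidrs.map(cidr => ({ ipBlock: { cidr } })), ports: [{ port }] }] },
  };
}

// Select existing generated policies with the same key the builder wrote.
function selectGeneratedPolicies(all: NetworkPolicy[]): NetworkPolicy[] {
  return all.filter(p => p.metadata.labels?.[GENERATED_LABEL] === KUBEAPI_MARK);
}

// Strip server-owned metadata before a full apply; an object carrying
// managedFields is rejected by the API server on server-side apply.
function prepareForApply(p: NetworkPolicy): NetworkPolicy {
  const metadata = { ...p.metadata };
  delete metadata.managedFields;
  delete metadata.resourceVersion;
  return { ...p, metadata };
}
```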

@mjnagel mjnagel self-assigned this Dec 4, 2024
@mjnagel mjnagel requested a review from a team as a code owner December 4, 2024 15:36
@mjnagel mjnagel changed the title fix: allow configurable kubeapi cidr to workaround watch fix: allow configurable kubeapi cidr Dec 4, 2024
@mjnagel mjnagel changed the title fix: allow configurable kubeapi cidr fix: kubeapi watch updates, allow configurable cidr Dec 5, 2024
UnicornChance
UnicornChance previously approved these changes Dec 5, 2024
Contributor

@noahpb noahpb left a comment


awesome work, lgtm

@mjnagel mjnagel merged commit 3285908 into main Dec 5, 2024
25 checks passed
@mjnagel mjnagel deleted the configurable-netpol-cidr branch December 5, 2024 22:02
mjnagel pushed a commit that referenced this pull request Dec 5, 2024
🤖 I have created a release *beep* *boop*
---


## [0.32.1](v0.32.0...v0.32.1) (2024-12-05)

### Bug Fixes

* change grafana -> prometheus to https ([#1043](#1043)) ([6ef3169](6ef3169))
* client timeouts ([#1062](#1062)) ([e71c1da](e71c1da))
* kubeapi watch updates, allow configurable cidr ([#1075](#1075)) ([3285908](3285908))
* update nightly ci timeouts ([#1058](#1058)) ([2b1a440](2b1a440))
* value paths for cpu override ([#1055](#1055)) ([5a21c28](5a21c28))

### Miscellaneous

* cleanup doc ([#1078](#1078)) ([286feb4](286feb4))
* **deps:** update aws provider to ~> 5.77.0 ([#1036](#1036)) ([84fa893](84fa893))
* **deps:** update grafana to v8.6.1 ([#1040](#1040)) ([1454397](1454397))
* **deps:** update keycloak to v26.0.6 ([#1041](#1041)) ([582db22](582db22))
* **deps:** update keycloak to v26.0.7 ([#1057](#1057)) ([ef96ef0](ef96ef0))
* **deps:** update neuvector to 5.4.1 ([#1039](#1039)) ([8727675](8727675))
* **deps:** update node types to v22.9.3 ([#1049](#1049)) ([e454222](e454222))
* **deps:** update node types to v22.9.4 ([#1051](#1051)) ([0f0240a](0f0240a))
* **deps:** update support dependencies to v0.196.0 ([#1054](#1054)) ([67419f5](67419f5))
* **deps:** update support-deps ([#1046](#1046)) ([6cf96f0](6cf96f0))
* **deps:** update support-deps ([#1048](#1048)) ([d77155f](d77155f))
* **deps:** update support-deps ([#1052](#1052)) ([e1cf7db](e1cf7db))
* **deps:** update support-deps ([#1056](#1056)) ([abab719](abab719))
* **deps:** update vector helm chart to v0.38.0 ([#1092](#1092)) ([2cb4181](2cb4181))
* **deps:** update vector to v0.43.0 ([#1059](#1059)) ([55bf0b3](55bf0b3))
* **deps:** update velero chart to v8.1.0 ([#1050](#1050)) ([7b0d51b](7b0d51b))
* **deps:** update velero kubectl images to v1.31.3 ([#1034](#1034)) ([9bf286f](9bf286f))
* fix checkpoint to properly publish uds-core ([#1044](#1044)) ([f1c54cf](f1c54cf))
* reduce default cpu requests for dev/demo bundles ([#1047](#1047)) ([e0bde2f](e0bde2f))
* update cli install to use setup-uds action ([#1061](#1061)) ([daebe9b](daebe9b))

---
This PR was generated with [Release Please](https://github.com/googleapis/release-please). See [documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Closes issue:
Netpols block kubeapi in long lived EKS cluster