Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow custom service account names to be used for cloud controllers #103178

Merged
merged 1 commit into from
Aug 24, 2021
Merged

Allow custom service account names to be used for cloud controllers #103178

merged 1 commit into from
Aug 24, 2021

Conversation

nckturner
Copy link
Contributor

What type of PR is this?

/kind feature

What this PR does / why we need it:

Allow custom client/service account names to be used for cloud controllers. This allows a cloud controller to use cloud provider managed RBAC when --use-service-account-credentials is set, rather than the in-tree default RBAC that is bootstrapped by the API server (like the node-controller).

Which issue(s) this PR fixes:

Fixes kubernetes/cloud-provider#48

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Cloud providers can set service account names for cloud controllers.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/feature Categorizes issue or PR as related to a new feature. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels Jun 25, 2021
@nckturner
Copy link
Contributor Author

/sig cloud-provider

@k8s-ci-robot k8s-ci-robot added sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Jun 25, 2021
@k8s-ci-robot k8s-ci-robot requested review from rootfs and vishh June 25, 2021 07:46
@nckturner
Copy link
Contributor Author

/cc @cheftako

@k8s-ci-robot k8s-ci-robot requested a review from cheftako June 25, 2021 07:46
@nckturner nckturner mentioned this pull request Jun 25, 2021
Closed
@wongma7
Copy link
Contributor

wongma7 commented Jun 29, 2021

need gofmt https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/103178/pull-kubernetes-verify/1408330617036214272

@nckturner nckturner force-pushed the custom-cloud-controller-client-names branch from 0c643eb to b7a8502 Compare July 7, 2021 20:32
@nckturner
Copy link
Contributor Author

/triage accepted
/cc @andrewsykim

@k8s-ci-robot k8s-ci-robot requested a review from andrewsykim July 7, 2021 20:33
@k8s-ci-robot k8s-ci-robot added triage/accepted Indicates an issue or PR is ready to be actively worked on. and removed needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Jul 7, 2021
@nckturner nckturner force-pushed the custom-cloud-controller-client-names branch from b7a8502 to a3d566b Compare July 8, 2021 06:05
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jul 8, 2021
@nckturner nckturner force-pushed the custom-cloud-controller-client-names branch from a3d566b to 8643261 Compare July 8, 2021 19:22
andrewsykim
andrewsykim reviewed Jul 8, 2021
View reviewed changes
Copy link
Member

@andrewsykim andrewsykim left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/assign @cheftako @cici37

staging/src/k8s.io/cloud-provider/app/controllermanager.go Outdated
"route": startRouteControllerWrapper,
var DefaultInitFuncConstructors = map[string]ControllerInitializerConstructor{
"cloud-node": {
ClientName: "node-controller",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this probably deserves a comment that it's node-controller for historical reasons

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

+1

staging/src/k8s.io/cloud-provider/app/controllermanager.go Outdated
Constructor: StartCloudNodeControllerWrapper,
},
"cloud-node-lifecycle": {
ClientName: "node-controller",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same here this probably deserves a comment that it's node-controller for historical reasons

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Also that if you want to over-ride this is an example of where you should make the override.

@cheftako
Copy link
Member

cheftako commented Jul 8, 2021

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 8, 2021
@cheftako
Copy link
Member

cheftako commented Jul 8, 2021

/test pull-kubernetes-integration

@nckturner
Copy link
Contributor Author

/hold

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Jul 8, 2021
@nckturner
Copy link
Contributor Author

Addressing comments.

@k8s-ci-robot k8s-ci-robot removed the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 15, 2021
@nckturner
Copy link
Contributor Author

nckturner commented Jul 15, 2021
edited
Loading

Also added examples to kubernetes/cmd/cloud-controller-manager/main.go and kubernetes/staging/src/k8s.io/cloud-provider/sample, and added comments.

@cheftako
Copy link
Member

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 21, 2021
@cheftako
Copy link
Member

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jul 23, 2021
@dims
Copy link
Member

dims commented Aug 5, 2021

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Aug 5, 2021
@dims
Copy link
Member

dims commented Aug 6, 2021

@nckturner needs rebase. PTAL

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 6, 2021
@nckturner
Allow custom client names to be used for cloud controllers
a5b47f7 
* This allows a controller to use cloud provider managed RBAC
  when --use-service-account-credentials is set.
* Create ControllerInitFuncConstructor to pass to init funcs to avoid
  future function signature growth.
* Add comments for context around legacy naming of node controllers.
* Add example for setting client names from cloud controller manager.
@nckturner nckturner force-pushed the custom-cloud-controller-client-names branch from a5f84b3 to a5b47f7 Compare August 24, 2021 00:52
@k8s-ci-robot k8s-ci-robot removed lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Aug 24, 2021
@cheftako
Copy link
Member

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Aug 24, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: cheftako, nckturner, wongma7

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@nckturner
Copy link
Contributor Author

/remove-hold

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Aug 24, 2021
@k8s-ci-robot k8s-ci-robot merged commit 0c9bb96 into kubernetes:master Aug 24, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Aug 24, 2021
@nckturner nckturner mentioned this pull request Mar 2, 2022
Closed
@nckturner nckturner mentioned this pull request Apr 20, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@andrewsykim andrewsykim andrewsykim left review comments

@cheftako cheftako cheftako left review comments

@wongma7 wongma7 wongma7 approved these changes

@rootfs rootfs Awaiting requested review from rootfs

@vishh vishh Awaiting requested review from vishh

Assignees

@cheftako cheftako

@cici37 cici37

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cloudprovider cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note Denotes a PR that will be considered when it comes time to generate release notes. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. triage/accepted Indicates an issue or PR is ready to be actively worked on.
Projects
None yet
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

Cloud controllers should not reuse names and cluster roles of KCM controllers
7 participants
@nckturner @wongma7 @cici37 @cheftako @dims @k8s-ci-robot @andrewsykim