migrate service account volume to a projected volume when BoundServiceAccountTokenVolumes are enabled #69848
Conversation
k8s-ci-robot
added
release-note
|
Will add a backwards compatibility test but we are covered by the (mount over default token path) hack already. I would like to do this without a feature flag since it is fully backwards compatible and built on GA APIs. |
mikedanese
force-pushed
the
projadmission
branch
from
0074fa0 to
1a686e4
Compare
k8s-ci-robot
added
size/L
|
/retest |
There was a problem hiding this comment.
Use createVolume here instead, this is just maintenance burden and won't catch any failures
There was a problem hiding this comment.
This is a v1 type and is post defaulting. Admission works on the internal type pre-defaulting.
There was a problem hiding this comment.
Admission works on the internal type pre-defaulting.
Not sure it matters for this discussion, but by the time an object gets to admission, it was read in external form, defaulted, and converted to internal form, so defaulting was already done
There was a problem hiding this comment.
In general, it's nuanced. Objects passed in via the request have undergone defaulting and conversion. In this specific instance, the internal volume type is created in the admission controller, not passed in from the request, so it has not undergone defaulting.
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest |
|
Need to add back compat tests. /hold |
k8s-ci-robot
added
the
do-not-merge/hold
|
cc @wojtek-t for visibility on switching to projected volumes. looks like secrets via projected volume make use of the same caching secretmanager bits, which is good. cc @kubernetes/sig-storage-pr-reviews - are there any behavior differences with projected volumes around updating live values, files being read-only, etc? |
k8s-ci-robot
added
the
sig/storage
@liggitt @mikedanese - can you point me where do use the manager for projected volumes? Also - we switched secrets/configmaps to WatchingSecretManager in 1.12, so going back to CachingManager, would be a regression. /hold |
|
sorry... I meant it uses the kubelet's secret manager, whichever one is configured: https://github.com/kubernetes/kubernetes/blob/master/pkg/volume/projected/projected.go#L74-L76 |
ok - thanks for the pointer Jordan! |
mikedanese
force-pushed
the
projadmission
branch
from
1a686e4 to
329c929
Compare
k8s-ci-robot
removed
the
lgtm
mikedanese
removed
the
kind/api-change
k8s-ci-robot
added
size/XL
mikedanese
force-pushed
the
projadmission
branch
from
e3be294 to
4496e52
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
mikedanese
force-pushed
the
projadmission
branch
from
4496e52 to
3051185
Compare
mikedanese
removed
the
do-not-merge/hold
|
/retest |
When BoundServiceAccountTokenVolume feature is enabled.
mikedanese
force-pushed
the
projadmission
branch
from
3051185 to
1244ee6
Compare
|
/retest |
|
Change the title and the description + release note so this doesn't scare everybody. E.g.: |
mikedanese
changed the title
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
Please add the appropriate priority label. |
mikedanese
added
priority/important-soon
|
Adding labels per https://kubernetes.slack.com/archives/C2C40FMNF/p1542418440380400 |
|
/test pull-kubernetes-e2e-gce-100-performance |
|
/retest |
10 participants
This should be safe now that projected volumes have been around since 1.6 and it allows us to migrate the ca.crt to a configmap and the token to a service account token volume projection once these features are ready.
Projected volumes were added in 8fb1b71
Part of #70679
@kubernetes/sig-auth-api-reviews
@kubernetes/sig-auth-pr-reviews