Make leader-election configurable: default endpoints object namespace to controller's instead of kube-system #957
/cc @verult
@wongma7: GitHub didn't allow me to request PR reviews from the following users: verult. Note that only kubernetes-incubator members and repo collaborators can review this PR, and authors cannot review their own PRs. In response to this:
/cc @jsafrane who's familiar with leader election in external-attacher
With this PR, every CSI driver deployment has to have its own leader-election role and rolebinding to the controller service account, right? Just want to make sure we don't need to update k8s default bootstrapped RBAC policies.
@verult yes. same as external-attacher
This in turn throws an error when gluster-block pod is provisioned. So, add ClusterRole to perform read/write with endpoint. Note: endpoint is added in glusterblock-provisioner as part of the PR: kubernetes-retired/external-storage#957 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1723366 Signed-off-by: Saravanakumar Arumugam <sarumuga@redhat.com>
endpoint is missing as part of ClusterRole rule. This in turn throws an error when gluster-block pod is provisioned. So, add ClusterRole to perform read/write with endpoint. Note: endpoint is added in glusterblock-provisioner as part of the PR: kubernetes-retired/external-storage#957 Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1723366 Signed-off-by: Saravanakumar <sarumuga@redhat.com>
Technically this will not break anything. The worst that will happen is users may have useless endpoints objects left over in the namespace kube-system when they update to this version of the controller. If they've already given cluster permissions over endpoints, they will not see any disruption. However, the purpose of this change is to make it so that they don't have to give cluster permissions over endpoints in the first place, and ideally they will at some point reduce those permissions to a single provisioner-isolated namespace.
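The RBAC reduction discussed in this thread, as an added example that is not part of the PR or the project's own manifests: a cluster-wide grant over endpoints beside a Role and RoleBinding confined to the controller's namespace. The object names, the namespace `storage-provisioner`, the service account `my-provisioner` and the verb list are assumptions chosen for illustration.

```yaml
# Before (assumed shape): endpoints access in every namespace,
# granted so the leader-election lock object could live in kube-system.
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-provisioner-runner          # hypothetical name
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# After: the same verbs, scoped to the controller's own namespace.
# The endpoints rule above can then be dropped from the ClusterRole.
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-provisioner-leader-election # hypothetical name
  namespace: storage-provisioner       # assumed controller namespace
rules:
  - apiGroups: [""]
    resources: ["endpoints"]
    verbs: ["get", "list", "watch", "create", "update", "patch"]
---
# Bind the namespaced Role to the controller's service account.
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: my-provisioner-leader-election
  namespace: storage-provisioner
subjects:
  - kind: ServiceAccount
    name: my-provisioner               # hypothetical service account
    namespace: storage-provisioner
roleRef:
  kind: Role
  name: my-provisioner-leader-election
  apiGroup: rbac.authorization.k8s.io
```

After applying the namespaced objects, `kubectl auth can-i update endpoints --as=system:serviceaccount:storage-provisioner:my-provisioner -n kube-system` should answer `no` once the cluster-wide rule is removed, and `yes` for `-n storage-provisioner`.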