Merge pull request #84351 from wojtek-t/promote_node_lease_to_GA
Promote node lease to GA
commit
ae15368355
@ -576,13 +576,12 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.Dependencies, stopCh <-chan
|
|||||||
// make a separate client for heartbeat with throttling disabled and a timeout attached
|
// make a separate client for heartbeat with throttling disabled and a timeout attached
|
||||||
heartbeatClientConfig := *clientConfig
|
heartbeatClientConfig := *clientConfig
|
||||||
heartbeatClientConfig.Timeout = s.KubeletConfiguration.NodeStatusUpdateFrequency.Duration
|
heartbeatClientConfig.Timeout = s.KubeletConfiguration.NodeStatusUpdateFrequency.Duration
|
||||||
// if the NodeLease feature is enabled, the timeout is the minimum of the lease duration and status update frequency
|
// The timeout is the minimum of the lease duration and status update frequency
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
leaseTimeout := time.Duration(s.KubeletConfiguration.NodeLeaseDurationSeconds) * time.Second
|
||||||
leaseTimeout := time.Duration(s.KubeletConfiguration.NodeLeaseDurationSeconds) * time.Second
|
if heartbeatClientConfig.Timeout > leaseTimeout {
|
||||||
if heartbeatClientConfig.Timeout > leaseTimeout {
|
heartbeatClientConfig.Timeout = leaseTimeout
|
||||||
heartbeatClientConfig.Timeout = leaseTimeout
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
heartbeatClientConfig.QPS = float32(-1)
|
heartbeatClientConfig.QPS = float32(-1)
|
||||||
kubeDeps.HeartbeatClient, err = clientset.NewForConfig(&heartbeatClientConfig)
|
kubeDeps.HeartbeatClient, err = clientset.NewForConfig(&heartbeatClientConfig)
|
||||||
if err != nil {
|
if err != nil {
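Review bot: In run(), the clamp `if heartbeatClientConfig.Timeout > leaseTimeout` now runs on every start, so a zero or negative `NodeLeaseDurationSeconds` would set `heartbeatClientConfig.Timeout` to a non-positive value, and client-go's rest.Config treats a zero Timeout as no timeout at all. Configuration validation may already reject such values, but that is not visible in this hunk; a local guard keeps the heartbeat client bounded either way: `if leaseTimeout > 0 && heartbeatClientConfig.Timeout > leaseTimeout {`. The same unconditional clamp appears in the hollow-node run() hunk further down, which reads `c.NodeLeaseDurationSeconds`. run() begins and ends outside the hunk.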
|
||||||
|
@ -17,7 +17,6 @@ go_library(
|
|||||||
importpath = "k8s.io/kubernetes/cmd/kubemark",
|
importpath = "k8s.io/kubernetes/cmd/kubemark",
|
||||||
deps = [
|
deps = [
|
||||||
"//pkg/api/legacyscheme:go_default_library",
|
"//pkg/api/legacyscheme:go_default_library",
|
||||||
"//pkg/features:go_default_library",
|
|
||||||
"//pkg/kubelet/cadvisor/testing:go_default_library",
|
"//pkg/kubelet/cadvisor/testing:go_default_library",
|
||||||
"//pkg/kubelet/cm:go_default_library",
|
"//pkg/kubelet/cm:go_default_library",
|
||||||
"//pkg/kubelet/dockershim:go_default_library",
|
"//pkg/kubelet/dockershim:go_default_library",
|
||||||
@ -28,7 +27,6 @@ go_library(
|
|||||||
"//pkg/util/sysctl/testing:go_default_library",
|
"//pkg/util/sysctl/testing:go_default_library",
|
||||||
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
"//staging/src/k8s.io/api/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
"//staging/src/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||||
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
|
|
||||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/rest:go_default_library",
|
"//staging/src/k8s.io/client-go/rest:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library",
|
"//staging/src/k8s.io/client-go/tools/clientcmd:go_default_library",
|
||||||
|
@ -30,7 +30,6 @@ import (
|
|||||||
|
|
||||||
v1 "k8s.io/api/core/v1"
|
v1 "k8s.io/api/core/v1"
|
||||||
"k8s.io/apimachinery/pkg/util/sets"
|
"k8s.io/apimachinery/pkg/util/sets"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
restclient "k8s.io/client-go/rest"
|
restclient "k8s.io/client-go/rest"
|
||||||
"k8s.io/client-go/tools/clientcmd"
|
"k8s.io/client-go/tools/clientcmd"
|
||||||
@ -42,7 +41,6 @@ import (
|
|||||||
"k8s.io/component-base/version"
|
"k8s.io/component-base/version"
|
||||||
"k8s.io/component-base/version/verflag"
|
"k8s.io/component-base/version/verflag"
|
||||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
|
||||||
cadvisortest "k8s.io/kubernetes/pkg/kubelet/cadvisor/testing"
|
cadvisortest "k8s.io/kubernetes/pkg/kubelet/cadvisor/testing"
|
||||||
"k8s.io/kubernetes/pkg/kubelet/cm"
|
"k8s.io/kubernetes/pkg/kubelet/cm"
|
||||||
"k8s.io/kubernetes/pkg/kubelet/dockershim"
|
"k8s.io/kubernetes/pkg/kubelet/dockershim"
|
||||||
@ -180,13 +178,12 @@ func run(config *hollowNodeConfig) {
|
|||||||
|
|
||||||
heartbeatClientConfig := *clientConfig
|
heartbeatClientConfig := *clientConfig
|
||||||
heartbeatClientConfig.Timeout = c.NodeStatusUpdateFrequency.Duration
|
heartbeatClientConfig.Timeout = c.NodeStatusUpdateFrequency.Duration
|
||||||
// if the NodeLease feature is enabled, the timeout is the minimum of the lease duration and status update frequency
|
// The timeout is the minimum of the lease duration and status update frequency
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
leaseTimeout := time.Duration(c.NodeLeaseDurationSeconds) * time.Second
|
||||||
leaseTimeout := time.Duration(c.NodeLeaseDurationSeconds) * time.Second
|
if heartbeatClientConfig.Timeout > leaseTimeout {
|
||||||
if heartbeatClientConfig.Timeout > leaseTimeout {
|
heartbeatClientConfig.Timeout = leaseTimeout
|
||||||
heartbeatClientConfig.Timeout = leaseTimeout
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
heartbeatClientConfig.QPS = float32(-1)
|
heartbeatClientConfig.QPS = float32(-1)
|
||||||
heartbeatClient, err := clientset.NewForConfig(&heartbeatClientConfig)
|
heartbeatClient, err := clientset.NewForConfig(&heartbeatClientConfig)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -55,7 +55,6 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/controller"
|
"k8s.io/kubernetes/pkg/controller"
|
||||||
"k8s.io/kubernetes/pkg/controller/nodelifecycle/scheduler"
|
"k8s.io/kubernetes/pkg/controller/nodelifecycle/scheduler"
|
||||||
nodeutil "k8s.io/kubernetes/pkg/controller/util/node"
|
nodeutil "k8s.io/kubernetes/pkg/controller/util/node"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
|
||||||
kubefeatures "k8s.io/kubernetes/pkg/features"
|
kubefeatures "k8s.io/kubernetes/pkg/features"
|
||||||
kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
|
kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
|
||||||
utilnode "k8s.io/kubernetes/pkg/util/node"
|
utilnode "k8s.io/kubernetes/pkg/util/node"
|
||||||
@ -537,12 +536,7 @@ func NewNodeLifecycleController(
|
|||||||
})
|
})
|
||||||
|
|
||||||
nc.leaseLister = leaseInformer.Lister()
|
nc.leaseLister = leaseInformer.Lister()
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
nc.leaseInformerSynced = leaseInformer.Informer().HasSynced
|
||||||
nc.leaseInformerSynced = leaseInformer.Informer().HasSynced
|
|
||||||
} else {
|
|
||||||
// Always indicate that lease is synced to prevent syncing lease.
|
|
||||||
nc.leaseInformerSynced = func() bool { return true }
|
|
||||||
}
|
|
||||||
|
|
||||||
nc.nodeLister = nodeInformer.Lister()
|
nc.nodeLister = nodeInformer.Lister()
|
||||||
nc.nodeInformerSynced = nodeInformer.Informer().HasSynced
|
nc.nodeInformerSynced = nodeInformer.Informer().HasSynced
|
||||||
@ -1103,17 +1097,14 @@ func (nc *Controller) tryUpdateNodeHealth(node *v1.Node) (time.Duration, v1.Node
|
|||||||
readyTransitionTimestamp: transitionTime,
|
readyTransitionTimestamp: transitionTime,
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
var observedLease *coordv1.Lease
|
// Always update the probe time if node lease is renewed.
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
// Note: If kubelet never posted the node status, but continues renewing the
|
||||||
// Always update the probe time if node lease is renewed.
|
// heartbeat leases, the node controller will assume the node is healthy and
|
||||||
// Note: If kubelet never posted the node status, but continues renewing the
|
// take no action.
|
||||||
// heartbeat leases, the node controller will assume the node is healthy and
|
observedLease, _ := nc.leaseLister.Leases(v1.NamespaceNodeLease).Get(node.Name)
|
||||||
// take no action.
|
if observedLease != nil && (savedLease == nil || savedLease.Spec.RenewTime.Before(observedLease.Spec.RenewTime)) {
|
||||||
observedLease, _ = nc.leaseLister.Leases(v1.NamespaceNodeLease).Get(node.Name)
|
nodeHealth.lease = observedLease
|
||||||
if observedLease != nil && (savedLease == nil || savedLease.Spec.RenewTime.Before(observedLease.Spec.RenewTime)) {
|
nodeHealth.probeTimestamp = nc.now()
|
||||||
nodeHealth.lease = observedLease
|
|
||||||
nodeHealth.probeTimestamp = nc.now()
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
if nc.now().After(nodeHealth.probeTimestamp.Add(gracePeriod)) {
|
if nc.now().After(nodeHealth.probeTimestamp.Add(gracePeriod)) {
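Review bot: In tryUpdateNodeHealth the error from `nc.leaseLister.Leases(v1.NamespaceNodeLease).Get(node.Name)` is discarded with `_`, and with the gate check removed this lookup now runs for every node on every pass. A nil lease simply falls through to the grace-period check on the status probe time, so a lister failure other than not-found is indistinguishable from a node that has no lease yet. Either log the unexpected error, or state the intent next to the call, for example `// A missing lease is expected until the kubelet creates one; health then depends on the status probe time alone.` The function body continues outside the hunk.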
|
||||||
|
@ -1747,8 +1747,6 @@ func TestMonitorNodeHealthUpdateStatus(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestMonitorNodeHealthUpdateNodeAndPodStatusWithLease(t *testing.T) {
|
func TestMonitorNodeHealthUpdateNodeAndPodStatusWithLease(t *testing.T) {
|
||||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeLease, true)()
|
|
||||||
|
|
||||||
nodeCreationTime := metav1.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)
|
nodeCreationTime := metav1.Date(2012, 1, 1, 0, 0, 0, 0, time.UTC)
|
||||||
fakeNow := metav1.Date(2015, 1, 1, 12, 0, 0, 0, time.UTC)
|
fakeNow := metav1.Date(2015, 1, 1, 12, 0, 0, 0, time.UTC)
|
||||||
testcases := []struct {
|
testcases := []struct {
|
||||||
|
@ -335,6 +335,7 @@ const (
|
|||||||
// owner: @mtaufen
|
// owner: @mtaufen
|
||||||
// alpha: v1.12
|
// alpha: v1.12
|
||||||
// beta: v1.14
|
// beta: v1.14
|
||||||
|
// GA: v1.17
|
||||||
//
|
//
|
||||||
// Kubelet uses the new Lease API to report node heartbeats,
|
// Kubelet uses the new Lease API to report node heartbeats,
|
||||||
// (Kube) Node Lifecycle Controller uses these heartbeats as a node health signal.
|
// (Kube) Node Lifecycle Controller uses these heartbeats as a node health signal.
|
||||||
@ -555,7 +556,7 @@ var defaultKubernetesFeatureGates = map[featuregate.Feature]featuregate.FeatureS
|
|||||||
CSIBlockVolume: {Default: true, PreRelease: featuregate.Beta},
|
CSIBlockVolume: {Default: true, PreRelease: featuregate.Beta},
|
||||||
CSIInlineVolume: {Default: true, PreRelease: featuregate.Beta},
|
CSIInlineVolume: {Default: true, PreRelease: featuregate.Beta},
|
||||||
RuntimeClass: {Default: true, PreRelease: featuregate.Beta},
|
RuntimeClass: {Default: true, PreRelease: featuregate.Beta},
|
||||||
NodeLease: {Default: true, PreRelease: featuregate.Beta},
|
NodeLease: {Default: true, PreRelease: featuregate.GA, LockToDefault: true},
|
||||||
SCTPSupport: {Default: false, PreRelease: featuregate.Alpha},
|
SCTPSupport: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
VolumeSnapshotDataSource: {Default: false, PreRelease: featuregate.Alpha},
|
VolumeSnapshotDataSource: {Default: false, PreRelease: featuregate.Alpha},
|
||||||
ProcMountType: {Default: false, PreRelease: featuregate.Alpha},
|
ProcMountType: {Default: false, PreRelease: featuregate.Alpha},
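Review bot: The `NodeLease` entry gains `LockToDefault: true` with no note on what that means for existing deployments. As far as I know the feature-gate parser rejects an explicit value that differs from a locked default, so a component still started with `NodeLease=false` would fail at startup after upgrading. I would record that in the doc comment above the constant, e.g. `// GA: v1.17 (locked on; remove any explicit NodeLease=false before upgrading)`, and repeat it in the release note.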
|
||||||
|
@ -873,13 +873,10 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
|
|||||||
klet.appArmorValidator = apparmor.NewValidator(containerRuntime)
|
klet.appArmorValidator = apparmor.NewValidator(containerRuntime)
|
||||||
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
|
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewAppArmorAdmitHandler(klet.appArmorValidator))
|
||||||
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
|
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewNoNewPrivsAdmitHandler(klet.containerRuntime))
|
||||||
|
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
|
||||||
klet.nodeLeaseController = nodelease.NewController(klet.clock, klet.heartbeatClient, string(klet.nodeName), kubeCfg.NodeLeaseDurationSeconds, klet.onRepeatedHeartbeatFailure)
|
|
||||||
}
|
|
||||||
|
|
||||||
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewProcMountAdmitHandler(klet.containerRuntime))
|
klet.softAdmitHandlers.AddPodAdmitHandler(lifecycle.NewProcMountAdmitHandler(klet.containerRuntime))
|
||||||
|
|
||||||
|
klet.nodeLeaseController = nodelease.NewController(klet.clock, klet.heartbeatClient, string(klet.nodeName), kubeCfg.NodeLeaseDurationSeconds, klet.onRepeatedHeartbeatFailure)
|
||||||
|
|
||||||
// Finally, put the most recent version of the config on the Kubelet, so
|
// Finally, put the most recent version of the config on the Kubelet, so
|
||||||
// people can see how it was configured.
|
// people can see how it was configured.
|
||||||
klet.kubeletConfiguration = *kubeCfg
|
klet.kubeletConfiguration = *kubeCfg
|
||||||
@ -1420,9 +1417,7 @@ func (kl *Kubelet) Run(updates <-chan kubetypes.PodUpdate) {
|
|||||||
go kl.fastStatusUpdateOnce()
|
go kl.fastStatusUpdateOnce()
|
||||||
|
|
||||||
// start syncing lease
|
// start syncing lease
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
go kl.nodeLeaseController.Run(wait.NeverStop)
|
||||||
go kl.nodeLeaseController.Run(wait.NeverStop)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
go wait.Until(kl.updateRuntimeUp, 5*time.Second, wait.NeverStop)
|
go wait.Until(kl.updateRuntimeUp, 5*time.Second, wait.NeverStop)
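Review bot: In NewMainKubelet, `klet.nodeLeaseController = nodelease.NewController(klet.clock, klet.heartbeatClient, ...)` is now built unconditionally, including for a kubelet that runs without an API server where `klet.heartbeatClient` is presumably nil. NewController is not visible here, so please confirm it tolerates a nil client and add a short comment on the new line saying so, e.g. `// heartbeatClient may be nil in standalone mode; the controller then never claims a lease.` In Run, the closing brace after `go kl.nodeLeaseController.Run(wait.NeverStop)` suggests the call stays inside an enclosing condition that starts outside the hunk, which would keep the start path guarded.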
|
||||||
|
|
||||||
|
@ -434,7 +434,7 @@ func (kl *Kubelet) tryUpdateNodeStatus(tryNumber int) error {
|
|||||||
kl.setNodeStatus(node)
|
kl.setNodeStatus(node)
|
||||||
|
|
||||||
now := kl.clock.Now()
|
now := kl.clock.Now()
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) && now.Before(kl.lastStatusReportTime.Add(kl.nodeStatusReportFrequency)) {
|
if now.Before(kl.lastStatusReportTime.Add(kl.nodeStatusReportFrequency)) {
|
||||||
if !podCIDRChanged && !nodeStatusHasChanged(&originalNode.Status, &node.Status) {
|
if !podCIDRChanged && !nodeStatusHasChanged(&originalNode.Status, &node.Status) {
|
||||||
// We must mark the volumes as ReportedInUse in volume manager's dsw even
|
// We must mark the volumes as ReportedInUse in volume manager's dsw even
|
||||||
// if no changes were made to the node status (no volumes were added or removed
|
// if no changes were made to the node status (no volumes were added or removed
|
||||||
|
@ -43,14 +43,11 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/strategicpatch"
|
"k8s.io/apimachinery/pkg/util/strategicpatch"
|
||||||
"k8s.io/apimachinery/pkg/util/uuid"
|
"k8s.io/apimachinery/pkg/util/uuid"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
"k8s.io/client-go/kubernetes/fake"
|
"k8s.io/client-go/kubernetes/fake"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
core "k8s.io/client-go/testing"
|
core "k8s.io/client-go/testing"
|
||||||
featuregatetesting "k8s.io/component-base/featuregate/testing"
|
|
||||||
"k8s.io/component-base/version"
|
"k8s.io/component-base/version"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
|
||||||
kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
|
kubeletapis "k8s.io/kubernetes/pkg/kubelet/apis"
|
||||||
cadvisortest "k8s.io/kubernetes/pkg/kubelet/cadvisor/testing"
|
cadvisortest "k8s.io/kubernetes/pkg/kubelet/cadvisor/testing"
|
||||||
"k8s.io/kubernetes/pkg/kubelet/cm"
|
"k8s.io/kubernetes/pkg/kubelet/cm"
|
||||||
@ -786,8 +783,6 @@ func TestUpdateNodeStatusError(t *testing.T) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func TestUpdateNodeStatusWithLease(t *testing.T) {
|
func TestUpdateNodeStatusWithLease(t *testing.T) {
|
||||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeLease, true)()
|
|
||||||
|
|
||||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
||||||
defer testKubelet.Cleanup()
|
defer testKubelet.Cleanup()
|
||||||
clock := testKubelet.fakeClock
|
clock := testKubelet.fakeClock
|
||||||
@ -1020,116 +1015,7 @@ func TestUpdateNodeStatusWithLease(t *testing.T) {
|
|||||||
assert.IsType(t, core.GetActionImpl{}, actions[9])
|
assert.IsType(t, core.GetActionImpl{}, actions[9])
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestUpdateNodeStatusAndVolumesInUseWithoutNodeLease(t *testing.T) {
|
|
||||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeLease, false)()
|
|
||||||
|
|
||||||
cases := []struct {
|
|
||||||
desc string
|
|
||||||
existingVolumes []v1.UniqueVolumeName // volumes to initially populate volumeManager
|
|
||||||
existingNode *v1.Node // existing node object
|
|
||||||
expectedNode *v1.Node // new node object after patch
|
|
||||||
expectedReportedInUse []v1.UniqueVolumeName // expected volumes reported in use in volumeManager
|
|
||||||
}{
|
|
||||||
{
|
|
||||||
desc: "no volumes and no update",
|
|
||||||
existingNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname}},
|
|
||||||
expectedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname}},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
desc: "volumes inuse on node and volumeManager",
|
|
||||||
existingVolumes: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
existingNode: &v1.Node{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname},
|
|
||||||
Status: v1.NodeStatus{
|
|
||||||
VolumesInUse: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
expectedNode: &v1.Node{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname},
|
|
||||||
Status: v1.NodeStatus{
|
|
||||||
VolumesInUse: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
expectedReportedInUse: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
desc: "volumes inuse on node but not in volumeManager",
|
|
||||||
existingNode: &v1.Node{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname},
|
|
||||||
Status: v1.NodeStatus{
|
|
||||||
VolumesInUse: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
expectedNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname}},
|
|
||||||
},
|
|
||||||
{
|
|
||||||
desc: "volumes inuse in volumeManager but not on node",
|
|
||||||
existingVolumes: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
existingNode: &v1.Node{ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname}},
|
|
||||||
expectedNode: &v1.Node{
|
|
||||||
ObjectMeta: metav1.ObjectMeta{Name: testKubeletHostname},
|
|
||||||
Status: v1.NodeStatus{
|
|
||||||
VolumesInUse: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
},
|
|
||||||
},
|
|
||||||
expectedReportedInUse: []v1.UniqueVolumeName{"vol1"},
|
|
||||||
},
|
|
||||||
}
|
|
||||||
|
|
||||||
for _, tc := range cases {
|
|
||||||
t.Run(tc.desc, func(t *testing.T) {
|
|
||||||
// Setup
|
|
||||||
testKubelet := newTestKubelet(t, false /* controllerAttachDetachEnabled */)
|
|
||||||
defer testKubelet.Cleanup()
|
|
||||||
|
|
||||||
kubelet := testKubelet.kubelet
|
|
||||||
kubelet.kubeClient = nil // ensure only the heartbeat client is used
|
|
||||||
kubelet.containerManager = &localCM{ContainerManager: cm.NewStubContainerManager()}
|
|
||||||
kubelet.lastStatusReportTime = kubelet.clock.Now()
|
|
||||||
kubelet.nodeStatusReportFrequency = time.Hour
|
|
||||||
kubelet.machineInfo = &cadvisorapi.MachineInfo{}
|
|
||||||
|
|
||||||
// override test volumeManager
|
|
||||||
fakeVolumeManager := kubeletvolume.NewFakeVolumeManager(tc.existingVolumes)
|
|
||||||
kubelet.volumeManager = fakeVolumeManager
|
|
||||||
|
|
||||||
// Only test VolumesInUse setter
|
|
||||||
kubelet.setNodeStatusFuncs = []func(*v1.Node) error{
|
|
||||||
nodestatus.VolumesInUse(kubelet.volumeManager.ReconcilerStatesHasBeenSynced,
|
|
||||||
kubelet.volumeManager.GetVolumesInUse),
|
|
||||||
}
|
|
||||||
|
|
||||||
kubeClient := testKubelet.fakeKubeClient
|
|
||||||
kubeClient.ReactionChain = fake.NewSimpleClientset(&v1.NodeList{Items: []v1.Node{*tc.existingNode}}).ReactionChain
|
|
||||||
|
|
||||||
// Execute
|
|
||||||
assert.NoError(t, kubelet.updateNodeStatus())
|
|
||||||
|
|
||||||
// Validate
|
|
||||||
actions := kubeClient.Actions()
|
|
||||||
if tc.expectedNode != nil {
|
|
||||||
assert.Len(t, actions, 2)
|
|
||||||
assert.IsType(t, core.GetActionImpl{}, actions[0])
|
|
||||||
assert.IsType(t, core.PatchActionImpl{}, actions[1])
|
|
||||||
patchAction := actions[1].(core.PatchActionImpl)
|
|
||||||
|
|
||||||
updatedNode, err := applyNodeStatusPatch(tc.existingNode, patchAction.GetPatch())
|
|
||||||
require.NoError(t, err)
|
|
||||||
assert.True(t, apiequality.Semantic.DeepEqual(tc.expectedNode, updatedNode), "%s", diff.ObjectDiff(tc.expectedNode, updatedNode))
|
|
||||||
} else {
|
|
||||||
assert.Len(t, actions, 1)
|
|
||||||
assert.IsType(t, core.GetActionImpl{}, actions[0])
|
|
||||||
}
|
|
||||||
|
|
||||||
reportedInUse := fakeVolumeManager.GetVolumesReportedInUse()
|
|
||||||
assert.True(t, apiequality.Semantic.DeepEqual(tc.expectedReportedInUse, reportedInUse), "%s", diff.ObjectDiff(tc.expectedReportedInUse, reportedInUse))
|
|
||||||
})
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestUpdateNodeStatusAndVolumesInUseWithNodeLease(t *testing.T) {
|
func TestUpdateNodeStatusAndVolumesInUseWithNodeLease(t *testing.T) {
|
||||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeLease, true)()
|
|
||||||
|
|
||||||
cases := []struct {
|
cases := []struct {
|
||||||
desc string
|
desc string
|
||||||
existingVolumes []v1.UniqueVolumeName // volumes to initially populate volumeManager
|
existingVolumes []v1.UniqueVolumeName // volumes to initially populate volumeManager
|
||||||
|
@ -30,11 +30,9 @@ import (
|
|||||||
"k8s.io/apimachinery/pkg/util/runtime"
|
"k8s.io/apimachinery/pkg/util/runtime"
|
||||||
"k8s.io/apimachinery/pkg/util/wait"
|
"k8s.io/apimachinery/pkg/util/wait"
|
||||||
genericapiserver "k8s.io/apiserver/pkg/server"
|
genericapiserver "k8s.io/apiserver/pkg/server"
|
||||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
|
||||||
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
|
corev1client "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||||
"k8s.io/client-go/rest"
|
"k8s.io/client-go/rest"
|
||||||
"k8s.io/klog"
|
"k8s.io/klog"
|
||||||
"k8s.io/kubernetes/pkg/features"
|
|
||||||
"k8s.io/kubernetes/pkg/master/reconcilers"
|
"k8s.io/kubernetes/pkg/master/reconcilers"
|
||||||
"k8s.io/kubernetes/pkg/registry/core/rangeallocation"
|
"k8s.io/kubernetes/pkg/registry/core/rangeallocation"
|
||||||
corerest "k8s.io/kubernetes/pkg/registry/core/rest"
|
corerest "k8s.io/kubernetes/pkg/registry/core/rest"
|
||||||
@ -92,10 +90,7 @@ func (c *completedConfig) NewBootstrapController(legacyRESTStorage corerest.Lega
|
|||||||
klog.Fatalf("failed to get listener address: %v", err)
|
klog.Fatalf("failed to get listener address: %v", err)
|
||||||
}
|
}
|
||||||
|
|
||||||
systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic}
|
systemNamespaces := []string{metav1.NamespaceSystem, metav1.NamespacePublic, corev1.NamespaceNodeLease}
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
|
||||||
systemNamespaces = append(systemNamespaces, corev1.NamespaceNodeLease)
|
|
||||||
}
|
|
||||||
|
|
||||||
return &Controller{
|
return &Controller{
|
||||||
ServiceClient: serviceClient,
|
ServiceClient: serviceClient,
|
||||||
|
@ -151,10 +151,7 @@ func (p *Plugin) Admit(ctx context.Context, a admission.Attributes, o admission.
|
|||||||
return nil
|
return nil
|
||||||
|
|
||||||
case leaseResource:
|
case leaseResource:
|
||||||
if p.features.Enabled(features.NodeLease) {
|
return p.admitLease(nodeName, a)
|
||||||
return p.admitLease(nodeName, a)
|
|
||||||
}
|
|
||||||
return admission.NewForbidden(a, fmt.Errorf("disabled by feature gate %s", features.NodeLease))
|
|
||||||
|
|
||||||
case csiNodeResource:
|
case csiNodeResource:
|
||||||
if p.features.Enabled(features.CSINodeInfo) {
|
if p.features.Enabled(features.CSINodeInfo) {
|
||||||
|
@ -48,8 +48,6 @@ import (
|
|||||||
var (
|
var (
|
||||||
trEnabledFeature = featuregate.NewFeatureGate()
|
trEnabledFeature = featuregate.NewFeatureGate()
|
||||||
trDisabledFeature = featuregate.NewFeatureGate()
|
trDisabledFeature = featuregate.NewFeatureGate()
|
||||||
leaseEnabledFeature = featuregate.NewFeatureGate()
|
|
||||||
leaseDisabledFeature = featuregate.NewFeatureGate()
|
|
||||||
csiNodeInfoEnabledFeature = featuregate.NewFeatureGate()
|
csiNodeInfoEnabledFeature = featuregate.NewFeatureGate()
|
||||||
csiNodeInfoDisabledFeature = featuregate.NewFeatureGate()
|
csiNodeInfoDisabledFeature = featuregate.NewFeatureGate()
|
||||||
)
|
)
|
||||||
@ -61,12 +59,6 @@ func init() {
|
|||||||
if err := trDisabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.TokenRequest: {Default: false}}); err != nil {
|
if err := trDisabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.TokenRequest: {Default: false}}); err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
if err := leaseEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.NodeLease: {Default: true}}); err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
if err := leaseDisabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.NodeLease: {Default: false}}); err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
if err := csiNodeInfoEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
|
if err := csiNodeInfoEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
@ -1148,64 +1140,49 @@ func Test_nodePlugin_Admit(t *testing.T) {
|
|||||||
err: "",
|
err: "",
|
||||||
},
|
},
|
||||||
// Node leases
|
// Node leases
|
||||||
{
|
|
||||||
name: "disallowed create lease - feature disabled",
|
|
||||||
attributes: admission.NewAttributesRecord(lease, nil, leaseKind, lease.Namespace, lease.Name, leaseResource, "", admission.Create, &metav1.DeleteOptions{}, false, mynode),
|
|
||||||
features: leaseDisabledFeature,
|
|
||||||
err: "forbidden: disabled by feature gate NodeLease",
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
name: "disallowed create lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed create lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(leaseWrongNS, nil, leaseKind, leaseWrongNS.Namespace, leaseWrongNS.Name, leaseResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(leaseWrongNS, nil, leaseKind, leaseWrongNS.Namespace, leaseWrongNS.Name, leaseResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "forbidden: ",
|
err: "forbidden: ",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed update lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed update lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(leaseWrongNS, leaseWrongNS, leaseKind, leaseWrongNS.Namespace, leaseWrongNS.Name, leaseResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(leaseWrongNS, leaseWrongNS, leaseKind, leaseWrongNS.Namespace, leaseWrongNS.Name, leaseResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "forbidden: ",
|
err: "forbidden: ",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed delete lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed delete lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(nil, nil, leaseKind, leaseWrongNS.Namespace, leaseWrongNS.Name, leaseResource, "", admission.Delete, &metav1.DeleteOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(nil, nil, leaseKind, leaseWrongNS.Namespace, leaseWrongNS.Name, leaseResource, "", admission.Delete, &metav1.DeleteOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "forbidden: ",
|
err: "forbidden: ",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed create another node's lease - feature enabled",
|
name: "disallowed create another node's lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(leaseWrongName, nil, leaseKind, leaseWrongName.Namespace, leaseWrongName.Name, leaseResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(leaseWrongName, nil, leaseKind, leaseWrongName.Namespace, leaseWrongName.Name, leaseResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "forbidden: ",
|
err: "forbidden: ",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed update another node's lease - feature enabled",
|
name: "disallowed update another node's lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(leaseWrongName, leaseWrongName, leaseKind, leaseWrongName.Namespace, leaseWrongName.Name, leaseResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(leaseWrongName, leaseWrongName, leaseKind, leaseWrongName.Namespace, leaseWrongName.Name, leaseResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "forbidden: ",
|
err: "forbidden: ",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed delete another node's lease - feature enabled",
|
name: "disallowed delete another node's lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(nil, nil, leaseKind, leaseWrongName.Namespace, leaseWrongName.Name, leaseResource, "", admission.Delete, &metav1.DeleteOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(nil, nil, leaseKind, leaseWrongName.Namespace, leaseWrongName.Name, leaseResource, "", admission.Delete, &metav1.DeleteOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "forbidden: ",
|
err: "forbidden: ",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "allowed create node lease - feature enabled",
|
name: "allowed create node lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(lease, nil, leaseKind, lease.Namespace, lease.Name, leaseResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(lease, nil, leaseKind, lease.Namespace, lease.Name, leaseResource, "", admission.Create, &metav1.CreateOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "",
|
err: "",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "allowed update node lease - feature enabled",
|
name: "allowed update node lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(lease, lease, leaseKind, lease.Namespace, lease.Name, leaseResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(lease, lease, leaseKind, lease.Namespace, lease.Name, leaseResource, "", admission.Update, &metav1.UpdateOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "",
|
err: "",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "allowed delete node lease - feature enabled",
|
name: "allowed delete node lease - feature enabled",
|
||||||
attributes: admission.NewAttributesRecord(nil, nil, leaseKind, lease.Namespace, lease.Name, leaseResource, "", admission.Delete, &metav1.DeleteOptions{}, false, mynode),
|
attributes: admission.NewAttributesRecord(nil, nil, leaseKind, lease.Namespace, lease.Name, leaseResource, "", admission.Delete, &metav1.DeleteOptions{}, false, mynode),
|
||||||
features: leaseEnabledFeature,
|
|
||||||
err: "",
|
err: "",
|
||||||
},
|
},
|
||||||
// CSINode
|
// CSINode
|
||||||
|
@ -116,10 +116,7 @@ func (r *NodeAuthorizer) Authorize(ctx context.Context, attrs authorizer.Attribu
|
|||||||
}
|
}
|
||||||
return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.TokenRequest), nil
|
return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.TokenRequest), nil
|
||||||
case leaseResource:
|
case leaseResource:
|
||||||
if r.features.Enabled(features.NodeLease) {
|
return r.authorizeLease(nodeName, attrs)
|
||||||
return r.authorizeLease(nodeName, attrs)
|
|
||||||
}
|
|
||||||
return authorizer.DecisionNoOpinion, fmt.Sprintf("disabled by feature gate %s", features.NodeLease), nil
|
|
||||||
case csiNodeResource:
|
case csiNodeResource:
|
||||||
if r.features.Enabled(features.CSINodeInfo) {
|
if r.features.Enabled(features.CSINodeInfo) {
|
||||||
return r.authorizeCSINode(nodeName, attrs)
|
return r.authorizeCSINode(nodeName, attrs)
|
||||||
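Review bot: The `case leaseResource:` arm has no comment saying what keeps it narrow, which is worth one line now that the gate check is gone and the arm is unconditional. Going by the TestAuthorizer cases in this commit, authorizeLease allows only get/create/update/patch/delete on the node's own lease in kube-node-lease and returns no opinion for other namespaces, other nodes' leases, and list/watch. I would add `// a node may only get/create/update/patch/delete its own lease in kube-node-lease (see authorizeLease)` above the return. Authorize starts and ends outside the hunk and authorizeLease is not shown, so the wording should be confirmed against that function.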
|
@ -43,8 +43,6 @@ import (
|
|||||||
var (
|
var (
|
||||||
trEnabledFeature = featuregate.NewFeatureGate()
|
trEnabledFeature = featuregate.NewFeatureGate()
|
||||||
trDisabledFeature = featuregate.NewFeatureGate()
|
trDisabledFeature = featuregate.NewFeatureGate()
|
||||||
leaseEnabledFeature = featuregate.NewFeatureGate()
|
|
||||||
leaseDisabledFeature = featuregate.NewFeatureGate()
|
|
||||||
csiNodeInfoEnabledFeature = featuregate.NewFeatureGate()
|
csiNodeInfoEnabledFeature = featuregate.NewFeatureGate()
|
||||||
csiNodeInfoDisabledFeature = featuregate.NewFeatureGate()
|
csiNodeInfoDisabledFeature = featuregate.NewFeatureGate()
|
||||||
)
|
)
|
||||||
@ -56,12 +54,6 @@ func init() {
|
|||||||
if err := trDisabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.TokenRequest: {Default: false}}); err != nil {
|
if err := trDisabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.TokenRequest: {Default: false}}); err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
if err := leaseEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.NodeLease: {Default: true}}); err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
if err := leaseDisabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.NodeLease: {Default: false}}); err != nil {
|
|
||||||
panic(err)
|
|
||||||
}
|
|
||||||
if err := csiNodeInfoEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
|
if err := csiNodeInfoEnabledFeature.Add(map[featuregate.Feature]featuregate.FeatureSpec{features.CSINodeInfo: {Default: true}}); err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
@ -226,106 +218,84 @@ func TestAuthorizer(t *testing.T) {
|
|||||||
expect: authorizer.DecisionNoOpinion,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed node lease - feature disabled",
|
name: "disallowed get lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
||||||
features: leaseDisabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed get lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed create lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed create lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed update lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed update lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed patch lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed patch lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed delete lease in namespace other than kube-node-lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed delete lease in namespace other than kube-node-lease - feature enabled",
|
name: "disallowed get another node's lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: "foo"},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed get another node's lease - feature enabled",
|
name: "disallowed update another node's lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed update another node's lease - feature enabled",
|
name: "disallowed patch another node's lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed patch another node's lease - feature enabled",
|
name: "disallowed delete another node's lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed delete another node's lease - feature enabled",
|
name: "disallowed list node leases - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node1", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "list", Resource: "leases", APIGroup: "coordination.k8s.io", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed list node leases - feature enabled",
|
name: "disallowed watch node leases - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "list", Resource: "leases", APIGroup: "coordination.k8s.io", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "watch", Resource: "leases", APIGroup: "coordination.k8s.io", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionNoOpinion,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "disallowed watch node leases - feature enabled",
|
name: "allowed get node lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "watch", Resource: "leases", APIGroup: "coordination.k8s.io", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionAllow,
|
||||||
expect: authorizer.DecisionNoOpinion,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "allowed get node lease - feature enabled",
|
name: "allowed create node lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "get", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionAllow,
|
||||||
expect: authorizer.DecisionAllow,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "allowed create node lease - feature enabled",
|
name: "allowed update node lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "create", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionAllow,
|
||||||
expect: authorizer.DecisionAllow,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "allowed update node lease - feature enabled",
|
name: "allowed patch node lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "update", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionAllow,
|
||||||
expect: authorizer.DecisionAllow,
|
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "allowed patch node lease - feature enabled",
|
name: "allowed delete node lease - feature enabled",
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "patch", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
||||||
features: leaseEnabledFeature,
|
expect: authorizer.DecisionAllow,
|
||||||
expect: authorizer.DecisionAllow,
|
|
||||||
},
|
|
||||||
{
|
|
||||||
name: "allowed delete node lease - feature enabled",
|
|
||||||
attrs: authorizer.AttributesRecord{User: node0, ResourceRequest: true, Verb: "delete", Resource: "leases", APIGroup: "coordination.k8s.io", Name: "node0", Namespace: corev1.NamespaceNodeLease},
|
|
||||||
features: leaseEnabledFeature,
|
|
||||||
expect: authorizer.DecisionAllow,
|
|
||||||
},
|
},
|
||||||
// CSINode
|
// CSINode
|
||||||
{
|
{
|
||||||
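Review bot: The lease cases in the TestAuthorizer table keep the `- feature enabled` suffix in their names, although this commit removes their `features:` field and the leaseEnabledFeature/leaseDisabledFeature gates the suffix referred to. The suffix no longer distinguishes anything and reads as if a gate still guarded the path; the names could be shortened, e.g. `name: "allowed get node lease",` and `name: "disallowed get another node's lease",`. The negative cases (other namespace, another node's lease, list/watch) pin the authorization boundary, so accurate names help when one of them fails. The admission test cases earlier on the page appear to carry the same leftover suffix. TestAuthorizer's body continues outside the hunk.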
|
@ -143,6 +143,9 @@ func NodeRules() []rbacv1.PolicyRule {
|
|||||||
// for it to be signed. This allows the kubelet to rotate it's own certificate.
|
// for it to be signed. This allows the kubelet to rotate it's own certificate.
|
||||||
rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
|
rbacv1helpers.NewRule("create", "get", "list", "watch").Groups(certificatesGroup).Resources("certificatesigningrequests").RuleOrDie(),
|
||||||
|
|
||||||
|
// Leases
|
||||||
|
rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups("coordination.k8s.io").Resources("leases").RuleOrDie(),
|
||||||
|
|
||||||
// CSI
|
// CSI
|
||||||
rbacv1helpers.NewRule("get").Groups(storageGroup).Resources("volumeattachments").RuleOrDie(),
|
rbacv1helpers.NewRule("get").Groups(storageGroup).Resources("volumeattachments").RuleOrDie(),
|
||||||
}
|
}
|
||||||
@ -171,11 +174,6 @@ func NodeRules() []rbacv1.PolicyRule {
|
|||||||
nodePolicyRules = append(nodePolicyRules, csiNodeInfoRule)
|
nodePolicyRules = append(nodePolicyRules, csiNodeInfoRule)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Node leases
|
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.NodeLease) {
|
|
||||||
nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get", "create", "update", "patch", "delete").Groups(coordinationGroup).Resources("leases").RuleOrDie())
|
|
||||||
}
|
|
||||||
|
|
||||||
// RuntimeClass
|
// RuntimeClass
|
||||||
if utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) {
|
if utilfeature.DefaultFeatureGate.Enabled(features.RuntimeClass) {
|
||||||
nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get", "list", "watch").Groups("node.k8s.io").Resources("runtimeclasses").RuleOrDie())
|
nodePolicyRules = append(nodePolicyRules, rbacv1helpers.NewRule("get", "list", "watch").Groups("node.k8s.io").Resources("runtimeclasses").RuleOrDie())
|
||||||
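Review bot: The rule added under `// Leases` spells the API group as the literal `"coordination.k8s.io"`, where the gated line it replaces used `coordinationGroup` and the neighbouring rules use `certificatesGroup` and `storageGroup`. Assuming the constant is still defined in this file, `Groups(coordinationGroup)` keeps the list consistent. The rule also carries no namespace or resource-name restriction, so the comment could say where the narrowing happens, e.g. `// Leases: RBAC permits any lease here; the node authorizer limits a node to its own lease in kube-node-lease` (per the authorizer tests in this commit). NodeRules starts and ends outside both hunks.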
|
@ -910,6 +910,16 @@ items:
|
|||||||
- get
|
- get
|
||||||
- list
|
- list
|
||||||
- watch
|
- watch
|
||||||
|
- apiGroups:
|
||||||
|
- coordination.k8s.io
|
||||||
|
resources:
|
||||||
|
- leases
|
||||||
|
verbs:
|
||||||
|
- create
|
||||||
|
- delete
|
||||||
|
- get
|
||||||
|
- patch
|
||||||
|
- update
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- storage.k8s.io
|
- storage.k8s.io
|
||||||
resources:
|
resources:
|
||||||
@ -948,16 +958,6 @@ items:
|
|||||||
- get
|
- get
|
||||||
- patch
|
- patch
|
||||||
- update
|
- update
|
||||||
- apiGroups:
|
|
||||||
- coordination.k8s.io
|
|
||||||
resources:
|
|
||||||
- leases
|
|
||||||
verbs:
|
|
||||||
- create
|
|
||||||
- delete
|
|
||||||
- get
|
|
||||||
- patch
|
|
||||||
- update
|
|
||||||
- apiGroups:
|
- apiGroups:
|
||||||
- node.k8s.io
|
- node.k8s.io
|
||||||
resources:
|
resources:
|
||||||
|
@ -56,9 +56,6 @@ func TestNodeAuthorizer(t *testing.T) {
|
|||||||
// Enable DynamicKubeletConfig feature so that Node.Spec.ConfigSource can be set
|
// Enable DynamicKubeletConfig feature so that Node.Spec.ConfigSource can be set
|
||||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicKubeletConfig, true)()
|
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.DynamicKubeletConfig, true)()
|
||||||
|
|
||||||
// Enable NodeLease feature so that nodes can create leases
|
|
||||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.NodeLease, true)()
|
|
||||||
|
|
||||||
// Enable CSINodeInfo feature so that nodes can create CSINode objects.
|
// Enable CSINodeInfo feature so that nodes can create CSINode objects.
|
||||||
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSINodeInfo, true)()
|
defer featuregatetesting.SetFeatureGateDuringTest(t, utilfeature.DefaultFeatureGate, features.CSINodeInfo, true)()
|
||||||
|
|
||||||
|