Fix Cilium permissions #5923

Merged
merged 4 commits into from
Apr 11, 2020

Contributor

@chgl chgl commented Apr 9, 2020

What type of PR is this?

/kind bug

What this PR does / why we need it:

The cluster role for Cilium included in kubespray lacks permissions required to make it work with the latest releases. In particular, read-access to EndpointSlices and some Cilium CRDs is missing.

This also bumps the Cilium version to v1.7.2

Which issue(s) this PR fixes:

Fixes #5901

Special notes for your reviewer:

I've removed read-access to the ComponentStatus resource which was removed in Cilium 1.7 (see cilium/cilium@dfd389f). This could potentially be a breaking change if someone were to install (upgrade?) a pre v1.7 Cilium installation using the CRs in this later version of kubespray. I'm not sure if this is a serious concern and since it's on its way to be deprecated (kubernetes/enhancements#553) maybe the right time to update here as well.

Does this PR introduce a user-facing change?:

NONE
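
Added example, not part of the PR or of kubespray's manifests: an offline check that a ClusterRole's rules grant the read access the description above says was missing, and that the gap was not closed with a wildcard. The role contents, the function names and the reading of "read-access" as get/list/watch are assumptions; the API group and resource come from the error message in the linked issue.

```python
# Added example: offline least-privilege check of RBAC PolicyRules.
# ROLE_* values are constructed sample data, not kubespray's manifests.
# Simplification: resourceNames and nonResourceURLs are not evaluated.

READ_VERBS = ("get", "list", "watch")  # assumption: what "read-access" means here
# API group and resource taken from the error quoted in the linked issue.
REQUIRED = [("discovery.k8s.io", "endpointslices", READ_VERBS)]

def _matches(values, wanted):
    """RBAC list semantics: '*' matches anything, otherwise exact match."""
    return "*" in values or wanted in values

def rule_allows(rule, api_group, resource, verb):
    """True if a single PolicyRule grants `verb` on `resource` in `api_group`."""
    return (_matches(rule.get("apiGroups", []), api_group)
            and _matches(rule.get("resources", []), resource)
            and _matches(rule.get("verbs", []), verb))

def missing_permissions(role, required=REQUIRED):
    """(apiGroup, resource, verb) tuples that no rule in `role` grants."""
    rules = role.get("rules") or []
    return [(g, r, v) for g, r, verbs in required for v in verbs
            if not any(rule_allows(rule, g, r, v) for rule in rules)]

def wildcard_rules(role):
    """Indexes of rules that use '*'; closing a gap this way over-grants."""
    return [i for i, rule in enumerate(role.get("rules") or [])
            if any("*" in rule.get(k, []) for k in ("apiGroups", "resources", "verbs"))]

ROLE_BEFORE = {"kind": "ClusterRole", "rules": [
    {"apiGroups": [""], "resources": ["services", "endpoints"],
     "verbs": list(READ_VERBS)},
]}
ROLE_AFTER = {"kind": "ClusterRole", "rules": ROLE_BEFORE["rules"] + [
    {"apiGroups": ["discovery.k8s.io"], "resources": ["endpointslices"],
     "verbs": list(READ_VERBS)},
]}
ROLE_OVERBROAD = {"kind": "ClusterRole", "rules": [
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]},
]}

if __name__ == "__main__":
    for name, role in [("before", ROLE_BEFORE), ("after", ROLE_AFTER),
                       ("overbroad", ROLE_OVERBROAD)]:
        print(name, "missing:", missing_permissions(role),
              "wildcard rules:", wildcard_rules(role))
```

The same functions accept the `rules` list of a role exported as JSON, so the check can run in CI before a manifest change is merged.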

@k8s-ci-robot k8s-ci-robot added the kind/bug Categorizes issue or PR as related to a bug. label Apr 9, 2020
@k8s-ci-robot
Contributor

Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA.

It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

@k8s-ci-robot k8s-ci-robot added the cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. label Apr 9, 2020
@k8s-ci-robot
Contributor

Welcome @chgl!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Apr 9, 2020
@k8s-ci-robot
Contributor

Hi @chgl. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot requested review from bozzo and holmsten April 9, 2020 16:22
@k8s-ci-robot k8s-ci-robot added the size/L Denotes a PR that changes 100-499 lines, ignoring generated files. label Apr 9, 2020
@chgl chgl changed the title Fix cilium permissions Fix Cilium permissions Apr 9, 2020
@chgl
Contributor Author

chgl commented Apr 9, 2020

I signed it.

@k8s-ci-robot k8s-ci-robot added cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. and removed cncf-cla: no Indicates the PR's author has not signed the CNCF CLA. labels Apr 9, 2020
@Miouge1
Contributor

Miouge1 commented Apr 10, 2020

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Apr 10, 2020
@floryut
Member

floryut commented Apr 10, 2020

This will also fix #5723

@Miouge1
Contributor

Miouge1 commented Apr 11, 2020

Thank you @chgl

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 11, 2020
@Miouge1
Contributor

Miouge1 commented Apr 11, 2020

Forgot to approve

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: chgl, Miouge1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 11, 2020
@k8s-ci-robot k8s-ci-robot merged commit 883194a into kubernetes-sigs:master Apr 11, 2020
LuckySB pushed a commit to southbridgeio/kubespray that referenced this pull request Apr 18, 2020
* added required permissions for querying endpointslice resources

* copy-pasted role permissions from cilium install manifests

* bumped cilium version to v1.7.2
spaced pushed a commit to spaced/kubespray that referenced this pull request Jun 10, 2024
New Features:

NGINX 1.19.2
New configmap option enable-real-ip to enable realip_module
Use k8s.gcr.io vanity domain
Go 1.15
client-go v0.18.6
Migrate to klog v2
Changes:

 kubernetes-sigs#5887 Add force-enable-realip-module
 kubernetes-sigs#5888 Update dev-env.sh script
 kubernetes-sigs#5923 Fix error in grpcbin deployment and enable e2e test
 kubernetes-sigs#5924 Validate endpoints are ready in e2e tests
 kubernetes-sigs#5931 Add opentracing operation name settings
 kubernetes-sigs#5933 Update opentracing nginx module
 kubernetes-sigs#5946 Do not add namespace to cluster-scoped resources
 kubernetes-sigs#5951 Use env expansion to provide namespace in container args
 kubernetes-sigs#5952 Refactor shutdown e2e tests
 kubernetes-sigs#5957 bump fsnotify to v1.4.9
 kubernetes-sigs#5958 Disable enable-access-log-for-default-backend e2e test
 kubernetes-sigs#5984 Fix panic in ingress class validation
 kubernetes-sigs#5986 Migrate to klog v2
 kubernetes-sigs#5987 Fix wait times in e2e tests
 kubernetes-sigs#5990 Fix nginx command env variable reference
 kubernetes-sigs#6004 Update nginx to 1.19.2
 kubernetes-sigs#6006 Update nginx image
 kubernetes-sigs#6007 Update e2e-test-runner image
 kubernetes-sigs#6008 Rollback update of Jaeger library to 0.5.0 and update datadog to 1.2.0
 kubernetes-sigs#6014 Update go dependencies
 kubernetes-sigs#6039 Add configurable serviceMonitor metricRelabelling and targetLabels
 kubernetes-sigs#6046 Add new Dockerfile label org.opencontainers.image.revision
 kubernetes-sigs#6047 Increase wait times in e2e tests
 kubernetes-sigs#6049 Improve docs and logging for --ingress-class usage
 kubernetes-sigs#6052 Fix flaky e2e test
 kubernetes-sigs#6056 Rollback to Poll instead of PollImmediate
 kubernetes-sigs#6062 Adjust e2e timeouts
 kubernetes-sigs#6063 Remove file system paths executables
 kubernetes-sigs#6080 Use k8s.gcr.io vanity domain
Successfully merging this pull request may close these issues.

Cilium Permission error "cannot list resource endpointslices in API group discovery.k8s.io"