New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add feature gate to disable in-tree credential providers #102507
Add feature gate to disable in-tree credential providers #102507
Conversation
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Welcome @ostrain! |
Hi @ostrain. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
I believe the CLA should be all set now, commenting to trigger the bot again. |
/ok-to-test |
/sig cloud-provider |
/retest |
49f16ae
to
8571113
Compare
@@ -142,7 +145,17 @@ func onGCEVM() bool { | |||
|
|||
// Enabled implements DockerConfigProvider for all of the Google implementations. | |||
func (g *MetadataProvider) Enabled() bool { | |||
return onGCEVM() | |||
if credentialprovider.AreLegacyCloudCredentialProvidersDisabled() { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure I agree with this ordering. I agree about the relative costs but if we need to enter either switch the system is miconfigured. At the point the cost seems like a non issue. For the good case you need to pass both switched anyway. In this case we may have a misleading error message suggesting you are on GCP. I think it would be better to put back the original order and add a warning you are attempting to use a GCP credential provider on a non GCP VM to the !onGCEVM case.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Avoiding the misleading error message was my original thinking, happy to switch it back.
I'm not sure if the other warning you propose would add much value though: IIUC these credential providers are on by default (thus the need for this PR) so it's not like the user misconfigured something if we're getting this far on a non-GCP VM. The warning would just get logged all the time and wouldn't be actionable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I thought we would only have this on if it was configured. If thats not true, then I think its even more important to switch back. (As you say to avoid the misleading error message)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Switched this back around.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not following the logic here to switch the order back to run onGCEVM
first. If the feature gate is enabled (i.e. disabled), then there's no reason to ever call onGCEVM, because the plugin is explicitly disabled. In this case, the warning message makes sense too, because the plugin is disabled anyways. When it is disabled, why bother running onGCEVM
which is a relatively expensive operation that reads a file from disk?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the in-tree cloud providers, you have to pass --cloud-provider=foo
to enable them so it makes sense to print a warning if you pass that flag while the feature gate that disables them is turned on, since that's obviously a misconfiguration of either the flag or the feature gate.
With the in-tree credential providers OTOH, there's no flag to enable them (as far as I'm aware) -- we just rely on the onGCEVM
check alone. So if the feature gate is turned on but we're not on a GCP VM, there's no reason to print a warning about the GCP provider being disabled... Nothing is misconfigured in that case, the warning is just confusing and unactionable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Gotcha, thanks for clarifying.
/retest |
8571113
to
5932233
Compare
/retest |
/lgtm |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/assign @liggitt
5932233
to
16ce57f
Compare
16ce57f
to
c1515ad
Compare
/retest |
2 similar comments
/retest |
/retest |
c1515ad
to
a947c32
Compare
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: andrewsykim, Danil-Grigorev, liggitt, ostrain The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
@@ -595,6 +595,12 @@ const ( | |||
// Disable any functionality in kube-apiserver, kube-controller-manager and kubelet related to the `--cloud-provider` component flag. | |||
DisableCloudProviders featuregate.Feature = "DisableCloudProviders" | |||
|
|||
// owner: @andrewsykim | |||
// alpha: v1.22 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
NIT: just see this: it would be 1.23
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What type of PR is this?
/kind feature
What this PR does / why we need it:
Implementing DisableKubeletCloudCredentialProviders FG according to proposal kubernetes/enhancements#2443
Which issue(s) this PR fixes:
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: