[Fix] Remove the requirement for VAP #3908
@@ -77,7 +78,7 @@ func applyVisibilityServerOptions(config *genericapiserver.RecommendedConfig) er | |||
o.SecureServing.BindPort = 8082 | |||
// The directory where TLS certs will be created | |||
o.SecureServing.ServerCert.CertDirectory = "/tmp" | |||
|
|||
o.Admission.DisablePlugins = []string{validatingadmissionpolicy.PluginName} |
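Review bot: `o.Admission.DisablePlugins` here removes only ValidatingAdmissionPolicy and leaves every other default plugin active on the visibility server; since the discussion agrees a read-only server needs very few of them, the smaller surface would be to list everything except the required plugins (NamespaceLifecycle, ServiceAccount) in DisablePlugins, as EnablePlugins on its own cannot shrink the default set. A one-line comment above the assignment stating why the plugin is disabled (compatibility with clusters where VAP is not enabled, and dropping the RBAC it forces on the controller) would keep it from being re-enabled by accident later.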
Ideally the visibility server can be minimal and any other plugins which are not required can be disabled. I believe the only plugin we would need would be NamespaceLifecycle, ServiceAccount, ResourceQuota.
That is interesting. What are your motivations for trying to get rid of only the VAP plugin?
What if we enable only NamespaceLifecycle, ServiceAccount, and ResourceQuota?
Additionally, why do we need the ResourceQuota plugin? IIUC, the visibility server doesn't touch ResourceQuota anywhere.
What are your motivations for trying to get rid of only the VAP plugin?
There are 2 benefits to this:
- Latest releases of Kueue would become compatible with previous versions of K8s - (like 1.29) where VAP is not enabled by default in the admission plugin.
- Currently Kueue has CRUD perms for VAP API which is not required by the controller at all. So this would reduce unnecessary privileges being given to the controller.
Additionally, why do we need the ResourceQuota plugin? IIUC, the visibility server doesn't touch ResourceQuota anywhere.
Fair. Ideally it would be good to spawn the visibility server with just what's required rather than enabling all the plugins by default. If ResourceQuota isn't required we can remove it from the list too.
Nice find! Makes sense to me to enable just the features we are using.
Fair. Ideally it would be good to spawn the visibility server with just what's required rather than enabling all the plugins by default. If ResourceQuota isn't required we can remove it from the list too.
@varshaprasad96 That makes sense. Could you open an issue for that?
@@ -38,8 +38,6 @@ const ( | |||
// +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update | |||
// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update | |||
// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update | |||
// +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingadmissionpolicies,verbs=get;list;watch |
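Review bot: removing this marker on its own does not change what the deployed controller can do; the ClusterRole rules are generated from these kubebuilder markers, so the regenerated RBAC manifest should be part of the same change and should no longer list `validatingadmissionpolicies`. It would also be worth confirming that no other code path in the controller still lists or watches that resource, so that the cert-rotation package was indeed the only consumer of the permission being dropped.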
Any reason why these roles were put in cert rotations?
This was added to give Kueue controller permissions when errors were coming with k8s 1.31. Turns out the root cause for it is from the API server rather than cert controller (ref).
/release-note-none
VAP is a default admission plugin enabled while starting an API server for visibility. The Kueue controller has additional permissions to watch those GVKs even though it is not required. Disabling the plugin from api server helps in keeping it minimal and maintaining compatibility with previous versions of K8s. Signed-off-by: Varsha Prasad Narsing <[email protected]>
This should fix #3496
Thank you!
/lgtm
/approve
/kind cleanup
@mimowo We might be able to consider this PR as a bug fix and cherry-pick this to the release-0.10 branch since this PR tries to remove the unnecessary permissions. WDYT?
@tenzen-y could we back port this to v0.10.x and v0.9.x too? Both the versions would have this bug.
Before we backport this to older versions, as I mentioned #3908 (comment), let me have an agreement with Michal.
Thank you for investigating the issue, I'm good to cherry-pick this back to 0.9 and 0.10 as a bugfix.
/kind bug IIUC it also fixes #3496. @varshaprasad96 please add a release note, and add a note "Fixes #3496" to indicate that. As for the release note maybe:
/cherry-pick release-0.10 |
@kannon92: new pull request created: #3940
@kannon92 any particular reason to close the cherry-pick PR?
@mimowo Done, thank you!
/cherry-pick release-0.9 |
@tenzen-y: new pull request created: #3946
@tenzen-y: #3908 failed to apply on top of branch "release-0.9":
@varshaprasad96 Could you manually create a cherry pick PR against release-0.9 branch? |
@varshaprasad96 @ChristianZaccaria I see some commits on your branch, are there some unforeseen complications for cherry-picking to 0.9? Asking cause I would like to release 0.10.1 along with 0.9.2 this week.
@tenzen-y Sorry, missed your message last week. I can create a cherry-pick PR now. @mimowo Are you referring to these? Backporting to v0.9.x shouldn't be an issue afaik. We cherry-picked this commit and back ported it to 0.10.x in downstream because of internal release deadlines and were planning to use 0.10 directly instead of 0.9.
Thank you! Cool, yeah I was referring to the commits as they are referenced by GH, wasn't sure why they are displayed.
#3977 -> cherry pick of this fix in 0.9 |
What type of PR is this?
Fixes: #3496
What this PR does / why we need it:
VAP is a default admission plugin enabled while starting an API server for visibility (ref). The Kueue controller has additional permissions to watch those GVKs even though it is not required. Disabling the plugin from the API server helps in keeping it minimal and maintaining compatibility with previous versions of K8s.
For details:
By default, the admission server enables the default set of admission plugins while starting an API server in K8s: https://github.com/kubernetes/kubernetes/blob/e85c72d4177fba224cb1baa1b5abfb5980e6d867/pkg/kubeapiserver/options/admission.go#L59. However, not all the plugins are necessary, as the visibility server is publishing metrics through read-only APIs, rather than modifying/validating the request.
Does this PR introduce a user-facing change?
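To make concrete the difference between what this PR does (disable only VAP) and the reviewer's suggestion of spawning the visibility server with only the required plugins, here is an added, stand-alone Go example that is not part of Kueue or the apiserver library. It mirrors, as I understand it, the resolution rule of apiserver `AdmissionOptions` (RecommendedPluginOrder minus DefaultOffPlugins and DisablePlugins, with EnablePlugins overriding a disable); the plugin list below is a constructed subset of a real default order, used only for illustration.

```go
package main

import "fmt"

// Constructed subset of an API server's recommended plugin order; the real
// list in kube-apiserver is longer. Used here for illustration only.
var recommendedOrder = []string{
	"NamespaceLifecycle", "LimitRanger", "ServiceAccount",
	"MutatingAdmissionWebhook", "ValidatingAdmissionPolicy",
	"ValidatingAdmissionWebhook", "ResourceQuota",
}

// effectivePlugins mirrors (assumed) apiserver AdmissionOptions semantics:
// walk the recommended order, drop anything in defaultOff or disable,
// and let an explicit enable entry override a disable.
func effectivePlugins(order, defaultOff, disable, enable []string) []string {
	off := map[string]bool{}
	for _, p := range defaultOff {
		off[p] = true
	}
	for _, p := range disable {
		off[p] = true
	}
	for _, p := range enable {
		delete(off, p)
	}
	out := []string{}
	for _, p := range order {
		if !off[p] {
			out = append(out, p)
		}
	}
	return out
}

// allowListDisable returns the DisablePlugins value that leaves only keep
// active: EnablePlugins cannot shrink the default set, so an allow-list
// has to be expressed as "disable everything else".
func allowListDisable(order, keep []string) []string {
	keepSet := map[string]bool{}
	for _, p := range keep {
		keepSet[p] = true
	}
	disable := []string{}
	for _, p := range order {
		if !keepSet[p] {
			disable = append(disable, p)
		}
	}
	return disable
}

func main() {
	// This PR: only VAP is disabled, every other default plugin stays on.
	fmt.Println(effectivePlugins(recommendedOrder, nil, []string{"ValidatingAdmissionPolicy"}, nil))
	// Reviewer suggestion: keep just what a read-only server needs.
	keep := []string{"NamespaceLifecycle", "ServiceAccount"}
	fmt.Println(effectivePlugins(recommendedOrder, nil, allowListDisable(recommendedOrder, keep), nil))
}
```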