-
Notifications
You must be signed in to change notification settings - Fork 715
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Install the kube-proxy main container without privileged mode #2948
Comments
/cc @danwinship @aojea @sftim |
thanks for logging this issue and sending that PR.
i see a Microsoft reviewer on the PR, so i'm going to assume it also works on Windows.
do you have estimates for that? - e.g. 20% increase on a desktop PC. and what window are we measuring - e.g. kube-proxy DS some consumers of kubeadm are quite sensitive to that, inc minikube, kind, others. my preference would be to make this the default, non-configurable path. in the incoming releases, we are about to release a new API v1beta4, and we are just about to add a new sub-struct for "proxy" configuration there. so now it would be a good time for a knob for this kube-proxy "startup-mode". if we use something common like a feature-gate we can add it in 1.29. ...some decision making is required here. |
we have a variety of tests jobs that can exercise this functionality (inc upgrade). if we add a knob it would be slightly more complex, since we have to add new targeted jobs.
we only run conformance tests in kubeadm e2e jobs. to my understanding it's all about the startup sequence and setup. if it fails...it fails. from there on the conformance suite should suffice when testing the runtime aspect? |
No, the function will not work on Windows. The |
I don't expect more than the conformance tests to test this feature. But there are some e2e tests that tests aspects of "services" (i.e. kube-proxy) that are not in the conformance suite. I have explicitly executed those I know of. |
that's a problem, because the kube-proxy manifest has no OS branching in kubeadm, currently. if we add this change there has to be a |
ok, i think we can go without extending what we test in our jobs for this feature. |
commented on the PR about using a warning instead of error: |
I actually expect a very small increase. I believe that the bulk of the startup time is to load the image, and it is only done once. Then there is an overhead to create/start the init-container of course. The actual init code should run fast, but there is an unnecessary connection setup to the API-server that may be removed in the future. It is hard to measure since it is highly environment dependent. But I can try in KinD on my PC with local image registry (which is kind of unfair). |
kubeadm does a image pre-pull so we can exclude that from the calculation. a local registry is suitable. |
I assume the added startup time would be trivial: we don't have to pull a second image, and kube-proxy barely does anything when you specify Already commented on the other two PRs, but we need distinct configs for Linux and Windows; just making Windows accept |
will comment on the initial PR where everyone else is. |
as discussed on the other issues / PRs we need two separate daemon sets to manage this: i also had a short discussion with #sig-windows, and the two DS pattern has already been required for other features. for the time being we can put a hold on this and decide what to do...in particular i'm looking for feedback from the rest of the kubeadm OWNERS. also we have this ticket from 2021, i will close it: |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
removing stale and moving to next milestone. but i don't think we have a code AI unless there is a more OS portable approach with a single DS. |
If the oom-score is set, then |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
A new flag
--init-only
was added tokube-proxy
that executes all configuration steps that required privileged mode and then exits. It is intended to be used in an initContainer to allow the main container to run with NET_ADMIN rights only.Please read the (not yet published) blog post for more info (temporary direct-link).
Kubeadm should support this installation. It will increase the startup time for
kube-proxy
, so IMO it should be optional, but perhaps be the default./kind feature
Versions
kubeadm version (use$\ge$ v1.29
kubeadm version
):Environment:
kubectl version
):uname -a
): N/AAnything else we need to know?
Regression tests are OK (of course), but I suppose the real e2e test will be with this feature enabled, which mean with an updated
kubeadm
if I understand correctly. I have however executed e2e tests inKinD
with:which actually tests more of
kube-proxy
than the conformance suite.Upgrade is not explicitly tested, but as a part of testing in KinD I have updated the
kube-proxy
manifest.The text was updated successfully, but these errors were encountered: