[occm] Set --use-service-account-credentials=false #2572

Merged
merged 1 commit into from
Apr 25, 2024

Conversation

dulek
Contributor

@dulek dulek commented Apr 10, 2024

What this PR does / why we need it:
The above option seems to be causing CCM to create clients using ServiceAccount from the `kube-system` namespace, so it requires users to either run in the `kube-system` namespace or manage 2 ServiceAccounts, one in `kube-system` and the other in the regular CCM namespace. See [1].

This commit changes this setting.

/hold

[1] https://github.com/kubernetes/cloud-provider/blob/c3862938334ba18226098015193374fda40ab7a9/options/options.go#L230-L237

Which issue this PR fixes (if applicable):
fixes #2560

Special notes for reviewers:

Release note:

OCCM is by default no longer run with `--use-service-account-credentials=true`, meaning that it will use the ServiceAccount specified in the DaemonSet. This means that you can stop managing the additional ServiceAccount in the `kube-system` namespace.
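The behaviour described in this PR can be checked against a deployed manifest. The following is an added example, not code from the PR or the project: it reads DaemonSet JSON (the shape of `kubectl get ds -o json`) and reports which namespace and ServiceAccount the controllers' API clients will use, and therefore where RBAC has to exist. `ClientIdentity`, `sampleDS` and the `occm` namespace are hypothetical, and the flag is assumed to default to false when absent.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample, trimmed to the fields read below.
const sampleDS = `{"metadata":{"namespace":"occm"},"spec":{"template":{"spec":{"serviceAccountName":
 "cloud-controller-manager","containers":[{"args":["--use-service-account-credentials=true"]}]}}}}`

type podSpec struct {
	ServiceAccountName string
	Containers         []struct{ Command, Args []string }
}
type daemonSet struct {
	Metadata struct{ Namespace string }
	Spec     struct{ Template struct{ Spec podSpec } }
}

// ClientIdentity returns the namespace and ServiceAccount used by the controllers'
// API clients; account is "" when each controller gets its own ServiceAccount.
func ClientIdentity(manifest []byte) (namespace, account string, err error) {
	var ds daemonSet
	if err = json.Unmarshal(manifest, &ds); err != nil {
		return "", "", err
	}
	pod := ds.Spec.Template.Spec
	perController := false // assumption: flag defaults to false when absent
	for _, c := range pod.Containers {
		for _, arg := range append(append([]string{}, c.Command...), c.Args...) {
			if name, val, hasVal := strings.Cut(arg, "="); name == "--use-service-account-credentials" {
				if !hasVal {
					val = "true" // a bare boolean flag means true
				}
				if perController, err = strconv.ParseBool(val); err != nil {
					return "", "", err
				}
			}
		}
	}
	if perController {
		return "kube-system", "", nil // RBAC must be granted in kube-system
	}
	return ds.Metadata.Namespace, pod.ServiceAccountName, nil
}

func main() { fmt.Println(ClientIdentity([]byte(sampleDS))) }
```

A result of `kube-system` for a DaemonSet deployed in another namespace is the split-identity situation the PR description refers to.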

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 10, 2024
@k8s-ci-robot k8s-ci-robot requested review from mdbooth and zetaab April 10, 2024 15:12
@k8s-ci-robot k8s-ci-robot added the size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. label Apr 10, 2024
The above option seems to be causing CCM to create clients using
ServiceAccount from the `kube-system` namespace, so it requires users to
either run in the `kube-system` namespace or manage 2 ServiceAccounts, one
in `kube-system` and the other in the regular CCM namespace. See [1].

This commit changes this setting.

[1] https://github.com/kubernetes/cloud-provider/blob/c3862938334ba18226098015193374fda40ab7a9/options/options.go#L230-L237
@dulek dulek force-pushed the separate-sa-false branch from 199e9b4 to 2a4131a Compare April 10, 2024 15:13
@dulek
Contributor Author

dulek commented Apr 10, 2024

I still have to validate that this is the culprit, but there's a high chance it is. We've copied the AWS manifest, blindly copying this option, but the AWS manifest seems to override it in a patch: https://github.com/kubernetes/cloud-provider-aws/blob/234a39835a0ef28eea15424f83e9cb96be37d386/examples/existing-cluster/overlays/superset-role/aws-cloud-controller-manager-daemonset-patch.yaml#L16

@dulek
Contributor Author

dulek commented Apr 10, 2024

/hold cancel

I just validated that this makes sense for OpenShift.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 10, 2024
@jichenjc
Contributor

/approve

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 12, 2024
@dulek
Contributor Author

dulek commented Apr 12, 2024

/hold

I have some more discussions about this internally; I might have more information next week when a colleague is back from vacation.

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 12, 2024
@dulek
Contributor Author

dulek commented Apr 22, 2024

/hold cancel

Okay, this might be the way to go upstream here.

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Apr 22, 2024
Member

@zetaab zetaab left a comment

/approve

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: jichenjc, zetaab

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@zetaab
Member

zetaab commented Apr 25, 2024

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Apr 25, 2024
@dulek
Contributor Author

dulek commented Apr 25, 2024

/retest

@dulek
Contributor Author

dulek commented Apr 25, 2024

/test pull-cloud-provider-openstack-check

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Successfully merging this pull request may close these issues.

service account cloud-controller-manager cannot patch service object
4 participants