
annotate the kube-system namespace to allow kubeadm managed static Pod labels

Open neolit123 opened this issue 6 years ago • 12 comments

update for the 1.23 cycle: https://github.com/kubernetes/enhancements/issues/1314#issuecomment-902256245 looks like the design is going in a different direction. i have closed the PR to change kubeadm that follows it, but we should keep this issue open until a KEP update follows related to https://github.com/kubernetes/enhancements/issues/1314


annotate the kube-system namespace to allow kubeadm managed static Pod labels, such as "tier" and "component".

this change is landing as alpha in 1.17 and by 1.19 it will be on by default (beta).

see: https://github.com/kubernetes/enhancements/blob/master/keps/sig-auth/20190916-noderestriction-pods.md

tracking issue in k/e:

  • https://github.com/kubernetes/enhancements/issues/1314

tracking issue for k/k:

  • https://github.com/kubernetes/kubernetes/issues/83977

The k8s-app label is used to match controllers for system components, and therefore should be explicitly disallowed.

looks like we also use the k8s-app label in the upgrade process, which should be revisited: https://github.com/kubernetes/kubernetes/blob/3758426884e3c82cbd99c72e8015f4396f21fde2/cmd/kubeadm/app/phases/upgrade/prepull.go#L83

neolit123 avatar Oct 15 '19 21:10 neolit123

it's not a high priority for this cycle, but i have a WIP PR for this. one decision we have to make is in which "kubeadm init" phase we want this annotation to happen. ~my vote is the "control-plane" phase, before writing static pods.~ EDIT: my mistake, this needs to happen after the "wait-control-plane" phase.

neolit123 avatar Oct 15 '19 21:10 neolit123

/cc

ereslibre avatar Oct 16 '19 16:10 ereslibre

/cc

SataQiu avatar Oct 17 '19 04:10 SataQiu

the work is on hold for 1.18 https://github.com/kubernetes/enhancements/issues/1314#issuecomment-575805238 moving to 1.19

neolit123 avatar Jan 20 '20 23:01 neolit123

@neolit123 is this something we should work on for v1.19?

fabriziopandini avatar Apr 18 '20 17:04 fabriziopandini

depends if https://github.com/kubernetes/enhancements/issues/1314 is worked on for 1.19.

neolit123 avatar Apr 18 '20 17:04 neolit123

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta. /lifecycle stale

fejta-bot avatar Oct 25 '20 18:10 fejta-bot

/remove-lifecycle stale

neolit123 avatar Oct 25 '20 19:10 neolit123

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar Mar 02 '21 16:03 fejta-bot

/remove-lifecycle stale

neolit123 avatar Mar 02 '21 17:03 neolit123

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale

fejta-bot avatar Jun 07 '21 15:06 fejta-bot

/remove-lifecycle stale

I think sig auth is looking for alternatives to this, but i need to check.

neolit123 avatar Jun 07 '21 16:06 neolit123