Adding OpenShift SCC clusterController, removing hostPort #3677
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0-rc.0
bump kubecost-modeling for cve fixes
bump kubecost-modeling for cve fixes (cherry-pick #3606)
…7592 bump modeling 0.1.15 CVE-2024-7592
bump modeling 0.1.15 CVE-2024-7592 (cherry-pick #3615)
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0-rc.1
bump network costs to 0.17.5
bump network costs to 0.17.5 (cherry-pick #3629)
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0-rc.2
switch grafana image for cve resolution (cherry-pick #3627)
update prometheus to chainguard for CVE-2024-41110
update prometheus to chainguard for CVE-2024-41110 (cherry-pick #3625)
* fix diagnostics and federatedStorageConfig * Few more places that needed to reference federatedStorageConfig * Simplify logic for MultiClusterDiagnostics in costmodel. --------- Co-authored-by: Jesse Goodier <31039225+jessegoodier@users.noreply.github.com> Co-authored-by: thomasvn <thomasnguyen96@gmail.com>
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0-rc.3
* bump cluster-controller 0.16.9 Signed-off-by: Cliff Colvin <ccolvin@kubecost.com> * remove inadvertent checkin Signed-off-by: Cliff Colvin <ccolvin@kubecost.com>
bump cluster-controller 0.16.9 (cherry-pick #3652)
bump kubecost-modeling 0.1.16
bump kubecost-modeling 0.1.16 (cherry-pick #3655)
bump network-costs 0.17.6
bump network-costs 0.17.6 (cherry-pick #3662)
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0-rc.4
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0-rc.5
Signed-off-by: Cliff Colvin <ccolvin@kubecost.com>
bump k8s-sidcar to cgr for cve
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0-rc.6
aggregator custom labels template Co-authored-by: Jesse Goodier <31039225+jessegoodier@users.noreply.github.com>
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <ccolvin@kubecost.com>
Bump in-code version of v2.4 branch for 2.4.0
…terController Adding OpenShift SCC for clusterController, removing hostPort on clusterController
| @@ -256,7 +256,6 @@ spec: | |||
| ports: | |||
| - name: http-server | |||
| containerPort: 9731 | |||
| hostPort: 9731 | |||
There was a problem hiding this comment.
@alexkubecost I can dig here, but do you know off hand why we would need hostPort?
I don't understand why anything would be connecting to the clusterController that doesn't know the service name.
There was a problem hiding this comment.
I can't currently think of any reason why hostPort would be needed. @ameijer ?
There was a problem hiding this comment.
I'll bet you that this yaml was written from an example where they exposed an http port on a node and the ingress controller routed to that. I agree there is rarely if ever a use case for a host port on non daemon set controllers. I think getting rid of it is a great idea
| - hostPath | ||
| - projected | ||
| - configMap | ||
| hostPorts: |
There was a problem hiding this comment.
You can kill these hostPort lines if Alex is good with removing hostPort.
|
Once this is approved, let's make sure this is merged into both |
Add space to fix linting error to allow CI to complete against the remainder of these changes. Co-authored-by: Jesse Goodier <31039225+jessegoodier@users.noreply.github.com>
|
Changed branch to |
chipzoller
reviewed
Sep 29, 2024
| @@ -1425,7 +1425,7 @@ data: | |||
| "carbonEstimatesEnabled": "{{ template "carbonEstimatesEnabled" . }}", | |||
| "clusterControllerEnabled": "{{ template "clusterControllerEnabled" . }}", | |||
| "forecastingEnabled": "{{ template "forecastingEnabled" . }}", | |||
| "chartVersion": "DEVELOP_BRANCH", | |||
| "chartVersion": "2.4.0", | |||
There was a problem hiding this comment.
I don't think we want to change this now it's targeting develop.
| allowPrivilegedContainer: true | ||
| allowHostDirVolumePlugin: true | ||
| allowHostNetwork: true | ||
| allowHostPorts: true |
There was a problem hiding this comment.
So this would now be false, right, if there are no hostPorts?
| @@ -12,14 +12,11 @@ global: | |||
| scc: | |||
| nodeExporter: false # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled. | |||
| networkCosts: false # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled. | |||
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |||
There was a problem hiding this comment.
Suggested change
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |
| clusterController: false # Creates an SCC for Kubecost clusterController. This requires clusterController be enabled. |
| @@ -247,6 +247,7 @@ global: | |||
| scc: | |||
| nodeExporter: false # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled. | |||
| networkCosts: false # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled. | |||
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |||
There was a problem hiding this comment.
Suggested change
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |
| clusterController: false # Creates an SCC for Kubecost clusterController. This requires clusterController be enabled. |
|
Hi all, after further testing, it seems all that is needed it the removal of the hostport from kubecost-cluster-controller-template.yaml. Once that is done, no specific SCCs will be needed. Maybe the Platforms.Openshift.True can remove hostport if we want to leave it on for other deployments? Either way, the SCC file is not needed. |
|
So what's the plan here? |
|
This can be closed with no action needed for this specific PR. Maybe a
clusterController.hostPort=false or removing it all together would do the
trick.
Andrew Dawson
Solutions Engineer / Book Some Time
<https://calendly.com/stackwatch-adawson/15min>
…On Mon, Oct 14, 2024 at 10:50 AM Chip Zoller ***@***.***> wrote:
So what's the plan here?
—
Reply to this email directly, view it on GitHub
<#3677 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AYEDC7RCP47MLDKUR55PPKTZ3PK23AVCNFSM6AAAAABOQXHFMSVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIMJRGQ4DSMZVGY>
.
You are receiving this because you authored the thread.Message ID:
***@***.***>
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding OpenShift SCC for clusterController, removing hostPort on clusterController
What does this PR change?
Does this PR rely on any other PRs?
How does this PR impact users? (This is the kind of thing that goes in release notes!)
Links to Issues or tickets this PR addresses or fixes
What risks are associated with merging this PR? What is required to fully test this PR?
How was this PR tested?
Ran on Openshift cluster successfully
Have you made an update to documentation? If so, please provide the corresponding PR.