use sts regional endpoint for aws session #283
Conversation
[APPROVALNOTIFIER] This PR is NOT APPROVED. This pull-request has been approved by: jyotimahapatra. The full list of commands accepted by this bot can be found here.
// Environment Variable to create sts session with regional endpoint
// If unset or false, uses global sts endpoint
useRegionalSts = "USE_REGIONAL_STS"
I think the switch should be the opposite because 1. we want everyone to use regional STS endpoints and 2. we are still publishing alpha containers, and we can document in the upgrade notes that if you have STS regional endpoints disabled in your AWS account, you need to change this setting. Also, I think it should be a flag instead of an environment variable (and/or a cloud config option). We can do something more complicated, like a feature gate of sorts that initially is opt-in but when it moves to beta becomes opt-out (i.e. the feature gate is called "UseRegionalSTS" and is false in alpha, but true in beta, and eventually is removed and cannot be opted out of). Whatever we end up with though, we should have users opt out of regional endpoints, rather than opt in to them, because STS wants to move traffic off the global endpoint.
I generally agree, but there are a few things I wanted to discuss about how we make the changes that could affect users.
Since STS has an ability to disable regional endpoints, shifting the default to regional could be a breaking change. I propose that we keep the original behavior intact and deprecate over a release. In the next release of CCM, we could shift the default to regional and put out a release note (included in the PR description).
From my investigation so far, using a flag is difficult because of how the cloud provider is instantiated. The kube controller passes no configuration while initializing the cloud provider. Looking at the signature cloudprovider.RegisterCloudProvider(ProviderName, func(config io.Reader) (cloudprovider.Interface, error) {, there is no other config apart from the CloudConfig file reader. It would take a refactoring in k/k to pass an additional flagset. Do you find this explanation correct? If so, we'll have to use an env var until a flagset can be passed.
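The two positions above (opt-in via an explicit USE_REGIONAL_STS=true/TRUE as the PR does, versus a feature gate whose default flips from alpha to beta as proposed in review) can be made concrete. The following is an added example and not code from the cloud-provider-aws PR; the Stage type, resolveRegional helper and the lookup-function parameter are assumptions for illustration, and only the endpoint hostnames come from how STS names its global and regional endpoints.

```go
package main

import (
	"fmt"
	"os"
)

// Stage models the feature-gate idea from the review (assumed, not in the PR):
// alpha keeps the global endpoint by default, beta and later default to regional.
type Stage int

const (
	Alpha Stage = iota
	Beta
)

// defaultRegional is the gate's default when the operator sets nothing.
func (s Stage) defaultRegional() bool { return s >= Beta }

// useRegionalSTS implements the PR's opt-in semantics: only an explicit
// "true" or "TRUE" selects regional endpoints; unset or any other value is false.
// lookup is injected (os.LookupEnv in main) so the logic can be tested offline.
func useRegionalSTS(lookup func(string) (string, bool)) bool {
	v, ok := lookup("USE_REGIONAL_STS")
	return ok && (v == "true" || v == "TRUE")
}

// resolveRegional is the hypothetical opt-out variant discussed in review:
// an explicit setting wins, otherwise the stage default applies.
func resolveRegional(stage Stage, lookup func(string) (string, bool)) bool {
	v, ok := lookup("USE_REGIONAL_STS")
	if !ok {
		return stage.defaultRegional()
	}
	return v == "true" || v == "TRUE"
}

// stsEndpoint returns the STS hostname the session would talk to, which is
// what an operator would check in VPC endpoint policies or flow logs.
func stsEndpoint(regional bool, region string) string {
	if regional {
		return fmt.Sprintf("sts.%s.amazonaws.com", region)
	}
	return "sts.amazonaws.com"
}

func main() {
	fmt.Println(stsEndpoint(useRegionalSTS(os.LookupEnv), "us-west-2"))
}
```

Note how the two resolvers differ only when the variable is unset: the PR's version falls back to the global endpoint, the gated version falls back to whatever the current stage prescribes.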
A flag can be added to https://github.com/kubernetes/cloud-provider-aws/blame/master/cmd/aws-cloud-controller-manager/main.go no problem.
@jyotimahapatra: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Replaced by #313 /close
@nckturner: Closed this PR. In response to this:
What type of PR is this?
What this PR does / why we need it:
STS suggests using regional endpoints.
The PR creates a way for CCM users to set an env var USE_REGIONAL_STS to use regional endpoints. The default when the flag is unset is false. Only when the flag is explicitly true/TRUE is the regional endpoint chosen.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?: