Identify Pod's OS during API Server admission #2803

Merged

ravisantoshgudimetla
Contributor

#2802

  • One-line PR description:
  • Issue link:
  • Other comments:

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Jun 28, 2021
@k8s-ci-robot k8s-ci-robot added kind/kep Categorizes KEP tracking issues and PRs modifying the KEP directory sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/windows Categorizes an issue or PR as relevant to SIG Windows. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 28, 2021
@k8s-ci-robot k8s-ci-robot added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Jun 28, 2021
@ravisantoshgudimetla ravisantoshgudimetla changed the title Identify Windows Pods during API Server admission [WIP] Identify Windows Pods during API Server admission Jun 28, 2021
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jun 28, 2021
Contributor

@aravindhp aravindhp left a comment

Thanks for opening this enhancement, @ravisantoshgudimetla

@marosset
Contributor

So far this looks good.

I'd like to see more details about which all specific plugins will be aware of this feature flag and what specific behavior will change if pods get identified as targeting Windows.

Contributor Author

@ravisantoshgudimetla ravisantoshgudimetla left a comment

Thanks for the reviews @aravindhp @marosset. I tried answering questions in comments. Let me know if you are fine with the approach. I'll proceed to update the KEP along with sample implementation.

Contributor Author

@ravisantoshgudimetla ravisantoshgudimetla left a comment

Thanks for the review @tallclair.

Contributor Author

@ravisantoshgudimetla ravisantoshgudimetla left a comment

Updated to include feedback

## Design Details


We can piggyback on the existing RuntimeClass admission controller to query for the RuntimeClass and see if it has
Member

it's unclear what this is proposing the existing RuntimeClass admission plugin do... forbid pods which set a kubernetes.io/os: windows spec.nodeSelector and don't set a runtimeClassName?

Contributor Author

I can update this section to make it clear.

Contributor Author

@ravisantoshgudimetla ravisantoshgudimetla left a comment

Thank you for the review @liggitt. I tried answering your questions. PTAL and let me know your thoughts.

and need not necessarily express the user intention fully.
- The pod may target Windows node but pod OS may be linux or windows
as Linux Containers on Windows(LCOW) can be supported in future.
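
Review bot: The bullet ending "as Linux Containers on Windows(LCOW) can be supported in future" mixes capitalization for the same terms ("Windows node" but "linux or windows" for the pod OS) and is missing a space before "(LCOW)". If the lowercase forms are meant as literal field values, put them in backticks so they read as values rather than prose; otherwise capitalize them consistently, and write "a Windows node" and "in the future".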

Member

the actual proposal starts here

Member

@derekwaynecarr derekwaynecarr left a comment

aside from the updates requested by @liggitt and my request that we ensure the pod validation for windows correlates to an e2e test that demonstrates the function on windows, this lgtm from a sig-node perspective.

// We're making this a struct for possible future expansion.
type OS struct {
// Name of the OS. The values supported are available at:
// https://github.com/opencontainers/runtime-spec/blob/master/config.md#platform-specific-configuration
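
Review bot: The field comment under "type OS struct" defers the list of supported values to an external URL pinned to the "master" branch, so a reader of the type cannot tell from the comment which names are accepted, and the link target can change or move. Suggest stating the accepted values directly in the comment and keeping the link only as background reference.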
Member

the node platforms are distinct from supported operating system value. i had linked @ravisantoshgudimetla to the OCI spec for reference as a potential future set, but we should only support linux or windows at this time which maps to present support.

@deads2k
Contributor

deads2k commented Sep 8, 2021

the PRR lgtm

/approve

@liggitt
Member

liggitt commented Sep 8, 2021

API and PodSecurity bits lgtm

@marosset
Contributor

marosset commented Sep 8, 2021

/lgtm
/approve
/hold
Adding a hold to make sure all of the feedback from @derekwaynecarr is addressed (I still see his review status as changes requested but he gave an LGTM for node / kubelet changes)

@k8s-ci-robot k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 8, 2021
@k8s-ci-robot k8s-ci-robot added lgtm "Looks good to me", indicates that a PR is ready to be merged. approved Indicates a PR has been approved by an approver from all required OWNERS files. labels Sep 8, 2021
@marosset
Contributor

marosset commented Sep 8, 2021

/label tide/merge-method-squash

@k8s-ci-robot k8s-ci-robot added the tide/merge-method-squash Denotes a PR that should be squashed by tide when it merges. label Sep 8, 2021
@derekwaynecarr
Member

/approve for sig-node

@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: deads2k, derekwaynecarr, marosset, ravisantoshgudimetla

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@derekwaynecarr
Member

I think all requests were satisfied.

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 8, 2021
@k8s-ci-robot k8s-ci-robot merged commit d6a724c into kubernetes:master Sep 8, 2021
@k8s-ci-robot k8s-ci-robot added this to the v1.23 milestone Sep 8, 2021
rikatz pushed a commit to rikatz/enhancements that referenced this pull request Feb 1, 2022
* Identify Windows Pods during API Server admission

* Address reviewers comments

* Apply suggestions from code review

Co-authored-by: jay vyas <jayunit100.github@gmail.com>

* Apply suggestions from code review

Co-authored-by: jay vyas <jayunit100.github@gmail.com>
Co-authored-by: Wei Huang <weih@hey.com>

* Address reviewers comments

* Address reviewers comments

* Apply suggestions from code review

Co-authored-by: jay vyas <jayunit100.github@gmail.com>

* Address reviewers comments

* Address reviewers comments

* Address reviewers comments

Co-authored-by: jay vyas <jayunit100.github@gmail.com>
Co-authored-by: Wei Huang <weih@hey.com>