[GCE kube-up] Don't provision kubeconfig file for kube-proxy service account

[MrHohn]

What this PR does / why we need it:

Offloading the burden of provisioning kubeconfig file for kube-proxy service account from GCE startup scripts. This also helps us decoupling kube-proxy daemonset upgrade from node upgrade.

Previous attempt on #51172, using InClusterConfig for kube-proxy based on discussions on kubernetes/client-go#281.

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): fixes #NONE

Special notes for your reviewer:
/assign @bowei @thockin
cc @luxas @murali-reddy

Release note:

NONE

[MrHohn]

Forgot to note, this doesn't change how kube-proxy static pods are deployed.

[MrHohn]

Ref #23225.

[luxas]

If we want to keep backwards-compat, we can't do this.
--master only currently means "I can run anywhere, and I will connect insecurely (via 8080 port) to the API server"
I guess we need to add yet an other --use-service-account-credentials or similar flag :/

[MrHohn]

I guess we need to add yet an other --use-service-account-credentials or similar flag :/

Thanks, I think you are right...

[MrHohn]

Added a flag --service-account-master-url. PTAL, thanks!

[luxas]

This isn't targeted for v1.8, right?

[thockin]

Assign back to me once it is LGTM'ed and ready for approval.

[MrHohn]

This isn't targeted for v1.8, right?

Nope, let's do it for v1.9 :)

[MrHohn]

/retest

[MrHohn]

/retest

[MrHohn]

Tests passed, code is ready for review.

cc @ncdc for kube-proxy config API changes
cc @mikedanese for kubeconfig changes in GCE kube-up

[ncdc]

Would you be willing to do this without adding a new command line flag to kube-proxy? I'd really prefer to avoid adding new flags since we have a config file now.

[MrHohn]

Would you be willing to do this without adding a new command line flag to kube-proxy? I'd really prefer to avoid adding new flags since we have a config file now.

I would like to do so. What is the timeline of componentconfig API (enabled by default already)? I'm a bit lost after reading kubernetes/enhancements#115. Would be great to have some guidelines for converting flags to config file.

[ncdc]

The kube-proxy config is functional right now (you can do kube-proxy --config FILE), but the structs/fields are still alpha and subject to change. One example of a change I'd like to make is part of #52198 where I've adjusted some of the json field names.

Ultimately we need to move the kube-proxy config structs into their own api group, and componentconfig needs to go away.

I would recommend converting to a config file soon, but one concern I do have is about upgrades: if we roll out a cluster with version n, then later we adjust the config file format, how do we handle upgrades to n+1 as well as downgrades back to n?

cc @mikedanese @mtaufen

[MrHohn]

I would recommend converting to a config file soon, but one concern I do have is about upgrades: if we roll out a cluster with version n, then later we adjust the config file format, how do we handle upgrades to n+1 as well as downgrades back to n?

Is populating config file content via configmap (like what kubeadm alread did for kubeconfig) and making sure configmap is updated during upgrade/downgrade be feasible?

[ncdc]

As long as you can get a file on disk in a path that kube-proxy has access to, it can come from anywhere.

[mtaufen]

I would recommend converting to a config file soon, but one concern I do have is about upgrades: if we roll out a cluster with version n, then later we adjust the config file format, how do we handle upgrades to n+1 as well as downgrades back to n?

What is blocking stabilizing the config structure, other than moving it out of componentconfig and making your desired changes? Why not just do that now and move it out of alpha, so that you have API stability across upgrades?

[mtaufen]

With the Kubelet, we won't convert to using the config file until the kubeletconfig API group is out of alpha, and the loading-from-a-file mechanism will remain behind an alpha gate until then.

[ncdc]

What is blocking stabilizing the config structure, other than moving it out of componentconfig and making your desired changes? Why not just do that now and move it out of alpha, so that you have API stability across upgrades?

Nothing, other than time 😄

[MrHohn]

@liggitt Thanks for the comment.

That would keep InClusterConfig() behavior intact and avoid an odd mix of flag+envvar client building

Good point. No I don't have a compelling reason now. I was thinking by making it a flag/config we could make kube-proxy binary self-contained, though that isn't really true as by using InClusterConfig() we already assume kube-proxy runs as a pod.

[MrHohn]

Revised PR a bit to keep InClusterConfig() behavior intact.

Pushed as separate commits and hopefully keeping review simple.

• Changes to kube-proxy are on 9d1be35.
• Changes to GCE kube-up are on 8317a4f.

The last commit tweaks KUBE_PROXY_DAEMONSET to prove this is working. Will remove later.

Sorry for the last minute changes @mikedanese @ncdc

[MrHohn]

/retest

[liggitt]

thanks, the client building looks more coherent now
/hold cancel

[MrHohn]

Rebased. @mikedanese @ncdc any chance to take another look? Thanks!

[ncdc]

The go code changes lgtm, although I have a question if we could do this without adding a flag.

[ncdc]

@liggitt @deads2k what if we just did this instead?

loader := clientcmd.NewDefaultClientConfigLoadingRules()
loader.ExplicitPath = config.KubeConfigFile
kubeConfig, err := clientcmd.BuildConfigFromKubeconfigGetter(masterOverride, loader.Load)

I believe this would allow us to skip adding a "use service account" flag:

1. Use the kubeconfig file, if it's specified in the kube-proxy config
2. Support the master url override
3. Use the in-cluster config if the kubeconfig file is not specified

WDYT? If this is too big or risky of a change, then we can certainly keep what's here in this PR

[MrHohn]

In fact, seems like BuildConfigFromFlags() has supported this use case?

kubernetes/staging/src/k8s.io/client-go/tools/clientcmd/client_config.go

Lines 522 to 539 in 4ee72eb

	// BuildConfigFromFlags is a helper function that builds configs from a master
	// url or a kubeconfig filepath. These are passed in as command line flags for cluster
	// components. Warnings should reflect this usage. If neither masterUrl or kubeconfigPath
	// are passed in we fallback to inClusterConfig. If inClusterConfig fails, we fallback
	// to the default config.
	func BuildConfigFromFlags(masterUrl, kubeconfigPath string) (*restclient.Config, error) {
	if kubeconfigPath == "" && masterUrl == "" {
	glog.Warningf("Neither --kubeconfig nor --master was specified. Using the inClusterConfig. This might not work.")
	kubeconfig, err := restclient.InClusterConfig()
	if err == nil {
	return kubeconfig, nil
	}
	glog.Warning("error creating inClusterConfig, falling back to default config: ", err)
	}
	return NewNonInteractiveDeferredLoadingClientConfig(
	&ClientConfigLoadingRules{ExplicitPath: kubeconfigPath},
	&ConfigOverrides{ClusterInfo: clientcmdapi.Cluster{Server: masterUrl}}).ClientConfig()
	}

If using InClusterConfig() when neither kubeconfig nor masterUrl is specified for kube-proxy is not considered breaking backwards-compat, I'd happy to do it this way. The current behavior is using default API client. cc @luxas

[MrHohn]

Took another look, using BuildConfigFromFlags() seems valid here. As when none of masterUrl nor kubeconfigPath is defined, it will call InClusterConfig(). Then when InClusterConfig() fails, it then falls back to default config. This seems to match the current behavior.

[liggitt]

loader := clientcmd.NewDefaultClientConfigLoadingRules()

That would make kube-proxy honor $KUBECONFIG and $HOME/.kube/config, which seems problematic. Traditionally, we've had server components use explicit flags to specify connection config files, rather than picking up env-based config like $KUBECONFIG.

InClusterConfig() falls somewhere between an explicit --kubeconfig and an implicit $KUBECONFIG or homedir behavior, since it is using paths and envs only intended to be set in a containerized environment.

[ncdc]

The kubeconfig is going to be specific in the config file via --config. We won't support --kubeconfig any more.

Maybe if the kubeconfig in the config file is blank, we fall back to in cluster?

[liggitt]

specific file falling back to InClusterConfig() if unspecified seems ok. Just make sure we don't pull in $KUBECONFIG or $HOME/.kube/config

[ncdc]

K

[ncdc]

@MrHohn can you make the change such that if config.KubeConfigFile is empty, we use the in-cluster config?

[MrHohn]

@ncdc Sounds good, will ping again when ready.

[MrHohn]

@MrHohn can you make the change such that if config.KubeConfigFile is empty, we use the in-cluster config?

Tests passed, PR is ready for review. @ncdc PTAL thanks!

[ncdc]

Do you want to log that it's using in-cluster config?

[liggitt]

+1 on logging why it is falling back to in cluster config. LGTM otherwise

[MrHohn]

Sounds good. Added a log line for this.

[ncdc]

LGTM. @liggitt please check the in-cluster setup.

[MrHohn]

Thanks for reviewing! Removed the dummy commit.

[mikedanese]

cluster changes still looks good.

/lgtm

[k8s-github-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bowei, mikedanese, MrHohn

Associated issue: 281

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

• cluster/addons/kube-proxy/OWNERS [MrHohn,bowei,mikedanese]
• cluster/gce/OWNERS [bowei,mikedanese]
• cmd/OWNERS [mikedanese]

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

[k8s-github-robot]

/test all [submit-queue is verifying that this PR is safe to merge]

[k8s-github-robot]

Automatic merge from submit-queue (batch tested with PRs 52883, 52183, 53915, 53848). If you want to cherry-pick this change to another branch, please follow the instructions here.