Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Don't try to migrate to new roles and rolebinding within 1.7 upgrades #53338

Merged
merged 1 commit into from
Oct 10, 2017

Conversation

kad
Copy link
Member

@kad kad commented Oct 2, 2017

What this PR does / why we need it:

If user uses kubeadm 1.8.0 to upgrade within 1.7.x versions, don't try to migrate to new RBAC rules and names. It will lead to errors like described in kubernetes/kubeadm#475

Which issue this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close that issue when PR gets merged): kubernetes/kubeadm#475

Special notes for your reviewer:

Release note:

kubeadm 1.8 now properly handles upgrades from to 1.7.x to newer release in 1.7 branch

@k8s-ci-robot k8s-ci-robot added release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Oct 2, 2017
@k8s-github-robot k8s-github-robot added the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label Oct 2, 2017
@kad
Copy link
Member Author

kad commented Oct 2, 2017

cc @luxas

if err := clusterinfo.CreateClusterInfoRBACRules(client); err != nil {
errs = append(errs, err)
// Not needed for 1.7 upgrades
if k8sVersion.AtLeast(constants.UseEnableBootstrapTokenAuthFlagVersion) {
Copy link
Member

@liggitt liggitt Oct 3, 2017

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is incorrect... we still need this permission set up for 1.7 installs. this version constant just controls whether we use the --enable-bootstrap-token-auth or --experimental-bootstrap-token-auth flag. In either case, we require the RBAC permissions.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It exists if 1.7.x was initialized with kubeadm. Only with different roleRef than expected in 1.8.
Not running it, means cluster will be in the same state as it was expected within 1.7.x (no role/bindings migrations to 1.8 naming schema).

That's what @luxas suggested. First version of that PR had migration to 1.8 naming schema even in cases of 1.7.x->1.7.x upgrade.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ah, this is just the upgrade path. this still seems like a fragile way to determine what changes are needed, but I'll defer to @luxas.

were all currently supported upgrade paths tested with this change?
1.7.x -> 1.7.y upgrade
1.7.x -> 1.8.x upgrade
1.8.0 -> 1.8.0 "upgrade"

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I've tested following on my development cluster:

  • install fresh cluster version 1.7.3 using kubeadm 1.7.5
    • old roles/bindings naming schema
  • upgrade 1.7.3 to 1.7.7 using modified kubeadm 1.8.0
    • no roles/binding changes, old names/values
  • upgrade 1.7.7 to 1.8.0-rc.1 using modified kubeadm 1.8.0
    • roles/bindings migrated to 1.8 schema
  • upgrade 1.8.0-rc.1 to 1.8.0 using modified kubeadm 1.8.0
    • roles/bindings in 1.8 naming schema

@jpbetz
Copy link
Contributor

jpbetz commented Oct 9, 2017

Heads up- We're planning to cut 1.8.1 early this week. If this is a critical fix that will need to be in 1.8.1 please let me know, otherwise we can aim for 1.8.2.

Copy link
Member

@luxas luxas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 9, 2017
@k8s-github-robot
Copy link

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kad, luxas

Associated issue: 475

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these OWNERS Files:

You can indicate your approval by writing /approve in a comment
You can cancel your approval by writing /approve cancel in a comment

@k8s-github-robot k8s-github-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 9, 2017
@luxas
Copy link
Member

luxas commented Oct 9, 2017

@jpbetz Yes, I'd really like this to make v1.8.1, it's a bug in one upgrade case.
Is that possible?

@luxas
Copy link
Member

luxas commented Oct 9, 2017

@jpbetz FWIW; the kubeadm e2e job is broken due to some test-infra bazel stuff; but CI jobs are passing, so please ignore the PR job e2e failure above. Currently the job fails fast and doesn't even start testing anything. We're looking into it and working on it.

@jpbetz
Copy link
Contributor

jpbetz commented Oct 9, 2017

@luxas Is this 1.8.1 only or has it also been committed to master? If it's 1.8.1 only, I'd like to make sure the e2e tests are healthy since I don't have the master branch tests to give me more confidence. Can you provide any more detail on what exactly about the test-infra is failing?

And it looks like only pull-kubernetes-e2e-kubeadm-gce is failing... maybe just retest it?

/test pull-kubernetes-e2e-kubeadm-gce

@jpbetz jpbetz added cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cherrypick-candidate labels Oct 9, 2017
@k8s-github-robot k8s-github-robot removed the do-not-merge/cherry-pick-not-approved Indicates that a PR is not yet approved to merge into a release branch. label Oct 9, 2017
@k8s-cherrypick-bot
Copy link

Removing label cherrypick-candidate because no release milestone was set. This is an invalid state and thus this PR is not being considered for cherry-pick to any release branch. Please add an appropriate release milestone and then re-add the label.

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

1 similar comment
@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

@jpbetz
Copy link
Contributor

jpbetz commented Oct 10, 2017

/test pull-kubernetes-unit

@kad
Copy link
Member Author

kad commented Oct 10, 2017

@jpbetz it is 1.8.1 only. This fix is for case 1.7.x->1.7.x upgrade issue, and master (1.9) already dropped support for 1.7.x.

@luxas
Copy link
Member

luxas commented Oct 10, 2017

Unit tests seem to be flaky.
/retest

@jpbetz it's only the presubmit that for some day now hasn't been able to start. But things are green on the v1.8 e2e postsubmit, which is the real indicator: https://k8s-testgrid.appspot.com/sig-cluster-lifecycle#periodic-kubeadm-gce-1.8
So we'll get this merged, verify that things are green in that job, and then proceed

@fejta-bot
Copy link

/retest
This bot automatically retries jobs that failed/flaked on approved PRs (send feedback to @fejta).

Review the full test history for this PR.

@k8s-github-robot
Copy link

/test all [submit-queue is verifying that this PR is safe to merge]

@k8s-github-robot
Copy link

Automatic merge from submit-queue.

@k8s-github-robot k8s-github-robot merged commit 3a1e695 into kubernetes:release-1.8 Oct 10, 2017
@k8s-cherrypick-bot
Copy link

Commit found in the "release-1.8" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.

@k8s-ci-robot
Copy link
Contributor

@kad: The following test failed, say /retest to rerun them all:

Test name Commit Details Rerun command
pull-kubernetes-e2e-kubeadm-gce c24087a link /test pull-kubernetes-e2e-kubeadm-gce

Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cherry-pick-approved Indicates a cherry-pick PR into a release branch has been approved by the release branch manager. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. release-note Denotes a PR that will be considered when it comes time to generate release notes. size/S Denotes a PR that changes 10-29 lines, ignoring generated files.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

10 participants