Remove dependency of the API onto the typed cluster-api client #2914
Conversation
Upstream removed the triple package[0], in order to be able to upgrade client-go we need to have a downsream version. [0] kubernetes/kubernetes#70966
* split kubermatic alerts into master and seed * rebuild outdated alerting rules
kubermatic-bot
added
release-note-none
| func findMachineAndNode(name string, machineClient clusterv1alpha1clientset.Interface, kubeClient kubernetes.Interface) (*clusterv1alpha1.Machine, *corev1.Node, error) { | ||
| machineList, err := machineClient.ClusterV1alpha1().Machines(metav1.NamespaceSystem).List(metav1.ListOptions{IncludeUninitialized: true}) | ||
| if err != nil { | ||
| func findMachineAndNode(ctx context.Context, name string, client ctrlruntimeclient.Client) (*clusterv1alpha1.Machine, *corev1.Node, error) { |
There was a problem hiding this comment.
What has to be noted here is that so far the machineClient was sometimes an impersoanted client and sometimes not, but the kubeClient has always been an admin client. I am not completely sure if its okay to change it like this but then again, why should one of the clients have more permissions than the user?
There was a problem hiding this comment.
only the legacy endpoints should use admin machineClient, the new endpoints must use impersonated version. kubeClient is only used (node_v1) by nodes endpoints to find corresponding machines and as we don't add RBAC Roles/Bindings to nodes we use the admin client.
There was a problem hiding this comment.
I dont follow. So is it okay to use or not use the same impersonation for the kubeClient as for the machineClient?
There was a problem hiding this comment.
no, no impersonation for kubeClient - there are no RBAC Roles/Bindings in place for node resources.
There was a problem hiding this comment.
Any objections against extending the existing roles to allow a get on node resources?
There was a problem hiding this comment.
sure go ahead, we were planing to add RBAC to more resources if not all in the future.
alvaroaleman
changed the title
|
/retest |
1 similar comment
|
/retest |
|
/retest |
|
/assign @zreigz |
|
I think something is missing here. I have errors |
|
yes, it's my internal problem for @p0lyn0mial everything works fine. Also @maciaszczykm has the same problem with running our system locally. For him also usercluster-controller can not start. I will investigate it later. |
|
LGTM label has been added. Git tree hash: 48b7a70d0a197b3a3674f9b851b1a868f2e7be03
|
| GetApiextensionsClient(*kubermaticv1.Cluster, ...ConfigOption) (apiextensionsclientset.Interface, error) | ||
| GetAdmissionRegistrationClient(*kubermaticv1.Cluster, ...ConfigOption) (admissionregistrationclientset.AdmissionregistrationV1beta1Interface, error) | ||
| GetKubeAggregatorClient(*kubermaticv1.Cluster, ...ConfigOption) (aggregationclientset.Interface, error) | ||
| GetDynamicClient(*kubermaticv1.Cluster, ...ConfigOption) (ctrlruntimeclient.Client, error) |
There was a problem hiding this comment.
this is really nice, the interface for interacting with API is clean :) What's the current status of the library (controller-runtime/pkg/client) ? Isn't in alpha ? Are there any known limitations ?
There was a problem hiding this comment.
Isn't in alpha ?
No, where did you get that from?
We already use it in various places like e.G.:
- User Cluster Controller and User Cluster RBAC controller
- Openshift controller
- Partly in the cluster controller (dynamic cache from controller-runtime)
We plan to eventually make all controllers controller-runtime based because it is a lot easier to use than direct client-go and also reduces the amount of boilerplate needed for controllers drastically, making the code faster to read and the actual business logic easier to find. So if there are actual issues I would vote to just fix them upstream.
It is also used by e.G. the cluster-api project. I can't find anything in the docs that says it was alpha.
Are there any known limitations ?
The fake client seems to be a bit more limited and there is no DeleteCollection although there is a open WIP PR for that. Other than that none that I am aware of.
There was a problem hiding this comment.
Usually major number of 0 is used to indicate pre release versions, see https://github.com/kubernetes-sigs/controller-runtime/releases
other than that it looks really nice :)
ack, tested on my local machine and it actually works ! :) |
|
/lgtm |
|
/approve |
api/cmd/kubermatic-api/main.go
Outdated
| @@ -114,9 +114,14 @@ func createInitProviders(options serverRunOptions) (providers, error) { | |||
| kubermaticSeedInformerFactory := kubermaticinformers.NewSharedInformerFactory(kubermaticSeedClient, informer.DefaultInformerResyncPeriod) | |||
| defaultImpersonationClientForSeed := kubernetesprovider.NewKubermaticImpersonationClient(cfg) | |||
|
|
|||
| userClusterConnectionProvider, err := client.NewExternal(kubeInformerFactory.Core().V1().Secrets().Lister()) | |||
| if err != nil { | |||
| glog.Fatalf("failed to get usreClusterConnectionProvider: %v", err) | |||
There was a problem hiding this comment.
typo + return an error here. Only die with a fatal inside the main func
| @@ -25,6 +25,7 @@ type reconciler struct { | |||
|
|
|||
| // Reconcile creates and updates ClusterRoles and ClusterRoleBinding to achieve the desired state | |||
| func (r *reconciler) Reconcile(resourceName string) error { | |||
| glog.Infof("Reconciling RBAC for %s", resourceName) | |||
There was a problem hiding this comment.
this might rather be a glog.V(4) ? WDYT?
|
/approve |
kubermatic-bot
added
the
approved
| @@ -58,6 +58,11 @@ func GenerateRBACClusterRole(resourceName string) (*rbacv1.ClusterRole, error) { | |||
| Resources: []string{machinedeployments, machines}, | |||
| Verbs: verbs, | |||
| }, | |||
| { | |||
| APIGroups: []string{""}, | |||
| Resources: []string{"nodes"}, | |||
There was a problem hiding this comment.
i'm going to add an issue to our backlog to create different verbs for different groups as we do for other resources.
/cc @zreigz
There was a problem hiding this comment.
I don't follow. This is a per-resource setting, not a per-group one. And what's the advantage of factoring it out?
There was a problem hiding this comment.
no, this is per-group (this method will be called for each group we have - owners, editors, viewers), see: https://github.com/kubermatic/kubermatic/blob/master/api/pkg/controller/rbac-user-cluster/controller.go#L24
the advantage is a unified access to a cluster, for example readers can only view resources.
|
/lgtm |
|
LGTM label has been added. Git tree hash: 8969734a4c19f3390f0de534a91e8fa712c22c57
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: kron4eg, mrIncompetent, p0lyn0mial The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
Sorry for the delay! |
|
LGTM label has been added. Git tree hash: 6414cb692a3f710a22ddba9c73fe9c93fba08191
|
What this PR does / why we need it:
Removes the dependency to the typed cluster api clientset from everywhere except the IPAM controller. The purpose of this effort is to reduce the transient dependency on the client-go version that is used by the cluster-api project.
IMHO the code also gets easier as we don't need a variety of typed clients but instead can use just one client for everything.
Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #
Special notes for your reviewer:
Documentation:
Release note: