Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Specify node taint on node join #209

Closed
andrewrynhard opened this issue Mar 24, 2017 · 9 comments
Closed

Specify node taint on node join #209

andrewrynhard opened this issue Mar 24, 2017 · 9 comments
Assignees
@timothysc @fabriziopandini
Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone
v1.11

Comments

@andrewrynhard
Copy link

Similar to #202, we should have an option to taint a node on join. One use case is when a cluster would have a set of nodes dedicated for ingress-controllers. A DaemonSet could be deployed that can use the label option in #202, and the taint option here. Otherwise this is a manual process.
@fabriziopandini fabriziopandini mentioned this issue May 20, 2017
Closed
@fabriziopandini
Copy link
Member

I'm working on a PR on this and #202

@luxas
Copy link
Member

luxas commented May 21, 2017

See my comment: #202 (comment)

@fabriziopandini fabriziopandini mentioned this issue May 26, 2017
Closed
@jamiehannaford jamiehannaford added kind/enhancement priority/backlog Higher priority than priority/awaiting-more-evidence. labels Oct 10, 2017
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 8, 2018
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

1 similar comment
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@errordeveloper
Copy link
Member

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 22, 2018
@timothysc timothysc added help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. triaged labels Jan 31, 2018
@timothysc timothysc added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed help wanted Denotes an issue that needs help from a contributor. Must meet "help wanted" guidelines. priority/backlog Higher priority than priority/awaiting-more-evidence. triaged labels Apr 7, 2018
@timothysc timothysc added this to the v1.11 milestone Apr 7, 2018
@timothysc
Copy link
Member

/assign @fabriziopandini @timothysc

@fabriziopandini Is there anything left todo.

@fabriziopandini
Copy link
Member

fabriziopandini commented Apr 9, 2018
edited
Loading

@timothysc this is still not addressed.

Following options were considered and then discarded:

  1. generate systemd drop-ins and restart kubelet
  2. use dynamic kubelet config

The only option left on the table is to wait for the node to join and then send labels to the apiserver, but it is kind of risky for worker nodes - were the only identity you get is the token - (see #202 (comment) from JBeda).

IMO we can create all the necessary facilities and the let the user explicitly opt-in:

  • create a new phase that generates a new RBAC role that allows to taint/label and nodes (but not assign tokens to this rule)
  • let the user to use kubeadm create token to create additional tokens assigned to the above role
  • modify kubeadm join for applying labels/taint or fail gracefully if the token doesn't have necessary grants.

WDYT?

@timothysc
Copy link
Member

timothysc commented Apr 25, 2018
edited
Loading

So the auth folks have ki-boshed this idea as a sec-hole.

kubernetes/kubernetes#63167

I think we're going to have to admin control.

@luxas luxas mentioned this issue May 22, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@timothysc timothysc

@fabriziopandini fabriziopandini

Labels
priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Projects
None yet
Milestone
v1.11
Development

No branches or pull requests
8 participants
@timothysc @errordeveloper @jamiehannaford @andrewrynhard @fabriziopandini @luxas @k8s-ci-robot @fejta-bot