
Fix kindnet permission to support network policies #19360

Merged
merged 3 commits into from
Aug 21, 2024

Conversation

medyagh
Member

@medyagh medyagh commented Jul 31, 2024

This PR gives "list, watch, patch" permissions for "namespaces" and "pods" to kindnet,
and "get, list, watch" for "networkpolicies".

Before this PR

$ kc logs kindnet-9mcm2 -n kube-system

 18:22:52.776415       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
E0731 18:22:52.776465       1 reflector.go:150] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
W0731 18:22:53.056062       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "networkpolicies" in API group "networking.k8s.io" at the cluster scope
E0731 18:22:53.056153       1 reflector.go:150] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: Failed to watch *v1.NetworkPolicy: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "networkpolicies" in API group "networking.k8s.io" at the cluster scope
I0731 18:22:57.041388       1 main.go:295] Handling node with IPs: map[192.168.58.2:{}]
I0731 18:22:57.041505       1 main.go:299] handling current node
I0731 18:23:07.041727       1 main.go:295] Handling node with IPs: map[192.168.58.2:{}]
I0731 18:23:07.041843       1 main.go:299] handling current node
W0731 18:23:08.695269       1 reflector.go:547] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope
E0731 18:23:08.695410       1 reflector.go:150] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:232: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope

After this PR

$ kc logs kindnet-ncrmw -n kube-system
I0731 18:20:49.133197       1 main.go:109] connected to apiserver: https://10.96.0.1:443
I0731 18:20:49.133466       1 main.go:139] hostIP = 192.168.76.2
podIP = 192.168.76.2
I0731 18:20:49.133626       1 main.go:148] setting mtu 65535 for CNI 
I0731 18:20:49.133644       1 main.go:178] kindnetd IP family: "ipv4"
I0731 18:20:49.133652       1 main.go:182] noMask IPv4 subnets: [10.244.0.0/16]
I0731 18:20:49.445874       1 controller.go:334] Starting controller kube-network-policies
I0731 18:20:49.445896       1 controller.go:338] Waiting for informer caches to sync
I0731 18:20:49.445902       1 shared_informer.go:313] Waiting for caches to sync for kube-network-policies
I0731 18:20:49.746685       1 shared_informer.go:320] Caches are synced for kube-network-policies
I0731 18:20:49.746731       1 metrics.go:61] Registering metrics
I0731 18:20:49.746821       1 controller.go:374] Syncing nftables rules
I0731 18:20:59.447037       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:20:59.447301       1 main.go:299] handling current node
I0731 18:21:09.450421       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:09.450502       1 main.go:299] handling current node
I0731 18:21:19.454696       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:19.454788       1 main.go:299] handling current node
I0731 18:21:29.454483       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:29.454576       1 main.go:299] handling current node
I0731 18:21:39.448905       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:39.448997       1 main.go:299] handling current node

might fix #19357
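As an added check (not code from this PR or from the minikube project), a small parser that pulls the RBAC denials out of kindnet's reflector log lines, turns them into the rule set that would satisfy them, and confirms that the grant described in this PR covers every logged denial. The sample log lines and `PR_RULES` are constructed from the description above.

```python
import re

# Denial format emitted by client-go reflectors, as in the kindnet logs quoted in this PR:
#   ... is forbidden: User "<user>" cannot <verb> resource "<res>" in API group "<group>" ...
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
)

# Constructed sample, modelled on the "before this PR" log above (abbreviated, one line per denial).
SAMPLE_LOG = [
    'W0731 18:22:52.776415 1 reflector.go:547] failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope',
    'E0731 18:22:53.056153 1 reflector.go:150] Failed to watch *v1.NetworkPolicy: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "networkpolicies" in API group "networking.k8s.io" at the cluster scope',
    'W0731 18:23:08.695269 1 reflector.go:547] failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope',
    'I0731 18:23:07.041727 1 main.go:295] Handling node with IPs: map[192.168.58.2:{}]',
]

# Grant as stated in the PR description (a reconstruction, not the manifest's actual rules).
PR_RULES = [
    {"apiGroups": [""], "resources": ["namespaces", "pods"], "verbs": ["list", "watch", "patch"]},
    {"apiGroups": ["networking.k8s.io"], "resources": ["networkpolicies"], "verbs": ["get", "list", "watch"]},
]


def missing_permissions(log_lines):
    """Return the set of (user, api_group, resource, verb) tuples denied in the log."""
    denied = set()
    for line in log_lines:
        m = FORBIDDEN_RE.search(line)
        if m:
            denied.add((m["user"], m["group"], m["resource"], m["verb"]))
    return denied


def rbac_rules(denied, user):
    """Turn one user's denials into minimal Role/ClusterRole rule dicts, one per (group, resource).
    Lower bound only: a reflector stops at the first denied verb (list), so a watch denial is
    never logged until list is granted; rerun after applying the new rules."""
    by_target = {}
    for u, group, resource, verb in denied:
        if u == user:
            by_target.setdefault((group, resource), set()).add(verb)
    return [{"apiGroups": [group], "resources": [resource], "verbs": sorted(verbs)}
            for (group, resource), verbs in sorted(by_target.items())]


def uncovered(rules, denied):
    """Denials that no rule in `rules` satisfies; an empty set means the grant is sufficient."""
    return {d for d in denied
            if not any(d[1] in r["apiGroups"] and d[2] in r["resources"] and d[3] in r["verbs"]
                       for r in rules)}
```

Note that the logged denials alone only justify `list`; `watch` surfaces once `list` works, and `patch` is not called for by any of these log lines, so it is worth confirming separately that kindnet needs it.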

@k8s-ci-robot k8s-ci-robot requested review from prezha and spowelljr July 31, 2024 18:04
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 31, 2024
@k8s-ci-robot k8s-ci-robot added size/S Denotes a PR that changes 10-29 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 31, 2024
@medyagh medyagh changed the title Fixcrioingress Fix kindnet permission issues Jul 31, 2024
@medyagh
Member Author

medyagh commented Jul 31, 2024

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jul 31, 2024
@minikube-pr-bot

kvm2 driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 19360) |
+----------------+----------+---------------------+
| minikube start | 50.9s    | 52.0s               |
| enable ingress | 25.6s    | 26.8s               |
+----------------+----------+---------------------+

Times for minikube start: 50.2s 51.5s 50.7s 50.6s 51.7s
Times for minikube (PR 19360) start: 48.7s 51.2s 52.8s 52.0s 55.0s

Times for minikube (PR 19360) ingress: 27.0s 24.9s 28.0s 27.0s 26.9s
Times for minikube ingress: 23.4s 24.9s 28.0s 23.9s 28.0s

docker driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 19360) |
+----------------+----------+---------------------+
| minikube start | 21.5s    | 23.6s               |
| enable ingress | 21.8s    | 21.9s               |
+----------------+----------+---------------------+

Times for minikube (PR 19360) start: 25.2s 22.3s 24.7s 24.3s 21.2s
Times for minikube start: 21.3s 22.2s 21.2s 21.9s 21.0s

Times for minikube ingress: 21.8s 21.8s 22.3s 21.8s 21.3s
Times for minikube (PR 19360) ingress: 21.8s 21.8s 21.3s 21.8s 22.8s

docker driver with containerd runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 19360) |
+----------------+----------+---------------------+
| minikube start | 20.6s    | 22.9s               |
| enable ingress | 45.8s    | 40.8s               |
+----------------+----------+---------------------+

Times for minikube start: 19.7s 23.1s 20.5s 19.9s 19.9s
Times for minikube (PR 19360) start: 23.3s 23.5s 22.9s 20.5s 24.0s

Times for minikube (PR 19360) ingress: 31.8s 48.3s 42.8s 33.3s 47.7s
Times for minikube ingress: 38.3s 46.8s 47.3s 48.3s 48.3s

@minikube-pr-bot

Here are the top 10 failed tests in each environment with the lowest flake rate.

+------------------------------------------+----------------------------------------------------------------+------------+
| ENVIRONMENT                              | TEST NAME                                                      | FLAKE RATE |
+------------------------------------------+----------------------------------------------------------------+------------+
| Docker_Linux_crio_arm64 (3 failed)       | TestStartStop/group/old-k8s-version/serial/SecondStart(gopogh) | 3.57%      |
| Docker_Linux_containerd_arm64 (2 failed) | TestStartStop/group/old-k8s-version/serial/SecondStart(gopogh) | 46.75%     |
+------------------------------------------+----------------------------------------------------------------+------------+

Besides the following environments also have failed tests:

To see the flake rates of all tests by environment, click here.

@medyagh medyagh changed the title Fix kindnet permission issues WIP: Fix kindnet permission issues Aug 2, 2024
@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 2, 2024
@@ -55,6 +57,14 @@ rules:
- configmaps
verbs:
- get
- apiGroups:
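Review bot: only the context lines of this hunk (`- configmaps`, `verbs:`, `- get`, `- apiGroups:`) survive here, so the eight net added lines announced by `@@ -55,6 +57,14 @@` cannot be checked against the page; per the description they grant `list`, `watch`, `patch` on `namespaces` and `pods` and `get`, `list`, `watch` on `networkpolicies`. The `patch` verb on pods and namespaces is a write permission that none of the logged denials (all `list`) asks for; confirm the kube-network-policies controller in kindnet actually needs it, otherwise drop it so the ClusterRole stays read-only.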
Member


We added new functionality in Kubernetes to support network policies: kubernetes-sigs/kind#3612

@medyagh medyagh changed the title WIP: Fix kindnet permission issues Fix kindnet permission to support network policies Aug 21, 2024
@k8s-ci-robot k8s-ci-robot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 21, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: medyagh, spowelljr

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@medyagh medyagh merged commit 1788ab7 into kubernetes:master Aug 21, 2024
35 of 46 checks passed
Successfully merging this pull request may close these issues.

ingress not working on Crio