Fix errors in configure-multiple-schedulers.md #8540
Conversation
yujunz
commented
May 15, 2018
•
yujunz
commented
- Failed to push docker image
- Errors found in my-scheduler logs
- Failed to push docker image - Errors found in my-scheduler logs ``` ... E0515 06:36:28.180428 1 reflector.go:205] k8s.io/kubernetes/vendor/k8s.io/client-go/informers/factory.go:130: Failed to list *v1beta1.ReplicaSet: replicasets.extensions is forbidden: User "system:serviceaccount:kube-system:default" cannot list replicasets.extensions at the cluster scope ```
k8s-ci-robot
added
cncf-cla: yes
|
Deploy preview for kubernetes-io-master-staging ready! Built with commit 7bed674 https://deploy-preview-8540--kubernetes-io-master-staging.netlify.com |
|
/assign |
| @@ -123,6 +123,14 @@ $ kubectl edit clusterrole system:kube-scheduler | |||
| - update | |||
| ``` | |||
|
|
|||
| my-scheduler runs as the “default” service account in the “kube-system” namespace. To allow it run with super-user access, grant cluster-admin permissions to the “default” service account in the “kube-system” namespace. | |||
There was a problem hiding this comment.
s/"default"/default
s/"kube-system"/kube-system
in other words, replace quotation marks with backticks so that these strings are formatted as code. We use quotation marks in the docs only for strings where strings must be programmatically denoted as such. (There are many violations, but we're trying to clean up ;) )
|
/approve for doc review @kubernetes/sig-scheduling-pr-reviews are y'all the right ones for tech review? |
k8s-ci-robot
added
the
sig/scheduling
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Bradamant3 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
| ``` shell | ||
| kubectl create clusterrolebinding my-scheduler-cluster-admin \ | ||
| --clusterrole=cluster-admin \ | ||
| --serviceaccount=kube-system:default |
There was a problem hiding this comment.
curious why we are not using the system:kube-scheduler clusterole?
There was a problem hiding this comment.
In general, you should not give elevated privileges of cluster-admin to default unless absolutely needed. Did you add my-scheduler to resourceNames of kube-scheduler clusterrole?
There was a problem hiding this comment.
Yes, added. And I also agree that binding cluster-admin is not a good idea.
Changed to system:kube-scheduler
| @@ -44,7 +44,7 @@ For more details, please read the GCR | |||
| [documentation](https://cloud.google.com/container-registry/docs/). | |||
|
|
|||
| ```shell | |||
| docker build -t my-kube-scheduler:1.0 . | |||
| docker build -t gcr.io/my-gcp-project/my-kube-scheduler:1.0 . | |||
There was a problem hiding this comment.
Not sure, if you are pushing it to google cloud container registry. If you are pushing to google container registry the build command seems correct.
There was a problem hiding this comment.
The next line in the document is $ gcloud docker -- push gcr.io/my-gcp-project/my-kube-scheduler:1.0
It will result in the following error:
The push refers to repository [gcr.io/my-gcp-project/my-kube-scheduler]
An image does not exist locally with the tag: gcr.io/my-gcp-project/my-kube-scheduler
|
@tengqm does this look OK now? |
| ``` shell | ||
| kubectl create clusterrolebinding my-scheduler-kube-scheduler \ | ||
| --clusterrole=system:kube-scheduler \ | ||
| --serviceaccount=kube-system:default |
There was a problem hiding this comment.
This could work but ... it is creating another security issue. I'm not a fan of changing the built in accounts. Instead I'd suggest we create a new service account for this.
yujunz
force-pushed
the
patch-1
branch
3 times, most recently
from
bd5504a to
32a6784
Compare
k8s-ci-robot
added
size/M
k8s-ci-robot
added
size/S
| apiVersion: v1 | ||
| kind: ServiceAccount | ||
| metadata: | ||
| name: my-scheduler |
There was a problem hiding this comment.
this is a valid service account name, though ... funny
k8s-ci-robot
added
the
lgtm
