k3s/federation
Kubernetes Submit Queue 3b9eb1a875 Merge pull request #43876 from caesarxuchao/blockOwnerDeletion-admission
Automatic merge from submit-queue (batch tested with PRs 44440, 44038, 44302, 44316, 43876)

Extend the gc admission plugin to check ownerReference.blockOwnerDeletion

Extend the gc admission plugin to prevent a user who doesn't have delete permission of the *owner* from changing the blockOwnerDeletion field of existing ownerReferences, or adding an ownerReference with blockOwnerDeletion=true.

The plugin needs a RESTMapper to translate ownerRef.Kind to Resource. It should be using a dynamic one. However, as discussed in https://github.com/kubernetes/kubernetes/pull/42615, such a RESTMapper will be built after the watchable discovery API is implemented, so in this PR the plugin is using the `api.Registry.RESTMapper()`, which is also [used](https://github.com/kubernetes/kubernetes/blob/master/cmd/kube-controller-manager/app/core.go#L165-L166) by the garbage collector currently.

```release-note
Extending the gc admission plugin so that a user who doesn't have delete permission of the *owner* cannot modify blockOwnerDeletion field of existing ownerReferences, or add new ownerReference with blockOwnerDeletion=true
```

cc @lavalamp
2017-04-13 23:18:06 -07:00
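
The rule stated in the commit message above, sketched as an added Go example (not the plugin's code from the PR). OwnerRef, refsNeedingCheck, Admit and the canDelete callback are hypothetical names, and the UID is constructed.

```go
package main

import "fmt"

// OwnerRef is a simplified, hypothetical stand-in for a Kubernetes ownerReference.
type OwnerRef struct {
	Kind, Name, UID    string
	BlockOwnerDeletion *bool // nil is treated as false
}

func blocking(r OwnerRef) bool { return r.BlockOwnerDeletion != nil && *r.BlockOwnerDeletion }

// refsNeedingCheck returns the references in updated that the rule covers:
// new references with blockOwnerDeletion=true, and existing references
// (matched by UID) whose blockOwnerDeletion value changed.
func refsNeedingCheck(old, updated []OwnerRef) []OwnerRef {
	prev := make(map[string]OwnerRef, len(old))
	for _, r := range old {
		prev[r.UID] = r
	}
	var out []OwnerRef
	for _, r := range updated {
		o, existed := prev[r.UID]
		if (!existed && blocking(r)) || (existed && blocking(o) != blocking(r)) {
			out = append(out, r)
		}
	}
	return out
}

// Admit rejects the change if the user lacks delete permission on any covered owner.
// canDelete is an assumed callback standing in for the Kind-to-Resource lookup
// (the RESTMapper) plus the authorizer query for the "delete" verb.
func Admit(user string, old, updated []OwnerRef, canDelete func(user string, owner OwnerRef) bool) error {
	for _, r := range refsNeedingCheck(old, updated) {
		if !canDelete(user, r) {
			return fmt.Errorf("user %q may not set blockOwnerDeletion on the reference to %s/%s: no delete permission on the owner", user, r.Kind, r.Name)
		}
	}
	return nil
}

func main() {
	yes := true
	rs := OwnerRef{Kind: "ReplicaSet", Name: "web", UID: "constructed-uid-1", BlockOwnerDeletion: &yes}
	deny := func(string, OwnerRef) bool { return false }
	fmt.Println(Admit("alice", nil, []OwnerRef{rs}, deny))                   // rejected: new blocking reference
	fmt.Println(Admit("alice", []OwnerRef{rs}, []OwnerRef{rs}, deny) == nil) // accepted: nothing changed
}
```

A create request is the case where old is empty, so every reference with blockOwnerDeletion=true is checked.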
apis Remove vestiges of defaulting from conversion path, switch to top-level default registration only 2017-04-12 13:36:15 -04:00
client Update client 2017-02-28 15:34:34 +01:00
cluster Merge pull request #42748 from dcbw/cfssl-localup 2017-04-10 14:27:11 -07:00
cmd add gc admission plugin that prevents user who doesn't have delete permission of the owner from setting blockOwnerDeletion 2017-04-13 11:55:22 -07:00
deploy
develop Move push-federation-images.sh to federation and implement similar functionality in jenkins build directory for presubmits. 2017-02-27 17:54:37 -08:00
docs/api-reference add singular resource names to discovery 2017-03-21 11:04:08 -04:00
manifests Release 3.0.17 etcd image 2017-02-27 16:23:44 +01:00
pkg Merge pull request #43297 from mvdan/kubectl-params 2017-04-13 04:07:21 -07:00
registry/cluster Updating the registry to return whether the resource was immediately deleted 2017-02-21 11:00:35 -08:00
BUILD fed: Add integration test for secrets 2017-03-30 12:58:39 -07:00
Makefile
OWNERS fed: Add marun as reviewer 2017-02-09 09:50:57 -08:00
README.md

README.md

Cluster Federation

Kubernetes Cluster Federation enables users to federate multiple Kubernetes clusters. Please see the user guide and the admin guide for more details about setting up and using the Cluster Federation.

Building Kubernetes Cluster Federation

Please see the Kubernetes Development Guide for initial setup. Once you have the development environment set up as explained in that guide, you also need to install jq.

Building cluster federation artifacts should be as simple as running:

make build

You can specify the docker registry to tag the image using the KUBE_REGISTRY environment variable. Please make sure that you use the same value in all the subsequent commands.

To push the built docker images to the registry, run:

make push

To initialize the deployment run:

(This pulls the installer images)

make init

To deploy the clusters and install the federation components, edit the ${KUBE_ROOT}/_output/federation/config.json file to describe your clusters and run:

make deploy

To turn down the federation components and tear down the clusters run:

make destroy

Ideas for improvement

  1. Continue with destroy phase even in the face of errors.

    The bash script sets errexit (set -e), which causes the script to exit at the very first error. This should be the default mode for deploying components, but not for destroying/cleanup.
