Cherry-pick #3908: Fix the requirement for VAP #3977
Conversation
k8s-ci-robot
added
release-note-none
varshaprasad96
changed the title
k8s-ci-robot
added
the
size/XXL
✅ Deploy Preview for kubernetes-sigs-kueue canceled.
|
|
It looks suspiciously many files updated compared to the original fix. Can you double check |
varshaprasad96
force-pushed
the
fix-vap
branch
from
68ee180 to
123a4ee
Compare
varshaprasad96
changed the title
|
@mimowo k8s/apiserver was a dependency added for the kube-rbac deprecation. The original PR did not require adding that dependency since it was already in 0.10. The vendor package was added due to the plugins requiring apiserver. |
|
The two commit squares to one which makes confuse to review. Maybe cherry-picking two commits independently would be good. |
|
I see, so the dependency was added here when removing the plugins from the visibility server: #3923. In that case, I want to split the PR into two, mostly to have the commit history consistent in main, release-0.10 and release-0.9. Also, note that this PR proposes to cherry-pick to 0.9 code which has not yet been cherry-picked to 0.10. We need to first decide on cherry-picking #3923 to 0.10 before going to 0.9 directly. @tenzen-y should we say that #3923 is part of #3496 and cherry-pick it to 0.10 and 0.9? |
|
OTOH, #3923 feels more like a drive-by improvement rather than part of the bugfix to #3496. So, IIUC I would suggest to only limit the cherry-pick to bugfix for #3496. #3923 seems like a nice follow up but it remains unclear to me if it fixes any practical problem. If this is the case I would suggest to just keep it in main. |
|
/hold |
k8s-ci-robot
added
the
do-not-merge/hold
I don't think this is accurate since #3923 hasn't been cherry-picked to 0.10 branch. I don't see the depencencies on the release-0.10 branch in the modules.txt |
varshaprasad96
force-pushed
the
fix-vap
branch
from
123a4ee to
96ebb1d
Compare
k8s-ci-robot
added
size/S
varshaprasad96
changed the title
|
@mimowo @bobsongplus Updated to be only the cherry-pick #3908 |
|
Looking into the failures 👀 |
+1 on Michal. IIUC, #3923 is performance improvements. So, I recommended doing that as a follow-up to the original PR. |
pkg/visibility/server.go
Outdated
| @@ -19,6 +19,7 @@ package visibility | |||
| import ( | |||
| "context" | |||
| "fmt" | |||
| validatingadmissionpolicy "k8s.io/apiserver/pkg/admission/plugin/policy/validating" | |||
There was a problem hiding this comment.
Move to the group with Line 27-32.
varshaprasad96
force-pushed
the
fix-vap
branch
from
96ebb1d to
f3e2dc2
Compare
| @@ -37,9 +37,6 @@ const ( | |||
|
|
|||
| // +kubebuilder:rbac:groups="",resources=secrets,verbs=get;list;watch;update | |||
| // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=mutatingwebhookconfigurations,verbs=get;list;watch;update | |||
| // +kubebuilder:rbac:groups="admissionregistration.k8s.io",resources=validatingwebhookconfigurations,verbs=get;list;watch;update | |||
There was a problem hiding this comment.
@varshaprasad96 this probably should not be removed, looking here: https://github.com/kubernetes-sigs/kueue/pull/3908/files#diff-d8800d9157feef2105fa59914df47a17ec8145a3242396fe47657894ac591241R40
| @@ -73,21 +73,11 @@ rules: | |||
| - admissionregistration.k8s.io | |||
| resources: | |||
| - mutatingwebhookconfigurations | |||
| - validatingwebhookconfigurations | |||
There was a problem hiding this comment.
Looking at the PR https://github.com/kubernetes-sigs/kueue/pull/3908/files# this should not be removed.
config/components/rbac/role.yaml
Outdated
| @@ -72,21 +72,11 @@ rules: | |||
| - admissionregistration.k8s.io | |||
| resources: | |||
| - mutatingwebhookconfigurations | |||
| - validatingwebhookconfigurations | |||
There was a problem hiding this comment.
Looking at the PR https://github.com/kubernetes-sigs/kueue/pull/3908/files# this should not be removed.
There was a problem hiding this comment.
Yep, that was the issue for getting stuck at waitForKueueReady. Just pushed the changes, I think it should work now.
There was a problem hiding this comment.
This one yet: https://github.com/kubernetes-sigs/kueue/pull/3977/files#r1920444008, right?
There was a problem hiding this comment.
Ah! my bad! Sorry!
varshaprasad96
force-pushed
the
fix-vap
branch
from
f3e2dc2 to
ed51e9f
Compare
VAP is a default admission plugin enabled while starting an API server for visibility. The Kueue controller has additional permissions to watch those GVKs even though it is not required. Disabling the plugin from api server helps in keeping it minimal and maintaining compatibility with previous versions of K8s. Signed-off-by: Varsha Prasad Narsing <[email protected]>
varshaprasad96
force-pushed
the
fix-vap
branch
from
ed51e9f to
756da95
Compare
|
/release-note-edit |
k8s-ci-robot
added
release-note
|
/hold cancel |
k8s-ci-robot
removed
the
do-not-merge/hold
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
LGTM label has been added. Git tree hash: 7000c8db6eb8159037ffaf45199000193a7ca16f
|
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mimowo, varshaprasad96 The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
|
/kind bug |
What type of PR is this?
Cherry-pick: #3908
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?