Kubelet & API changes for Windows GMSA support by wk8 · Pull Request #75459 · kubernetes/kubernetes

wk8 · 2019-03-19T00:28:35Z

What type of PR is this?
/kind feature

What this PR does / why we need it:
This patch comprises the kubelet & API changes outlined in the Windows GMSA KEP
(https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20181221-windows-group-managed-service-accounts-for-container-identity.md)
to add GMSA support to Windows workloads.

This essentially means moving the GMSA cred spec names & contents
from annotations to dedicated API fields.
More specifically, this is affecting PodSecurityContext and SecurityContext
structs, adding a WindowsOptions object to both.

Updated tests.

Special notes for your reviewer:
Still a WIP, will also update the webhook
(https://github.com/kubernetes-sigs/windows-gmsa)
to ensure all is in order before merging.

Does this PR introduce a user-facing change?:

API changes and deprecating the use of special annotations for Windows GMSA support (version beta)

wk8 · 2019-03-19T00:30:06Z

Putting on hold until the webhook is upated too.

wk8 · 2019-03-19T00:31:16Z

/hold

wk8 · 2019-03-19T00:31:56Z

/sig windows

ddebroy

Overall looks good. Once comment about removing the feature flag. While the link to the KEP is useful, can you update the PR description please with the API objects changed: PodSecurityContext and SecurityContext) and the new fields introduced?

pkg/features/kube_features.go

ddebroy · 2019-03-19T00:57:59Z

/assign @liggitt @yujuhong

ddebroy · 2019-03-19T06:08:44Z

Looks like the following will need to be run:
https://github.com/kubernetes/kubernetes/blob/master/hack/update-generated-protobuf.sh
https://github.com/kubernetes/kubernetes/blob/master/hack/update-generated-swagger-docs.sh
https://github.com/kubernetes/kubernetes/blob/master/hack/update-openapi-spec.sh
and the changes need to be part of the PR.

michmike · 2019-03-19T16:58:47Z

/milestone v1.15
/sig windows

wk8 · 2019-05-13T21:56:11Z

@liggitt : thanks for the review, amended as requested.

liggitt

thanks for the update. you can squash the Review comment: renaming GMSA go variables files into the right commits.

found a couple potential NPEs in pkg/securitycontext/util.go

the update to dropDisabledFields() (#75459 (comment)) is still outstanding as well

looking good otherwise

pkg/apis/core/validation/validation.go

pkg/securitycontext/util.go

This patch comprises the API changes outlined in the Windows GMSA KEP (https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20181221-windows-group-managed-service-accounts-for-container-identity.md) to add GMSA support to Windows workloads. It includes validation, as well as dropping fields if the `WindowsGMSA` feature flag is not set, both with unit tests. Signed-off-by: Jean Rouge <rougej+github@gmail.com>

Signed-off-by: Jean Rouge <rougej+github@gmail.com>

This patch comprises the auto-generated changes for the API changes outlined in the Windows GMSA KEP (https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20181221-windows-group-managed-service-accounts-for-container-identity.md) to add GMSA support to Windows workloads. Signed-off-by: Jean Rouge <rougej+github@gmail.com>

wk8 · 2019-05-16T22:37:19Z

@liggitt @ddebroy : amended as requested, including #75459 (comment), could you please take another look?

This patch comprises the kubelet changes outlined in the Windows GMSA KEP (https://github.com/kubernetes/enhancements/blob/master/keps/sig-windows/20181221-windows-group-managed-service-accounts-for-container-identity.md) to add GMSA support to Windows workloads. Updated tests. Signed-off-by: Jean Rouge <rougej+github@gmail.com>

liggitt · 2019-05-17T15:53:35Z

/lgtm
/approve

liggitt · 2019-05-17T15:54:22Z

/priority important-soon

liggitt · 2019-05-17T15:54:43Z

/cc @yujuhong

for cri approval

yujuhong · 2019-05-17T23:44:34Z

staging/src/k8s.io/cri-api/pkg/apis/runtime/v1alpha2/api.proto

    string run_as_username = 1;
+
+    // The contents of the GMSA credential spec to use to run this container.
+    string credential_spec = 2;


The API change LGTM. We may need to change the comment to make it clear if we ever supports non-GMSA spects.

@yujuhong : sorry if I'm misunderstanding, but that field's name was requested to not include "GMSA" in #75459 (comment), and the comment makes it clear it's for GMSA for now; so not sure what else we should do here?

I think this is fine for now. The field name matches the oci field name, and the description is reasonably consistent with the oci doc.

PatrickLang · 2019-05-20T08:54:34Z

@yujuhong - can you approve or find one from SIG-Node?

yujuhong · 2019-05-21T17:04:41Z

/lgtm
/approve

k8s-ci-robot · 2019-05-21T17:08:52Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: liggitt, wk8, yujuhong

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~api/OWNERS~~ [liggitt]
~~pkg/OWNERS~~ [liggitt]
~~pkg/api/OWNERS~~ [liggitt]
~~staging/src/k8s.io/api/OWNERS~~ [liggitt]
~~staging/src/k8s.io/cri-api/pkg/OWNERS~~ [yujuhong]
~~test/e2e/windows/OWNERS~~ [liggitt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

wk8 changed the title ~~Kubelet & API changes for GMSA support - version beta~~ Kubelet & API changes for Windows GMSA support - version beta Mar 19, 2019

k8s-ci-robot added kind/feature Categorizes issue or PR as related to a new feature. and removed needs-kind Indicates a PR lacks a `kind/foo` label and requires one. labels Mar 19, 2019

k8s-ci-robot requested review from dchen1107 and dineshgovindasamy March 19, 2019 00:29

k8s-ci-robot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 19, 2019

k8s-ci-robot added the sig/windows Categorizes an issue or PR as relevant to SIG Windows. label Mar 19, 2019

ddebroy reviewed Mar 19, 2019

View reviewed changes

pkg/features/kube_features.go Outdated Show resolved Hide resolved

k8s-ci-robot assigned liggitt and yujuhong Mar 19, 2019

wk8 force-pushed the wk8/gmsa_beta branch from 3782b17 to 335b5d0 Compare March 19, 2019 16:42

wk8 force-pushed the wk8/gmsa_beta branch 4 times, most recently from 690c0c2 to c74cdad Compare May 15, 2019 19:18

liggitt reviewed May 15, 2019

View reviewed changes

pkg/apis/core/validation/validation.go Outdated Show resolved Hide resolved

pkg/securitycontext/util.go Outdated Show resolved Hide resolved

wk8 force-pushed the wk8/gmsa_beta branch from c74cdad to 2002833 Compare May 15, 2019 19:32

k8s-ci-robot added size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. and removed size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels May 16, 2019

wk8 added 3 commits May 16, 2019 15:32

GRPC changes for GMSA support

794176f

Signed-off-by: Jean Rouge <rougej+github@gmail.com>

wk8 force-pushed the wk8/gmsa_beta branch from 1432a2a to 2e4850d Compare May 16, 2019 22:35

wk8 force-pushed the wk8/gmsa_beta branch from 2e4850d to b39d8f4 Compare May 17, 2019 02:07

k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 17, 2019

k8s-ci-robot added priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed needs-priority Indicates a PR lacks a `priority/foo` label and requires one. labels May 17, 2019

k8s-ci-robot requested a review from yujuhong May 17, 2019 15:54

yujuhong reviewed May 17, 2019

View reviewed changes

k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 21, 2019

k8s-ci-robot merged commit ae2a162 into kubernetes:master May 21, 2019

rhockenbury mentioned this pull request Jun 20, 2019

SecurityContext: windowsOptions support kubernetes-sigs/windows-gmsa#11

Closed

Conversation

wk8 commented Mar 19, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

wk8 commented Mar 19, 2019 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

wk8 commented Mar 19, 2019

Uh oh!

wk8 commented Mar 19, 2019

Uh oh!

ddebroy left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

ddebroy commented Mar 19, 2019

Uh oh!

ddebroy commented Mar 19, 2019

Uh oh!

michmike commented Mar 19, 2019

Uh oh!

wk8 commented May 13, 2019

Uh oh!

liggitt left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

wk8 commented May 16, 2019

Uh oh!

liggitt commented May 17, 2019

Uh oh!

liggitt commented May 17, 2019

Uh oh!

liggitt commented May 17, 2019

Uh oh!

yujuhong May 17, 2019

Choose a reason for hiding this comment

Uh oh!

wk8 May 20, 2019

Choose a reason for hiding this comment

Uh oh!

liggitt May 20, 2019

Choose a reason for hiding this comment

Uh oh!

PatrickLang commented May 20, 2019

Uh oh!

yujuhong commented May 21, 2019

Uh oh!

k8s-ci-robot commented May 21, 2019

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

7 participants

wk8 commented Mar 19, 2019 •

edited

Loading

wk8 commented Mar 19, 2019 •

edited

Loading