bindata/bootkube: use loopback kubeconfig to talk to API#270
bindata/bootkube: use loopback kubeconfig to talk to API#270jhixson74 wants to merge 1 commit intoopenshift:masterfrom
Conversation
openshift-ci-robot
added
the
size/XS
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: jhixson74 The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
~~Why is it bad to talk to the bootstrap note during bootstrapping? Why should these control plane operators be different than any other client in the cluster?~~~ Misunderstood the intent. |
|
This misses the kubeconfig in bindata/bootkube/bootstrap-manifests/kube-controller-manager-pod.yaml |
jhixson74
force-pushed
the
master_azure_restrict_bootstrap_clients
branch
from
f7b0f03 to
140a2a6
Compare
jhixson74
changed the title
|
@sttts I have updated the PR description to reflect the problem. I've also updated the pod yaml file. Thanks for catching that. |
|
Lgtm. Why are tests red? |
|
/retest |
|
@jhixson74: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
It looks like this PR is not necessary now so I am closing it. |
4 participants
This code modifies cluster-kube-controller-manager-operator to use a kubeconfig configured for localhost API access.
This is necessary due to a limitation with Azure internal load balancers. See limitation #2 here: https://docs.microsoft.com/en-us/azure/load-balancer/load-balancer-overview#limitations
"Unlike public Load Balancers which provide outbound connections when transitioning from private IP addresses inside the virtual network to public IP addresses, internal Load Balancers do not translate outbound originated connections to the frontend of an internal Load Balancer as both are in private IP address space. This avoids potential for SNAT port exhaustion inside unique internal IP address space where translation is not required. The side effect is that if an outbound flow from a VM in the backend pool attempts a flow to frontend of the internal Load Balancer in which pool it resides and is mapped back to itself, both legs of the flow don't match and the flow will fail."
kubeconfig-loopback is generated by the installer.
https://jira.coreos.com/browse/CORS-1094