kubernetes / minikube

Run Kubernetes locally
https://minikube.sigs.k8s.io/
Apache License 2.0

Fix kindnet permission to support network policies #19360

Closed medyagh closed 1 month ago

medyagh commented 1 month ago

This PR gives "list, watch, patch" permissions for "namespaces" and "pods" to kindnet, and also "get, list, watch" for "networkpolicies".

Before this PR:

$ kc logs kindnet-9mcm2 -n kube-system

 18:22:52.776415       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
E0731 18:22:52.776465       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
W0731 18:22:53.056062       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "networkpolicies" in API group "networking.k8s.io" at the cluster scope
E0731 18:22:53.056153       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.NetworkPolicy: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "networkpolicies" in API group "networking.k8s.io" at the cluster scope
I0731 18:22:57.041388       1 main.go:295] Handling node with IPs: map[192.168.58.2:{}]
I0731 18:22:57.041505       1 main.go:299] handling current node
I0731 18:23:07.041727       1 main.go:295] Handling node with IPs: map[192.168.58.2:{}]
I0731 18:23:07.041843       1 main.go:299] handling current node
W0731 18:23:08.695269       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope
E0731 18:23:08.695410       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.Namespace: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope

After this PR:

$ kc logs kindnet-ncrmw -n kube-system
I0731 18:20:49.133197       1 main.go:109] connected to apiserver: https://10.96.0.1:443
I0731 18:20:49.133466       1 main.go:139] hostIP = 192.168.76.2
podIP = 192.168.76.2
I0731 18:20:49.133626       1 main.go:148] setting mtu 65535 for CNI 
I0731 18:20:49.133644       1 main.go:178] kindnetd IP family: "ipv4"
I0731 18:20:49.133652       1 main.go:182] noMask IPv4 subnets: [10.244.0.0/16]
I0731 18:20:49.445874       1 controller.go:334] Starting controller kube-network-policies
I0731 18:20:49.445896       1 controller.go:338] Waiting for informer caches to sync
I0731 18:20:49.445902       1 shared_informer.go:313] Waiting for caches to sync for kube-network-policies
I0731 18:20:49.746685       1 shared_informer.go:320] Caches are synced for kube-network-policies
I0731 18:20:49.746731       1 metrics.go:61] Registering metrics
I0731 18:20:49.746821       1 controller.go:374] Syncing nftables rules
I0731 18:20:59.447037       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:20:59.447301       1 main.go:299] handling current node
I0731 18:21:09.450421       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:09.450502       1 main.go:299] handling current node
I0731 18:21:19.454696       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:19.454788       1 main.go:299] handling current node
I0731 18:21:29.454483       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:29.454576       1 main.go:299] handling current node
I0731 18:21:39.448905       1 main.go:295] Handling node with IPs: map[192.168.76.2:{}]
I0731 18:21:39.448997       1 main.go:299] handling current node

Might fix https://github.com/kubernetes/minikube/issues/19357
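As an added example (not part of the PR or of the minikube code base), the script below parses apiserver "forbidden" lines like the ones quoted above and folds them into the RBAC rules they prove are missing for a given service account. The sample log is constructed from the lines in the description; the regex relies only on the fixed wording of the apiserver's denial message.

```python
import re
from collections import defaultdict

# Constructed sample from the kindnet "forbidden" lines quoted above: the W (list)
# and E (watch) lines for pods carry the same denial text, and one informational
# line is mixed in and must be ignored.
SAMPLE_LOG = """\
W0731 18:22:52.776415       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
E0731 18:22:52.776465       1 reflector.go:150] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: Failed to watch *v1.Pod: failed to list *v1.Pod: pods is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "pods" in API group "" at the cluster scope
W0731 18:22:53.056062       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.NetworkPolicy: networkpolicies.networking.k8s.io is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "networkpolicies" in API group "networking.k8s.io" at the cluster scope
I0731 18:22:57.041388       1 main.go:295] Handling node with IPs: map[192.168.58.2:{}]
W0731 18:23:08.695269       1 reflector.go:547] pkg/mod/k8s.io/client-go@v0.30.2/tools/cache/reflector.go:232: failed to list *v1.Namespace: namespaces is forbidden: User "system:serviceaccount:kube-system:kindnet" cannot list resource "namespaces" in API group "" at the cluster scope
"""

# The apiserver's RBAC denial text has a fixed shape: subject, refused verb,
# resource and API group ("" is the core group).
FORBIDDEN_RE = re.compile(
    r'User "(?P<user>[^"]+)" cannot (?P<verb>\w+) resource "(?P<resource>[^"]+)"'
    r' in API group "(?P<group>[^"]*)"'
)


def parse_denials(log_text):
    """Return one (user, verb, group, resource) tuple per line carrying a denial."""
    denials = []
    for line in log_text.splitlines():
        m = FORBIDDEN_RE.search(line)
        if m:
            denials.append((m["user"], m["verb"], m["group"], m["resource"]))
    return denials


def missing_rules(denials, user):
    """Fold one subject's denials into ClusterRole-style rules.

    Duplicate W/E lines for a resource collapse into one rule. Only verbs the
    apiserver actually refused appear, so this is the floor the role must grant:
    the PR also adds watch/patch (pods, namespaces) and get/watch
    (networkpolicies), which cannot show up here because the informer fails at
    its initial list and never gets to the later calls.
    """
    verbs = defaultdict(set)  # (group, resource) -> verbs seen denied
    for u, verb, group, resource in denials:
        if u == user:
            verbs[(group, resource)].add(verb)
    return [
        {"apiGroups": [group], "resources": [resource], "verbs": sorted(v)}
        for (group, resource), v in sorted(verbs.items())
    ]
```

Run against the sample, `missing_rules(parse_denials(SAMPLE_LOG), "system:serviceaccount:kube-system:kindnet")` yields one list-only rule each for namespaces and pods (core group) and for networkpolicies (networking.k8s.io). The same functions can be pointed at a `kubectl logs` dump of any controller pod to triage RBAC denials the same way.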

medyagh commented 1 month ago

/ok-to-test

minikube-pr-bot commented 1 month ago

kvm2 driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 19360) |
+----------------+----------+---------------------+
| minikube start | 50.9s    | 52.0s               |
| enable ingress | 25.6s    | 26.8s               |
+----------------+----------+---------------------+
Times for minikube start: 50.2s 51.5s 50.7s 50.6s 51.7s
Times for minikube (PR 19360) start: 48.7s 51.2s 52.8s 52.0s 55.0s
Times for minikube (PR 19360) ingress: 27.0s 24.9s 28.0s 27.0s 26.9s
Times for minikube ingress: 23.4s 24.9s 28.0s 23.9s 28.0s

docker driver with docker runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 19360) |
+----------------+----------+---------------------+
| minikube start | 21.5s    | 23.6s               |
| enable ingress | 21.8s    | 21.9s               |
+----------------+----------+---------------------+
Times for minikube (PR 19360) start: 25.2s 22.3s 24.7s 24.3s 21.2s
Times for minikube start: 21.3s 22.2s 21.2s 21.9s 21.0s
Times for minikube ingress: 21.8s 21.8s 22.3s 21.8s 21.3s
Times for minikube (PR 19360) ingress: 21.8s 21.8s 21.3s 21.8s 22.8s

docker driver with containerd runtime

+----------------+----------+---------------------+
|    COMMAND     | MINIKUBE | MINIKUBE (PR 19360) |
+----------------+----------+---------------------+
| minikube start | 20.6s    | 22.9s               |
| enable ingress | 45.8s    | 40.8s               |
+----------------+----------+---------------------+
Times for minikube start: 19.7s 23.1s 20.5s 19.9s 19.9s
Times for minikube (PR 19360) start: 23.3s 23.5s 22.9s 20.5s 24.0s
Times for minikube (PR 19360) ingress: 31.8s 48.3s 42.8s 33.3s 47.7s
Times for minikube ingress: 38.3s 46.8s 47.3s 48.3s 48.3s

minikube-pr-bot commented 1 month ago

Here are the top 10 failed tests in each environment with the lowest flake rate.

+------------------------------------------+----------------------------------------------------------------+----------------+
| ENVIRONMENT                              | TEST NAME                                                      | FLAKE RATE     |
+------------------------------------------+----------------------------------------------------------------+----------------+
| Docker_Linux_crio_arm64 (3 failed)       | TestStartStop/group/old-k8s-version/serial/SecondStart(gopogh) | 3.57% (chart)  |
| Docker_Linux_containerd_arm64 (2 failed) | TestStartStop/group/old-k8s-version/serial/SecondStart(gopogh) | 46.75% (chart) |
+------------------------------------------+----------------------------------------------------------------+----------------+

Besides these, the following environments also have failed tests:

To see the flake rates of all tests by environment, click here.

k8s-ci-robot commented 1 month ago

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: medyagh, spowelljr

The full list of commands accepted by this bot can be found here.

The pull request process is described here.

Needs approval from an approver in each of these files:

- ~~[OWNERS](https://github.com/kubernetes/minikube/blob/master/OWNERS)~~ [medyagh,spowelljr]

Approvers can indicate their approval by writing `/approve` in a comment.
Approvers can cancel approval by writing `/approve cancel` in a comment.