From b81d2dcba8bc673f9ae7bbdc7c27e3a635aa7bbd Mon Sep 17 00:00:00 2001
From: Mikko Ylinen
Date: Tue, 13 Sep 2022 13:18:28 +0300
Subject: [PATCH] Update SGX and FPGA webhook flags

SGX Admission webhook was quickly forked from FPGA's implementation. After a bit of thinking, it turns out leader election and metrics are not necessary for a (idempotent) webhook-only functionality. For FPGA Admission webhook, the metrics isn't correctly set up so it's better to disable the functionality. Leader election is kept but the flag name is renamed to align with "kubebuilder v3 functionality" similar to how we changed it to the operator as well.

Signed-off-by: Mikko Ylinen
---
 cmd/fpga_admissionwebhook/main.go | 6 ++--
 cmd/operator/README.md | 2 +-
 cmd/sgx_admissionwebhook/main.go | 16 +---------
 .../rbac/kustomization.yaml | 2 ++
 .../rbac/leader_election_role.yaml | 32 +++++++++++++++++++
 .../rbac/leader_election_role_binding.yaml | 12 +++++++
 6 files changed, 50 insertions(+), 20 deletions(-)
 create mode 100644 deployments/fpga_admissionwebhook/rbac/leader_election_role.yaml
 create mode 100644 deployments/fpga_admissionwebhook/rbac/leader_election_role_binding.yaml
diff --git a/cmd/fpga_admissionwebhook/main.go b/cmd/fpga_admissionwebhook/main.go
index f56cd4ad..d6303c98 100644
--- a/cmd/fpga_admissionwebhook/main.go
+++ b/cmd/fpga_admissionwebhook/main.go
@@ -43,12 +43,10 @@ func init() {
 func main() {
 var (
- metricsAddr string
 enableLeaderElection bool
 )
- flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
- flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
+ flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 "Enable leader election for controller manager. "+
 "Enabling this will ensure there is only one active controller manager.")
 flag.Parse()
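Review bot: In the -43 hunk of cmd/fpga_admissionwebhook/main.go, `--metrics-addr` is dropped and `--enable-leader-election` is renamed with no compatibility alias, so a Deployment that still passes either old flag makes `flag.Parse()` exit with an undefined-flag error. For an admission webhook that means a crash-looping pod, and depending on the webhook's failurePolicy (not visible in this patch) admission either blocks or proceeds without the mutation. Consider keeping the old name registered for one release, e.g. `flag.BoolVar(&enableLeaderElection, "enable-leader-election", false, "Deprecated: use --leader-elect.")`, and updating the deployment args in the same change. The body of main continues outside the hunk.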
@@ -62,7 +60,7 @@ func main() {
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 Scheme: scheme,
- MetricsBindAddress: metricsAddr,
+ MetricsBindAddress: "0",
 Logger: ctrl.Log.WithName("FpgaAdmissionWebhook"),
 WebhookServer: webHook,
 LeaderElection: enableLeaderElection,
diff --git a/cmd/operator/README.md b/cmd/operator/README.md
index 7fee8097..d4f2214b 100644
--- a/cmd/operator/README.md
+++ b/cmd/operator/README.md
@@ -164,7 +164,7 @@ No upgrade is done for:
 ## Known issues
 When the operator is run with leader election enabled, that is with the option
-`--enable-leader-election`, make sure the cluster is not overloaded with excessive
+`--leader-elect`, make sure the cluster is not overloaded with excessive
 number of pods. Otherwise a heart beat used by the leader election code may trigger a timeout and crash. We are going to use different clients for the controller and leader election code to alleviate the issue. See more details in
diff --git a/cmd/sgx_admissionwebhook/main.go b/cmd/sgx_admissionwebhook/main.go
index 424f0a76..c7399750 100644
--- a/cmd/sgx_admissionwebhook/main.go
+++ b/cmd/sgx_admissionwebhook/main.go
@@ -15,7 +15,6 @@
 package main
 import (
- "flag"
 "os"
 sgxwebhook "github.com/intel/intel-device-plugins-for-kubernetes/pkg/webhooks/sgx"
@@ -36,17 +35,6 @@ func init() {
 }
 func main() {
- var (
- metricsAddr string
- enableLeaderElection bool
- )
-
- flag.StringVar(&metricsAddr, "metrics-addr", ":8080", "The address the metric endpoint binds to.")
- flag.BoolVar(&enableLeaderElection, "enable-leader-election", false,
- "Enable leader election for controller manager. "+
- "Enabling this will ensure there is only one active controller manager.")
- flag.Parse()
-
 ctrl.SetLogger(klogr.New())
 webHook := &webhook.Server{
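Review bot: In the -62 hunk of cmd/fpga_admissionwebhook/main.go, and again in the -56 hunk of cmd/sgx_admissionwebhook/main.go, `MetricsBindAddress: "0"` is a magic string with no explanation at the call site. In controller-runtime that value disables the metrics listener, which also closes the `:8080` endpoint the removed flag defaulted to. A short comment would make that intent reviewable, e.g. `// "0" disables the metrics server; this webhook exposes no metrics endpoint.` The ctrl.Options literal continues past the FPGA hunk, so whether `LeaderElectionID` is still set there cannot be confirmed from this patch.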
@@ -56,11 +44,9 @@ func main() {
 mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
 Scheme: scheme,
- MetricsBindAddress: metricsAddr,
+ MetricsBindAddress: "0",
 Logger: ctrl.Log.WithName("SgxAdmissionWebhook"),
 WebhookServer: webHook,
- LeaderElection: enableLeaderElection,
- LeaderElectionID: "a9b71ad3.intel.com",
 })
 if err != nil {
 setupLog.Error(err, "unable to start manager")
diff --git a/deployments/fpga_admissionwebhook/rbac/kustomization.yaml b/deployments/fpga_admissionwebhook/rbac/kustomization.yaml
index b228b96d..c887f9f6 100644
--- a/deployments/fpga_admissionwebhook/rbac/kustomization.yaml
+++ b/deployments/fpga_admissionwebhook/rbac/kustomization.yaml
@@ -1,3 +1,5 @@
 resources:
 - role.yaml
 - role_binding.yaml
+- leader_election_role.yaml
+- leader_election_role_binding.yaml
diff --git a/deployments/fpga_admissionwebhook/rbac/leader_election_role.yaml b/deployments/fpga_admissionwebhook/rbac/leader_election_role.yaml
new file mode 100644
index 00000000..eaa79158
--- /dev/null
+++ b/deployments/fpga_admissionwebhook/rbac/leader_election_role.yaml
@@ -0,0 +1,32 @@
+# permissions to do leader election.
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: leader-election-role
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - configmaps/status
+ verbs:
+ - get
+ - update
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
diff --git a/deployments/fpga_admissionwebhook/rbac/leader_election_role_binding.yaml b/deployments/fpga_admissionwebhook/rbac/leader_election_role_binding.yaml
new file mode 100644
index 00000000..eed16906
--- /dev/null
+++ b/deployments/fpga_admissionwebhook/rbac/leader_election_role_binding.yaml
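Review bot: The new leader_election_role.yaml grants more than a leader-election lock needs: `list`, `watch` and `delete` on every ConfigMap in the namespace, plus a `configmaps/status` rule although ConfigMap has no status subresource. Any workload running under the bound service account could then read or rewrite unrelated ConfigMaps in that namespace. Narrow the rules to `create` plus `get`/`update`/`patch` limited by `resourceNames` to the manager's election ID; that ID is set outside the visible hunks, so it appears as a placeholder below. It is also worth confirming which lock type the controller-runtime version in use takes, since a Lease-based lock would need a `coordination.k8s.io` `leases` rule that this Role does not have.

```yaml
rules:
- apiGroups:
  - ""
  resources:
  - configmaps
  verbs:
  - create  # create cannot be restricted by resourceNames
- apiGroups:
  - ""
  resources:
  - configmaps
  resourceNames:
  - <LEADER_ELECTION_ID>  # placeholder: the FPGA webhook's LeaderElectionID
  verbs:
  - get
  - update
  - patch
# … unchanged: events rule …
```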
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: leader-election-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: leader-election-role
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: system
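Review bot: The RoleBinding in leader_election_role_binding.yaml names the namespace's `default` ServiceAccount as its subject, so the ConfigMap write access from leader-election-role goes to every pod in that namespace that does not set its own service account, not only to the webhook. Bind a dedicated account instead, e.g. `name: <WEBHOOK_SERVICE_ACCOUNT>` under `subjects` (placeholder), with a matching ServiceAccount object and `serviceAccountName` on the webhook Deployment. Whether kustomize rewrites `namespace: system`, and whether the existing role_binding.yaml follows the same pattern, is not visible in this patch.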