liggitt

Member Since 10 years ago

Google, United States

818 followers
1 following
26 stars
131 repos

1759 contributions in the last year

Pinned
⚡ Production-Grade Container Scheduling and Management
⚡ Autogenerate RBAC policies based on Kubernetes audit logs
⚡ Drop in replacement for https://golang.org/pkg/text/tabwriter with additional features
⚡ clientgofix rewrites calls to old k8s.io/client-go methods to use newer invocations
⚡ Read-only tool to check metadata.ownerReferences.
Activity
May 21 (2 days ago)
open pull request

liggitt wants to merge kubernetes/kubernetes

liggitt

non-blocking, but if you want, could simplify to

initializers := admission.PluginInitializers{
  genericadmissioninitializer.New(...
  kubeapiserveradmission.NewPluginInitializer(...
}
issue

liggitt issue comment kubernetes/cloud-provider-gcp

liggitt

Fix bug in comparing IPv6 addresses on the instance

Comparing the string form of IPv6 address could be incorrect depending on how the IPv6 address was normalized. Instead, we change the logic to compare the net.IP values. Also fixed the log message to print out the instance IP addresses.

issue

liggitt issue comment kubernetes/kubernetes

liggitt

Fix edit/patch error when imagePullSecrets contains empty item

What type of PR is this?

/kind bug

What this PR does / why we need it:

We can use kubectl create to create a deployment with imagePullSecrets: - {}, but it fails on kubectl edit; in that case the user won't be able to update the spec unless they delete the empty imagePullSecrets, which causes confusion for the user, so we should keep things consistent.

This PR allows the user to edit a spec with an empty imagePullSecrets item.

Which issue(s) this PR fixes:

Fixes #109953

Special notes for your reviewer:

Does this PR introduce a user-facing change?

Allow the user to edit a spec with an empty imagePullSecrets item

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


liggitt

It was a validation gap in pods that didn't enforce presence of the name. Since it produced pods that could successfully run, tightening validation to forbid it was considered too breaking of a change. The warning was added to alert users to the weird config that was probably a mistake.

I haven't reviewed this change, so this isn't a comment about it in particular, but I'd be extremely cautious about making changes to the guts of strategic merge patch code… the side effects can be really hard to reason about and we don't want to break compatibility with any current successful invocations.

May 20 (3 days ago)
open pull request

liggitt wants to merge kubernetes/kubernetes

liggitt

Restricted Pod E2E tests

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

  1. Add a new MixinRestrictedPodSecurity and corresponding MustMixinRestrictedPodSecurity utilities which set the required fields to pass the restricted pod security checks, and verify that the given pod does in fact meet the requirements. These are complementary to the existing GetRestricted{Pod,Container}SecurityContext functions, but in most cases require fewer changes.
  2. Update the test/e2e/common/node/pods.go tests to set the restricted namespace label and use the new utilities.

Does this PR introduce a user-facing change?

NONE

/area test /assign @liggitt @s-urbaniak

liggitt

Ok, fair enough. Make sure the docs don't claim to produce a minimal valid restricted securityContext and doc the uid chosen

pull request

liggitt merge to kubernetes/kubernetes

liggitt

Restricted Pod E2E tests

open pull request

liggitt wants to merge kubernetes/kubernetes

liggitt

can you switch these to using the initializer/validate pattern to make sure our tests match reality in terms of invocation order and that they are valid?

	pluginInitializer := genericadmissioninitializer.New(...)
	pluginInitializer.Initialize(handler)
	err := admission.ValidateInitialization(handler)
	...
delete

liggitt in liggitt/kpt delete branch token

deleted time in 2 days ago
delete

liggitt in liggitt/community-1 delete branch patch-1

deleted time in 2 days ago
issue

liggitt issue comment kubernetes/cloud-provider-gcp

liggitt

Fix bug in comparing IPv6 addresses on the instance

open pull request

liggitt wants to merge kubernetes/cloud-provider-gcp

liggitt

Fix bug in comparing IPv6 addresses on the instance

liggitt

do we need to check if Ipv6Address, NatIP, or ExternalIpv6 are empty before appending?
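The net.IP comparison the PR description above calls for, together with the "check for empty before appending" concern from the review comment, as an added Go example that is not code from cloud-provider-gcp; the function names and the sample addresses are constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// sameIP reports whether two textual addresses denote the same IP. Comparing
// parsed net.IP values instead of strings means differently normalized IPv6
// spellings ("2001:db8::1" vs "2001:DB8:0:0:0:0:0:1") still match.
func sameIP(a, b string) bool {
	ipA, ipB := net.ParseIP(a), net.ParseIP(b)
	if ipA == nil || ipB == nil {
		return false // empty or unparsable strings never match anything
	}
	return ipA.Equal(ipB)
}

// collectIPs keeps only non-empty, parseable candidates (net.ParseIP("") is
// nil), which is the "check for empty before appending" point in the comment.
func collectIPs(candidates ...string) []net.IP {
	var out []net.IP
	for _, c := range candidates {
		if ip := net.ParseIP(c); ip != nil {
			out = append(out, ip)
		}
	}
	return out
}

// containsIP reports whether want is among ips, again via net.IP.Equal.
func containsIP(ips []net.IP, want string) bool {
	w := net.ParseIP(want)
	if w == nil {
		return false
	}
	for _, ip := range ips {
		if ip.Equal(w) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values, not taken from the PR.
	fmt.Println(sameIP("2001:db8::1", "2001:DB8:0:0:0:0:0:1")) // true (string == is false)
	ips := collectIPs("10.0.0.5", "", "2001:db8::1")           // empty field skipped
	fmt.Println(len(ips), containsIP(ips, "2001:0db8:0000::0001")) // 2 true
}
```

Note that net.IP.Equal also treats an IPv4 address and its IPv4-mapped IPv6 form as equal, so an instance that reports the same address in both forms is matched once rather than treated as two distinct addresses.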

pull request

liggitt merge to kubernetes/cloud-provider-gcp

liggitt

Fix bug in comparing IPv6 addresses on the instance

open pull request

liggitt wants to merge kubernetes/kubernetes

liggitt

Restricted Pod E2E tests

liggitt

Is runAsUser generally needed as boilerplate, though? I thought runAsNonRoot was supposed to be sufficient.

If an e2e wanted to exercise runAsNonRoot functionality with an image that did not run as root by default and didn't want to set a runAsUser, that would mean they couldn't use GetRestrictedPodSecurityContext or MustMixinRestrictedPodSecurity to do so, because those wouldn't actually set the minimal securityContext that is compatible with the restricted PSS.

pull request

liggitt merge to kubernetes/kubernetes

liggitt

Restricted Pod E2E tests

issue

liggitt issue comment GoogleContainerTools/kpt

liggitt

Fix method of obtaining service account token

The .secrets field within service accounts is only for listing secrets to be mounted into pods, not for extracting secrets for other uses. There is no guarantee the first item in the list will be a token secret.

In 1.24+, this field is not populated by default.

This unconditionally makes the test script create a dedicated secret for obtaining a token

issue

liggitt issue comment GoogleContainerTools/kpt

liggitt

Fix method of obtaining service account token

liggitt

to 1.0. That's always been the way to obtain a token manually

issue

liggitt issue comment GoogleContainerTools/kpt

liggitt

chore: update kind to v0.13.0

  • Update e2e tests to support k8s v1.21 - v1.24
  • Update default k8s test version to v1.21 (latest GKE stable)
  • Update test workflows to all consistently use kind v0.13.0
  • Update e2e tests to the latest k8s minor releases for each major release
  • Disable e2e fast-fail to determine when errors are version specific
  • Fix e2e test failure specific to K8s 1.24: ServiceAccounts no longer immediately generate an auth token secret.
  • Use tee to print and capture output in e2e tests, to aid debugging.

liggitt

FWIW, the secrets field in the service account object is only for listing secrets to mount into pods. There was never a guarantee the first item in the list would be a service account token secret. Opened https://github.com/GoogleContainerTools/kpt/pull/3199 to unconditionally use the mechanism of declaring a secret for the purposes of obtaining a token for use outside a pod.

issue

liggitt issue comment GoogleContainerTools/kpt

liggitt

Fix method of obtaining service account token

pull request

liggitt pull request GoogleContainerTools/kpt

liggitt

Fix method of obtaining service account token

created branch

liggitt in liggitt/kpt create branch token

createdAt 3 days ago
fork

liggitt forked google/anthos-microk8s

liggitt Apache License 2.0 Updated
fork time in 3 days ago
fork

liggitt forked GoogleContainerTools/kpt

⚡ A package-centric toolchain that enables a WYSIWYG configuration authoring, automation, and delivery experience, which simplifies managing Kubernetes platforms and KRM-driven infrastructure at scale by manipulating declarative Configuration as Data, separated from the code that transforms it.
liggitt Apache License 2.0 Updated
fork time in 3 days ago
pull request

liggitt pull request GoogleCloudPlatform/professional-services

liggitt

Fix method of obtaining service account token

The .secrets field within service accounts is only for listing secrets to be mounted into pods, not for extracting secrets for other uses. There is no guarantee the first item in the list will be a token secret.

In 1.24+, this field is not populated by default.

Adapt instructions from https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#manually-create-a-service-account-api-token to obtain a token

cc @zshihang

created branch
createdAt 3 days ago