Adding OpenShift SCC clusterController, removing hostPort #3677
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0-rc.0
bump kubecost-modeling for cve fixes
bump kubecost-modeling for cve fixes (cherry-pick #3606)
…7592 bump modeling 0.1.15 CVE-2024-7592
bump modeling 0.1.15 CVE-2024-7592 (cherry-pick #3615)
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0-rc.1
bump network costs to 0.17.5
bump network costs to 0.17.5 (cherry-pick #3629)
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0-rc.2
switch grafana image for cve resolution (cherry-pick #3627)
update prometheus to chainguard for CVE-2024-41110
update prometheus to chainguard for CVE-2024-41110 (cherry-pick #3625)
* fix diagnostics and federatedStorageConfig * Few more places that needed to reference federatedStorageConfig * Simplify logic for MultiClusterDiagnostics in costmodel. --------- Co-authored-by: Jesse Goodier <[email protected]> Co-authored-by: thomasvn <[email protected]>
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0-rc.3
Co-authored-by: Jesse Goodier <[email protected]>
…vingsRecommendationsAllowLists (#3645) (#3650) * [ENG-2729] Add resource reference files for kubecostProductConfigs.savingsRecommendationsAllowLists Co-authored-by: Bianca Burtoiu <[email protected]>
* bump cluster-controller 0.16.9 Signed-off-by: Cliff Colvin <[email protected]> * remove inadvertent checkin Signed-off-by: Cliff Colvin <[email protected]>
bump cluster-controller 0.16.9 (cherry-pick #3652)
bump kubecost-modeling 0.1.16
bump kubecost-modeling 0.1.16 (cherry-pick #3655)
* remove helm rollout restarter Co-authored-by: Jesse Goodier <[email protected]>
…#3660) (#3661) * add GPU utilization widget * Update cost-analyzer/grafana-dashboards/pod-utilization.json --------- Signed-off-by: chipzoller <[email protected]> Co-authored-by: Chip Zoller <[email protected]> Co-authored-by: Jesse Goodier <[email protected]>
bump network-costs 0.17.6
bump network-costs 0.17.6 (cherry-pick #3662)
* Add new container costs and resources endpoints to nginx * Add value for configuring container resource usage retention in days Co-authored-by: Niko Kovacevic <[email protected]>
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0-rc.4
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0-rc.5
Signed-off-by: Cliff Colvin <[email protected]>
bump k8s-sidcar to cgr for cve
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0-rc.6
aggregator custom labels template Co-authored-by: Jesse Goodier <[email protected]>
Commit auto-generated by release script. Signed-off-by: Cliff Colvin (release bot variant) <[email protected]>
Bump in-code version of v2.4 branch for 2.4.0
…terController Adding OpenShift SCC for clusterController, removing hostPort on clusterController
| @@ -256,7 +256,6 @@ spec: | |||
| ports: | |||
| - name: http-server | |||
| containerPort: 9731 | |||
| hostPort: 9731 | |||
There was a problem hiding this comment.
@alexkubecost I can dig here, but do you know off hand why we would need hostPort?
I don't understand why anything would be connecting to the clusterController that doesn't know the service name.
There was a problem hiding this comment.
I can't currently think of any reason why hostPort would be needed. @ameijer ?
There was a problem hiding this comment.
I'll bet you that this yaml was written from an example where they exposed an http port on a node and the ingress controller routed to that. I agree there is rarely if ever a use case for a host port on non daemon set controllers. I think getting rid of it is a great idea
| - hostPath | ||
| - projected | ||
| - configMap | ||
| hostPorts: |
There was a problem hiding this comment.
You can kill these hostPort lines if Alex is good with removing hostPort.
|
Once this is approved, let's make sure this is merged into both |
Add space to fix linting error to allow CI to complete against the remainder of these changes. Co-authored-by: Jesse Goodier <[email protected]>
|
Changed branch to |
chipzoller
reviewed
Sep 29, 2024
| @@ -1425,7 +1425,7 @@ data: | |||
| "carbonEstimatesEnabled": "{{ template "carbonEstimatesEnabled" . }}", | |||
| "clusterControllerEnabled": "{{ template "clusterControllerEnabled" . }}", | |||
| "forecastingEnabled": "{{ template "forecastingEnabled" . }}", | |||
| "chartVersion": "DEVELOP_BRANCH", | |||
| "chartVersion": "2.4.0", | |||
There was a problem hiding this comment.
I don't think we want to change this now it's targeting develop.
| allowPrivilegedContainer: true | ||
| allowHostDirVolumePlugin: true | ||
| allowHostNetwork: true | ||
| allowHostPorts: true |
There was a problem hiding this comment.
So this would now be false, right, if there are no hostPorts?
| @@ -12,14 +12,11 @@ global: | |||
| scc: | |||
| nodeExporter: false # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled. | |||
| networkCosts: false # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled. | |||
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |||
There was a problem hiding this comment.
Suggested change
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |
| clusterController: false # Creates an SCC for Kubecost clusterController. This requires clusterController be enabled. |
| @@ -247,6 +247,7 @@ global: | |||
| scc: | |||
| nodeExporter: false # Creates an SCC for Prometheus Node Exporter. This requires Node Exporter be enabled. | |||
| networkCosts: false # Creates an SCC for Kubecost network-costs. This requires network-costs be enabled. | |||
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |||
There was a problem hiding this comment.
Suggested change
| clusterController: false # Creates an SCC for Kubecost clusterContoller. This requires clusterController be enabled. | |
| clusterController: false # Creates an SCC for Kubecost clusterController. This requires clusterController be enabled. |
|
Hi all, after further testing, it seems all that is needed it the removal of the hostport from kubecost-cluster-controller-template.yaml. Once that is done, no specific SCCs will be needed. Maybe the Platforms.Openshift.True can remove hostport if we want to leave it on for other deployments? Either way, the SCC file is not needed. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Adding OpenShift SCC for clusterController, removing hostPort on clusterController
What does this PR change?
Does this PR rely on any other PRs?
How does this PR impact users? (This is the kind of thing that goes in release notes!)
Links to Issues or tickets this PR addresses or fixes
What risks are associated with merging this PR? What is required to fully test this PR?
How was this PR tested?
Ran on Openshift cluster successfully
Have you made an update to documentation? If so, please provide the corresponding PR.