-
Notifications
You must be signed in to change notification settings - Fork 13
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
static pods #27
Comments
If we name the unit right, |
Ok, you need to be a MirrorClient, https://github.com/kubernetes/kubernetes/blob/cea1d4e20b4a7886d8ff65f34c6d4f95efcb4742/pkg/kubelet/pod/mirror_client.go to be able to do this. uhuh, this most def. seems to pull in kubernetes/kubernetes, but maybe we can copy it into our repo. |
A small problem I foresee is how to distinguish a static pod from a normal pod? I think it needs to be named differently, otherwise we will try to mirror actual pods (after a restart). Yes, probably want to word So we start up and if we see unit names with this prefix it's considered a static pod and we create the pod in the api-server (if allowed). |
another thing to note is that we don't care how these units come into existence, it just that they are there and match the naming for static pods |
https://twitter.com/miekg/status/1359436562476449795 |
So doing this from the viewpoint of systemk is hard and fragile. What can be done is the following:
so for these pods systemk will try to mirror in the API (if allowed) and further more watch (namespace? pods?) for the annotation So for bootstrapping with e.g. Note this sidesteps a lot of thorny problems, it basically boils down to starting/tearing down a static pod when instructed to do so. How state is transferred from the static pod to the deployment is left out. But a |
So, I'm looking into this again. and I'm taking a normal systemd managed unit as an example. We basically want to turn this:
into this (never mind it's diff. binary, that's a detail we don't care about here):
Needless to say, that's impossible. Another idea is to be able to create a pod the normal way and then replace a systemd managed unit (maybe with an annotation?), then we don't have to do anything fancy to convert unit files. The steps would then become:
error handling might be trickier, but on pod creation failure we may restart the original unit? Or maybe we should not care and let the cluster deal with this outage. This does imply systemk has access to the systemd system unit files on the host. Keep in mind the end goal here is to have everything systemk managed, including the bootstrap bits that are need to get the cluster up and running. Stopping a system service and taking it over with one started from the k8s control plane opens a security hole: you can now stop any system service - this probably not what you want. We could add a X-Kubernetes like section to the original unit, saying it's allowed to be interrupted... Or have same back reference in there for some rbac rule or some such. Note: systemk already accessed the system systemd, so it can pretty much do what it wants. |
We can just add a
Where the current user wielding kubectl will need to be allowed to delete the resource |
This won't work, the kubelet doesn't have any concept of who called "into" it. Any validation on objects has already happened. And a unit on a disk somewhere isn't a k8s object. We can make it into one, but then we have 2 things: createPod and some k8s object with RBAC protection. Such a CRD should then be almost like a pod object so we know what to do?? That's looks to get messy quickly... |
ok, this can work, but the unit needs to tell systemk what kind of objects there need to be created in the API. Easiest would be to include the yaml in the unit file. Specify a new section and list the yaml as base64 encoded lines in there. Upon starting up and seeing a specially named unit with this section it will setup these objects in the API. Possible things that can go wrong:
|
Should do something like static pods? Can probably use k3s server for this, but something needs to mirror it in the api server, and systemk must do that.
Would simplify a bunch of things as we can just throw some yaml in a directory and stuff will happen.
The text was updated successfully, but these errors were encountered: