Deprecate control-plane labels #1061
Comments
|
+1 for deprecation, however since deployment |
|
What is the normal upgrade path for something like this? Deleting the deployment and recreating? |
|
Could someone clarify why the deprecation of the It seems to me that the We are about to contribute a PR to kubespray to add said label to all clusters created with kubespray. Would it be possible to keep the |
|
TBH I have no strong feelings about the existence (or lack thereof) of a I do think that the label being under-defined is a problem. What should the significance of From a security standpoint, I'm not in love with the idea of using labels to control which resources are subject to a webhook and which are not. This makes the ability to set labels equivalent to the ability to bypass policy checks. It can make sense, but needs to be done carefully to avoid unintended consequences. Historically, Gatekeeper had that label because it was auto-generated by Kubebuilder v1. I think it was then applied to the As I said, I am kind of "meh" about the label with a lean toward removing it just to avoid bikeshedding over label values, etc. If there is an emerging standard that should be something to consider. Curious to hear others' opinions. |
I think we're talking about several different changes all in one.
The My 2c. |
|
+1 on phased approach to deprecate this. We can also introduce a new field in the helm chart to allow users to provide this label via helm values.yaml. It can initially default to |
|
I see your point. The |
This has been removed starting with v3.1.0: #758 |
|
Closed via #758 |
|
This issue has been automatically marked as stale because it has not had recent activity. It will be closed in 14 days if no further activity occurs. Thank you for your contributions. |
|
Hi, is it currently safe as an end user to remove Edit: I believe this may also be causing https://issuetracker.google.com/issues/204835306?pli=1 |
If you already have the I think we have waited long enough to remove the |
|
I am having admission.gatekeeper.sh/ignore: no-self-managing and control-plane=controller-manager label in gatekeeper-system namespace. For testing, to fix the TLS handshake error, I tied to remove the control-plane label from gatekeeper-system namespace and its deployments. After the rolling restart of the gatekeeper deployments the control-plane labels got added automatically back to gatekeeper namespace and deployments. Do we need to update some where to make it permanent gatekeeper version - v3.8.1 |
|
Hi @sri53 how do you deploy Gatekeeper? Is it by Helm, or by K8S manifests, or by some other method? Also what version of Gatekeeper and Kubernetes do you deploy to? |
|
Hi @tspearconquest |
|
I believe Azure Policy Add-on enforces the label in your case, so if that's correct then removing it for your gatekeeper instance won't be possible until it has been removed in upstream and Azure Policy upgrades to a version which has it removed. |
|
Hi @ritazh - It seems my suspicion was not correct, and removing the It's really interesting that this is only affecting Gatekeeper, as we do have other tools with MWH and VWH which do not see this problem, and the traffic causing the errors is 100% coming from the I also took a look in konnectivity configmap and deployment manifest in one of our clusters to see if I could find a log format option, but I'm afraid I couldn't find any. My main concern is that these are not coming in json format, so it causes a lot of spam for our fluentd instance to try to parse non-json log outputs as json. |
|
Thanks for the update @tspearconquest! I can dig into this a bit later and report back. |
Describe the solution you'd like
[A clear and concise description of what you want to happen.]
control-planelabels are leftovers from kubebuilder 1.0. They can be deprecated but we should give users time to move off using these labels.Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]
Environment:
kubectl version):The text was updated successfully, but these errors were encountered: