Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
Kubernetes / Kubernetes AWS Provider Subproject / 29 Oct 2021
Kubernetes / Kubernetes AWS Provider Subproject / 29 Oct 2021
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: Kubernetes - AWS Provider - Meeting 20211029

Description

Recording of the AWS Provider subproject meeting held on 20211029

Issue Triage: https://github.com/kubernetes/cloud-provider-aws/pull/272, https://github.com/kubernetes/cloud-provider-aws/issues/282, https://github.com/kubernetes/cloud-provider-aws/issues/281

A

Okay, yeah.

B

uh Hello, everybody. uh This is the bi-weekly aws cloud provider meeting. I am your moderator facilitator for today. Just in santa barbara, I work at google a reminder. This meeting is being recorded and we put on the internet and therefore, please be mindful of our code of conduct, which boils down to being a good person. We have a couple of items on the agenda. uh Please do feel free to add your name and any other items.

B

We actually talked about one before we got the recording started here today, which was around filtering clb, classical balance, for instance by the cluster tag peter previously sent to pr and suggested that we could actually just close that out as nick had sent an alternative pr, which we think is uh a reasonable option.

B

um So we've just closed that out and then we were just looking at some of the other issues that were opened and I think the the first one I thought was sort of interesting, well they're, all interesting, but I thought the first one was particularly interesting, which was uh it's number 282 uh saying uh that we should remove the hard requirements the hostname matches the ecr pattern.

B

So as as I understand it, uh we are careful to only provide credentials to the appropriate, um uh the appropriate uh registry, so we won't try to send your aws credentials to docker hub, for example, um and the way that works today is there is a regex rejects that matches against the host name, and it sounds like this user chaos puppy.

B

uh I'm glad the name isn't two.

B

Yes, a chaos, puppy uh has decided, has set up a mirror, and so now the uh the the image is docker.io busybox in their example, but they are redirecting it using container d mirroring to uh to their ecr registry, but of course, we're not going to pass the credentials because, as far as kubernetes knows when it's pulling the image, it looks like a docker uh image, and I I think we definitely don't want to be passing your adverse tokens to docker hub uh in or in general, like that pattern would be bad.

B

uh It sounds like and it sounds like there is currently a flag so or I can't I can't tell if they're asking for a flag or want a flag, but it seems like a reasonable feature.

B

I can't I don't know whether anyone is is doing this like peter, or are you doing this or jay? Have you heard of people doing this.

A

No, and in fact I'm I'm actually a little confused.

A

When, when the poster is asking for it not to be a hard requirement, um what would a what would the behavior of a soft requirement? Look like, I guess, and what benefit would that have.

B

Yeah I mean I guess what they're saying is that they would want to.

B

Be able to specify the host name or host names and be able to say actually docker.io, I'm going to mirror all of it to ecr.

B

It's actually pretty dangerous. I think because I think, there's no way to say don't go to docker.

B

In other words,.

A

Because it's the default fallback.

B

Right, I mean correct and I so I think I mean I don't know how much yeah I mean. These are your aws tokens, so they are they're, not nothing. uh I think I think they might be downscoped tokens, but they're still.

B

Or actually it is ecr, so it's not a full token. Is it right? It's uh no.

A

It's I mean, there's a there's, a it's a docker, login credentials. Token thing.

B

Right, there's an exchange that happens first right, so it's not the end of the world. um I think I'll.

A

Just it just wouldn't work, obviously on docker, because those aren't.

B

Yeah and.

A

It doesn't mean that I don't think I see what they're saying.

B

If, if docker was evil, they could take that token and pull your images on gcr on google's container registry, you use a a google token, a full, a full authenticated token. So stealing that token is even higher consequence than stealing your images.

A

So I'm wondering whether the the feature request here is is actually for the container d mirror or whether it's um for the.

B

Mutating admission.

A

Web hook.

B

I don't think they, I think they're currently using mutating admission web hook and they don't love.

A

That solution, yeah right.

B

I I think you're right, it might be that this is better done at the container d mirror level and there I there might be such a thing. I don't know I mean.

A

That would be the transparent way of uh transparent to kubla way of dealing with this right, which would basically just be like a rewrite of the image uris.

A

um

A

I'll add a little note in here asking.

B

Yeah that'd be great: okay,.

A

It might be, but.

B

That's a good good handle. uh Yes,.

B

I don't know where there is such a plug-in, for I imagine there is a plug-in for container dvd pull from ecr, welcome out alexandr alexander.

B

We're just uh going through some of the uh open or recent open issues.

C

Hey hello, everyone.

B

If you want to say hi, introduce yourself you're very welcome to but you're, not under an obligation too.

C

Oh.

B

uh Yeah no worries.

C

um So hey there, um I'm alexander uh sizzle season in uh it's a french translation of off season in english, I'm french! Then um I I work as a devops uh in a in a small company called innerex in france and and yeah, I'm the only one, I'm the only devops uh in the team uh trying my best uh to um so.

A

You're, a devop.

C

Yeah yeah kind of well, and um so I am trying every every day uh to maintain um all the infrastructure, all the applications and everything and helps people better understand. uh What do devops means like uh what is the cic pipelines and how to better handle things.

C

And yeah, it's it's been a long time uh since the last time I went on this zoom meeting, so sorry about that and also the first time I got the opportunity to to talk about myself. So a huge thing. Thank you.

B

Awesome well welcome back and thank you for saying hello.

C

You're welcome and thanks for asking and sorry for being late, also.

B

No worries, if you do have anything you want to discuss, feel free to add it to the agenda or just I guess, bring it up verbally, but.

C

Yeah and I was about to throw about dogs to know what is the subject of today. If there is.

B

uh We're mostly just going through the open issues, making sure that uh sort of aware of uh what's going on in terms of things.

D

That.

B

People have discovered, and particularly open issues on the cloud provider at us, repo, okay, this one, oh.

C

Oops, I see the issue in the in the in the docs, and so I see you typing also yes occasion: um okay,.

B

Let's, but did you say you had another issue? Another thing you wanted to talk about today.

C

um Not specially, generally speaking, just I'm allowed to to to be part of the the debate and and see.

B

Yes, I think we just wanted to. I just want to make sure you had the opportunity. That's all so! Thank you. Yeah.

C

Thank you. Thank you. A lot.

B

um All right, well, uh so uh jay, are you gonna comment on the vcr, or did you do it? Sorry? I need to refresh.

A

I haven't yet because I'm still trying to uh figure out what actually would be the best solution for uh chaos puppy um in this particular uh case.

A

So uh no sorry, I have not yet.

B

No.

A

It's fine, I think.

B

uh So we're talking here about issue 282, where, um when a user is using an ecr uh docker registry as a mirror for, for example, docker hub uh they can, they can configure that in container d, um however, uh container d by default won't uh pass any past the credentials to the uh to the registry and ecr with all will say. No. um Thus, I think the request here was to allow ecr to pass it to docker hub or some other, like uh list of registries, that the user could provide.

B

um One of the downsides that we think might be a problem is we're not sure that a fullback wouldn't send the token then to dockerhub, and then uh I think, jay suggested. Perhaps a better option might be to just configure container d2.

B

um Do the same ecr exchange to be able to authenticate to ecr, um I don't know whether there's any per pod or per namespace like credentials in the ecr credential provider, or whether it's just.

B

Like.

D

Is it for the read only or like we also want to upload, because if it's read only then we should be able to allow. I am policies for that right.

B

I I I'm pretty sure it's it we're only. I think we're going to read only here. I uh it's a good question. I think we're only talking about read only.

D

Right should also be possible so uh like we can use im policies and we can like that's how we uh allow access to all the ecrs right uh for our cases as well. So yeah.

B

Right I mean I just I think I think here we're just pulling.

A

Yeah, I don't think chaos puppy is looking for the ability to write um anything. It's just. um It's sort of an odd situation actually.

A

What they're trying to do, I guess I'm a little well.

B

It's a it's a reasonable idea right. It's like uh you, have a registry that often goes down and why not back it with one that is local and uh you know presumably faster yeah.

A

Could I completely get that, but why not just um remove the.

A

Why not just remove the the registry part from the image where I and rely on.

A

Never mind I'm just never mind yeah.

B

I mean they have. They have said like they can do that right. They can change the like sort of manually rewrite the mirror, but it's a bit of a pain or needs that admission web hook. Yeah.

B

um I think if there was a, I think we should ask chaos puppy. If container d could do the ecr authentication- which I imagine is a solved problem somehow uh then, um would that solve their problem and then we wouldn't have to change like it would only be the node credentials. So if they're, if they're, somehow doing anything more advanced than that, then we need to rethink, but.

B

I I imagine, based on what I imagine they're doing, that that no credit is what they want.

A

Perhaps you could write that because I'm I I guess, I'm still, I will okay uh groking.

B

Yeah so.

D

I'll write that.

B

And then we can, we can talk about the next one. I think uh the next one up is add support for elb session sickness, so I'm glad you've joined kishore, because I think this is probably something you'll have an opinion on. uh So this is 281 uh user.

B

Even.

D

Did you share your screen or I'm not seeing it here.

B

uh I'm not showing my screen today. Oh.

D

God my screen.

B

Is just going way too slowly, like I, I think I've overloaded, my poor gpu and I don't want to uh push it anymore, but.

D

I'm putting it in chat sure.

B

um

B

Which is around so the request is, I think, very simple, which is on elb to enable session stickiness.

B

So I can comment without definitely everyone on the 282 pcr one.

B

I assume this isn't in there today um is this.

A

Something that we support in the aws load, balancer controller, sure.

D

We do supporting the load band as a controller correct for nlb.

B

uh Yeah, I don't know if, when the user says elb what I mean classic right.

D

I don't know for sure if classic supports it or not, I know nlp does and we support nlp in the load. Balancer contract.

A

uh Classic supports it, but.

A

I'm not sure if we want to sort of go out of our way to support to support any clb specific things right.

D

Correct correct because clv is also.

A

Going to be deprecated.

D

Right eventually, so it's in the path of like going to nlp route and for nlp. We have load balancer controller for now, where we do support it, so we at least provide some solution to the users. uh Of course, uh we have to like have a good story for the cloud provider as well like the ccm eventually. So that's the next step that we need to work on.

B

Looking at the cli commands, it looks like it's sort of additive, and if we, if it's not in, if it's not supported by the controller, it looks like it's something that the user, for example, could run the cli commands on after the load answer was created, and I think that ties nicely into uh jay. Your work on the operators like is this: what is the status of the operators? Is this something we can configure with the operators.

D

um

A

The it potentially could be, although we we don't, really have a whole lot of plans to do uh uh elb um or elbv2 uh ack controllers, just because the load, you know the aws load. Balancer controller is already um able to program um load balancer resources in a kubernetes native way, as opposed to a crd based way.

A

The the thing that I can yeah- I I just don't know if, if doing it on a classic load, balancer is, is going to be something where we're willing to spend resources on um again, just because it's in the deprecation path.

A

And especially since it's it's supported for uh sticky sessions, supported for alb by the aws load, bouncer controller right.

D

Yes,.

D

I was looking at the aws console, it says: stickiness option is not available for tcp protocols, so I don't even know like if there are any limitations uh or what are the issues with uh clb with stickiness. I need to read the documentation for further details.

A

Well, he's.

D

uh The.

A

The original poster is asking for cookie based sticky sessions, so I'm assuming it's gonna, be albee.

B

um

D

Https, okay, I got it so yeah.

C

Yeah, okay,.

D

Not for tcp.

C

Right.

D

And alv would have it uh if lv supports it. We definitely support from the load balancer controller, but they have to have a different way to expose it rather.

A

Than service, I I tell you what I I'll I'll go ahead and um uh respond on this particular issue and just say it's not something that we plan to support for classic load balancers at this point and to use the aws load balancer controller with alvs is our recommended approach.

A

Kishore. Are you good with that? Yes,.

B

Awesome, I'm just finishing up the comment here on the on the prior one.

B

We only have one or two more issues, so that's we're doing. Okay,.

B

Let's see so the next issue that was opened recently as in like since our last uh meetings are, is number 280 which I will place a link to, and this is around no something called node impairment, which I'm not sure what that means, but I'm going to paste it first uh node with impaired volume, sorry taint applied when volume attach error is recoverable.

B

So in issue 280, which I will place, a link to uh user austin, berry says that they.

B

Had a node with impaired volumes, taint applied to a node um and then the disk immediately attached itself, and so the this taint seems excessive and in fact they say they have never had a case where the tank was applied and the error was not recoverable.

B

Okay, uh I'm actually not very familiar with this uh tank. Is anyone familiar with.

D

This.

B

It looks like they're all are some stream or some other issues, a couple of instances that one from 2020.

B

Not a lot of documentation is one of the complaints.

B

uh Okay, it looks like this is the original pr.

B

uh Let's see so.

B

Original pr.

B

It's introducing future.

B

And.

B

So if a node is attached is us stuck in the attaching state for too long, then we mark it as at least going in the original code, uh then they mark the whole node on sk unschedulable so that no more no more pods go to that node.

B

And.

B

Doesn't look like when we've set that we ever clear it, which is also a little so like? Presumably it's not a terrible thing to do if um a while, while the volume is taking a long time to go onto a node, if we, you know after five minutes, say, hey stop putting more pods on here, but then once it attaches, we should probably say keep going.

B

um I'm just looking at the logic here apply, unscheduled taint happens after timeout and the timeout is.

A

Justin I apologize. I need to drop um okay thanks, jake good, to see you you as well justin, sorry for uh being late. I'm sorry for dropping early, no worries. Thank you. Thank you. Later, bye.

B

Yeah, we'll probably wrap up here in a minute or two anyway. I think, um unless anyone has any context on this particular bug, uh I guess we'll just tag. Sig storage, I'm guessing uh in that. I think this is a generic. I don't think this is specific to aws. Oh, it is specifically addressed.

C

I I once had the opportunity to to have that kind of thing: the the same aws version, um but um the the thing is. It was related to ebs storage uh that was taken by some other nodes in some other regions and.

C

Since that time it was not, uh and if I remember well, it's still not possible to have read and write access on pvcs and, and it was kind of an error making the node kind of crush.

C

But yeah, as as you mentioned it um after that yeah 1.14 cube version was fixed.

C

So.

B

Yes,.

C

I think.

B

The only.

C

Thing I can share is that it has been fixed like year, a year and a half ago at least.

B

uh It sounds like you're, the one you hit was uh well. It sounds like the one the the reporter. The bug reporter hit uh was just that. The time I was too aggressive was too short. It sounds like the one you hit is more complicated where another node had it locked somehow was that right, yeah kind of.

C

But yeah it.

D

Has been fixed.

C

Years ago,.

B

Would you mind, would you mind commenting on the on the issue saying like that? You also hit this in this other scenario, but it does sound like it does sound like what they're saying is.

B

um That the disc was immediately detached and so we're just we're just unnecessarily applying these taints and never removing them, and uh I think I kind of agree, I think, that's I think, that's too aggressive.

C

Yeah, there's something I can do.

B

Thank you.

B

And then I guess, I think we can tag yeah, I'm sort of surprised this is in the well. I guess this is going to land up in the um awf csi driver.

C

um

B

uh It feels like it should be more in the storage in the csi driver itself, but I can have a look and see where this, where this code is still all there and has moved around because it feels like it should have moved over the years yeah.

B

Obviously, the.

B

um But yeah, I don't have a ton of context on it and I don't think anyone else here I mean sounds like alexandria. You have background, you have the most uh context, um yeah.

C

Kind of trying my best here to respond.

B

Thank you.

C

I hope will be way enough and I'm fine.

B

Oh, it's about continuing the conversation right. It's about uh like trying to get more information, understand things better. So even anything anything is great.

B

uh I think those are the items, those are only open or newly opened prs and issues. I don't know if anyone else has anything they want to talk about today.

C

um I didn't got enough time yet to prepare that meeting sorry um and yeah most of the time. I find a way to fix it so and starting to be more um available and trying to to improve my skills, also in colleen to to be able to participate just kind of off of debates and trying my best to one.

D

Day, I hope.

C

uh The small contributor of two.

B

Would be good, that'd be cool, it is fun.

C

So yeah it is fun.

B

uh Anyone else have any other things they want to bring up.

B

Or people want an extra 20 minutes of their friday.

D

Thanks justin thanks everybody thanks kishore thanks.

B

Thanks peter.

B

I'm gonna stop the recording.