From 046a7da0866a67112b82e124ad13c44446b132be Mon Sep 17 00:00:00 2001
From: Clark Boylan
Date: Wed, 6 Apr 2022 09:29:44 -0700
Subject: [PATCH] Support K8s 1.22.0 and newer. The rbac.authorization.k8s.io/v1beta1 API was deprecated and replaced with rbac.authorization.k8s.io/v1. Version 1.22.0 of Kuberenetes removes the deprecated API which means Nodepool needs to stop using it. According to the docs [0] version 1.8 and newer support the new APIs. To address this we update our RBAC client instance to use the non beta version client and update our version specification in the manifests to drop the beta version. Add a release note indicating that K8s 1.8 and newer is now required. Additionally we unpin minikube in testing to ensure we have test coverage of this change against newer Kuberentes. [0] https://kubernetes.io/docs/reference/using-api/deprecation-guide/#rbac-resources-v122 Story: 2009974 Change-Id: Ic21725efc8088e7dfb0777c2c96c742182cdbf93
---
 .zuul.yaml | 2 --
 nodepool/driver/kubernetes/provider.py | 8 ++++----
 .../notes/handle-new-k8s-rbac-api-a2fa70f67c4b5362.yaml | 6 ++++++
 3 files changed, 10 insertions(+), 6 deletions(-)
 create mode 100644 releasenotes/notes/handle-new-k8s-rbac-api-a2fa70f67c4b5362.yaml
diff --git a/.zuul.yaml b/.zuul.yaml
index 274d50787..a5bd40c21 100644
--- a/.zuul.yaml
+++ b/.zuul.yaml
@@ -7,8 +7,6 @@
 post-run: playbooks/nodepool-functional-k8s/post.yaml
 required-projects:
 - zuul/nodepool
- vars:
- minikube_version: v1.22.0 # NOTE(corvus): 1.23.0 failed with 404 on create_namespaced_role
 - job:
 description: |
diff --git a/nodepool/driver/kubernetes/provider.py b/nodepool/driver/kubernetes/provider.py
index 07d4a21a6..ed5ede416 100644
--- a/nodepool/driver/kubernetes/provider.py
+++ b/nodepool/driver/kubernetes/provider.py
@@ -39,7 +39,7 @@ class KubernetesProvider(Provider, QuotaSupport):
 self._zk = None
 self.ready = False
 _, _, self.k8s_client, self.rbac_client = get_client(
- self.log, provider.context, k8s_client.RbacAuthorizationV1beta1Api)
+ self.log, provider.context, k8s_client.RbacAuthorizationV1Api)
 self.namespace_names = set()
 for pool in provider.pools.values():
 self.namespace_names.add(pool.name)
@@ -181,7 +181,7 @@ class KubernetesProvider(Provider, QuotaSupport):
 role_name = "zuul-restricted"
 role_body = {
 'kind': 'Role',
- 'apiVersion': 'rbac.authorization.k8s.io/v1beta1',
+ 'apiVersion': 'rbac.authorization.k8s.io/v1',
 'metadata': {
 'name': role_name,
 },
@@ -207,7 +207,7 @@ class KubernetesProvider(Provider, QuotaSupport):
 role_name = "zuul"
 role_body = {
 'kind': 'Role',
- 'apiVersion': 'rbac.authorization.k8s.io/v1beta1',
+ 'apiVersion': 'rbac.authorization.k8s.io/v1',
 'metadata': {
 'name': role_name,
 },
@@ -225,7 +225,7 @@ class KubernetesProvider(Provider, QuotaSupport):
 # Give service account admin access
 role_binding_body = {
- 'apiVersion': 'rbac.authorization.k8s.io/v1beta1',
+ 'apiVersion': 'rbac.authorization.k8s.io/v1',
 'kind': 'RoleBinding',
 'metadata': {'name': 'zuul-role'},
 'roleRef': {
diff --git a/releasenotes/notes/handle-new-k8s-rbac-api-a2fa70f67c4b5362.yaml b/releasenotes/notes/handle-new-k8s-rbac-api-a2fa70f67c4b5362.yaml
new file mode 100644
index 000000000..ab67d824f
--- /dev/null
+++ b/releasenotes/notes/handle-new-k8s-rbac-api-a2fa70f67c4b5362.yaml
@@ -0,0 +1,6 @@
+---
+other:
+ - |
+ Kubernetes 1.8 or newer is required by the Kubernetes driver.
+ This was necessary to support Kubernetes 1.22.0 and newer which
+ requires using APIs that are not supported before version 1.8.
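Review bot: The literal `'rbac.authorization.k8s.io/v1'` is now written out three times in nodepool/driver/kubernetes/provider.py (the `zuul-restricted` Role in the `@@ -181` hunk, the `zuul` Role in `@@ -207` and the `zuul-role` RoleBinding in `@@ -225`), and each copy has to agree with the `RbacAuthorizationV1Api` client class selected in the `@@ -39` hunk. A single module-level constant, `RBAC_API_VERSION = 'rbac.authorization.k8s.io/v1'`, used as `'apiVersion': RBAC_API_VERSION,` in each body, would turn the next API migration into a one-line change and rule out a partial update where a manifest and the client disagree. The enclosing methods start and end outside these hunks, so any further manifests in the file that carry the same string are not visible here.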
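Review bot: The comment `# Give service account admin access` in the `@@ -225` hunk of provider.py does not state the scope of that access, and the `roleRef` of the `zuul-role` binding continues past the end of the hunk, so the role actually bound cannot be checked from here. Because the object is a `RoleBinding` rather than a cluster-level binding, the grant presumably applies only inside the namespace it is created in; if that is the intent, a comment such as `# Give the service account full access inside this namespace only (RoleBinding, not cluster-wide)` would let a reader auditing the driver's privileges confirm least privilege without tracing the call. This should be confirmed against the `roleRef` and the namespace passed to the create call, both of which lie outside the hunk.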