kubeadm: Fetching kube-proxy's config map is now optional

rosti · rosti · commit 31b4c782c753 · 2019-09-05T18:25:22.000+03:00
Whenever kubeadm needs to fetch its configuration from the cluster, it gets
the component configuration of all supported components (currently only kubelet
and kube-proxy). However, kube-proxy is deemed an optional component and its
installation may be skipped (by skipping the addon/kube-proxy phase on init).
When kube-proxy's installation is skipped, its config map is not created and
all kubeadm operations, that fetch the config from the cluster, are bound to
fail with "not found" or "forbidden" (because of missing RBAC rules) errors.

To fix this issue, we have to ignore the 403 and 404 errors, returned on an
attempt to fetch kube-proxy's component config from the cluster.
The `GetFromKubeProxyConfigMap` function now supports returning nil for both
error and object to indicate just such a case.

Signed-off-by: Rostislav M. Georgiev &lt;rostislavg@vmware.com&gt;
diff --git a/cmd/kubeadm/app/componentconfigs/BUILD b/cmd/kubeadm/app/componentconfigs/BUILD
@@ -24,6 +24,7 @@ go_library(
         "//pkg/proxy/apis/config:go_default_library",
         "//pkg/proxy/apis/config/v1alpha1:go_default_library",
         "//pkg/proxy/apis/config/validation:go_default_library",
+        "//staging/src/k8s.io/apimachinery/pkg/api/errors:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/runtime/schema:go_default_library",
diff --git a/cmd/kubeadm/app/componentconfigs/config.go b/cmd/kubeadm/app/componentconfigs/config.go
@@ -18,7 +18,9 @@ package componentconfigs
 
 import (
 	"github.com/pkg/errors"
+	"k8s.io/klog"
 
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/util/version"
@@ -63,6 +65,13 @@ func GetFromKubeProxyConfigMap(client clientset.Interface, version *version.Vers
 	// Read the ConfigMap from the cluster
 	kubeproxyCfg, err := apiclient.GetConfigMapWithRetry(client, metav1.NamespaceSystem, kubeadmconstants.KubeProxyConfigMap)
 	if err != nil {
+		// The Kube-Proxy config map may be non-existent, because the user has decided to manage it by themselves
+		// or to use other proxy solution. It may also be forbidden - if the kube-proxy phase was skipped we have neither
+		// the config map, nor the RBAC rules allowing join access to it.
+		if apierrors.IsNotFound(err) || apierrors.IsForbidden(err) {
+			klog.Warningf("Warning: No kube-proxy config is loaded. Continuing without it: %v", err)
+			return nil, nil
+		}
 		return nil, err
 	}
 
diff --git a/cmd/kubeadm/app/componentconfigs/config_test.go b/cmd/kubeadm/app/componentconfigs/config_test.go
@@ -47,6 +47,7 @@ func TestGetFromConfigMap(t *testing.T) {
 		component     RegistrationKind
 		configMap     *fakeConfigMap
 		expectedError bool
+		expectedNil   bool
 	}{
 		{
 			name:      "valid kube-proxy",
@@ -59,10 +60,10 @@ func TestGetFromConfigMap(t *testing.T) {
 			},
 		},
 		{
-			name:          "invalid kube-proxy - missing ConfigMap",
-			component:     KubeProxyConfigurationKind,
-			configMap:     nil,
-			expectedError: true,
+			name:        "valid kube-proxy - missing ConfigMap",
+			component:   KubeProxyConfigurationKind,
+			configMap:   nil,
+			expectedNil: true,
 		},
 		{
 			name:      "invalid kube-proxy - missing key",
@@ -123,8 +124,8 @@ func TestGetFromConfigMap(t *testing.T) {
 				return
 			}
 
-			if obj == nil {
-				t.Error("unexpected nil return value")
+			if rt.expectedNil != (obj == nil) {
+				t.Error("unexpected return value")
 			}
 		})
 	}
diff --git a/cmd/kubeadm/app/util/config/cluster.go b/cmd/kubeadm/app/util/config/cluster.go
@@ -203,6 +203,11 @@ func getComponentConfigs(client clientset.Interface, clusterConfiguration *kubea
 			return err
 		}
 
+		// Some components may not be installed or managed by kubeadm, hence GetFromConfigMap won't return an error or an object
+		if obj == nil {
+			continue
+		}
+
 		if ok := registration.SetToInternalConfig(obj, clusterConfiguration); !ok {
 			return errors.Errorf("couldn't save componentconfig value for kind %q", string(kind))
 		}
diff --git a/cmd/kubeadm/app/util/config/cluster_test.go b/cmd/kubeadm/app/util/config/cluster_test.go
@@ -449,7 +449,6 @@ func TestGetComponentConfigs(t *testing.T) {
 					},
 				},
 			},
-			expectedError: true,
 		},
 	}
 
@@ -483,9 +482,6 @@ func TestGetComponentConfigs(t *testing.T) {
 			if cfg.ComponentConfigs.Kubelet == nil {
 				t.Errorf("invalid cfg.ComponentConfigs.Kubelet")
 			}
-			if cfg.ComponentConfigs.KubeProxy == nil {
-				t.Errorf("invalid cfg.ComponentConfigs.KubeProxy")
-			}
 		})
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -47,6 +47,7 @@ func TestGetFromConfigMap(t *testing.T) {`
`47`	`47`	`component RegistrationKind`
`48`	`48`	`configMap *fakeConfigMap`
`49`	`49`	`expectedError bool`
	`50`	`+ expectedNil bool`
`50`	`51`	`}{`
`51`	`52`	`{`
`52`	`53`	`name: "valid kube-proxy",`
`@@ -59,10 +60,10 @@ func TestGetFromConfigMap(t *testing.T) {`
`59`	`60`	`},`
`60`	`61`	`},`
`61`	`62`	`{`
`62`		`- name: "invalid kube-proxy - missing ConfigMap",`
`63`		`- component: KubeProxyConfigurationKind,`
`64`		`- configMap: nil,`
`65`		`- expectedError: true,`
	`63`	`+ name: "valid kube-proxy - missing ConfigMap",`
	`64`	`+ component: KubeProxyConfigurationKind,`
	`65`	`+ configMap: nil,`
	`66`	`+ expectedNil: true,`
`66`	`67`	`},`
`67`	`68`	`{`
`68`	`69`	`name: "invalid kube-proxy - missing key",`
`@@ -123,8 +124,8 @@ func TestGetFromConfigMap(t *testing.T) {`
`123`	`124`	`return`
`124`	`125`	`}`
`125`	`126`
`126`		`- if obj == nil {`
`127`		`- t.Error("unexpected nil return value")`
	`127`	`+ if rt.expectedNil != (obj == nil) {`
	`128`	`+ t.Error("unexpected return value")`
`128`	`129`	`}`
`129`	`130`	`})`
`130`	`131`	`}`
Original file line number	Diff line number	Diff line change
`@@ -203,6 +203,11 @@ func getComponentConfigs(client clientset.Interface, clusterConfiguration *kubea`
`203`	`203`	`return err`
`204`	`204`	`}`
`205`	`205`
	`206`	`+ // Some components may not be installed or managed by kubeadm, hence GetFromConfigMap won't return an error or an object`
	`207`	`+ if obj == nil {`
	`208`	`+ continue`
	`209`	`+ }`
	`210`	`+`
`206`	`211`	`if ok := registration.SetToInternalConfig(obj, clusterConfiguration); !ok {`
`207`	`212`	`return errors.Errorf("couldn't save componentconfig value for kind %q", string(kind))`
`208`	`213`	`}`
Original file line number	Diff line number	Diff line change
`@@ -449,7 +449,6 @@ func TestGetComponentConfigs(t *testing.T) {`
`449`	`449`	`},`
`450`	`450`	`},`
`451`	`451`	`},`
`452`		`- expectedError: true,`
`453`	`452`	`},`
`454`	`453`	`}`
`455`	`454`
`@@ -483,9 +482,6 @@ func TestGetComponentConfigs(t *testing.T) {`
`483`	`482`	`if cfg.ComponentConfigs.Kubelet == nil {`
`484`	`483`	`t.Errorf("invalid cfg.ComponentConfigs.Kubelet")`
`485`	`484`	`}`
`486`		`- if cfg.ComponentConfigs.KubeProxy == nil {`
`487`		`- t.Errorf("invalid cfg.ComponentConfigs.KubeProxy")`
`488`		`- }`
`489`	`485`	`})`
`490`	`486`	`}`
`491`	`487`	`}`