Check Kubelet is running with correct Windows Permissions #96616
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
|
Welcome @perithompson! |
k8s-ci-robot
added
the
needs-ok-to-test
|
Hi @perithompson. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-priority
|
@perithompson ok, next steps get your CLAs sorted internally (i.e. at vmware and sign the cla contributor stuff) |
k8s-ci-robot
added
area/kubelet
sig/node
perithompson
force-pushed
the
windows-check-permissions
branch
from
5d4a15f
to
af6a2ad
Compare
k8s-ci-robot
added
size/L
perithompson
force-pushed
the
windows-check-permissions
branch
from
bf096c6
to
0c73106
Compare
|
/sig windows |
k8s-ci-robot
added
the
sig/windows
perithompson
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
cmd/kubelet/app/BUILD
Outdated
| @@ -135,7 +137,7 @@ go_library( | |||
| ], | |||
| "@io_bazel_rules_go//go/platform:windows": [ | |||
| "//pkg/windows/service:go_default_library", | |||
| "//vendor/golang.org/x/sys/windows:go_default_library", | |||
| "//vendor/golang.org/x/sys/windows:go_default_library", | |||
There was a problem hiding this comment.
minor comments here: Extra space.
|
/test pull-kubernetes-e2e-aks-engine-azure-windows |
Not sure how you did it @marosset but it suddenly realised it was ok 🙂 |
|
/retest |
1 similar comment
|
/retest |
|
/retest |
|
@perithompson The e2e test failures looks legit failures https://prow.k8s.io/view/gs/kubernetes-jenkins/pr-logs/pull/96616/pull-kubernetes-e2e-aks-engine-azure-windows/1369474116045770752 |
From talking with some of the MSFT guys this was test infra related, but agree it does always seem like the same problem and I was thinking it was something to do with CSI that was causing it. I wouldn't have expected the kubelet to even start with where the checkPermissions function is called, if there was an error in that code then kubelet would fail to start and all the e2es would go red |
perithompson
force-pushed
the
windows-check-permissions
branch
from
ad8de38
to
23eac3c
Compare
k8s-ci-robot
removed
the
lgtm
perithompson
force-pushed
the
windows-check-permissions
branch
from
23eac3c
to
f1e2041
Compare
perithompson
force-pushed
the
windows-check-permissions
branch
from
f1e2041
to
46738b7
Compare
|
/retest |
|
/test pull-kubernetes-e2e-kind |
|
@jsturtevant guessing/hoping these are still the same failures? Mar 10 14:32:59.730: INFO:
Latency metrics for node k8s-master-36380154-0
Mar 10 14:32:59.730: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "azuredisk-9336" for this suite.
• Failure [413.600 seconds]
Dynamic Provisioning
/home/prow/go/src/sigs.k8s.io/azuredisk-csi-driver/test/e2e/dynamic_provisioning_test.go:38
[single-az]
/home/prow/go/src/sigs.k8s.io/azuredisk-csi-driver/test/e2e/dynamic_provisioning_test.go:41
should create a statefulset object, write and read to it, delete the pod and write and read to it again [kubernetes.io/azure-disk] [disk.csi.azure.com] [Windows] [It]
/home/prow/go/src/sigs.k8s.io/azuredisk-csi-driver/test/e2e/dynamic_provisioning_test.go:702
Unexpected error:
<*errors.errorString | 0xc0003a22b0>: {
s: "timed out waiting for the condition",
}
timed out waiting for the condition
occurred
/home/prow/go/src/sigs.k8s.io/azuredisk-csi-driver/test/e2e/testsuites/testsuites.go:634
------------------------------
SSSSSSSSSSSSSSSSSSS
[Fail] Dynamic Provisioning [single-az] [It] should create a statefulset object, write and read to it, delete the pod and write and read to it again [kubernetes.io/azure-disk] [disk.csi.azure.com] [Windows]
/home/prow/go/src/sigs.k8s.io/azuredisk-csi-driver/test/e2e/testsuites/testsuites.go:634
Ran 9 of 44 Specs in 1796.376 seconds
FAIL! -- 8 Passed | 1 Failed | 0 Pending | 35 Skipped
--- FAIL: TestE2E (1796.38s)
FAIL
FAIL sigs.k8s.io/azuredisk-csi-driver/test/e2e 1796.452s
FAIL
make: *** [Makefile:112: e2e-test] Error 1
2021/03/10 14:33:06 process.go:155: Step 'make e2e-test' finished in 31m43.364986236s
2021/03/10 14:33:06 aksengine_helpers.go:424: downloading /root/tmp863472555/log-dump.sh from https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/hack/log-dump/log-dump.sh
2021/03/10 14:33:06 util.go:68: curl https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/hack/log-dump/log-dump.sh
2021/03/10 14:33:06 process.go:153: Running: chmod +x /root/tmp863472555/log-dump.sh
Mar 10 14:16:26.559: INFO:
Latency metrics for node k8s-master-23042803-0
Mar 10 14:16:26.559: INFO: Waiting up to 3m0s for all (but 0) nodes to be ready
STEP: Destroying namespace "azurefile-5802" for this suite.
• Failure [305.802 seconds]
Dynamic Provisioning
/home/prow/go/src/sigs.k8s.io/azurefile-csi-driver/test/e2e/dynamic_provisioning_test.go:40
should create a volume on demand with useDataPlaneAPI [kubernetes.io/azure-file] [file.csi.azure.com] [Windows] [It]
/home/prow/go/src/sigs.k8s.io/azurefile-csi-driver/test/e2e/dynamic_provisioning_test.go:646
[Fail] Dynamic Provisioning [It] should create a volume on demand with useDataPlaneAPI [kubernetes.io/azure-file] [file.csi.azure.com] [Windows]
/home/prow/go/src/sigs.k8s.io/azurefile-csi-driver/test/e2e/testsuites/testsuites.go:219
Ran 7 of 28 Specs in 709.103 seconds
FAIL! -- 6 Passed | 1 Failed | 0 Pending | 21 Skipped
--- FAIL: TestE2E (709.10s)
FAIL
FAIL sigs.k8s.io/azurefile-csi-driver/test/e2e 709.155s
FAIL
make: *** [Makefile:84: e2e-test] Error 1
2021/03/10 14:16:38 process.go:155: Step 'make e2e-test' finished in 13m7.41104087s
2021/03/10 14:16:38 aksengine_helpers.go:424: downloading /root/tmp863250335/log-dump.sh from https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/hack/log-dump/log-dump.sh
2021/03/10 14:16:38 util.go:68: curl https://raw.githubusercontent.com/kubernetes-sigs/cloud-provider-azure/master/hack/log-dump/log-dump.sh
2021/03/10 14:16:39 process.go:153: Running: chmod +x /root/tmp863250335/log-dump.sh |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/retest |
|
@perithompson: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jayunit100, mrunalp, perithompson The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
What type of PR is this?
/kind bug
What this PR does / why we need it:
This PR adds a Windows-specific permissions check on the kubelet startup. Currently, the log file outputs an error on windows stating that the UID is -1 as UID does not exist in a windows context.
Which issue(s) this PR fixes:
Fixes #96512
Special notes for your reviewer:
As part of this PR I have moved the existing checkPermissions function to server_others.go to replicate similar behaviour in kube-proxy as the checkPermissions is not linux specific it should be build whenever not running on windows.
Does this PR introduce a user-facing change?:
NONE
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
The
token.IsMember(sid)returns TRUE if the caller's process is a member of the Administrators local group. Caller is NOTexpected to be impersonating anyone and is expected to be able to open its own process and process token. In order for the process to "Run as administrator" the excuting user must be in the BUILTIN\Administrators Group so I have added a check for that too.
More information about this can be found in in the c++ implementation routine and this go issue
Release Notes