clean up k8s starter manifests#132
clean up k8s starter manifests#132mfreeman451 wants to merge 1 commit intoGoogleCloudPlatform:mainfrom
Conversation
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces a Kubernetes deployment for Scion, including Kustomize manifests, RBAC configurations, and comprehensive documentation. Additionally, it refactors the metadata server to skip iptables interception when running as a non-root user, which is common in hosted Kubernetes environments. Feedback focuses on improving the deployment's reliability by adjusting the image pull policy for the latest tag, ensuring the RBAC role has necessary permissions for secret management, and exposing the broker port in the service definition.
hack/k8s/deployment.yaml
Outdated
| containers: | ||
| - name: scion | ||
| image: scion-server:latest | ||
| imagePullPolicy: IfNotPresent |
There was a problem hiding this comment.
Using imagePullPolicy: IfNotPresent with the :latest tag is generally discouraged in Kubernetes. The default behavior for :latest is Always, which ensures the node checks for a newer version of the image on every pod start. Explicitly setting it to IfNotPresent can cause the pod to run an outdated version of the image if a new one was pushed to the registry with the same tag. For a starter manifest, it's safer to use Always or omit the field.
imagePullPolicy: Always| - list | ||
| - delete | ||
| --- |
There was a problem hiding this comment.
The secrets resource is missing the get verb. If the runtime manager needs to check for the existence of a secret before creating it, or if it needs to read secret metadata, the get permission is required. Without it, operations that rely on checking state before acting (like idempotency checks) will fail.
- create
- get
- list
- delete| - name: http | ||
| port: 80 | ||
| targetPort: http | ||
| protocol: TCP |
There was a problem hiding this comment.
The service only exposes the HTTP port (80). Since the deployment also runs a runtime broker on port 9800, this port should be included in the service definition to allow agents or other cluster components to reach the broker via the service DNS name.
- name: http
port: 80
targetPort: http
protocol: TCP
- name: broker
port: 9800
targetPort: broker
protocol: TCP
mfreeman451
changed the title
mfreeman451
force-pushed
the
fix/k8s-generic-manifests
branch
from
480613f to
1cdf6c3
Compare
|
Addressed the follow-up cleanup here as well. Changes:
Current head: |
mfreeman451
force-pushed
the
fix/k8s-generic-manifests
branch
from
ecf5988 to
d520003
Compare
|
This branch has been rebuilt and narrowed on top of current The earlier metadata-helper cleanup is already effectively in
Current branch scope:
Current head: |
1 participant
What changed
This replaces the environment-specific
hack/k8sdeployment snapshot with a generic Kubernetes starter for Scion.The new base:
ClusterIPservice pluskubectl port-forwardas the default access pathscion-authsecret for stable sessions and OAuth credentialsIt also removes the CarverAuto-specific ingress, Gateway API, telemetry, sealed secret, pull secret, template seeding, and network policy assumptions.
Why
The previous manifests were tied to one production deployment and were not suitable for upstream use. They encoded private registry paths, sealed secrets, company-specific hostnames, OTLP mTLS wiring, cluster-specific Gateway resources, and node scheduling details.
That made
hack/k8shard to reuse and hard to document as a supported starting point for other Kubernetes users.User impact
Users now get a smaller starter that can be applied with
kubectl apply -k hack/k8safter setting their image and registry values.Clusters with custom ingress, TLS, private registries, OAuth, or network policy requirements can layer those concerns on top of the base instead of having to unwind an opinionated deployment snapshot first.
Validation
kubectl kustomize hack/k8skubectl kustomize hack/k8s | kubectl apply --dry-run=client -f -