istio-ecosystem / sail-operator
The Sail Operator is able to install and manage the lifecycle of the Istio control plane in a Kubernetes & OpenShift cluster.
License: Apache License 2.0
It is important to update the information under both of our README files to share complete information about how it works, how it can be used, and best practices.
The bundle-push target calls the docker-push target, which in turn depends on docker-build.
The effect of this is that when running make bundle-push, the operator image is built and pushed under the -bundle tag.
As part of primary-remote support, the operator should be able to run / reconcile the sail CRDs without the istio CRDs installed in the cluster.
The Sail Operator creates an istiod for the remote profile, but there should only be the injection webhook and the reader service account/roles on the remote cluster.
It looks like the openshift profile is broken. Deploying workloads fails during injection:
2m7s Warning FailedCreate replicaset/productpage-v1-78dd566f6f Error creating: pods "productpage-v1-78dd566f6f-" is forbidden: unable to validate against any security context constraint: [provider "anyuid": Forbidden: not usable by user or serviceaccount, provider restricted-v2: .initContainers[0].runAsUser: Invalid value: 0: must be in the ranges: [1000680000, 1000689999], provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "NET_ADMIN": capability may not be added, provider restricted-v2: .initContainers[0].capabilities.add: Invalid value: "NET_RAW": capability may not be added, provider "restricted": Forbidden: not usable by user or serviceaccount, provider "nonroot-v2": Forbidden: not usable by user or serviceaccount, provider "nonroot": Forbidden: not usable by user or serviceaccount, provider "hostmount-anyuid": Forbidden: not usable by user or serviceaccount, provider "machine-api-termination-handler": Forbidden: not usable by user or serviceaccount, provider "hostnetwork-v2": Forbidden: not usable by user or serviceaccount, provider "hostnetwork": Forbidden: not usable by user or serviceaccount, provider "hostaccess": Forbidden: not usable by user or serviceaccount, provider "hostpath-provisioner": Forbidden: not usable by user or serviceaccount, provider "node-exporter": Forbidden: not usable by user or serviceaccount, provider "privileged": Forbidden: not usable by user or serviceaccount]
It looks like istio_cni.enabled is not set to true.
tbd
In the past, we performed a SubjectAccessReview on behalf of the user who created/modified the CR in order to find out whether they have the required privileges. We don't currently do this in sail-operator, which is a potential security issue as it could enable privilege escalation.
Whenever we create a release, we'll also want to create a helm chart tarball that we can release e.g. here on GitHub releases
Acceptance Criteria:
As part of primary-remote support, the sail operator needs a way to be installed without the istio CRDs.
Now we have some debug information when the e2e test run fails, but we need to improve it and add more information that can help detect the failure earlier.
Current debug information:
We need to add more debugging information, such as:
There need to be e2e tests to ensure you can use the Sail operator and APIs to set up a multicluster Istio deployment. The tests need to cover setting up:
These e2e tests should:
istioctl install ...: https://istio.io/latest/docs/setup/install/multicluster/multi-primary/
We need to create the documentation and update the information about how to work on and contribute to this project.
Current state of support for multi-cluster deployments should be added to the user docs along with installation instructions for what is currently supported (primary-primary).
Instead of 3.0.0 (the downstream version), the version should be set to 0.1.0.
This should also include making sure that the nightly builds will go to a 0.1-nightly channel going forward.
We'll need some free-form text under docs/ that explains our API concepts and how our CRDs are supposed to be used.
The job is currently executed in the fork because that was easy to set up: credentials for pushing images and the GitHub bot account were already present. We should move this job to this repository, though.
Most of the user-facing information about what the Sail operator is and how to use it is located in the bundle/README, whereas the information under the main README is focused more towards developers of the operator. The user-facing information should be moved (or at least copied) to the main README, and the developer-focused information can either move to its own section in the README or to a separate README.
Currently, we do not support the use of the istio-injection label when using the RevisionBased updateStrategy type. Instead, users have to use the istio.io/rev label to select workloads or namespaces for injection. We should make sure that the operator sets the default revision to the currently active revision so that the istio-injection label can be used.
We need to add templates to define the different types of issues that we want to add to this project. Initially, we will create templates for feature requests, bugs, and epics.
We need to update the information in the repository about the ways to work in the project. This will be based on the documentation that we have already agreed on, adding valuable information that already exists in the upstream documentation for Istio.
We currently default to in-place updates. Once we're happy with revision-based updates, we should make it the default.
Currently blocked by #86
We will need to verify that the user has the required privileges to run an instance of Istio. In the past, we verified this using a SubjectAccessReview check. We might have to do something similar.