If you are wondering where the data of this site comes from, please visit https://api.github.com/users/jyotimahapatra/events. GitMemory does not store any data, but only uses NGINX to cache data for a period of time. The idea behind GitMemory is simply to give users a better reading experience.

jyotimahapatra/amazon-eks-pod-identity-webhook 0

Amazon EKS Pod Identity Webhook

jyotimahapatra/aws-sdk-go 0

AWS SDK for the Go programming language.

jyotimahapatra/eks-distro 0

Amazon EKS Distro (EKS-D) is a Kubernetes distribution based on and used by Amazon Elastic Kubernetes Service (EKS) to create reliable and secure Kubernetes clusters.

jyotimahapatra/eks-distro-prow-jobs 0

This repository contains Prow Job configuration for the EKS Distro installation of Prow, which is available at https://prow.eks.amazonaws.com/.

jyotimahapatra/eks-efa-examples 0

Running High Performance Computing (HPC) applications on EKS using Elastic Fabric Adapter (EFA).

jyotimahapatra/go-control-plane 0

Go implementation of data-plane-api

jyotimahapatra/k8s-conformance 0

🧪CNCF K8s Conformance Working Group

jyotimahapatra/kubernetes 0

Production-Grade Container Scheduling and Management

jyotimahapatra/nghttp2 0

nghttp2 - HTTP/2 C Library and tools

jyotimahapatra/xds-relay 0

Caching, aggregation, and relaying for xDS compliant clients and origin servers

pull request comment kubernetes/kubernetes

exec credential provider: handle wrapped exec errors

Hi 👋 I'm the bug triage shadow. I wanted to check in and see if this PR is targeted for milestone 1.23.

ankeesler

comment created time in 3 days

pull request comment kubernetes/kubernetes

Adds Windows support for etcd image

Hi 👋 I'm the bug triage shadow. I wanted to check in and see if this is targeted for the 1.23 milestone.

Attempting to nudge the conversation forward, @claudiubelu, I wanted to bring attention to a question asked earlier in the thread: https://github.com/kubernetes/kubernetes/pull/92433#issuecomment-889326571

claudiubelu

comment created time in 3 days

issue comment kubernetes/kubernetes

Update systemd in debian-base:buster-v1.8.0 (latest) to patch CVE-2021-33910

Hi 👋 I'm the bug triage shadow for release 1.23. The associated PRs on this issue seem to have been merged. I would like to learn if this issue needs further follow-up.

vinayakankugoyal

comment created time in 3 days

issue comment kubernetes/kubernetes

The apiserver image (v1.21.0-rc.0) needs CAP_NET_BIND_SERVICE

Hi 👋 I'm the bug triage shadow. I wanted to nudge the conversation again in the context of the 1.23 release. Do we need to follow this up in 1.23?

mcorbin

comment created time in 3 days


Pull request review comment kubernetes-sigs/aws-encryption-provider

pkg/plugin: handle "AccessDeniedException" as user-induced

 func ParseError(err error) (errorType KMSErrorType) { 	// ref. https://docs.aws.amazon.com/kms/latest/developerguide/requests-per-second.html 	case kms.ErrCodeLimitExceededException: 		return KMSErrorTypeThrottled++	// AWS SDK Go for KMS does not "yet" define specific error code for a case where a customer specifies the deleted key+	// "AccessDeniedException" error code may be returned when (1) CMK does not exist (not pending delete),+	// or (2) corresponding IAM role is not allowed to access the key.+	// Thus we only want to mark "AccessDeniedException" as user-induced for the case (1).+	// e.g., "AccessDeniedException: The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access."+	// KMS service may change the error message, so we do the string match.+	case "AccessDeniedException":+		if strings.Contains(ev.Message(), "customer master key that does not exist") ||
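Review bot: the `strings.Contains(ev.Message(), "customer master key that does not exist")` test in the new `case "AccessDeniedException":` branch keys the user-induced classification on a substring of a message that the hunk's own comment says KMS may change; if the wording shifts, the error silently falls through to whatever the default branch returns and a deleted-key condition starts counting as a service fault. Pin the matched substring in a named constant with a unit test against the documented message, and state in the comment which KMSErrorType a non-matching AccessDeniedException (the IAM-denied case (2) in the comment) maps to, since that decision is what the liveness behaviour hinges on.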

Is AccessDeniedException not enough to detect a user induced error? String match is not a great way to handle this. I think AccessDeniedException is a good enough case to call an error user induced https://docs.aws.amazon.com/kms/latest/APIReference/CommonErrors.html

gyuho

comment created time in 8 days

issue opened kubernetes/org

REQUEST: New membership for jyotimahapatra

GitHub Username

jyotimahapatra

Organization you are requesting membership in

kubernetes

Requirements

Sponsor 1

voigt

Sponsor 2

reylejano

List of contributions to the Kubernetes project

  • SIG release team (bug triage shadow)

created time in 23 days

issue opened kubernetes/client-go

Question about version compatibility of go-client with k8s api server

Hi! I have a question about the compatibility matrix between go-client and the k8s apiserver.

Description of issue: We recently faced an issue where the k8s apiserver version was 1.20 and the go-client version was 1.10. K8s 1.20 removed the deprecated insecure port 8080 from the apiserver, and as a result all communication from go-client to the apiserver was switched to TLS. Without TLS, communication between go-client and the apiserver was based on HTTP/1. After switching to TLS (by updating certs in kube-config), the apiserver forced protocol negotiation (ALPN) during connection creation. This forced go-client to use an HTTP/2 connection with the apiserver. The http2 library used in go-client version 1.10 probably had bugs, which caused the go-client watch with the k8s apiserver to terminate and not be able to reestablish the connection, with the error message "http2: no cached connection was available". We fixed the issue by upgrading go-client to 1.16 (probably an earlier version could have worked too).

Question: The client-go documentation states "We will backport bugfixes--but not new features--into older versions of client-go." How far back are the bug fixes backported? I wanted to understand the process so that I can keep the client-go version updated when we change apiserver versions.

The compatibility matrix shows a matrix for apiserver and client-go versions 1.15 to 1.20. Does that mean it's safe to assume client-go can work with an apiserver drift of as much as 5 versions? I understand not all features would be available across versions, but I want to understand this from the perspective of bug fixes.

created time in 25 days

Pull request review comment kubernetes-sigs/aws-encryption-provider

Add "Check" API with "/livez" endpoint to discard user-induced errors

+package livez++import (+	"errors"+	"fmt"+	"io/ioutil"+	"math/rand"+	"net/http"+	"net/http/httptest"+	"os"+	"testing"+	"time"++	"github.com/aws/aws-sdk-go/aws/awserr"+	"github.com/aws/aws-sdk-go/service/kms"+	"go.uber.org/zap"+	"sigs.k8s.io/aws-encryption-provider/pkg/cloud"+	"sigs.k8s.io/aws-encryption-provider/pkg/plugin"+	"sigs.k8s.io/aws-encryption-provider/pkg/server"+)++// TestLivez tests livez handlers.+func TestLivez(t *testing.T) {+	zap.ReplaceGlobals(zap.NewExample())++	tt := []struct {+		path          string+		kmsEncryptErr error+		shouldSucceed bool+	}{+		{+			path:          "/test-livez-default",+			kmsEncryptErr: nil,+			shouldSucceed: true,+		},+		{+			path:          "/test-livez-fail",+			kmsEncryptErr: errors.New("fail encrypt"),+			shouldSucceed: false,+		},+		{+			path:          "/test-livez-fail-with-internal-error",+			kmsEncryptErr: awserr.New(kms.ErrCodeInternalException, "test", errors.New("fail")),+			shouldSucceed: false,+		},++		// user-induced+		{+			path:          "/test-livez-fail-with-user-induced-invalid-key-state",+			kmsEncryptErr: awserr.New(kms.ErrCodeInvalidStateException, "test", errors.New("fail")),+			shouldSucceed: true,+		},+		{+			path:          "/test-livez-fail-with-user-induced-invalid-grant",+			kmsEncryptErr: awserr.New(kms.ErrCodeInvalidGrantTokenException, "test", errors.New("fail")),+			shouldSucceed: true,+		},+	}+	for i, entry := range tt {+		func() {+			// create temporary unix socket file+			f, err := ioutil.TempFile(os.TempDir(), fmt.Sprintf("%x", rand.Int63()))
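Review bot: `ioutil.TempFile(os.TempDir(), fmt.Sprintf("%x", rand.Int63()))` pulls in `math/rand` only to build a prefix that `TempFile` already makes unique with its own random suffix, and an unseeded `math/rand` produces the same sequence on every run anyway, so the prefix adds nothing. `ioutil.TempFile("", "livez-")` does the same job, or `t.TempDir()` gives a per-test directory that the testing package removes for you.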

Is the tempfile used?

gyuho

comment created time in a month


Pull request review comment kubernetes-sigs/aws-encryption-provider

Add "Check" API with "/livez" endpoint to discard user-induced errors

+package livez++import (+	"errors"+	"fmt"+	"io/ioutil"+	"math/rand"+	"net/http"+	"net/http/httptest"+	"os"+	"testing"+	"time"++	"github.com/aws/aws-sdk-go/aws/awserr"+	"github.com/aws/aws-sdk-go/service/kms"+	"go.uber.org/zap"+	"sigs.k8s.io/aws-encryption-provider/pkg/cloud"+	"sigs.k8s.io/aws-encryption-provider/pkg/plugin"+	"sigs.k8s.io/aws-encryption-provider/pkg/server"+)++// TestLivez tests livez handlers.+func TestLivez(t *testing.T) {+	zap.ReplaceGlobals(zap.NewExample())++	tt := []struct {+		path          string+		kmsEncryptErr error+		shouldSucceed bool+	}{+		{+			path:          "/test-livez-default",+			kmsEncryptErr: nil,+			shouldSucceed: true,+		},+		{+			path:          "/test-livez-fail",+			kmsEncryptErr: errors.New("fail encrypt"),+			shouldSucceed: false,+		},+		{+			path:          "/test-livez-fail-with-internal-error",+			kmsEncryptErr: awserr.New(kms.ErrCodeInternalException, "test", errors.New("fail")),+			shouldSucceed: false,+		},++		// user-induced+		{+			path:          "/test-livez-fail-with-user-induced-invalid-key-state",+			kmsEncryptErr: awserr.New(kms.ErrCodeInvalidStateException, "test", errors.New("fail")),+			shouldSucceed: true,+		},+		{+			path:          "/test-livez-fail-with-user-induced-invalid-grant",+			kmsEncryptErr: awserr.New(kms.ErrCodeInvalidGrantTokenException, "test", errors.New("fail")),+			shouldSucceed: true,+		},+	}+	for i, entry := range tt {+		func() {+			// create temporary unix socket file+			f, err := ioutil.TempFile(os.TempDir(), fmt.Sprintf("%x", rand.Int63()))+			if err != nil {+				t.Fatal(err)+			}+			addr := f.Name()+			f.Close()+			os.RemoveAll(addr)
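Review bot: the create / `f.Close()` / `os.RemoveAll(addr)` sequence reserves nothing: once the temp file is removed, `addr` is just an unused name in the shared `os.TempDir()`, so any other process on the host can claim that path before the test's unix socket is bound there, and parallel test runs can collide on it. Deriving the socket path as `filepath.Join(t.TempDir(), "livez.sock")` keeps it inside a private per-test directory and removes the need for the delete step altogether.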

duplicate lines?

gyuho

comment created time in a month

Pull request review comment kubernetes-sigs/aws-encryption-provider

Add "Check" API with "/livez" endpoint to discard user-induced errors

 func (p *Plugin) Health() error { 		return err 	} 	if err != nil {-		zap.L().Warn("health check fail", zap.Error(err))+		zap.L().Warn("health check failed", zap.Error(err)) 	} else { 		zap.L().Debug("health check success") 	} 	return err } +// Checks the liveness of KMS API.+// If the error returned from KMS is user-induced, the function returns nil.+func (p *Plugin) Check() error {
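Review bot: the doc comment on the new method should start with its name per Go convention (`// Check reports the liveness of the KMS API; errors classified as user-induced are returned as nil.`) so godoc and golint pick it up. The `fail` to `failed` wording change in the Warn message is fine; note that Check needs the equivalent Warn/Debug logging itself, because the user-induced errors it swallows into nil are otherwise invisible to operators looking at the liveness result.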

+1

gyuho

comment created time in a month

Pull request review comment kubernetes-sigs/aws-encryption-provider

Add "Check" API with "/livez" endpoint to discard user-induced errors

 func WaitForReady(client pb.KeyManagementServiceClient, duration time.Duration) 	return nil } -// Check validates the availability of the server using the provided client-func Check(client pb.KeyManagementServiceClient) (string, error) {
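Review bot: deleting the exported `Check(client pb.KeyManagementServiceClient) (string, error)` from the server package is a public-API break for anyone importing it as a library, even if nothing inside this repository calls it; either keep it for one release as a thin wrapper marked `// Deprecated:` or call the removal out explicitly in the PR description so the release notes carry it.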

I didn't find a removed reference. Was this method not used?

gyuho

comment created time in a month

Pull request review comment kubernetes-sigs/aws-encryption-provider

Add "Check" API with "/livez" endpoint to discard user-induced errors

 func getStatusLabel(err error) string { 		return statusFailure 	} }++type KMS_ERROR_TYPE int
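Review bot: `type KMS_ERROR_TYPE int` breaks Go's MixedCaps convention for exported identifiers (golint flags both the underscores and the all-caps), and the later `ParseError` change on this page already refers to the type as `KMSErrorType`; rename it here so the two agree, and give the type a doc comment since it is part of the package's exported surface.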

nit: put the type and const at the top of file

gyuho

comment created time in a month

Pull request review comment kubernetes-sigs/aws-encryption-provider

Add "Check" API with "/livez" endpoint to discard user-induced errors

+// Package livez implements livez handlers.+package livez++import (+	"fmt"+	"net/http"++	"sigs.k8s.io/aws-encryption-provider/pkg/plugin"+)++// NewHandler returns a new livez handler.+func NewHandler(p *plugin.Plugin) http.Handler {+	return &handler{p: p}+}++type handler struct {+	p *plugin.Plugin+}++func (hd *handler) ServeHTTP(rw http.ResponseWriter, req *http.Request) {+	err := hd.p.Check()+	if err != nil {+		rw.WriteHeader(http.StatusInternalServerError)+		fmt.Fprint(rw, err)
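Review bot: `fmt.Fprint(rw, err)` in the failure branch copies the raw KMS error text into the HTTP body of an endpoint that is normally served without authentication; AWS error messages can carry key ARNs, account ids and request ids that have no business in a liveness response. Return a fixed body (`http.Error(rw, "kms check failed", http.StatusInternalServerError)`) and log the full error server-side, which also covers logging the detail at a higher trace level for operators.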

Is it possible to also log in a higher trace level?

gyuho

comment created time in a month


push event jyotimahapatra/amazon-eks-pod-identity-webhook

Jyoti Mahapatra

commit sha 761947b30795bb1227a27fcd80281c977f084f6d

update comment

view details

push time in a month


Pull request review comment aws/amazon-eks-pod-identity-webhook

add metrics for knowing adoption

 type serviceAccountCache struct { 	defaultAudience        string 	defaultRegionalSTS     bool 	defaultTokenExpiration int64+	webhookUsage           prometheus.Gauge+}++// We need a way to know if the webhook is used in a cluster to drive changes.+// We could perform more interesting operations by knowing how many service accounts are being annotated.
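Review bot: the block starting `// We need a way to know if the webhook is used in a cluster to drive changes.` sits after the struct's closing brace, so godoc will attach it to whatever declaration follows and present it as that declaration's documentation; the rationale belongs in the PR description or a README note, while the new `webhookUsage prometheus.Gauge` field should get a one-line comment stating what value it takes and when it is set.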

I brainstormed a bit about this. The number of pods injected is a good metric, but that doesn't give us details about usage if the pods don't churn. We could add that as well, but we decided we don't have a use case for the information. The number of annotated service accounts is a good metric, but it needs a bit of refactoring to make sure resync and update don't cause noise in the number. We chose to stick closer to what we need: knowing about usage in the clusters we operate.

jyotimahapatra

comment created time in a month

push event jyotimahapatra/amazon-eks-pod-identity-webhook

Jyoti Mahapatra

commit sha c9635eb8fb3c0719b88c0688f8ede3fa1f7417dc

mustRegister

view details

push time in a month

push event jyotimahapatra/amazon-eks-pod-identity-webhook

Jyoti Mahapatra

commit sha a772a6e9ca9e38d6d57d28d7578cdb5a52f63ea5

add tests

view details

push time in a month

push event jyotimahapatra/amazon-eks-pod-identity-webhook

Jyoti Mahapatra

commit sha b33e19549c56a1a4f7d1f1280574bdbc3d6df50f

Revert "add metrics for number of SA annotations being used" This reverts commit 3efdb9ff775f9c8046e393b409f0a1a95f709cbc.

view details

Jyoti Mahapatra

commit sha ef89f58b6cb9ae70b17e61b48e3b5daed1dc9cf1

know only usage

view details

push time in a month

Pull request review comment aws/amazon-eks-pod-identity-webhook

add metrics for number of SA annotations being used

 func New(defaultAudience, prefix string, defaultRegionalSTS bool, defaultTokenEx 						return 					} 				}+				if _, ok := sa.Annotations[c.annotationPrefix+"/"+pkg.RoleARNAnnotation]; ok {
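Review bot: the `if _, ok := sa.Annotations[c.annotationPrefix+"/"+pkg.RoleARNAnnotation]; ok {` check counts any service account that merely carries the annotation key, including one with an empty or malformed value that the webhook would not act on; if the metric is meant to measure adoption, test the same parsed value the injection path uses, and hoist the key construction into one helper so the count and the injection cannot drift apart.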

changed the approach.

jyotimahapatra

comment created time in a month


Pull request review comment aws/amazon-eks-pod-identity-webhook

add metrics for number of SA annotations being used

 func (c *serviceAccountCache) addSA(sa *v1.ServiceAccount) { 				resp.TokenExpiration = pkg.ValidateMinTokenExpiration(tokenExpiration) 			} 		}+		c.saCount.Inc()
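Review bot: `c.saCount.Inc()` in `addSA` increments on every invocation of the add path, and the informer drives that path on periodic resyncs and on updates as well as on genuine creation, so the counter climbs without any new annotated service account (the resync and update noise raised elsewhere in this thread). Either `Inc()` on add and `Dec()` on delete with updates treated as a no-op, or set a gauge from the cache size after each event, gives a number that actually tracks usage.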

Makes sense, made the change.

jyotimahapatra

comment created time in a month


push event jyotimahapatra/amazon-eks-pod-identity-webhook

Jyoti Mahapatra

commit sha 1e41db6594525f37a94c687c28239f1d3e3385a5

Revert "add metrics for number of SA annotations being used" This reverts commit d27514468c929307d236540b58592e4262f49b92.

view details

Jyoti Mahapatra

commit sha d83418a054629db6c292f5d30a4036c616217da0

Revert "add metrics for number of SA annotations being used" This reverts commit 019d1ba3137fc48ce5c75f1e5b0f1f5dd679aed7.

view details

Jyoti Mahapatra

commit sha 3efdb9ff775f9c8046e393b409f0a1a95f709cbc

add metrics for number of SA annotations being used

view details

push time in a month

push event jyotimahapatra/amazon-eks-pod-identity-webhook

Jyoti Mahapatra

commit sha d27514468c929307d236540b58592e4262f49b92

add metrics for number of SA annotations being used

view details

push time in a month