Skip to content

feat: add trigger to restart kube-apiserver when config files change #12172

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
May 15, 2025
Merged

feat: add trigger to restart kube-apiserver when config files change #12172

merged 3 commits into from
May 15, 2025

Conversation

hhk7734
Copy link
Contributor

@hhk7734 hhk7734 commented Apr 28, 2025
edited
Loading

What type of PR is this?

/kind feature

What this PR does / why we need it:

When the kube-apiserver config files change, some users may not realize that they need to manually restart the kube-apiserver because the manifest itself remains unchanged and kubelet does not automatically restart the Pod.

With this PR, even if the manifest is not modified, the kube-apiserver will be restarted whenever related config files change.

For example, if audit_policy_custom_rules is modified and ansible-playbook upgrade-cluster.yml --tags master is run, the kube-apiserver will be automatically restarted to apply the updated audit policies.

Which issue(s) this PR fixes:

Fixes #

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

None

@k8s-ci-robot k8s-ci-robot added release-note-none Denotes a PR that doesn't merit a release note. kind/feature Categorizes issue or PR as related to a new feature. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Apr 28, 2025
@k8s-ci-robot
Copy link
Contributor

Welcome @hhk7734!

It looks like this is your first PR to kubernetes-sigs/kubespray 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/kubespray has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

@k8s-ci-robot k8s-ci-robot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels Apr 28, 2025
@k8s-ci-robot
Copy link
Contributor

Hi @hhk7734. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@hhk7734 hhk7734 mentioned this pull request Apr 28, 2025
Closed
@VannTen
Copy link
Contributor

VannTen commented May 10, 2025

Are you sure the kube-apiserver isn't reloading changed config file dynamically ? If I recall correctly, I was told that at least for structured authentication.
If not, you should use an handler instead of register + when.

@hhk7734
Copy link
Contributor Author

hhk7734 commented May 11, 2025

Here's how I tested it:

kubernetes_audit: true
audit_policy_custom_rules: |
  - level: Metadata
ansible-playbook -i inventory -b -e "@kubespray_vars.yaml" cluster.yml

After creating a cluster, I confirmed that auditing was working by checking /var/log/kubernetes/audit/kube-apiserver-audit.log.
The log file was created and contained audit records as expected.

kubernetes_audit: true
audit_policy_custom_rules: |
  - level: None
ansible-playbook -i inventory -b -e "@kubespray_vars.yaml" upgrade-cluster.yml --tags master

After applying the changes, I noticed that although the /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml file was updated, the new settings were not applied. Events were still being logged in /var/log/kubernetes/audit/kube-apiserver-audit.log.

After applying this PR, I deleted the contents of /etc/kubernetes/audit-policy/apiserver-audit-policy.yaml and ran the following command again:

ansible-playbook -i inventory -b -e "@kubespray_vars.yaml" upgrade-cluster.yml --tags master

This time, the changes were applied correctly.

@hhk7734
Copy link
Contributor Author

hhk7734 commented May 11, 2025

Should I change it to this?

- name: Write api audit policy yaml
  template:
    src: apiserver-audit-policy.yaml.j2
    dest: "{{ audit_policy_file }}"
    mode: "0640"
  register: apiserver_audit_policy_update
  when: kubernetes_audit | default(false) or kubernetes_audit_webhook | default(false)
  notify: Control plane | Restart apiserver

@VannTen
Copy link
Contributor

VannTen commented May 12, 2025

Ok, thanks for testing 👍
Yeah looks fine, just unless the apiserver_audit_policy_update is used you can scrap it.

@k8s-ci-robot k8s-ci-robot added needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. and removed size/S Denotes a PR that changes 10-29 lines, ignoring generated files. labels May 12, 2025
@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 12, 2025
@VannTen
Copy link
Contributor

VannTen commented May 12, 2025

/ok-to-test
I had forgot about that, sry

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 12, 2025
@yankay
Copy link
Member

yankay commented May 14, 2025

/retest-failed

@hhk7734
Copy link
Contributor Author

hhk7734 commented May 14, 2025

/retest

@VannTen
Copy link
Contributor

VannTen commented May 15, 2025

This looks fine, thanks !
/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label May 15, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: hhk7734, VannTen

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 15, 2025
@k8s-ci-robot k8s-ci-robot merged commit 2c3b6c9 into kubernetes-sigs:master May 15, 2025
46 checks passed
@hhk7734 hhk7734 deleted the apiserver branch May 15, 2025 15:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@cyclinder cyclinder Awaiting requested review from cyclinder

@tico88612 tico88612 Awaiting requested review from tico88612

Assignees

@VannTen VannTen

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/feature Categorizes issue or PR as related to a new feature. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. release-note-none Denotes a PR that doesn't merit a release note. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@hhk7734 @k8s-ci-robot @VannTen @yankay