There is an implicitly bound dependency between the control-plane and kleidi when it's deployed as a daemonset. If the entirety of the daemonset is disrupted, it can and will deadlock the control-plane because kube-apiserver depends on kleidi for etcd decrypt, and kleidi depends on the control-plane availability to launch as a daemonset.
Static pods, or running it as a host-bound co-service (think systemd-unit), will thwart this dependency, allowing kleidi to operate independently of the control-plane. Depending on the path chosen, this can also break the binding with the kube-auth Vault backend. I had to extend kleidi to support AppRole authentication in this model so we could break the dependency chain.
I have a few diagrams and other assets to help illustrate the concern here.
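
The cold-start behaviour described in the post above can be checked with a small dependency model. This is an added example, not code from the post or from the kleidi project. The component names and edges are assumptions: etcd, the kubelet and Vault are treated as already running, and Vault's Kubernetes auth is modelled as needing kube-apiserver (it validates tokens through the TokenReview API), while AppRole is not.

```python
# Added example: cold-start model of the dependency chain in the post.
# All node names and edges below are assumptions made for illustration.

def bootable(deps, always_up):
    """Return the components that can reach Ready from a cold start.
    deps maps component -> set of components that must be Ready first."""
    up = set(always_up)
    changed = True
    while changed:                      # iterate to a fixed point
        changed = False
        for comp, needs in deps.items():
            if comp not in up and needs <= up:
                up.add(comp)
                changed = True
    return up

def deadlocked(deps, always_up):
    """Components that can never start because they sit on a cycle."""
    return sorted(set(deps) - bootable(deps, always_up))

ALWAYS_UP = {"kubelet", "etcd", "vault"}   # assumed host-level / external

DAEMONSET = {
    "kube-apiserver": {"etcd", "kleidi"},             # needs kleidi to decrypt
    "daemonset-controller": {"kube-apiserver"},
    "kleidi": {"daemonset-controller", "kubelet", "vault-login"},
    "vault-login": {"vault", "kube-apiserver"},       # Kubernetes auth
}
STATIC_KUBE_AUTH = {
    "kube-apiserver": {"etcd", "kleidi"},
    "kleidi": {"kubelet", "vault-login"},             # kubelet starts it alone
    "vault-login": {"vault", "kube-apiserver"},       # still tied to the API
}
STATIC_APPROLE = {
    "kube-apiserver": {"etcd", "kleidi"},
    "kleidi": {"kubelet", "vault-login"},
    "vault-login": {"vault"},                         # AppRole: no API call
}

if __name__ == "__main__":
    for name, graph in [("daemonset", DAEMONSET),
                        ("static + kube-auth", STATIC_KUBE_AUTH),
                        ("static + approle", STATIC_APPROLE)]:
        print(f"{name}: deadlocked = {deadlocked(graph, ALWAYS_UP)}")
```

In this model only the static placement combined with an API-independent Vault login leaves nothing deadlocked; moving kleidi to a static pod while keeping Kubernetes auth still leaves a cycle through the Vault login.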