chore: remove apiserver /etc/kubernetes/certs mount #3808
Codecov Report
@@ Coverage Diff @@
## master #3808 +/- ##
=======================================
Coverage 73.20% 73.20%
=======================================
Files 148 148
Lines 25385 25385
=======================================
Hits 18583 18583
Misses 5666 5666
Partials 1136 1136
Continue to review full report at Codecov.
/lgtm
LGTM, `/etc/ssl` host mount should be removable for v1.19+ clusters for kube-proxy and kube-apiserver too (needs to be tested).
1f0f928 to 3a91897
New changes are detected. LGTM label has been removed.
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: jackfrancis, mboersma
Reason for Change:

In our haste to unblock AAD scenarios, we added an unnecessary `/etc/kubernetes/certs` `mountPath` to the apiserver spec. In fact, the needed mount was at `/etc/ssl/certs`, added in #3800.

We are already mounting `/etc/kubernetes`, and thus have access to `/etc/kubernetes/certs` recursively. E.g. from a cluster built with this changeset:

Observe above that we have local access from the apiserver container to `/etc/kubernetes/certs` without that explicit `mountPath`, because we inherit that access by having a `mountPath` to the parent directory.

Issue Fixed:
Requirements:
Notes:
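
The redundancy described in this PR (a `mountPath` already covered by a mount of its parent directory) can be checked mechanically on a pod spec. The following is an added example, not code from this PR or from the project; the pod spec, volume names and the `redundant_mounts` helper are constructed for illustration, and it assumes plain `hostPath` volumes without `subPath`.

```python
from pathlib import PurePosixPath

def _rel(child, parent):
    """Return child relative to parent, or None if child is not at or below parent."""
    try:
        return PurePosixPath(child).relative_to(PurePosixPath(parent))
    except ValueError:
        return None

def redundant_mounts(pod_spec):
    """List (container, child mountPath, parent mountPath) for hostPath mounts a parent mount covers."""
    host = {v["name"]: v["hostPath"]["path"]
            for v in pod_spec.get("volumes", []) if "hostPath" in v}
    findings = []
    for c in pod_spec.get("containers", []):
        mounts = [m for m in c.get("volumeMounts", [])
                  if m["name"] in host and "subPath" not in m]
        for child in mounts:
            for parent in mounts:
                in_ctr = _rel(child["mountPath"], parent["mountPath"])
                on_host = _rel(host[child["name"]], host[parent["name"]])
                # Redundant only if the child shows the same host subtree the
                # parent already exposes at that path, with the same access mode.
                if (in_ctr is not None and in_ctr == on_host
                        and in_ctr != PurePosixPath(".")
                        and child.get("readOnly", False) == parent.get("readOnly", False)):
                    findings.append((c["name"], child["mountPath"], parent["mountPath"]))
    return findings

# Constructed sample spec (hypothetical volume names), shaped like the case in this PR.
SAMPLE = {
    "volumes": [
        {"name": "etc-kubernetes", "hostPath": {"path": "/etc/kubernetes"}},
        {"name": "etc-kubernetes-certs", "hostPath": {"path": "/etc/kubernetes/certs"}},
        {"name": "etc-ssl", "hostPath": {"path": "/etc/ssl/certs"}},
    ],
    "containers": [{
        "name": "kube-apiserver",
        "volumeMounts": [
            {"name": "etc-kubernetes", "mountPath": "/etc/kubernetes"},
            {"name": "etc-kubernetes-certs", "mountPath": "/etc/kubernetes/certs"},
            {"name": "etc-ssl", "mountPath": "/etc/ssl/certs", "readOnly": True},
        ],
    }],
}

if __name__ == "__main__":
    print(redundant_mounts(SAMPLE))
```

A child mount that is `readOnly` under a writable parent, or that maps a different host directory onto the nested path, is deliberately not reported, because removing it would change what the container can read or write.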