fix: Mount /usr/local/share/ca-certificates folder into kube-controller-manager #4001
…ity timeout for Azure CNI network policy (Azure#3895)
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ericsuhong, jackfrancis The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/azp run pr-e2e
Azure Pipelines successfully started running 1 pipeline(s).
Codecov Report
@@ Coverage Diff @@
## master #4001 +/- ##
=======================================
Coverage 73.68% 73.68%
=======================================
Files 147 147
Lines 23161 23161
=======================================
Hits 17067 17067
Misses 4979 4979
Partials 1115 1115
Continue to review full report at Codecov.
aks-engine/parts/k8s/cloud-init/artifacts/cse_customcloud.sh Lines 16 to 23 in 2e2dfd7
@ericsuhong, why is this ^^^ not enough? The man page for
@jadarsie We encountered this issue on Ubuntu 18.04 with K8s 1.18 in an airgap cloud where, if you download and update root certificates, cloud-controller won't recognize the new root certs until we added that additional mount point.
Right, I understand the symptom, I just wonder why that's the case.
I will be honest, I could not pinpoint the root cause exactly. I also faced an issue where it sometimes required an explicit node reboot for kube-controller-manager to reflect the cert update as well... (this does not happen for other services running on agent nodes). The update-ca-certificates command did not print out any warning or error messages. It should not require node reboots either... For now, since this is a pretty safe change, I've decided to make this change and move on due to tight airgap deadlines.
Reason for Change:
To support airgap clouds, we need to mount the /usr/local/share/ca-certificates folder into kube-controller-manager.
Credit Where Due:
Does this change contain code from or inspired by another project?
If "Yes," did you notify that project's maintainers and provide attribution?
Requirements:
Notes:
kube-controller-manager was working fine in airgap clouds on K8s 1.16 without requiring this change, so I assume this change is only needed for K8s 1.17+