Changing the ServiceAccount issuer of a Shoot breaks the cluster #5817
Comments
With this PR was introduced a possibility to specify the

Thanks @dimityrmirchev. I think what we should do is to always add the external hostname to the list of accepted issuers (acceptedIssuers (which is non-obvious for users and they shouldn't even care).

But I think that this again will not stop me from breaking a cluster. For example:

I am not sure if some kind of validation can be introduced to not allow changing the current issuer if the old value is not present in the

IMO the non obvious part of the whole thing is "When can I remove the old issuer from

Right, thanks for pointing this out!

We discussed this again and came up with the following plan:
How to categorize this issue?
/area usability
/kind bug
What happened:
When changing the ServiceAccount issuer for an existing shoot cluster, the control plane and system components start to fail.

What you expected to happen:
How to reproduce it (as minimally and precisely as possible):
1. A Shoot with a standard manifest (ref https://github.com/gardener/gardener/blob/master/example/provider-local/shoot.yaml).
2. Set .spec.kubernetes.kubeAPIServer.serviceAccountConfig.issuer="https://foo.bar.com"
Anything else we need to know?:
According to https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/, the --service-account-issuer field does the following:

By default, the issuer is the external hostname of the cluster itself:
gardener/pkg/operation/botanist/kubeapiserver.go, line 339 in 1b10d51

kube-apiserver have this issuer.

Now, after changing this for an existing shoot, we just set the flag to the provided value:
gardener/pkg/operation/botanist/kubeapiserver.go, lines 348 to 350 in 1b10d51

This will make kube-apiserver no longer accept old tokens.
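The failure mode described above, as an added example that is not Gardener's or kube-apiserver's own code: a minimal model of how kube-apiserver treats its --service-account-issuer values (the first value is stamped into the "iss" claim of new tokens, every value is accepted on verification), run once with the naive issuer change from the report and once with the old external hostname kept as an accepted issuer. EXTERNAL_HOSTNAME, the HS256 demo key and the subjects are constructed placeholders; a real kube-apiserver signs tokens with the cluster's asymmetric service account key.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. kube-apiserver signs with its asymmetric service
# account key; HS256 is used here only to keep the example self-contained.
SIGNING_KEY = b"constructed-demo-key"
EXTERNAL_HOSTNAME = "https://api.example-shoot.invalid"  # placeholder default issuer
NEW_ISSUER = "https://foo.bar.com"                       # value used in the issue


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(issuers, subject):
    """Mint a token as kube-apiserver does: the first --service-account-issuer
    value becomes the 'iss' claim of every newly issued token."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64(json.dumps({"iss": issuers[0], "sub": subject}).encode())
    sig = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64(sig)}"


def verify_token(issuers, token):
    """Check the signature, then accept the token only if its 'iss' claim is
    one of the configured --service-account-issuer values."""
    header, payload, sig = token.split(".")
    expected = hmac.new(SIGNING_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return False, "bad signature"
    iss = json.loads(_unb64(payload))["iss"]
    if iss not in issuers:
        return False, f"issuer {iss!r} not accepted"
    return True, iss


def rotate_issuer(keep_old_issuer: bool):
    """Mint a token under the default config, switch to NEW_ISSUER either naively
    or with the old hostname kept as an accepted issuer, and report the result."""
    old_token = mint_token([EXTERNAL_HOSTNAME], "system:serviceaccount:kube-system:coredns")
    issuers = [NEW_ISSUER, EXTERNAL_HOSTNAME] if keep_old_issuer else [NEW_ISSUER]
    old_ok, _ = verify_token(issuers, old_token)
    _, new_iss = verify_token(issuers, mint_token(issuers, "system:serviceaccount:default:app"))
    return {"old_token_accepted": old_ok, "new_token_issuer": new_iss}
```

With keep_old_issuer=False the already-mounted token is rejected, which is what breaks the control plane and system components; with the old hostname kept in the accepted list, old tokens keep working while new tokens already carry the new issuer.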