Support for Service Account Issuer Discovery #1187
Description
Refs:
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery
https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection
https://docs.k3s.io/advanced#starting-the-server-with-the-installation-script
I have been trying to configure service account volume projection using --k3s-args, but when doing so the cluster fails to create. Sometimes the error is ...
ERRO[0005] Failed Cluster Start: Failed to start server k3d-workload-identity-server-0: Node k3d-workload-identity-server-0 failed to get ready: error waiting for log line k3s is up and running ...
and at other times a little different.
I have tried passing the args using a config file and the command-line. In both cases the behaviour is the same (cluster creation fails):
Snippet from k3d-config.yml:
k3s:
extraArgs:
...
- arg: --service-account-issuer=https://host.desktop.homelab:6443
nodeFilters:
- server:*
- arg: --service-account-jwks-uri=https://host.desktop.homelab:6443/openid/v1/jwks
nodeFilters:
- server:*
- arg: --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key
nodeFilters:
- server:*
- arg: --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key
nodeFilters:
- server:*
and the command line
k3d cluster create workload-identity --servers 1 --agents 2 ... --k3s-arg --service-account-issuer=https://host.desktop.homelab:6443@server:* --k3s-arg --service-account-jwks-uri=https://host.desktop.homelab:6443/openid/v1/jwks@server:* --k3s-arg --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key@server:* --k3s-arg --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key@server:*
Looking at the advanced configuration for k3s here, the output window shows some of these args being used.
$ k3s server
INFO[2019-01-22T15:16:19.908493986-07:00] Starting k3s dev
INFO[2019-01-22T15:16:19.908934479-07:00] Running kube-apiserver --allow-privileged=true --authorization-mode Node,RBAC --service-account-signing-key-file /var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range 10.43.0.0/16 --advertise-port 6445 --advertise-address 127.0.0.1 --insecure-port 0 --secure-port 6444 --bind-address 127.0.0.1 --tls-cert-file /var/lib/rancher/k3s/server/tls/localhost.crt --tls-private-key-file /var/lib/rancher/k3s/server/tls/localhost.key --service-account-key-file /var/lib/rancher/k3s/server/tls/service.key --service-account-issuer k3s --api-audiences unknown --basic-auth-file /var/lib/rancher/k3s/server/cred/passwd --kubelet-client-certificate /var/lib/rancher/k3s/server/tls/token-node.crt --kubelet-client-key /var/lib/rancher/k3s/server/tls/token-node.key
...
I also have a k3s cluster which does respond to a request for the OIDC discovery document:
kubectl get --raw /.well-known/openid-configuration
{"issuer":"https://kubernetes.default.svc.cluster.local","jwks_uri":"https://xxx.xxx.xxx.xx:6443/openid/v1/jwks","response_types_supported":["id_token"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"]}
So this suggests that it is supported in k3s.
Can you advise whether these flags are supported in k3d ?
Kind Regards
Fraser.