Kube_apiserver_bind_address auto-configures wrong API access endpoint for all-in-one deployments #2051
Comments
Masters have always pointed to localhost for apiserver. What is the bug? We have an AIO case in CI working.
@mattymo - we're trying to deploy with an external LB (haproxy) and VIP (managed via keepalived), & when you specify loadbalancer_apiserver_localhost: false the generated /etc/kubernetes/*kubeconfig.yaml files all point to localhost, which doesn't seem to work unless you don't set kube_apiserver_bind_address (so the API listens on 0.0.0.0) - we want to set this so haproxy and the kube API can listen on the same port, because that fits the current TripleO loadbalancer implementation better.
Note it's possible we're doing something wrong, but here's what I'm trying:
(undercloud) [stack@undercloud kubespray]$ cat global_vars.yml
(undercloud) [stack@undercloud kubespray]$ cat inventory.yml
kube-node:
hosts:
etcd:
k8s-cluster:
You can see the VIP and local bind IP via netstat:
[root@overcloud-controller-0 ~]# netstat -taupen | grep 6443
haproxy config like this:
global
defaults
listen haproxy.stats
listen kubernetes-master
This fails like http://paste.openstack.org/show/628651/ because the API isn't accessible to kubeadm I think, any pointers appreciated :)
With a custom
Yes as mentioned by @bogdando the issue is we don't want the API to listen to all interfaces, so I guess we need to either configure it to listen to kube_apiserver_bind_address and localhost, configure haproxy to listen on the vip and localhost, or configure the kubeconfig files to point at the VIP. Configuring everything to point at the VIP would be most consistent with how we handle the OpenStack services, but I'm not clear if that would be acceptable for the k8s masters, not yet tried it.
BUG REPORT
HA docs describe external and local LB as mutually exclusive and impose masters and nodes running on separate nodes.
When using all-in-one (a master is running workloads) and kube_apiserver_bind_address set up, kube_apiserver_endpoint auto eval fails to detect its value. It puts 127.0.0.1, while nothing listens there, and local nginx LB is not configured for masters.
As a fix for loadbalancer_apiserver_localhost=False, we need to switch the endpoint to use kube_apiserver_bind_address instead of 127.0.0.1.
And for the loadbalancer_apiserver_localhost=True case, we prolly need to deploy nginx on masters as well?
Environment:
Cloud provider or hardware configuration: n/a
OS (printf "$(uname -srm)\n$(cat /etc/os-release)\n"): n/a
Version of Ansible (ansible --version): n/a
Kubespray version (commit) (git rev-parse --short HEAD): 2c6255d
Network plugin used: n/a
Copy of your inventory file:
Command used to invoke ansible: as usual
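A check for the mismatch this issue describes, as an added example that is not part of the issue or of kubespray: it compares the server endpoints in a kubeconfig with the sockets actually listening on the host and reports the endpoints nothing serves. The kubeconfig fragment, the netstat-style lines, the 192.0.2.x addresses and all function names are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample data (not from the issue): a kubeconfig fragment and
# listener lines in netstat layout; 192.0.2.x stands in for bind IP and VIP.
KUBECONFIG = """\
clusters:
- cluster:
    server: https://127.0.0.1:6443
"""
LISTENERS = """\
tcp  0  0 192.0.2.10:6443   0.0.0.0:*  LISTEN
tcp  0  0 192.0.2.100:6443  0.0.0.0:*  LISTEN
"""

def kubeconfig_endpoints(text):
    """Return (host, port) for every 'server:' URL in a kubeconfig."""
    urls = re.findall(r"^\s*server:\s*(\S+)", text, re.M)
    return [(u.hostname, u.port or 443) for u in map(urlsplit, urls)]

def listening_sockets(text):
    """Return (ip, port) for each LISTEN line of netstat-style output."""
    socks = []
    for fields in map(str.split, text.splitlines()):
        if len(fields) >= 6 and fields[5] == "LISTEN":
            ip, _, port = fields[3].rpartition(":")
            socks.append((ipaddress.ip_address(ip), int(port)))
    return socks

def is_served(host, port, socks):
    """True/False for an IP endpoint; None for a DNS name (not decidable here)."""
    try:
        target = ipaddress.ip_address(host)
    except ValueError:
        return None
    for ip, p in socks:
        # A wildcard bind serves every local address; "::" is assumed to be
        # dual-stack (Linux default), so it also covers IPv4 targets.
        wildcard = ip.is_unspecified and (ip.version == 6 or target.version == 4)
        if p == port and (ip == target or wildcard):
            return True
    return False

def unreachable_endpoints(kubeconfig, listeners):
    """Endpoints a kubeconfig points at that no local listener serves."""
    socks = listening_sockets(listeners)
    return [e for e in kubeconfig_endpoints(kubeconfig)
            if is_served(e[0], e[1], socks) is False]
```

On a real host, the inputs would be the contents of the /etc/kubernetes/*kubeconfig.yaml files and the output of netstat -tln.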