Set --service-account-issuer for k8s 1.20+ #10284

Merged
merged 2 commits into from
Dec 4, 2020

johngmyers
Member

Kubernetes 1.20+ requires the --service-account-issuer flag be passed to kube-apiserver

Fixes #10279

/cc @justinsb

@k8s-ci-robot k8s-ci-robot added the do-not-merge/work-in-progress, cncf-cla: yes, size/M and approved labels Nov 21, 2020
}

return "", fmt.Errorf("ServiceAcccountIssuer not (currently) supported without PublicJWKS")
return "https://api." + clusterName, nil
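Review bot: At the final return, "https://api." + clusterName is concatenated with no check that clusterName is non-empty, so an empty name would produce the issuer "https://api." with a nil error, where the removed line at least failed loudly. Suggest validating clusterName at this point, or adding a comment stating where it is guaranteed to be set. A short comment saying this is the default issuer used when no PublicJWKS is configured would also help the next reader, since the removed error message was the only place that condition was spelled out.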
Member Author

Somewhat unrelated to what this PR is trying to fix, if the admin has set spec.kubeAPIServer.serviceAccountIssuer explicitly, this should probably return that value instead.

Member

I agree we should respect the API field but that could be done in a separate PR.

This function no longer needs to return an error

@johngmyers
Member Author

This is at least sufficient to get k8s 1.20 to start, but I'm not entirely confident about setting that issuer without enabling discovery. I would appreciate review from @justinsb or @rifelpet.
/approve cancel

@johngmyers johngmyers changed the title WIP: Set --service-account-issuer for k8s 1.20+ Set --service-account-issuer for k8s 1.20+ Nov 21, 2020
@k8s-ci-robot k8s-ci-robot removed the approved and do-not-merge/work-in-progress labels Nov 21, 2020
@olemarkus
Member

Service account issuer discovery was promoted to beta in 1.20 so this feature should be enabled by default. I don't think we need to do anything in particular around that feature.

Member

@rifelpet rifelpet left a comment

this looks good to me but I'd like Justin's opinion on potential impact

/cc @justinsb

@k8s-ci-robot k8s-ci-robot added the area/provider/aws label Dec 4, 2020
@justinsb
Member

justinsb commented Dec 4, 2020

This looks good. One thing we'll have to verify is that upgrading works!

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Dec 4, 2020
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: justinsb

@k8s-ci-robot k8s-ci-robot added the approved label Dec 4, 2020
@k8s-ci-robot k8s-ci-robot merged commit 0fecffb into kubernetes:master Dec 4, 2020
@k8s-ci-robot k8s-ci-robot added this to the v1.20 milestone Dec 4, 2020
@johngmyers johngmyers deleted the service-account-issuer branch December 4, 2020 16:57
Successfully merging this pull request may close these issues.

Clusters created with k8s v1.20 don't start
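
The two open points from the thread, honoring an explicitly set spec.kubeAPIServer.serviceAccountIssuer before falling back to the default and keeping the issuer usable for discovery, sketched as an added example that is not code from this PR or from kops. `resolveIssuer` and `discoveryURL` are hypothetical names, the cluster and issuer values are constructed, and the https / no query / no fragment checks follow the issuer rules of OpenID Connect Discovery.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// resolveIssuer is a hypothetical helper (not kops code): an explicitly
// configured issuer wins, otherwise the PR's default is derived.
func resolveIssuer(explicit, clusterName string) (string, error) {
	issuer := explicit
	if issuer == "" {
		if clusterName == "" {
			return "", fmt.Errorf("empty cluster name: cannot derive a default issuer")
		}
		issuer = "https://api." + clusterName
	}
	u, err := url.Parse(issuer)
	if err != nil {
		return "", fmt.Errorf("issuer %q is not a valid URL: %w", issuer, err)
	}
	// OpenID Connect Discovery: https issuer, no query or fragment.
	if u.Scheme != "https" || u.Host == "" {
		return "", fmt.Errorf("issuer %q must be an https URL with a host", issuer)
	}
	if u.RawQuery != "" || u.Fragment != "" {
		return "", fmt.Errorf("issuer %q must not have a query or fragment", issuer)
	}
	return issuer, nil
}

// discoveryURL is where a token verifier fetches the issuer's metadata.
func discoveryURL(issuer string) string {
	return strings.TrimSuffix(issuer, "/") + "/.well-known/openid-configuration"
}

func main() {
	// Constructed inputs: default, explicit override, rejected http issuer.
	for _, c := range [][2]string{
		{"", "example.k8s.local"},
		{"https://issuer.example.com/cluster-a", "example.k8s.local"},
		{"http://insecure.example.com", "example.k8s.local"},
	} {
		iss, err := resolveIssuer(c[0], c[1])
		fmt.Printf("issuer=%q err=%v\n", iss, err)
	}
}
```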