Ubernetes-Lite: reuse existing configuration when reusing master #22594
Labelling this PR as size/M
GCE e2e build/test passed for commit de520e2da4c5721f194f66b9950f2705c7490dbb.
In particular, we need to share the kubelet cert & key, otherwise we can't connect to the kube-api. Fix kubernetes#22593
GCE e2e build/test passed for commit 523e1d0.
Marking cherrypick-candidate for tracking / self-reminder... We need this or something equivalent.
@justinsb is this PR missing anything that you're waiting to add?
@preillyme Just that I haven't tested it nearly as much as I would like to. That said it should be scoped only to KUBE_USE_EXISTING_MASTER (i.e. Ubernetes Lite), it does "work for me" on AWS. I haven't had the chance to test yet on GCE, but when I do I'll remove WIP. (If anyone tests on GCE first let me know!)
Removing WIP; this shouldn't break anything other than Ubernetes-Lite, and the fastest way to find out whether Ubernetes-Lite is broken is to get it into e2e.
Just tested this on GCE and it works :-) So verified working on AWS & GCE.
# AWS_SSH_KEY | ||
# SSH_USER | ||
function get-master-env() { | ||
ssh -oStrictHostKeyChecking=no -i "${AWS_SSH_KEY}" ${SSH_USER}@${KUBE_MASTER_IP} sudo cat /etc/kubernetes/kube_env.yaml |
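Review bot: `-oStrictHostKeyChecking=no` on the ssh line in get-master-env turns off host key verification for the connection that reads /etc/kubernetes/kube_env.yaml, so the configuration being reused is accepted from whatever host answers at KUBE_MASTER_IP. Consider verifying the master's host key instead, for example by pinning it in a known_hosts file passed with -oUserKnownHostsFile. Separately, `${SSH_USER}@${KUBE_MASTER_IP}` is unquoted while `"${AWS_SSH_KEY}"` is quoted; quote it as well, and list KUBE_MASTER_IP in the comment header next to AWS_SSH_KEY and SSH_USER if it is not already named in the lines above this view.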
nit: It's not clear to me why sudo would not prompt for an interactive password entry here. But if you've tested it, I guess it doesn't. Any idea why, @justinsb?
Aah, re-reading the man page, I guess one of these applies?
Authentication and logging
sudo requires that most users authenticate themselves by default. A password is not required if the invoking user is root, if the target user is
the same as the invoking user, or if the authentication has been disabled for the user or command in the sudoers file.
Yes - it's because all AWS images have a non-root account which you SSH in to, but that user is set up to allow passwordless sudo. (Because there's no way to communicate a password). At least all the images I've ever seen!
@justinsb LGTM barring minor nits. Feel free to address them in a separate PR, or not at all (they're just suggestions).
@k8s-bot test this Tests are more than 48 hours old. Re-running tests.
Responded to all the nits - my opinion is that they should not be addressed in this PR.
GCE e2e build/test passed for commit 523e1d0.
@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]
GCE e2e build/test passed for commit 523e1d0.
Automatic merge from submit-queue
Auto commit by PR queue bot