-
Notifications
You must be signed in to change notification settings - Fork 38.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Revert "kubeadm: Create control plane with ClusterFirstWithHostNet dns policy" #71010
Revert "kubeadm: Create control plane with ClusterFirstWithHostNet dns policy" #71010
Conversation
@neolit123: Adding the "do-not-merge/release-note-label-needed" label because no release-note block was detected, please follow our release note process to remove it. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
/release-note-none |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/lgtm
/approve
/cc @andrewrynhard - we needed to revert this!
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: neolit123, timothysc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/hold cancel |
@timothysc I see. Sorry for the troubles. I would still like to see |
@andrewrynhard Since oidc url has to be https anyway in tectonic we did this by standing up an ingress controller and configuring that as part of our install. Being able to reference internal svc urls for this stuff is kind of brittle. |
@mauilion Thanks for the suggestion. I actually ran it like that for quite some time. In my current use case I am using cert-manager and some rewrite rules in CoreDNS:
I am able to handle OIDC using only a service. It has worked out well so far. I can get valid certs for my internal service, but this whole setup is dependent on |
nice! this is a neat idea. This is a hard thing to solve since the apiserver comes in so early in the process. The solution to this is to ensure that the underlying node uses some dns server with dns stub capability or to ensure that before the apiserver starts a hosts entry like 10.96.0.100 dex.example.com TL;DR it's better to solve this problem without Another possible and interesting solution would be to extend kubeadm to populate as an example here is a modified /etc/kubernetes/manifests/kube-apiserver.yaml
This results in a /etc/hosts on the apiserver pod that can resolv dex.example.org without resorting to |
@mauilion Awesome, those suggestions look like some potentially good alternatives, but I don't have a way of know the IP of the internal dex service. |
You can predefine it. You can specify the cluster ip when defining the Dex service.
|
@andrewrynhard Did you find a way to resolve this? I have a similiar scenario where I want to extend kube-apiserver by using the webhook with a service. However, DNS cannot resolve the |
@hansenwg I kinda gave up on the idea unfortunately because I got pulled into other things, but I still would like to run it this way. |
@andrewrynhard Thanks for the reply, I will look for some other workarounds then, thanks anyways! |
Reverts #68890
This is causing issues as described in the linked issue:
fixes kubernetes/kubeadm#1236
@kubernetes/sig-cluster-lifecycle-pr-reviews
/priority critical-urgent
/kind bug
/assign @timothysc @chuckha
/hold