This repository has been archived by the owner on Jul 29, 2018. It is now read-only.

Updates kube-apiserver configuration for KUBE_ADMISSION_CONTROL #76

Merged: 2 commits, Aug 26, 2015


navidshaikh
Contributor

Fixes: #75

Removes ServiceAccount from the value of KUBE_ADMISSION_CONTROL variable
in /etc/kubernetes/apiserver

@navidshaikh navidshaikh changed the title Updates the kube-apiserver configuration Updates kube-apiserver configuration for KUBE_ADMISSION_CONTROL Aug 21, 2015
@LalatenduMohanty
Contributor

@navidshaikh I don't understand why we need to remove "ServiceAccount". We need more details.

@liggitt

liggitt commented Aug 24, 2015

Removing it is not correct. The correct change is to set up the signing key for service account token generation.

@liggitt

liggitt commented Aug 24, 2015

@navidshaikh
Contributor Author

@liggitt : ACK!

Chose location for key at /etc/pki/kube-apiserver/ rather than using /tmp/, thoughts?

@liggitt

liggitt commented Aug 25, 2015

sure, whatever path is appropriate

@LalatenduMohanty
Contributor

@navidshaikh do you have a scratch build with this patch? Also the patch looks like 2 commits. I think it should be just one commit as the previous commit is not relevant anymore.

@dustymabe
Contributor

@navidshaikh This looks wrong:

sed -i.back '/KUBE_API_ARGS=*/c\KUBE_API_ARGS="/etc/pki/kube-apiserver/serviceaccount.key"' /etc/kubernetes/apiserver

Shouldn't it be KUBE_API_ARGS=--service_account_key_file=/etc/pki/kube-apiserver/serviceaccount.key ?

@jasonbrooks
Contributor

FWIW, this is how it looks when configured w/ https://github.com/kubernetes/contrib/tree/master/ansible:

KUBE_API_ARGS="--tls-cert-file=/etc/kubernetes/certs/server.crt --tls-private-key-file=/etc/kubernetes/certs/server.key --client-ca-file=/etc/kubernetes/certs/ca.crt --token-auth-file=/etc/kubernetes/tokens/known_tokens.csv --service-account-key-file=/etc/kubernetes/certs/server.crt"

@LalatenduMohanty
Contributor

LGTM. Scratch build by @navidshaikh at http://cbs.centos.org/koji/taskinfo?taskID=29206

@LalatenduMohanty
Contributor

Scratch build is working fine.

    1  ls
    2  kubectl get nodes
    3  systemctl status docker
    4  atomic run projectatomic/helloapache
    5  kubectl get pods
    6  history 
    7  kubectl get pods
    8  curl localhost
[vagrant@localhost ~]$ kubectl get pods
NAME          READY     STATUS    RESTARTS   AGE
helloapache   1/1       Running   0          2m

LalatenduMohanty added a commit that referenced this pull request Aug 26, 2015
Updates kube-apiserver configuration for KUBE_ADMISSION_CONTROL
@LalatenduMohanty LalatenduMohanty merged commit cbbe654 into projectatomic:master Aug 26, 2015
@vincentvdk

Hi,
Just stumbled on this thread because I have a similar issue deploying the load-balancer (kubernetes contrib). On the latest F23 images the ServiceAccount is left out. When adding it, I need to generate the certs and add

KUBE_API_ARGS="--service_account_key_file=/path/secret.key"

I'm building my own Ansible playbooks so not a big deal, but I couldn't find this in the docs on the ProjectAtomic website. Also not sure if this should be the default or not.
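
A consistency check for the configuration discussed in this thread, as an added example that is not part of the pull request or the project's code: it flags a KUBE_API_ARGS value that carries a bare path instead of the key-file flag, and a flag that points at a missing key. The function names, the sample admission-control list and the temporary files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that an /etc/kubernetes/apiserver-style file is consistent.
# If ServiceAccount admission is on, KUBE_API_ARGS must name a key file that exists.

# get_var NAME FILE: value of the last uncommented NAME=... line, outer quotes stripped.
get_var() {
    sed -n "s/^$1=//p" "$2" | tail -n 1 | sed 's/^"\(.*\)"$/\1/'
}

# check_sa_config FILE: 0 = consistent, 1 = flag missing, 2 = key file missing/empty.
check_sa_config() {
    adm=$(get_var KUBE_ADMISSION_CONTROL "$1")
    args=$(get_var KUBE_API_ARGS "$1")
    case ",${adm#*=}," in
        *,ServiceAccount,*) ;;
        *) echo "ok: ServiceAccount admission not enabled"; return 0 ;;
    esac
    key=
    for a in $args; do      # unquoted on purpose: split the flag string on spaces
        case $a in
            --service_account_key_file=*|--service-account-key-file=*) key=${a#*=} ;;
        esac
    done
    [ -n "$key" ] || { echo "fail: ServiceAccount enabled, no key-file flag in KUBE_API_ARGS"; return 1; }
    [ -s "$key" ] || { echo "fail: key file $key is missing or empty"; return 2; }
    echo "ok: service account tokens signed with $key"
}

# Constructed sample files (not taken from the pull request).
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
printf 'constructed placeholder, not a real key\n' > "$demo/serviceaccount.key"
adm='KUBE_ADMISSION_CONTROL="--admission_control=NamespaceLifecycle,ServiceAccount,ResourceQuota"'
# 1. bare path, as in the sed line questioned in the thread
printf '%s\nKUBE_API_ARGS="%s"\n' "$adm" "$demo/serviceaccount.key" > "$demo/bare"
# 2. flag plus path, as suggested in the review
printf '%s\nKUBE_API_ARGS="--service_account_key_file=%s"\n' "$adm" "$demo/serviceaccount.key" > "$demo/flag"
# 3. flag present but the key was never generated
printf '%s\nKUBE_API_ARGS="--service-account-key-file=%s"\n' "$adm" "$demo/absent.key" > "$demo/nokey"
# 4. ServiceAccount removed from admission control
printf 'KUBE_ADMISSION_CONTROL="--admission_control=NamespaceLifecycle"\nKUBE_API_ARGS=""\n' > "$demo/off"

for f in bare flag nokey off; do
    printf '%s: ' "$f"; check_sa_config "$demo/$f" || true
done
```

Pointed at the real /etc/kubernetes/apiserver before restarting kube-apiserver, a non-zero exit status from check_sa_config means the ServiceAccount setting and the key-file flag disagree.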
