kubeadm cannot mount basic auth file for apiserver static pod #441

Closed
mattymo opened this issue Sep 13, 2017 · 3 comments

mattymo commented Sep 13, 2017

Choose one: BUG REPORT

Versions

kubeadm version (use kubeadm version): v1.8.0-beta1

Environment:

  • Kubernetes version (use kubectl version): v1.7.3
  • Cloud provider or hardware configuration: none
  • OS (e.g. from /etc/os-release): ubuntu xenial
  • Kernel (e.g. uname -a):
  • Others:

What happened?

In kubeadm v1.7.3, /etc/kubernetes is mounted directly on kube-apiserver static pod. This allows me to specify basic-auth-file: /etc/kubernetes/users/known_users.csv in the apiServerExtraArgs section. In v1.8.0-beta1, this mount was removed. Now only very specific mounts are made. If I move my users file into my pki dir, then it could be seen, but I don't prefer to store my user file there.

What you expected to happen?

Keep /etc/kubernetes mount or make an option to specify extra mount volumes.

How to reproduce it (as minimally and precisely as possible)?

Add to kubeadm config YAML:

```yaml
apiServerExtraArgs:
  basic-auth-file: /etc/kubernetes/users/known_users.csv
```

Create a basic auth csv file.

Anything else we need to know?

There should be an option to make extra mounts for static pods for features like basic auth file.

@luxas luxas added this to the v1.9 milestone Oct 20, 2017
@luxas luxas added the priority/backlog Higher priority than priority/awaiting-more-evidence. label Oct 20, 2017

luxas commented Oct 20, 2017

cc @andrewrynhard as your PR will fix this as well

mattymo commented Oct 23, 2017

@luxas @andrewrynhard Do you have a link to the PR?

@luxas luxas modified the milestones: v1.9, v1.8 Oct 27, 2017

luxas commented Oct 27, 2017

First PR is here: kubernetes/kubernetes#49840

k8s-github-robot pushed a commit to kubernetes/kubernetes that referenced this issue Nov 1, 2017
Automatic merge from submit-queue (batch tested with PRs 49840, 54937, 54543). If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

kubeadm: Make it possible to configure volume mounts via the config file

**What this PR does / why we need it**:
Kubeadm mounts host CA certs into api server and controller manager. It uses `/etc/pki` and does not allow for the path to be configurable. This PR adds a default to `/etc/pki` but also allows a user to configure the path in the config file. In the case of using Container Linux, the CAs are located at `/usr/share/ca-certificates`, so without this PR the hardcoded `/etc/pki` path is used and will break, for example, the `--cloud-provider` flag because of missing CAs.

Fixes kubernetes/kubeadm#484
Fixes kubernetes/kubeadm#476
Fixes kubernetes/kubeadm#441

/cc @luxas
daohoangson added a commit to daohoangson/kubespray that referenced this issue Jul 8, 2018
The referenced issue (kubernetes/kubeadm#441) has already been fixed.
okamototk pushed a commit to okamototk/kubespray that referenced this issue Aug 4, 2018
The referenced issue (kubernetes/kubeadm#441) has already been fixed.
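
The failure mode reported in this issue, as an added example (not code from kubeadm or from any participant in the thread): a Python check that flags kube-apiserver arguments pointing at absolute paths that no hostPath-backed `volumeMount` in the static pod manifest covers. The manifest is a constructed sample in JSON form; the volume names, the `--client-ca-file` argument and both function names are assumptions made for illustration.

```python
import json
import posixpath

# Constructed sample: a trimmed kube-apiserver static pod manifest (JSON form)
# with only a narrow pki mount. Volume names and the CA flag are assumptions.
MANIFEST = json.loads("""
{"spec": {
  "containers": [{
    "name": "kube-apiserver",
    "command": ["kube-apiserver",
      "--basic-auth-file=/etc/kubernetes/users/known_users.csv",
      "--client-ca-file=/etc/kubernetes/pki/ca.crt"],
    "volumeMounts": [{"name": "k8s-certs", "mountPath": "/etc/kubernetes/pki"}]
  }],
  "volumes": [{"name": "k8s-certs", "hostPath": {"path": "/etc/kubernetes/pki"}}]
}}
""")


def _under(path, root):
    """True if path equals root or lies beneath it (after normalisation)."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def unmounted_file_args(manifest):
    """Return (flag, path) pairs whose absolute path no volumeMount covers."""
    spec = manifest["spec"]
    host_backed = {v["name"] for v in spec.get("volumes", []) if "hostPath" in v}
    missing = []
    for c in spec["containers"]:
        roots = [m["mountPath"] for m in c.get("volumeMounts", [])
                 if m["name"] in host_backed]
        for arg in c.get("command", []) + c.get("args", []):
            flag, sep, value = arg.partition("=")
            # Heuristic: treat any --flag=/absolute/value as a file reference.
            if sep and flag.startswith("--") and value.startswith("/"):
                if not any(_under(value, r) for r in roots):
                    missing.append((flag, value))
    return missing


def with_extra_mount(manifest, name, path):
    """Copy of manifest with a read-only hostPath mount added at the same path."""
    m = json.loads(json.dumps(manifest))  # deep copy; input stays untouched
    m["spec"].setdefault("volumes", []).append({"name": name, "hostPath": {"path": path}})
    for c in m["spec"]["containers"]:
        c.setdefault("volumeMounts", []).append({"name": name, "mountPath": path, "readOnly": True})
    return m
```

Run against the sample, the check reports only the `--basic-auth-file` path; after adding a read-only mount for `/etc/kubernetes/users` it reports nothing.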