Open ghost opened 8 years ago
I believe I have this same issue. I am using cert auth in my kube cluster and I cannot get example [1] to work. The romulus container within the ingress-controller-v1 pod is not starting due to the following error:
$ kubectl logs ingress-controller-v1-rr5k7 -c romulus --namespace=kube-system
Pod "ingress-controller-v1-rr5k7" in namespace "kube-system": container "romulus" is in waiting state.
[2] provides the details of my kubectl config. Does romulus support token-based auth?
[1] https://github.com/timelinelabs/romulus/blob/master/examples/romulus-rc.yaml
[2] https://gist.github.com/danehans/57362949eaedf8529e85
I thought this was a blocker too, but I looked into it and I see that the service account is being tried first, so this should just work if you run inside a k8s pod. I am trying it out now and will report back if I can't get it to work.
https://github.com/timelinelabs/romulus/blob/dev/kubernetes/kubernetes.go#L79
Update: This isn't working for my use case of having a pod launched by kubelet defined in the /etc/kubernetes/manifests directory because these don't have a serviceaccount mounted. (ref: https://github.com/kubernetes/kubernetes/issues/16230)
@danehans How are you starting the api-server? You need to have Kubernetes ServiceAccount enabled and working. The kubelet needs a --service-account-private-key-file flag as well.
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
--service-account-key-file=/home/core/kube-ssl/server.key \
If you do not know about the flags, test whether you got it or not; the line below should return something:
core@master ~ $ kubectl --all-namespaces=1 get secrets
NAMESPACE     NAME                  TYPE                                  DATA   AGE
blog          default-token-hpwrn   kubernetes.io/service-account-token   3      1h
default       default-token-pa35b   kubernetes.io/service-account-token   3      3h
kube-system   default-token-269ge   kubernetes.io/service-account-token   3      3h
myapp         default-token-hk0yf   kubernetes.io/service-account-token   3      1h
@cescoferraro Can you run the example well? I still cannot validate that romulus can proxy the blog pods. I do not know how to log Etcd. I do not know how to access the blog pod in a browser. Can you help me? Thanks!
I ran the example with the --validate=false flag. I have added all my achievements to #27. As far as I know the controller is just a replication controller, so to see it from the outside you will need a service to proxy requests to your nodes' IP. So I think you should start debugging at the pod level first. Kubernetes gets tricky because things depend on the cloud provider you are in. Hope I can help because I am stuck too.
Hi,
I tried the recent release of Coreos/Kubernetes (https://github.com/coreos/coreos-kubernetes/blob/v0.1.0/Documentation/kubernetes-on-aws.md) and they are using client certificate authentication. Is it possible to have romulus deal with certificate authentication?
Cheers, Luc