clastix / kamaji

Kamaji is the Hosted Control Plane Manager for Kubernetes.
https://kamaji.clastix.io
Apache License 2.0
992 stars, 90 forks

Allow for overriding kube-apiserver arguments #414

Closed jwitko closed 6 months ago

jwitko commented 6 months ago

Currently the code is written to explicitly deny overwriting kube-apiserver arguments. In my use case I am deploying TCPs on top of AWS EKS. I want the pods running within my TCPs to be able to leverage AWS IAM roles linked to service accounts so I don't have to provide AWS credentials to services that need them. To do this I need to override the kube-apiserver as such:

  controlPlane:
    deployment:
      additionalVolumes:
        - name: oidc-secret
          secret:
            secretName: {{ .secret }}
      additionalVolumeMounts:
        apiServer:
          - name: oidc-secret
            mountPath: /var/run/secrets/oidc
            readOnly: true
      extraArgs:
        apiServer:
          # each entry is passed verbatim as a container argument, so the
          # values carry no embedded quotes
          - --service-account-key-file=/var/run/secrets/oidc/oidc.crt
          - --service-account-signing-key-file=/var/run/secrets/oidc/oidc.key
          - --api-audiences=sts.amazonaws.com
          - --service-account-issuer=<url>

But this is then overwritten in the code.
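The four flags in the report form one trust chain: the signing key mints the projected token, the key file is what kube-apiserver verifies with and publishes as JWKS, the issuer is the URL a relying party resolves to find that JWKS, and the audience is the value the relying party insists on. The program below is an added example written for this page, not Kamaji's or the reporter's code. It mints a token the way kube-apiserver does and applies the checks AWS STS performs before exchanging it for IAM credentials. The issuer URL is hypothetical, an in-process RSA key pair stands in for oidc.key/oidc.crt, and the bare-string audience handling assumes go-jose's encoding, the JWT library kube-apiserver uses.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Hypothetical --service-account-issuer (STS resolves it to OIDC discovery + JWKS) and the --api-audiences value from the issue.
const (
	Issuer      = "https://oidc.example.invalid"
	STSAudience = "sts.amazonaws.com"
)

// Audience also accepts the bare string go-jose (used by kube-apiserver) emits for a single audience.
type Audience []string
func (a *Audience) UnmarshalJSON(b []byte) error {
	var one string
	if json.Unmarshal(b, &one) == nil {
		*a = Audience{one}
		return nil
	}
	return json.Unmarshal(b, (*[]string)(a))
}

type Claims struct {
	Iss string   `json:"iss"`
	Sub string   `json:"sub"` // what an IAM role trust policy conditions on
	Aud Audience `json:"aud"`
	Exp int64    `json:"exp"`
}

// Mint signs claims with RS256, the job --service-account-signing-key-file does in kube-apiserver.
func Mint(key *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, _ := json.Marshal(c) // Claims holds only strings and an int64; cannot fail
	input := base64.RawURLEncoding.EncodeToString(hdr) + "." + base64.RawURLEncoding.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + base64.RawURLEncoding.EncodeToString(sig), nil
}

// Verify applies the relying-party checks: pinned alg, signature under the public key (--service-account-key-file), issuer, audience, expiry.
func Verify(pub *rsa.PublicKey, token, issuer, audience string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed token")
	}
	hb, err1 := base64.RawURLEncoding.DecodeString(parts[0])
	pb, err2 := base64.RawURLEncoding.DecodeString(parts[1])
	sig, err3 := base64.RawURLEncoding.DecodeString(parts[2])
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("bad base64 segment")
	}
	var hdr struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(hb, &hdr); err != nil || hdr.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg) // the token never picks the algorithm
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, fmt.Errorf("signature: %w", err)
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return nil, err
	}
	if c.Iss != issuer {
		return nil, fmt.Errorf("issuer %q, want %q", c.Iss, issuer)
	}
	ok := false
	for _, a := range c.Aud {
		ok = ok || a == audience
	}
	if !ok {
		return nil, fmt.Errorf("audience %v lacks %q", []string(c.Aud), audience)
	}
	if now.Unix() >= c.Exp {
		return nil, fmt.Errorf("token expired")
	}
	return &c, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // stand-in for the oidc.key / oidc.crt pair
	tok, _ := Mint(key, Claims{Iss: Issuer, Sub: "system:serviceaccount:default:app", Aud: Audience{STSAudience}, Exp: time.Now().Add(time.Hour).Unix()})
	_, err := Verify(&key.PublicKey, tok, Issuer, "https://kubernetes.default.svc", time.Now())
	fmt.Println("same token, default in-cluster audience:", err)
}
```

The point the example makes about the reporter's flags: a token minted under the key in oidc.key only helps a pod if the issuer URL in the token is one STS can fetch keys from (which is why IRSA requires registering that URL as an IAM OIDC identity provider) and if the audience matches what STS expects; a token for the cluster's default audience, or one signed by a key the issuer does not publish, is rejected even though it is otherwise valid. A production verifier fetches the JWKS from the issuer instead of taking a public key as a parameter.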