flix-tech / vagrant-kubernetes

A simple Kubernetes all-in-one box for development based on Debian Jessie
https://atlas.hashicorp.com/flixtech/boxes/kubernetes
Apache License 2.0

Fix configuration to expose default secrets #2

Closed matthewvalimaki closed 7 years ago

matthewvalimaki commented 7 years ago

In order to facilitate communication from Pod->API server I had to do the following, which I recommend implementing. I also believe this setup is default in many Kubernetes setup scripts.

Modify `/etc/systemd/system/kube-apiserver.service` to contain `--admission-control=AlwaysAdmit,ServiceAccount`. Here I've added `ServiceAccount`, as `AlwaysAdmit` is the default that is in use right now. See http://kubernetes.io/docs/admin/kube-apiserver/.

Modify `/etc/systemd/system/kube-controller-manager.service` to contain

```
--service-account-private-key-file=/var/run/kubernetes/apiserver.key \
--root-ca-file=/var/run/kubernetes/apiserver.crt
```

The mentioned key & crt already exist on the box, but they're just not referenced properly.

`sudo systemctl daemon-reload` and service restarts are required for these to take effect.

With those I now have /var/run/secrets/kubernetes.io/serviceaccount/ with appropriate files to communicate to the API server.

I found these steps from https://github.com/kubernetes/kubernetes/issues/16965#issuecomment-154740451.
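The steps above as one script, added here as an example and not part of the vagrant-kubernetes box or of the comment author's work. The unit paths, flags and key/cert paths are the ones named in the comment; `set_flag`, `has_flag`, `apply_fix` and `check_sa_mount` are this example's own names. `set_flag` is idempotent (an existing `--flag=` is rewritten rather than duplicated) and copes with both single-line and `\`-continued `ExecStart=` lines; `check_sa_mount` is meant to be run from inside a pod afterwards to confirm the service-account files were projected.

```sh
#!/bin/sh
# Added example, not code from the vagrant-kubernetes project: apply the two
# unit-file changes from the issue idempotently, reload systemd, and verify.
set -eu

APISERVER_UNIT=/etc/systemd/system/kube-apiserver.service
CM_UNIT=/etc/systemd/system/kube-controller-manager.service
KEY=/var/run/kubernetes/apiserver.key   # already present on the box per the issue
CRT=/var/run/kubernetes/apiserver.crt

# set_flag UNIT FLAG VALUE: make UNIT's ExecStart carry --FLAG=VALUE.
# An existing --FLAG=... is rewritten in place; otherwise the flag is inserted
# right after the ExecStart= line, as a "\"-continued line when ExecStart is
# already multi-line, or appended to the line itself when it is not.
set_flag() {
  unit=$1
  tmp=$(mktemp)
  awk -v flag="--$2=" -v value="$3" '
    index($0, flag)          { sub(flag "[^ \\\\]*", flag value); found = 1 }
    /^ExecStart=/ && !execnr { execnr = NR }
                             { line[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        if (!found && i == execnr) {
          if (line[i] ~ /\\$/) { print line[i]; print "  " flag value " \\" }
          else                  print line[i] " " flag value
        } else print line[i]
      }
    }' "$unit" > "$tmp"
  cat "$tmp" > "$unit"   # overwrite in place so the unit keeps its mode/owner
  rm -f "$tmp"
}

# has_flag UNIT FLAG VALUE: succeed only if the exact token --FLAG=VALUE is
# present (so AlwaysAdmit does not pass for AlwaysAdmit,ServiceAccount).
has_flag() {
  awk -v want="--$2=$3" '
    { for (i = 1; i <= NF; i++) if ($i == want) ok = 1 }
    END { exit !ok }' "$1"
}

# apply_fix: the issue's steps end to end; needs root on the box.
apply_fix() {
  set_flag "$APISERVER_UNIT" admission-control AlwaysAdmit,ServiceAccount
  set_flag "$CM_UNIT" service-account-private-key-file "$KEY"
  set_flag "$CM_UNIT" root-ca-file "$CRT"
  systemctl daemon-reload
  systemctl restart kube-apiserver kube-controller-manager
}

# check_sa_mount [DIR]: from inside a pod, confirm the service-account files
# the issue mentions exist and are non-empty. DIR defaults to the path quoted
# in the issue.
check_sa_mount() {
  dir=${1:-/var/run/secrets/kubernetes.io/serviceaccount}
  for f in token ca.crt namespace; do
    [ -s "$dir/$f" ] || return 1
  done
}

case "${1-}" in
  apply) apply_fix ;;
  check) check_sa_mount "${2-}" && echo "service account files mounted" \
           || { echo "service account files missing" >&2; exit 1; } ;;
esac
```

Run `sudo sh fix-sa.sh apply` on the box, then `sh fix-sa.sh check` from a pod (or `sh fix-sa.sh check /some/dir` against a mounted copy). Rewriting the existing `--admission-control` value rather than appending a second flag matters because kube-apiserver uses the last occurrence, which silently masks an edit that only adds a new line.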

hanikesn commented 7 years ago

Good point. I took the shortcut there. And it's also the reason why the kubedns and dashboard are hardcoded to use the insecure apiserver. I think I will be able to release a new version this week.

matthewvalimaki commented 7 years ago

@hanikesn thanks for the quick reply :)

hanikesn commented 7 years ago

I just released 1.4.0-r2 with properly configured service accounts.