Closed matthewvalimaki closed 7 years ago
Good point. I took the shortcut there. And it's also the reason why the kubedns and dashboard are hardcoded to use the insecure apiserver. I think I will be able to release a new version this week.
@hanikesn thanks for the quick reply :)
I just released 1.4.0-r2 with properly configured service accounts.
In order to facilitate communication from Pod->API server I had to do the following, which I recommend implementing. I also believe this setup is default in many Kubernetes setup scripts.

- Modify /etc/systemd/system/kube-apiserver.service to contain --admission-control=AlwaysAdmit,ServiceAccount. Here I've added ServiceAccount as AlwaysAdmit is default that is in use right now. See http://kubernetes.io/docs/admin/kube-apiserver/.
- Modify /etc/systemd/system/kube-controller-manager.service to contain
  The mentioned key & crt already exist on the box but they're not just referenced properly.
- sudo systemctl daemon-reload and service restarts are required for these to take effect.

With those I now have /var/run/secrets/kubernetes.io/serviceaccount/ with appropriate files to communicate to the API server.

I found these steps from https://github.com/kubernetes/kubernetes/issues/16965#issuecomment-154740451.
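
One way to confirm both results described in the steps above, added here as an example and not part of the original thread or the project's code: it checks that a unit file passes ServiceAccount in --admission-control, and that the mount directory holds a usable token, ca.crt and namespace before calling the API server over verified TLS. The function names are hypothetical; the three file names and the KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT variables are assumed to be the ones Kubernetes provides inside a pod.

```shell
#!/bin/sh
# Added example (not from the thread). Paths are arguments so the checks
# can be run against copies of the real files.

# Return 0 if the unit file enables the ServiceAccount admission plugin.
has_serviceaccount_admission() {
    unit_file=$1
    # Skip commented lines, then extract the comma-separated plugin list.
    plugins=$(sed -n '/^[[:space:]]*#/d; s/.*--admission-control=\([^[:space:]]*\).*/\1/p' \
        "$unit_file" | head -n 1)
    [ -n "$plugins" ] || return 1
    # Wrap in commas so only an exact plugin name matches.
    case ",$plugins," in
        *,ServiceAccount,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Return 0 if the directory looks like a complete service account mount.
check_sa_mount() {
    dir=$1
    rc=0
    for f in token ca.crt namespace; do
        if [ ! -s "$dir/$f" ]; then
            echo "missing or empty: $dir/$f" >&2
            rc=1
        fi
    done
    # The CA bundle must be PEM, otherwise TLS verification cannot work.
    if [ -s "$dir/ca.crt" ] && ! grep -q 'BEGIN CERTIFICATE' "$dir/ca.crt"; then
        echo "not a PEM certificate: $dir/ca.crt" >&2
        rc=1
    fi
    return $rc
}

# Inside a pod: authenticated request to the API server, verified against ca.crt.
query_apiserver() {
    dir=${1:-/var/run/secrets/kubernetes.io/serviceaccount}
    check_sa_mount "$dir" || return 1
    curl --silent --show-error --cacert "$dir/ca.crt" \
        -H "Authorization: Bearer $(cat "$dir/token")" \
        "https://${KUBERNETES_SERVICE_HOST}:${KUBERNETES_SERVICE_PORT}/api"
}
```

Run has_serviceaccount_admission on the node against the apiserver unit file, and query_apiserver from a shell inside a pod.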