search

k3d-io / k3d

Little helper to run CNCF's k3s in Docker
https://k3d.io/
MIT License
5.33k stars 456 forks source link

Support for Service Account Issuer Discovery #1187

Closed goffinf closed 1 year ago

goffinf commented 1 year ago

Refs:

https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-issuer-discovery https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection https://docs.k3s.io/advanced#starting-the-server-with-the-installation-script

I have been trying to configure service account volume projection using --k3s-args, but when doing so the cluster fails to create. Sometimes the error is ...

ERRO[0005] Failed Cluster Start: Failed to start server k3d-workload-identity-server-0: Node k3d-workload-identity-server-0 failed to get ready: error waiting for log linek3s is up and running...

and at other times a little different.

I have tried passing the args using a config file and the command-line. In both cases the behaviour is the same (cluster creation fails):

Snippet from k3d-config.yml:

  k3s:
    extraArgs:
      ...
      - arg: --service-account-issuer=https://host.desktop.homelab:6443
        nodeFilters:
          - server:*
      - arg: --service-account-jwks-uri=https://host.desktop.homelab:6443/openid/v1/jwks
        nodeFilters:
          - server:*
      - arg: --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key
        nodeFilters:
          - server:*
      - arg: --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key
        nodeFilters:
          - server:*

and the command line

k3d cluster create workload-identity --servers 1 --agents 2 ... --k3s-arg --service-account-issuer=https://host.desktop.homelab:6443@server:* --k3s-arg --service-account-jwks-uri=https://host.desktop.homelab:6443/openid/v1/jwks@server:* --k3s-arg --service-account-signing-key-file=/var/lib/rancher/k3s/server/tls/service.key@server:* --k3s-arg --service-account-key-file=/var/lib/rancher/k3s/server/tls/service.key@server:*

Looking at the advanced configuration for k3s here, the output window shows some of these args being used.

$ k3s server
INFO[2019-01-22T15:16:19.908493986-07:00] Starting k3s dev                             
INFO[2019-01-22T15:16:19.908934479-07:00] Running kube-apiserver --allow-privileged=true --authorization-mode Node,RBAC --service-account-signing-key-file /var/lib/rancher/k3s/server/tls/service.key --service-cluster-ip-range 10.43.0.0/16 --advertise-port 6445 --advertise-address 127.0.0.1 --insecure-port 0 --secure-port 6444 --bind-address 127.0.0.1 --tls-cert-file /var/lib/rancher/k3s/server/tls/localhost.crt --tls-private-key-file /var/lib/rancher/k3s/server/tls/localhost.key --service-account-key-file /var/lib/rancher/k3s/server/tls/service.key --service-account-issuer k3s --api-audiences unknown --basic-auth-file /var/lib/rancher/k3s/server/cred/passwd --kubelet-client-certificate /var/lib/rancher/k3s/server/tls/token-node.crt --kubelet-client-key /var/lib/rancher/k3s/server/tls/token-node.key 
...

I also have a k3s cluster which does respond to a request for the OIDC discovery document:

kubectl get --raw /.well-known/openid-configuration

{"issuer":"https://kubernetes.default.svc.cluster.local","jwks_uri":"https://xxx.xxx.xxx.xx:6443/openid/v1/jwks","response_types_supported":["id_token"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"]}

So this suggests that it is supported in k3s.

Can you advise whether these flags are supported in k3d ?

Kind Regards

Fraser.

goffinf commented 1 year ago

Sorry should have RTFM. API args should be prefixed with --kube-apiserver-arg