Closed vitalik closed 1 month ago
I guess /var is shadowing the /var/lib/kubelet/config.json volume?
```
docker inspect mycluster-control-plane
...
"Mounts": [
    {
        "Type": "volume",
        "Name": "adf6381bc73c8af0588f7fb8ed00aebc56790e7d66430389df00b46e040827d2",
        "Source": "/var/lib/docker/volumes/adf6381bc73c8af0588f7fb8ed00aebc56790e7d66430389df00b46e040827d2/_data",
        "Destination": "/var",
        "Driver": "local",
        "Mode": "",
        "RW": true,
        "Propagation": ""
    },
    {
        "Type": "bind",
        "Source": "/home/ubuntu/.docker/config.json",
        "Destination": "/var/lib/kubelet/config.json",
        "Mode": "",
        "RW": true,
        "Propagation": "rprivate"
    },
```
What's the solution? How can I keep something in sync with the host that is mounted on /var/xxx inside the kube node?
Try to mount it in a different folder, one that is not being shadowed: https://github.com/kubernetes/kubernetes/issues/115389
I think this would work with a directory instead of a file, or as mentioned you can mount at a different path (there are multiple kubelet reads, I'm not actually sure where that is documented but the code is here https://github.com/kubernetes/kubernetes/blob/688c1c3b5e7ff344524bc11d5dc9b3f7dbeccd93/pkg/credentialprovider/config.go#L38)
FWIW I recommend using imagePullSecrets instead (which can be set on the namespace without mutating the pod): https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/#registry-secret-existing-credentials
When I create this cluster, it works fine: my k8s can pull images from the private repo.
But over time (I guess once docker re-authenticates on the host machine and /home/ubuntu/.docker/config.json changes) it is no longer able to pull images. When I docker shell into the node I see that /var/lib/kubelet/config.json does not match the host config...
So extraMounts does only a one-time sync? How to make it work as usual docker volume mounts?
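
A small check for the situation discussed in this thread, added here as an example (it is not any poster's code or part of kind): it reads a container's `Mounts` array as printed by `docker inspect` and lists every mount whose destination sits inside another mount's destination, such as the bind mount at /var/lib/kubelet/config.json under the /var volume. The function name and the sample data (with a placeholder volume id and an extra constructed entry) are assumptions made for illustration.

```python
import json
import sys
from pathlib import PurePosixPath

# Constructed sample shaped like the "Mounts" array quoted in the thread;
# the volume id is a placeholder and the third entry is made up.
SAMPLE_MOUNTS = json.loads("""
[
  {"Type": "volume", "Name": "<volume-id>",
   "Source": "/var/lib/docker/volumes/<volume-id>/_data",
   "Destination": "/var", "RW": true},
  {"Type": "bind", "Source": "/home/ubuntu/.docker/config.json",
   "Destination": "/var/lib/kubelet/config.json", "RW": true},
  {"Type": "bind", "Source": "/opt/example",
   "Destination": "/opt/example", "RW": false}
]
""")


def nested_mounts(mounts):
    """Return (inner_dest, outer_dest, inner_type, outer_type) for each
    mount whose destination lies strictly inside another mount's destination."""
    entries = [(PurePosixPath(m["Destination"]), m) for m in mounts]
    found = []
    for inner_path, inner in entries:
        for outer_path, outer in entries:
            # .parents lists strict ancestors only, so a mount never
            # matches itself and "/var" does not match "/variable".
            if outer_path in inner_path.parents:
                found.append((inner["Destination"], outer["Destination"],
                              inner["Type"], outer["Type"]))
    return found


if __name__ == "__main__":
    # Pipe real data in with:
    #   docker inspect <node> --format '{{json .Mounts}}' | python3 this_file.py
    # With no piped input, the constructed sample is used.
    mounts = SAMPLE_MOUNTS if sys.stdin.isatty() else json.load(sys.stdin)
    for inner, outer, itype, otype in nested_mounts(mounts):
        print(f"{itype} mount {inner} is nested under {otype} mount {outer}")
```
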