Create a service account and token for use in ~/.kube/config #1458

Open: wants to merge 27 commits into base: master

@kke kke commented Aug 13, 2019

Fixes #1454

Create a pharos-admin service account and sa token and use those instead of the client certificate in the kubeconfig created into ~/.kube/config during pharos up.

Instead of copying the /etc/kubernetes/admin.conf, a new config is built from scratch.
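
As an added example (not code from this PR or from Pharos), one way to build a token-based kubeconfig from scratch as the description above outlines. It assumes the token and CA are read from the service account's token Secret as JSON; the cluster name, server address and sample Secret are constructed.

```ruby
require 'yaml'
require 'json'
require 'base64'
require 'tmpdir'

# Build a kubeconfig that authenticates with a bearer token instead of an
# embedded client certificate and key. secret_json is the JSON of the service
# account's token Secret (assumed source); "data" values are base64-encoded,
# and ca.crt is passed through as-is because the kubeconfig field is base64 too.
def build_token_kubeconfig(secret_json, server:, cluster: 'example-cluster', user: 'pharos-admin')
  data = JSON.parse(secret_json).fetch('data')
  token = Base64.strict_decode64(data.fetch('token'))
  raise ArgumentError, 'empty service account token' if token.empty?
  context = "#{user}@#{cluster}" # hypothetical naming, not taken from the PR
  {
    'apiVersion' => 'v1',
    'kind' => 'Config',
    'clusters' => [{ 'name' => cluster, 'cluster' => {
      'server' => server, 'certificate-authority-data' => data.fetch('ca.crt') } }],
    'users' => [{ 'name' => user, 'user' => { 'token' => token } }],
    'contexts' => [{ 'name' => context, 'context' => { 'cluster' => cluster, 'user' => user } }],
    'current-context' => context
  }
end

# The token is a bearer credential, so the file is owner-only from creation.
def write_kubeconfig(path, config)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) do |f|
    f.chmod(0o600) # tighten a pre-existing file with looser permissions
    f.write(YAML.dump(config))
  end
  path
end

# Constructed sample Secret; token and CA are placeholders, not real credentials.
SAMPLE_SECRET = JSON.generate({ 'data' => {
  'token' => Base64.strict_encode64('constructed.sample.token'),
  'ca.crt' => Base64.strict_encode64("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
} })

def demo
  Dir.mktmpdir do |dir|
    config = build_token_kubeconfig(SAMPLE_SECRET, server: 'https://192.0.2.10:6443')
    path = write_kubeconfig(File.join(dir, 'config'), config)
    [YAML.safe_load(File.read(path)), File.stat(path).mode & 0o777]
  end
end
```

`demo` returns the parsed config and the file mode, so the absence of client certificate fields and the 0600 permissions can be checked directly.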

@kke kke added the enhancement New feature or request label Aug 13, 2019

@jakolehm jakolehm left a comment


kke commented Aug 13, 2019

If we want to update the ~/.kube/config on master, then I guess the service account should be made during pharos up instead of pharos kubeconfig?

Should it be in the /etc/kubernetes/admin.conf also?

@jakolehm

> If we want to update the ~/.kube/config on master, then I guess the service account should be made during pharos up instead of pharos kubeconfig?

Yes.

> Should it be in the /etc/kubernetes/admin.conf also?

Maybe yes. @jnummelin wdyt?

kke commented Aug 14, 2019

Moved to ConfigureServiceAccount phase.

Still needs some specs, though most of it would be expect(transport).to receive(:exec!).with('xyz').

end

def validate
transport.exec!('kubectl get -n kube-system serviceaccount/pharos-admin')
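
Review bot: in `validate`, the service account name is hardcoded as `pharos-admin` in the `kubectl get` call, while `create_service_account` in this same change builds it from `ADMIN_USER`; if the constant changes, validation will look up the wrong account. Use `serviceaccount/#{ADMIN_USER}` here as well. This command also only confirms that the account exists and that kubectl reaches the API with its default config, so it does not show that the config in use carries the token rather than the client certificate; a check of the credential type in the generated file would cover what the PR is meant to change.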
Contributor

We are using kubectl here because client is not yet configured?

@kke kke Aug 14, 2019

I added that just to validate that kubectl without sudo on master works without KUBECONFIG= or --kubeconfig=.

The next phase actually probably should be changed to use the file from home instead of /etc/kubernetes

end

def create_service_account
transport.exec!("sudo kubectl get #{KUBECONFIG_PARAM} -n kube-system serviceaccount/#{ADMIN_USER} || sudo kubectl #{KUBECONFIG_PARAM} -n kube-system create serviceaccount #{ADMIN_USER}")
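
Review bot: in `create_service_account`, the `get ... || create ...` chain runs the create branch on any non-zero exit from `kubectl get`, not only when the account is missing, so an unreachable or unauthorized API server surfaces as a failure of the create step instead of the lookup. Consider checking specifically for NotFound, or applying a ServiceAccount manifest with `kubectl apply` so the step is idempotent without the fallback. The two commands also place `#{KUBECONFIG_PARAM}` differently (after `get`, before `-n` in the create); harmless, but worth making consistent.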
Contributor

IMO we don't need sudo for kubectl.

Contributor

Ok, maybe we need it because this points to a root-readable kubeconfig?

Contributor Author

error: Error loading config file "/etc/kubernetes/admin.conf": open /etc/kubernetes/admin.conf: permission denied

@kke kke changed the title Create a service account and token during "pharos kubeconfig" Create a service account and token for use in ~/.kube/config Aug 14, 2019
kke commented Aug 14, 2019

Any idea why the validation fails on drone? Works fine on my vagrant.

3645 | [1459-do-master-0] [ERROR] + kubectl get -n kube-system serviceaccount/pharos-admin
3646 | [1459-do-master-0] [ERROR] Unable to connect to the server: Forbidden
3647 | [1459-do-master-0] [WARN] Retrying after 2 seconds (#107) ...

Successfully merging this pull request may close these issues.

Create admin kubeconfig using SA token