Setting requestheader flags on kube-apiserver #2234
This feature is required to make use of more advanced operator patterns on top of a stock tectonic install.
/cc @diegs @aaronlevy
Hello folks, any update on this? This feature is going GA in 1.10.
Ping
The first step (generate the TLS assets for aggregated apiserver) was merged in #2850 (but not yet in a release). Then the other half of this is adding the requestheader flags to the apiserver manifest. We're in the process of moving "ownership" of the kubernetes manifests out of the installer, and into operators (so source of truth for configuration is not duplicated across both installer and operators). However, these operators are currently closed-source so the configuration is not immediately apparent. The flag additions have merged in the operator that manages the kube-apiserver, and are currently set as:
No guarantees, but I'd estimate that the operator updates should be in an (alpha) release in the next couple weeks. We're also working on exposing these manifests in a way that they can be customized (so they're not just a black-box).
Visibility is important, because for example we have enabled this feature since we needed it and tectonic did not have a pattern to follow. With visibility we could work to align our implementation of the configuration with the operator to provide a simple migration.
Agreed about visibility. We were prioritizing getting the change in architecture working end-to-end (sacrificing initial visibility), but ability to customize these manifests would be a near-term follow up. FWIW, in this case, these flags would be set by default regardless (so aggregated apiservers would work out of box without customization).
We're working on the next generation of the installer which will integrate Tectonic and OpenShift. We'll consider this for that project, but will not be adding this feature in this repo. See our blog for any additional details:
Interesting choice - re the transparency comments above, does this imply that tectonic still does not support this in the latest release? (I am not sure where best to check!)
I guess this means that metrics-server is also not supported with tectonic, which seems an interesting choice for a small change to the apiserver manifests. Hopefully soon (if not already), the kubernetes conformance suite will cover this area of functionality and force the tectonic projects hand 🙂
On Tue, 26 Jun 2018 at 14:30, Ed Rooth wrote:
Closed #2234.
What keywords did you search in tectonic-installer issues before filing this one?
requestheader
Is this a BUG REPORT or FEATURE REQUEST?
FEATURE REQUEST
In order to support aggregated API servers, you must set the requestheader arguments on kube-apiserver. It's currently not possible to register an apiserver and use delegated auth behind the aggregator as these are not set.
More information on requestheader auth is here: https://github.com/kubernetes-incubator/apiserver-builder/blob/master/docs/concepts/auth.md#requestheader-authentication
I'm assuming we'd only need to enable this on the actual apiserver deployment, and not as part of the bootkube process? I'm going to give this a go 😄
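A check for the gap this request describes, as an added example that is not part of the original issue or Tectonic's code: it audits a kube-apiserver argument list for the upstream requestheader and proxy-client flags used by the aggregation layer. The file paths and header values are constructed samples, not the values Tectonic's operator sets.

```python
# Added example: audit kube-apiserver args for the aggregation-layer flags.
# All paths and values in the sample argument lists below are constructed.
REQUIRED = (
    "--requestheader-client-ca-file",
    "--requestheader-allowed-names",
    "--requestheader-username-headers",
    "--requestheader-group-headers",
    "--requestheader-extra-headers-prefix",
    "--proxy-client-cert-file",
    "--proxy-client-key-file",
)

def parse_flags(args):
    """Turn ['--a=b', '--c', 'd', '--e'] into {'--a': 'b', '--c': 'd', '--e': ''}."""
    flags, i = {}, 0
    while i < len(args):
        tok = args[i]
        if tok.startswith("--"):
            if "=" in tok:
                name, value = tok.split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                name, value = tok, args[i + 1]
                i += 1
            else:
                name, value = tok, ""
            flags[name] = value
        i += 1
    return flags

def audit(args):
    flags = parse_flags(args)
    findings = [f"missing {name}" for name in REQUIRED if name not in flags]
    ca = flags.get("--requestheader-client-ca-file")
    if ca and ca == flags.get("--client-ca-file"):
        # Header-based identity should not be trusted from any ordinary client cert.
        findings.append("requestheader CA is the same file as --client-ca-file")
    if flags.get("--requestheader-allowed-names") == "":
        findings.append("--requestheader-allowed-names is empty: any cert from the requestheader CA is accepted")
    return findings

STOCK = ["kube-apiserver", "--client-ca-file=/constructed/ca.crt", "--secure-port=443"]
CONFIGURED = STOCK + [
    "--requestheader-client-ca-file=/constructed/aggregator-ca.crt",
    "--requestheader-allowed-names=aggregator",
    "--requestheader-username-headers=X-Remote-User",
    "--requestheader-group-headers=X-Remote-Group",
    "--requestheader-extra-headers-prefix=X-Remote-Extra-",
    "--proxy-client-cert-file=/constructed/proxy.crt",
    "--proxy-client-key-file=/constructed/proxy.key",
]
```

`audit(STOCK)` reports all seven flags as missing, and `audit(CONFIGURED)` returns an empty list.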