Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add service account to kube-dns addon #1970

Closed
wants to merge 1 commit into from
Closed

Add service account to kube-dns addon #1970

wants to merge 1 commit into from

Conversation

MrHohn
Copy link
Member

@MrHohn MrHohn commented Sep 15, 2017

From kubernetes/kubernetes#52487.

kube-dns will not be funcitoning without service account when RBAC is enabled.

And seems like we are setting authorization mode to RBAC by default: ref #1904.

cc @vadimeisenbergibm

@k8s-ci-robot k8s-ci-robot added size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. labels Sep 15, 2017
@MrHohn MrHohn mentioned this pull request Sep 15, 2017
Closed
@minikube-bot
Copy link
Collaborator

Can one of the admins verify this patch?

@r2d4
Copy link
Contributor

r2d4 commented Sep 15, 2017

@minikube-bot ok to test

@codecov-io
Copy link

Codecov Report

Merging #1970 into master will not change coverage.
The diff coverage is n/a.

Impacted file tree graph

@@          Coverage Diff           @@
##           master   #1970   +/-   ##
======================================
  Coverage      30%     30%           
======================================
  Files          77      77           
  Lines        4740    4740           
======================================
  Hits         1422    1422           
  Misses       3138    3138           
  Partials      180     180

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 17ecbcd...c487d6b. Read the comment docs.

@MrHohn
Copy link
Member Author

MrHohn commented Sep 15, 2017

From https://storage.googleapis.com/minikube-builds/logs/1970/Linux-VirtualBox.txt.

--- FAIL: TestFunctional/DNS (600.07s)
  cluster_dns_test.go:35: Waiting for DNS to be running: waiting for kube-dns pods: timed out waiting for the condition

Anywhere I could find more logs?

@MrHohn
Copy link
Member Author

MrHohn commented Sep 15, 2017

Reproduced locally, this will not pass until #1904 go in, as there is no rolebinding for kube-dns service account. Though I'm surprised #1904 didn't fail the DNS test.

I0915 21:30:46.863544       1 dns.go:174] Waiting for services and endpoints to be initialized from apiserver...
E0915 21:30:46.918435       1 reflector.go:199] k8s.io/dns/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:kube-dns" cannot list endpoints at the cluster scope
E0915 21:30:46.918476       1 reflector.go:199] k8s.io/dns/vendor/k8s.io/client-go/tools/cache/reflector.go:94: Failed to list *v1.Service: services is forbidden: User "system:serviceaccount:kube-system:kube-dns" cannot list services at the cluster scope
...

@r2d4
Copy link
Contributor

r2d4 commented Sep 15, 2017

@MrHohn that PR adds the kube-system cluster role binding programmatically

https://github.com/kubernetes/minikube/pull/1904/files#diff-cd422c0789166e2b456c1ca471d0680eR10

As far as localkube goes, there are probably a few other things we need to do until we can get RBAC working properly. Most likely the way forward is to deprecate localkube (for many reasons), and eventually default to our kubeadm-backed bootstrapping

RBAC is enabled and dns is configured properly if you use minikube start --bootstrapper kubeadm

@vadimeisenbergibm
Copy link

@r2d4 I get the following error with --bootstrapper kubeadm

$ minikube start --extra-config=apiserver.Authorization.Mode=RBAC --bootstrapper kubeadm
Starting local Kubernetes v1.7.5 cluster...
Starting VM...
Getting VM IP address...
F0916 08:31:39.003561   39257 start.go:200] Error getting cluster bootstrapper: Unknown bootstrapper: kubeadm

@r2d4
Copy link
Contributor

r2d4 commented Sep 16, 2017

@vadimeisenbergibm the kubeadm bootstrapper will be released soon in v0.22.2 #1971

@vadimeisenbergibm vadimeisenbergibm mentioned this pull request Sep 17, 2017
Merged
@fejta-bot
Copy link

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 5, 2018
@fejta-bot
Copy link

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten
/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 9, 2018
@fejta-bot
Copy link

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@MrHohn @minikube-bot @r2d4 @codecov-io @vadimeisenbergibm @fejta-bot @k8s-ci-robot