Comments (5)
@krancour - I think this could be caused by the discussion in kubernetes/kubernetes#12186. I don't have certificates on the api or the controller-manager. Can you confirm that you have this in your setup?
I do, but I'm not the original reporter of the problem. See deis/workflow#314. This is not to say that other issues may still be lurking, but in this case, I know for certain that this is a result of a missing ServiceAccount admission control. The simple resolution is to manually, explicitly, generate the secrets that will be used by the service account and then it won't matter if that admission control happens to not be in play.
I do, but I'm not the original reporter of the problem.
@lachie83, I owe you an apology. Somehow I failed to recognize that you were the original reporter of the problem in the deis/workflow#314 issue that I referenced... If I had made that connection, I might have realized that my initial advice re: admission controls hadn't resolved deis/workflow#314 and that there was more to this issue than meets the eye. So again... sorry.
I realized all of this while attempting to reproduce your original issue this morning. After about a dozen failed attempts to do so, I re-read the kubernetes issue you referenced and found it enlightening. So, thank you. That thread is a bit protracted, so I'll summarize here for the benefit of any other Deis user who runs into this...
To start, no option on the apiserver has any bearing on reproducing this issue. That is to say, no matter what SSL related config I strip out of my apiserver, I cannot get service accounts to be created without an associated token-bearing secret. This is not to say that these apiserver configs do not matter. They certainly matter very much, but getting them wrong won't reproduce this specific issue.
What will reproduce the issue is dropping SSL related config (specifically --root-ca-file and --service-account-private-key-file) from the controller-manager. These are used to generate and sign tokens.
Now, all that being said... go back to the apiserver and if that's not configured correctly, then the tokens generated by the controller manager won't be of any use because the apiserver won't recognize them.
On a related note, this got me curious about what happens when apiserver exposes only the insecure endpoint. In such cases, service accounts and their associated tokens should be irrelevant. As it turns out, however, most Deis components use the NewInCluster() function of the k8s.io/kubernetes/pkg/client/unversioned package. This function seems to assume the use of a secure endpoint and expects a token to be available. If it's not found it fails. I'll open a ticket on that against kubernetes/kubernetes, because it seems that could be improved upon.
Bottom line, however, is that on multiple fronts, all SSL-related options must be configured correctly in a k8s cluster or else Deis won't work. Most k8s distributions I am aware of should adequately address this out-of-the-box, so it's likely just "custom" clusters that might run into such problems.
I'm going to close this issue because there isn't much that can be done on the Deis end to insulate the platform from failures that result from an improperly configured cluster.
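The comment above describes two halves of one flow: the controller-manager signs a service account token with --service-account-private-key-file, and the apiserver only accepts it if its --service-account-key-file holds the matching public key, while an in-cluster client fails outright when the mounted token is absent. The following Go program, added here as an illustration and not code from Deis or Kubernetes, models that flow end to end with a minimal RS256 JWT signer and verifier. The claim names follow the legacy secret-backed token format; the key pairs, the "deis"/"deis-router" names, the secret name and the UID are constructed for the demo, and the token path is the conventional in-cluster mount path.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"strings"
)

// saClaims is modelled on the legacy Kubernetes service account token
// (the JSON field names are the ones that token format used).
type saClaims struct {
	Iss        string `json:"iss"`
	Sub        string `json:"sub"`
	Namespace  string `json:"kubernetes.io/serviceaccount/namespace"`
	SecretName string `json:"kubernetes.io/serviceaccount/secret.name"`
	SAName     string `json:"kubernetes.io/serviceaccount/service-account.name"`
	SAUID      string `json:"kubernetes.io/serviceaccount/service-account.uid"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signToken plays the controller-manager: it mints an RS256 JWT using the
// key that would come from --service-account-private-key-file.
func signToken(priv *rsa.PrivateKey, ns, sa, secret, uid string) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	body, err := json.Marshal(saClaims{
		Iss: "kubernetes/serviceaccount",
		Sub: "system:serviceaccount:" + ns + ":" + sa,
		Namespace: ns, SecretName: secret, SAName: sa, SAUID: uid,
	})
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifyToken plays the apiserver: it accepts the token only if the signature
// checks out under one of the public keys from --service-account-key-file.
// The alg header is pinned to RS256 so a forged "none"/HS256 token is rejected.
func verifyToken(pubs []*rsa.PublicKey, token string) (*saClaims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct{ Alg string `json:"alg"` }
	if json.Unmarshal(rawHdr, &hdr) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unsupported or missing alg")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	verified := false
	for _, pub := range pubs {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			verified = true
			break
		}
	}
	if !verified {
		// This is the failure mode when apiserver and controller-manager keys differ.
		return nil, errors.New("signature not valid for any configured key")
	}
	rawBody, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c saClaims
	if err := json.Unmarshal(rawBody, &c); err != nil {
		return nil, err
	}
	if c.Iss != "kubernetes/serviceaccount" {
		return nil, errors.New("unexpected issuer")
	}
	return &c, nil
}

// loadInClusterToken mirrors what an in-cluster client does: read the mounted
// token and fail hard when it is missing, as NewInCluster() does.
func loadInClusterToken(path string) (string, error) {
	b, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("no in-cluster token at %s: %w", path, err)
	}
	return strings.TrimSpace(string(b)), nil
}

func main() {
	cmKey, _ := rsa.GenerateKey(rand.Reader, 2048)    // controller-manager's signing key
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048) // a key the apiserver was wrongly given
	tok, _ := signToken(cmKey, "deis", "deis-router", "deis-router-token-abc12", "uid-1")
	_, err := verifyToken([]*rsa.PublicKey{&cmKey.PublicKey}, tok)
	fmt.Println("matching key:", err)
	_, err = verifyToken([]*rsa.PublicKey{&otherKey.PublicKey}, tok)
	fmt.Println("mismatched key:", err)
	_, err = loadInClusterToken("/var/run/secrets/kubernetes.io/serviceaccount/token")
	fmt.Println("in-cluster token:", err)
}
```

Run it outside a cluster and the last line shows the same hard failure the comment attributes to NewInCluster(); the middle line shows why a token signed by a controller-manager whose key the apiserver does not trust is worthless even when the secret exists.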
fwiw...
most Deis components use the NewInCluster() function of the k8s.io/kubernetes/pkg/client/unversioned package. This function seems to assume the use of a secure endpoint and expects a token to be available. If it's not found it fails. I'll open a ticket on that against kubernetes/kubernetes, because it seems that could be improved upon.
Researching the matter more, the secure endpoint and the requirement for client authentication on that endpoint can never be fully disabled. If not explicitly configured, the secure endpoint will bind to port 6443 on 0.0.0.0, secured with a self-generated certificate, and will use client certificate authentication.
So my imaginative scenario where an SA and its secret wouldn't be relevant was invalid.
This reinforces the bottom line that SSL, auth, etc. must be configured properly in a k8s cluster as a prerequisite for Deis.
@krancour - Thank you very much for the follow up. Understood. We were an early adopter and didn't have SSL ironed out. I'll roll these changes and try again. In the meantime I tried in GKE without any issues. Thanks again