Need a way to disable version lookup when doing kubeadm init phase upload-certs #2510

Closed
echu23 opened this issue Jun 17, 2021 · 4 comments
Labels
kind/support Categorizes issue or PR as a support question.


echu23 commented Jun 17, 2021

Is this a request for help?

What keywords did you search in kubeadm issues before filing this one?

--kubernetes-version, upload-certs, dl.k8s.io

Is this a BUG REPORT or FEATURE REQUEST?

FEATURE REQUEST (since I think I didn't see an option to disable this)

Versions

v1.21, v1.20, v1.19, v1.18, v1.17 (this happens in all versions)

Environment:
I am testing this using a kind v1.17.17

  • Kubernetes version (use kubectl version):

```
root@kind-v1:/# kubectl version
Client Version: version.Info{Major:"1", Minor:"17", GitVersion:"v1.17.17", GitCommit:"f3abc15296f3a3f54e4ee42e830c61047b13895f", GitTreeState:"clean", BuildDate:"2021-01-22T22:20:06Z", GoVersion:"go1.13.15", Compiler:"gc", Platform:"linux/amd64"}
```

  • Cloud provider or hardware configuration: kind v1.17.17
  • OS (e.g. from /etc/os-release): ubuntu
  • Kernel (e.g. uname -a): Linux kind-v1.17-control-plane 5.10.25-linuxkit #1 SMP Tue Mar 23 09:27:39 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
  • Others:

What happened?

When running

```
kubeadm --v=5 init phase upload-certs --upload-certs --certificate-key=dec9994c68e45c20ef669b43f66fdd6f73af81a708f88154a8ec33cb59c31d01
```

kubeadm tries to access https://dl.k8s.io/release/stable-1.txt, and we are requesting an option to disable this lookup.

As far as we can see, there is no way to simply disable this lookup.

The reason is that we are using kubeadm in a private cloud and the Masters do not have public internet access.

For now we can wait for it to time out when doing upload-certs, but we really want to avoid making external network calls at all.

What you expected to happen?

There should be a command line option to disable this lookup.

How to reproduce it (as minimally and precisely as possible)?

In any env, including kind env, execute

```
kubeadm --v=5 init phase upload-certs --upload-certs --certificate-key=dec9994c68e45c20ef669b43f66fdd6f73af81a708f88154a8ec33cb59c31d01
```

and observe

```
I0617 18:05:19.806583  162608 version.go:182] fetching Kubernetes version from URL: https://dl.k8s.io/release/stable-1.txt
I0617 18:05:20.111463  162608 version.go:251] remote version is much newer: v1.21.2; falling back to: stable-1.17
I0617 18:05:20.111555  162608 version.go:182] fetching Kubernetes version from URL: https://dl.k8s.io/release/stable-1.17.txt
```

Anything else we need to know?

echu23 changed the title from "Is there a way to disable version lookup when doing kubeadm init phase upload-certs" to "Need a way to disable version lookup when doing kubeadm init phase upload-certs" on Jun 17, 2021

neolit123 commented Jun 17, 2021

> For now we can wait for it to time out when doing upload-certs, but we really want to avoid making external network calls at all.

most kubeadm commands construct a kubeadm config in memory to be able to operate.
if you don't pass a --config it will be constructed in memory with defaults.

for ClusterConfiguration.kubernetesVersion stable-1 is the default, so it should be possible to add --config foo.yaml to work around this:

```yaml
# foo.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.17.0
```

https://pkg.go.dev/k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm/v1beta2

let me know if that works.

/kind support

@k8s-ci-robot k8s-ci-robot added the kind/support Categorizes issue or PR as a support question. label Jun 17, 2021

echu23 commented Jun 18, 2021

Sorry it doesn't work.

  1. I need to use kubeadm init phase upload-certs so I need certificateKey field but it is only available in InitConfiguration and JoinConfiguration but not in ClusterConfiguration.

```
root@host [ ~ ]# cat kubeconfig-811799202.yaml
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: v1.21.0
certificateKey: 47061427ff8221a11279bce738d1164fa5c1bf1d3c64cbdd0adcbece29db220d
root@host [ ~ ]# /usr/bin/kubeadm --v=5 init phase upload-certs --upload-certs --config /root/kubeconfig-811799202.yaml
I0618 18:22:53.298525   21611 initconfiguration.go:246] loading configuration from "/root/kubeconfig-811799202.yaml"
W0618 18:22:53.300153   21611 strict.go:54] error unmarshaling configuration schema.GroupVersionKind{Group:"kubeadm.k8s.io", Version:"v1beta2", Kind:"ClusterConfiguration"}: error unmarshaling JSON: while decoding JSON: json: unknown field "certificateKey"
I0618 18:22:53.302173   21611 initconfiguration.go:115] detected and using CRI socket: /run/containerd/containerd.sock
I0618 18:22:53.302614   21611 interface.go:431] Looking for default routes with IPv4 addresses
I0618 18:22:53.302737   21611 interface.go:436] Default route transits interface "eth0"
I0618 18:22:53.304588   21611 interface.go:208] Interface eth0 is up
I0618 18:22:53.305122   21611 interface.go:256] Interface "eth0" has 5 addresses :[10.192.227.14/19 10.192.255.48/32 fd01:1:2:2917:0:a:0:6d9/128 fd01:1:2:2917:250:56ff:febf:b00f/64 fe80::250:56ff:febf:b00f/64].
I0618 18:22:53.305303   21611 interface.go:223] Checking addr  10.192.227.14/19.
I0618 18:22:53.306722   21611 interface.go:230] IP found 10.192.227.14
I0618 18:22:53.327748   21611 interface.go:262] Found valid IPv4 address 10.192.227.14 for interface "eth0".
I0618 18:22:53.327835   21611 interface.go:442] Found active IP 10.192.227.14
I0618 18:22:53.337091   21611 kubelet.go:259] setting the KubeletConfiguration cgroupDriver to "systemd"
I0618 18:22:53.343647   21611 certs.go:487] validating certificate period for CA certificate
I0618 18:22:53.343980   21611 certs.go:487] validating certificate period for front-proxy CA certificate
[upload-certs] Storing the certificates in Secret "kubeadm-certs" in the "kube-system" Namespace
[upload-certs] Using certificate key:
2068638e32dd3ec738548c495f11f4b8a4841c104527de70448da013ba25a545
```

  2. I can't combine --config and --certificateKey

```
# /usr/bin/kubeadm --v=5 init phase upload-certs --upload-certs --config /root/kubeconfig-811799202.yaml --certificate-key=47061427ff8221a11279bce738d1164fa5c1bf1d3c64cbdd0adcbece29db220d
can not mix '--config' with arguments [certificate-key]
```


neolit123 commented Jun 18, 2021

Why not pass an initconfiguration too?
(Separated with ---\n)


echu23 commented Jun 18, 2021

I think it does work this time, thank you very much.
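
The resolution the thread arrives at, as an added example that is not part of the original issue or of kubeadm: a POSIX shell helper that writes InitConfiguration and ClusterConfiguration into one `--config` file, plus a check that counts remote version fetches in a `--v=5` log. The function names and the vX.Y.Z guard are assumptions of this example.

```shell
#!/bin/sh
# Added example (not kubeadm's own tooling): build a single --config file for
# an air-gapped control plane and verify from the log that no lookup happened.

# write_kubeadm_config KEY VERSION FILE   (hypothetical helper)
# Writes two YAML documents separated by '---':
#   InitConfiguration    carries certificateKey
#   ClusterConfiguration carries the pinned kubernetesVersion
write_kubeadm_config() {
    key=$1 version=$2 file=$3
    # Assumption of this example: accept only an explicit vX.Y.Z so that a
    # label such as the default "stable-1" can never be written to the file.
    case $version in
        v[0-9]*.[0-9]*.[0-9]*) ;;
        *) echo "refusing non-explicit version: $version" >&2; return 1 ;;
    esac
    # The certificate key is a secret: recreate the file owner-readable only.
    rm -f -- "$file"
    ( umask 077
      cat > "$file" <<EOF
apiVersion: kubeadm.k8s.io/v1beta2
kind: InitConfiguration
certificateKey: $key
---
apiVersion: kubeadm.k8s.io/v1beta2
kind: ClusterConfiguration
kubernetesVersion: $version
EOF
    )
}

# count_version_lookups LOGFILE   (hypothetical helper)
# Prints the number of remote version fetches recorded in a kubeadm --v=5 log,
# matching the version.go message quoted in the issue.
count_version_lookups() {
    grep -c 'fetching Kubernetes version from URL:' "$1" || true
}
```

Run `kubeadm --v=5 init phase upload-certs --upload-certs --config FILE` with the generated file, capture stdout and stderr to a log, and expect `count_version_lookups` to print 0.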
