join w/ master dns name writes ip to kubelet config #411
related #338
+1, this seems reasonable: allow a hostname and validate the certificate against that hostname rather than pre-resolving to an IP address.
I was confused because I thought this already worked, and I just tested to confirm and it seems to:
In this case I have a (local) DNS entry for The API server TLS certificate common name/SANs will be validated against whatever name you pass to
The issue is, when I examine the contents of /etc/kubernetes/kubelet.conf, it's the IP address of the master, not the DNS name that's configured. If we join with a DNS name, I would expect to see the DNS name here.
kubelet config file that gets generated
Ah, I see what you mean. The initial kubeadm discovery process works, but then the bootstrap kubelet config (
This appears to be the issue: https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/util/config/masterconfig.go#L45
Fixing it there has a minor ripple: the API server pod's CLI params have to be generated with netutil.ChooseBindAddress. I.e., the root reason, AFAICS, for the early rewrite of the configured value was its use in both the client config and the server bind address; separating the two uses allows a DNS entry to be used for the client.
FWIW, I have fixes against the 1.7 release branch here: https://github.com/kapilt/kubernetes/tree/kubeadm-use-advertised. I assume I should replant to 1.8 trunk; is this something that is appropriate for a PR to the extant release branch?
@mattmoyer can we close this?
Running into this issue myself. 3 questions here:
To confirm, I just bootstrapped a master node on a HypriotOS Raspberry Pi for my Pi cluster and can confirm that this is still happening on 1.8. If you need any info from me, feel free to let me know. Below is the version info of the kubeadm used:
$ kubeadm version
Thanks for the great work! I recreated my master with @kapilt's version of the command, passing in the apiserver cert param above; below is the output if it helps.
Also happening on 1.9.1.
FWIW, the mechanics underlying this issue also cause the master to write out its IP on kubeadm init to config files on disk and to the ConfigMap it initializes.
/cc @craigtracey @chuckha |
I'd like to take this on, will post back updates as I progress through. |
@stevesloka - just poke me on review and I can help guide it through. |
@timothysc Is the best place to get the DNS name from
@stevesloka As someone who uses this heavily, I think it should be a configurable parameter. This means you can use things like ELB addresses. Currently the advertise address is used, I believe; maybe a flag like
@jaxxstorm that sounds good to me, I like the idea of a new flag. |
@jaxxstorm would it make sense to just use
@stevesloka doesn't that get used as the listen address for the apiserver manifest? Would a hostname be acceptable there?
Yup, you are correct @jaxxstorm, I got ahead of myself and forgot the API server requires an IP address.
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Add configuration item to allow kubeadm join to use a DNS name pointing to the control plane

This adds a new flag (`--apiserver-advertise-dns-address`) to kubeadm which is used in the node's kubelet.conf to point to the API server, allowing users to define a DNS entry instead of an IP address.

Fixes kubernetes/kubeadm#411

```release-note
Adds new flag `--apiserver-advertise-dns-address` which is used in the node's kubelet.conf to point to the API server
```

// @timothysc @craigtracey
I'm using kubeadm in a corporate cloud environment with enforced node recycling. One of the challenges of using kubeadm is that join will always use the IP address of the master instead of a passed-in DNS name (the master cert also has a subject alt name including the DNS name). The join ends up writing the master IP into kubelet.conf, which complicates rotation/restoration of the master. Given the symmetric secret and the CA hash work being done in
https://docs.google.com/document/d/1SP4P7LJWSA8vUXj27UvKdVEdhpo5Fp0QHNo4TXvLQbw/edit?ts=5971498a#heading=h.5bejulk96xxi
is there any reason why kubeadm couldn't support using the actual value passed (IP or DNS, per user choice) instead of forcing IP usage?
kubeadm version - 1.7.4
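The thread's fix hinges on two facts: the apiserver manifest needs a literal IP to bind and advertise, while the `server:` written into the node's kubelet.conf is just a URL the kubelet's TLS client will connect to and verify, so it can carry a DNS name as long as the serving certificate has that name as a SAN. The Go example below (added here for illustration; it is not kubeadm code and the `Endpoints`, `ClientCanVerify` and `SelfSignedServerCert` names, the `10.0.0.5` address and the `k8s-master.example.internal` name are all constructed for the example) separates the two values the way the thread proposes and then runs the same hostname check a kubelet performs against a certificate with and without the DNS SAN.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// ControlPlaneEndpoints separates the two uses the thread says were
// conflated: the address the API server binds to and advertises (must be
// an IP) and the server URL written into the node's kubelet.conf (may be a
// DNS name so the master can be rotated behind a stable name).
type ControlPlaneEndpoints struct {
	BindAddress string // literal IP for the apiserver's advertise/bind address
	ClientURL   string // value for the "server:" field of kubelet.conf
}

// Endpoints derives both values. dnsName is optional and plays the role of
// the --apiserver-advertise-dns-address flag from the thread; the function
// and its signature are this example's own, not kubeadm's API.
func Endpoints(advertiseAddr, dnsName string, port int) (ControlPlaneEndpoints, error) {
	ip := net.ParseIP(advertiseAddr)
	if ip == nil {
		// The apiserver manifest needs a literal IP; never pass a hostname through.
		return ControlPlaneEndpoints{}, fmt.Errorf("advertise address %q is not an IP address", advertiseAddr)
	}
	host := ip.String()
	if dnsName != "" {
		host = dnsName // clients get the DNS name; the bind address stays the IP
	}
	u := url.URL{Scheme: "https", Host: net.JoinHostPort(host, fmt.Sprint(port))}
	return ControlPlaneEndpoints{BindAddress: ip.String(), ClientURL: u.String()}, nil
}

// ClientCanVerify runs the hostname check a kubelet's TLS client performs
// against the API server certificate for the host in clientURL. Writing a
// DNS name into kubelet.conf is only safe when the serving cert carries
// that name as a SAN; otherwise every node fails its first TLS handshake.
func ClientCanVerify(cert *x509.Certificate, clientURL string) error {
	u, err := url.Parse(clientURL)
	if err != nil {
		return err
	}
	return cert.VerifyHostname(u.Hostname())
}

// SelfSignedServerCert constructs a throwaway serving certificate with the
// given SANs so the check above can run offline (test data, not a real cert).
func SelfSignedServerCert(dnsSANs []string, ipSANs []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "kube-apiserver"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:     dnsSANs,
		IPAddresses:  ipSANs,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	const masterIP = "10.0.0.5"                    // constructed example address
	const masterDNS = "k8s-master.example.internal" // constructed example name

	ep, _ := Endpoints(masterIP, masterDNS, 6443)
	fmt.Printf("bind: %s  kubelet.conf server: %s\n", ep.BindAddress, ep.ClientURL)

	// A cert whose SANs hold only the IP: the DNS endpoint fails verification,
	// so the name has to be added as a SAN before switching kubelet.conf to it.
	ipOnly, _ := SelfSignedServerCert(nil, []net.IP{net.ParseIP(masterIP)})
	fmt.Println("IP-only cert vs DNS endpoint:", ClientCanVerify(ipOnly, ep.ClientURL))

	withDNS, _ := SelfSignedServerCert([]string{masterDNS}, []net.IP{net.ParseIP(masterIP)})
	fmt.Println("cert with DNS SAN vs DNS endpoint:", ClientCanVerify(withDNS, ep.ClientURL))
}
```

The check in `ClientCanVerify` is the practical gate for the thread's request: a DNS name in kubelet.conf decouples nodes from a particular master IP, but only if `kubeadm init` was run with that name among the apiserver cert SANs.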