From 804dfea0f941201cc0af2b60216fd732c111639c Mon Sep 17 00:00:00 2001 
From: Dalton Hubble
Date: Tue, 1 Dec 2020 20:33:20 -0800
Subject: [PATCH] Add kubeconfig's for kube-scheduler and kube-controller-manager
* Generate TLS client certificates for `kube-scheduler` and `kube-controller-manager` with `system:kube-scheduler` and `system:kube-controller-manager` CNs
* Template separate kubeconfigs for kube-scheduler and kube-controller manager (`scheduler.conf` and `controller-manager.conf`). Rename admin for clarity
* Before v1.16.0, Typhoon scheduled a self-hosted control plane, which allowed the steady-state kube-scheduler and kube-controller-manager to use a scoped ServiceAccount. With a static pod control plane, separate CN TLS client certificates are the nearest equiv.
* https://kubernetes.io/docs/setup/best-practices/certificates/
* Remove unused Kubelet certificate, TLS bootstrap is used instead
---
 CHANGES.md | 4 ++--
 aws/fedora-coreos/kubernetes/bootstrap.tf | 2 +-
 aws/fedora-coreos/kubernetes/fcc/controller.yaml | 4 ++--
 aws/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 aws/flatcar-linux/kubernetes/cl/controller.yaml | 4 ++--
 azure/fedora-coreos/kubernetes/bootstrap.tf | 2 +-
 azure/fedora-coreos/kubernetes/fcc/controller.yaml | 4 ++--
 azure/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 azure/flatcar-linux/kubernetes/cl/controller.yaml | 4 ++--
 bare-metal/fedora-coreos/kubernetes/bootstrap.tf | 2 +-
 bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml | 4 ++--
 bare-metal/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 bare-metal/flatcar-linux/kubernetes/cl/controller.yaml | 4 ++--
 digital-ocean/fedora-coreos/kubernetes/bootstrap.tf | 2 +-
 digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml | 4 ++--
 digital-ocean/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml | 4 ++--
 google-cloud/fedora-coreos/kubernetes/bootstrap.tf | 2 +-
 google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml | 4 ++--
 google-cloud/flatcar-linux/kubernetes/bootstrap.tf | 2 +-
 google-cloud/flatcar-linux/kubernetes/cl/controller.yaml | 4 ++--
 21 files changed, 32 insertions(+), 32 deletions(-)
diff --git a/CHANGES.md b/CHANGES.md
index 8bcab8f06..3dc782d29 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -7,8 +7,9 @@ Notable changes between versions.
 * Add input variable validations ([#880](https://github.com/poseidon/typhoon/pull/880))
 * Require Terraform v0.13+ ([migration guide](https://typhoon.psdn.io/topics/maintenance/#terraform-versions))
 * Set output sensitive to suppress console display for some cases ([#885](https://github.com/poseidon/typhoon/pull/885))
+* Add service account token [volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) ([#897](https://github.com/poseidon/typhoon/pull/897))
+* Scope kube-scheduler and kube-controller-manager permissions ([#898](https://github.com/poseidon/typhoon/pull/898))
 * Update etcd from v3.4.12 to [v3.4.14](https://github.com/etcd-io/etcd/releases/tag/v3.4.14)
-* Enable service account token [volume projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#service-account-token-volume-projection) ([#897](https://github.com/poseidon/typhoon/pull/897))
 * Update Calico from v3.16.5 to v3.17.0 ([#890](https://github.com/poseidon/typhoon/pull/890))
 * Enable Calico MTU auto-detection
 * Remove [workaround](https://github.com/poseidon/typhoon/pull/724) to Calico cni-plugin [issue](https://github.com/projectcalico/cni-plugin/issues/874)
@@ -64,7 +65,6 @@ Notable changes between versions.
 ### Flatcar Linux
 * Rename `container-linux` modules to `flatcar-linux` ([#858](https://github.com/poseidon/typhoon/issues/858)) (**action required**)
- * Change on-host system containers from rkt to docker
 * Change `etcd-member.service` container runnner from rkt to docker ([#867](https://github.com/poseidon/typhoon/pull/867))
 * Change `kubelet.service` container runner from rkt-fly to docker ([#855](https://github.com/poseidon/typhoon/pull/855))
diff --git a/aws/fedora-coreos/kubernetes/bootstrap.tf b/aws/fedora-coreos/kubernetes/bootstrap.tf
index 948932e2b..cbe82e524 100644
--- a/aws/fedora-coreos/kubernetes/bootstrap.tf
+++ b/aws/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/aws/fedora-coreos/kubernetes/fcc/controller.yaml b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
index 282bb0dcd..810e2651e 100644
--- a/aws/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/aws/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -147,7 +147,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
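Review bot: `mv auth/*` now moves every kubeconfig the pinned bootstrap module renders into /etc/kubernetes/bootstrap-secrets/, but nothing in this file records which files are expected there, so a reader cannot tell that the cluster-admin kubeconfig and the scoped per-component ones named in the commit message (admin.conf, scheduler.conf, controller-manager.conf) now share one directory; a comment above the line, `# auth/ holds admin.conf, scheduler.conf and controller-manager.conf rendered by terraform-render-bootstrap`, would make the glob's contents explicit. Because that directory now holds credentials of different privilege, its ownership and mode matter more than before; the chown/chmod visible in this hunk cover /etc/ssl/etcd only, and whatever sets the mode of bootstrap-secrets lies outside the hunk, if it exists at all, so it is worth confirming. The bootstrap script these lines belong to begins before the hunk. The same change appears in the other nine controller.yaml files of this commit (aws/flatcar-linux, both azure, both bare-metal, both digital-ocean and both google-cloud variants).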
@@ -161,7 +161,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/aws/flatcar-linux/kubernetes/bootstrap.tf b/aws/flatcar-linux/kubernetes/bootstrap.tf
index 46cb464be..e9a957dc5 100644
--- a/aws/flatcar-linux/kubernetes/bootstrap.tf
+++ b/aws/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/aws/flatcar-linux/kubernetes/cl/controller.yaml b/aws/flatcar-linux/kubernetes/cl/controller.yaml
index 7fe963775..9c2f800bc 100644
--- a/aws/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/aws/flatcar-linux/kubernetes/cl/controller.yaml
@@ -155,7 +155,7 @@ storage:
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
 chmod -R 700 /var/lib/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -169,7 +169,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/azure/fedora-coreos/kubernetes/bootstrap.tf b/azure/fedora-coreos/kubernetes/bootstrap.tf
index 96b45e71e..084e63a6a 100644
--- a/azure/fedora-coreos/kubernetes/bootstrap.tf
+++ b/azure/fedora-coreos/kubernetes/bootstrap.tf
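Review bot: The on-host kubeconfig path used by this wait script changes from `/etc/kubernetes/secrets/kubeconfig` to `/etc/kubernetes/secrets/admin.conf`, yet the CHANGES.md entry this commit adds ("Scope kube-scheduler and kube-controller-manager permissions") says nothing about the rename, so an operator or out-of-tree script that still points at the old path on a controller will fail to find a credential after upgrading. Suggest extending that changelog line, e.g. `* Scope kube-scheduler and kube-controller-manager permissions (renames the on-host admin kubeconfig to admin.conf) ([#898](https://github.com/poseidon/typhoon/pull/898))`. The script also continues to poll with the cluster-admin kubeconfig rather than one of the new scoped ones; if that is intentional because admin.conf is the only credential guaranteed to be present at this point, a one-line comment saying so above the export would save the next reader the question. The file stanza this script sits in begins before the hunk, and the same rename appears in the other nine controller.yaml files of this commit.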
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/azure/fedora-coreos/kubernetes/fcc/controller.yaml b/azure/fedora-coreos/kubernetes/fcc/controller.yaml
index 424ac7f0a..2a71f7ce7 100644
--- a/azure/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/azure/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -146,7 +146,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -160,7 +160,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/azure/flatcar-linux/kubernetes/bootstrap.tf b/azure/flatcar-linux/kubernetes/bootstrap.tf
index 976ce4481..1cb2434ad 100644
--- a/azure/flatcar-linux/kubernetes/bootstrap.tf
+++ b/azure/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/azure/flatcar-linux/kubernetes/cl/controller.yaml b/azure/flatcar-linux/kubernetes/cl/controller.yaml
index 7fe963775..9c2f800bc 100644
--- a/azure/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/azure/flatcar-linux/kubernetes/cl/controller.yaml
@@ -155,7 +155,7 @@ storage:
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
 chmod -R 700 /var/lib/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -169,7 +169,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
index 2646e170f..d5d7ea738 100644
--- a/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
+++ b/bare-metal/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
diff --git a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
index 90a0b151e..1919265bf 100644
--- a/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/bare-metal/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -157,7 +157,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -171,7 +171,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
index 9ea9c39dc..485348e1c 100644
--- a/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
+++ b/bare-metal/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [var.k8s_domain_name]
diff --git a/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml b/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml
index b89524ee6..3ce8b1efd 100644
--- a/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/bare-metal/flatcar-linux/kubernetes/cl/controller.yaml
@@ -169,7 +169,7 @@ storage:
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
 chmod -R 700 /var/lib/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -183,7 +183,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
index 9ca47cfa5..66d6d52f7 100644
--- a/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
+++ b/digital-ocean/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
index 62fe163db..f7f5adc4d 100644
--- a/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/digital-ocean/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -153,7 +153,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -167,7 +167,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
index 20eb4ca80..44b97f861 100644
--- a/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
+++ b/digital-ocean/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml b/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml
index b1ebdf146..5e7732ff3 100644
--- a/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/digital-ocean/flatcar-linux/kubernetes/cl/controller.yaml
@@ -162,7 +162,7 @@ storage:
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
 chmod -R 700 /var/lib/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -176,7 +176,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
index 15407159a..79b309c11 100644
--- a/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
+++ b/google-cloud/fedora-coreos/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
index c14fe0b1a..2a3516d35 100644
--- a/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
+++ b/google-cloud/fedora-coreos/kubernetes/fcc/controller.yaml
@@ -146,7 +146,7 @@ storage:
 mv tls/etcd/etcd-client* /etc/kubernetes/bootstrap-secrets/
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -160,7 +160,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5
diff --git a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
index 063c991d6..5fb1f9b7f 100644
--- a/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
+++ b/google-cloud/flatcar-linux/kubernetes/bootstrap.tf
@@ -1,6 +1,6 @@
 # Kubernetes assets (kubeconfig, manifests)
 module "bootstrap" {
- source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=19c3ce61bd32801bef791e4848b2a3eac1b758c8"
+ source = "git::https://github.com/poseidon/terraform-render-bootstrap.git?ref=ac5cb9577408cba65f66b0ce35a8881c3ca5d63b"
 cluster_name = var.cluster_name
 api_servers = [format("%s.%s", var.cluster_name, var.dns_zone)]
diff --git a/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml b/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
index cc1c3a044..924f1884c 100644
--- a/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
+++ b/google-cloud/flatcar-linux/kubernetes/cl/controller.yaml
@@ -153,7 +153,7 @@ storage:
 chown -R etcd:etcd /etc/ssl/etcd
 chmod -R 500 /etc/ssl/etcd
 chmod -R 700 /var/lib/etcd
- mv auth/kubeconfig /etc/kubernetes/bootstrap-secrets/
+ mv auth/* /etc/kubernetes/bootstrap-secrets/
 mv tls/k8s/* /etc/kubernetes/bootstrap-secrets/
 mkdir -p /etc/kubernetes/manifests
 mv static-manifests/* /etc/kubernetes/manifests/
@@ -167,7 +167,7 @@ storage:
 contents:
 inline: |
 #!/bin/bash -e
- export KUBECONFIG=/etc/kubernetes/secrets/kubeconfig
+ export KUBECONFIG=/etc/kubernetes/secrets/admin.conf
 until kubectl version; do
 echo "Waiting for static pod control plane"
 sleep 5