fix kube-dns CrashLoopBackOff issue with RBAC enabled minikube #1107
Conversation
|
@galexrt I am using minikube v0.22.3.(with image minikube-v0.23.5.iso) And my kube-dns pod keeps restaring all the time. The kube-dns restart issue hasn't caused any issues but i thought i would be nice to fix it. |
dangula
force-pushed
the
pr_fix_minikubeRBAC
branch
from
7c6c828
to
6955280
Compare
|
@dangula I just noticed it happens again for me. Kube-dns working fine for me, was caused because I was using a minikube in which I already fixed the RBAC by hand earlier. Yes, it is definitely good to fix this. |
tests/scripts/minikube.sh
Outdated
| # workaround for kube-dns CrashLoopBackOff issue with RBAC enabled | ||
| #issue https://github.com/kubernetes/minikube/issues/1734 and https://github.com/kubernetes/minikube/issues/1722 | ||
| enable_roles_for_RBAC() { | ||
| cat <<EOF | kubectl create -f - |
tests/scripts/minikube.sh
Outdated
| verbs: ["*"] | ||
| - nonResourceURLs: ["*"] | ||
| verbs: ["*"] | ||
|
|
There was a problem hiding this comment.
I would remove those empty lines in between the objects.
dangula
force-pushed
the
pr_fix_minikubeRBAC
branch
from
6955280
to
b8af903
Compare
tests/scripts/minikube.sh
Outdated
| # workaround for kube-dns CrashLoopBackOff issue with RBAC enabled | ||
| #issue https://github.com/kubernetes/minikube/issues/1734 and https://github.com/kubernetes/minikube/issues/1722 | ||
| enable_roles_for_RBAC() { | ||
| cat <<EOF | kubectl create -f - |
There was a problem hiding this comment.
The indent from the other lines seems to be 4 spaces. Please change it here to look like the other lines.
dangula
force-pushed
the
pr_fix_minikubeRBAC
branch
from
b8af903
to
58053a5
Compare
tests/scripts/minikube.sh
Outdated
| name: cluster-writer | ||
| apiGroup: rbac.authorization.k8s.io | ||
| --- | ||
| # Setup sd-build as a reader. This has to be a |
There was a problem hiding this comment.
why do we need these sd-* accounts, roles and bindings? in the original issue kubernetes/minikube#1734, it looks like the sample fix came from the Screwdriver project: http://blog.screwdriver.cd/post/161863341372/set-up-screwdriver-in-kubernetes, which is where I think this sd-* stuff is coming from.
We aren't using screwdriver, so we shouldn't add those RBAC configs to our scripts, right? I would think that only cluster-writer and cluster-reader are necessary. Can you please try this scenario after removing all the sd-* stuff that I suspect isn't necessary?
There was a problem hiding this comment.
thanks for catching that,i just coped the roles from the last comment in the issue. Cleaned them up now.
There was a problem hiding this comment.
@dangula can you confirm that kube-dns worked OK with RBAC enabled once you removed those sd-* permissions?
There was a problem hiding this comment.
@jbw976 it worked, i ran full regession and all tests passed.
There was a problem hiding this comment.
ah, it looks like the cluster-reader role isn't used anymore now. it was only used by the sd-build account. let's get rid of the cluster-reader role too then I think this change will be complete. thanks @dangula
dangula
force-pushed
the
pr_fix_minikubeRBAC
branch
from
58053a5
to
7553724
Compare
dangula
force-pushed
the
pr_fix_minikubeRBAC
branch
from
7553724
to
3292bff
Compare
[skip ci] fix #925