Kubeadm ignores multiple service-account-issuer #2735

Closed
challapradyumna opened this issue Jul 29, 2022 · 1 comment
challapradyumna commented Jul 29, 2022

What keywords did you search in kubeadm issues before filing this one?

service-account-issuer

BUG REPORT

Versions

kubeadm version (use kubeadm version): 1.22.12

Environment:

  • Kubernetes version (use kubectl version): 1.22.12
  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release): Ubuntu
  • Kernel (e.g. uname -a): 4.4.0-1087-aws
  • Container runtime (CRI) (e.g. containerd, cri-o): Docker
  • Container networking plugin (CNI) (e.g. Calico, Cilium): Calico
  • Others:

What happened?

Provided multiple service-account-issuer in ClusterConfiguration -> apiServer -> extraArgs
Only the last provided service-account-issuer is being added to the kube-apiserver.yaml manifest file.

What you expected to happen?

The kube-apiserver.yaml manifest file should have multiple service-account-issuer flags, since this is supported in 1.22+.

- --service-account-issuer=https://kubernetes.default.svc.cluster.local

How to reproduce it (as minimally and precisely as possible)?

Create a kind cluster with the following configuration:

```yaml
# cluster.yaml
kind: Cluster
apiVersion: kind.x-k8s.io/v1alpha4
featureGates:
  ServiceAccountIssuerDiscovery: true
networking:
  apiServerPort: 6443
name: test
nodes:
- role: control-plane
  image: kindest/node:v1.22.9
  kubeadmConfigPatches:
  - |
    apiVersion: kubeadm.k8s.io/v1beta3
    kind: ClusterConfiguration
    apiServer:
      extraArgs:
        service-account-issuer: https://abc.s3.com
        service-account-issuer: https://kubernetes.default.svc.cluster.local
        service-account-signing-key-file: /etc/kubernetes/pki/sa.key
        service-account-key-file: /etc/kubernetes/pki/sa.pub
        api-audiences: sts.amazonaws.com,https://kubernetes.default.svc.cluster.local
    etcd:
      local:
          imageRepository: k8s.gcr.io
          imageTag: 3.5.4-0
          dataDir: /var/lib/etcd
```

```
kind create cluster --config=cluster.yaml
```

This function has to be updated - https://github.com/kubernetes/kubernetes/blob/95303390ac7c7bcc47306eede25644712127cdfb/cmd/kubeadm/app/phases/controlplane/manifests.go#L161

neolit123 (Member) commented:

known problem #1601

you can use patches instead of extra args
https://kubernetes.io/docs/setup/production-environment/tools/kubeadm/control-plane-flags/#patches
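
The behaviour reported in this issue, reduced to a stand-alone Go sketch (an added example, not kubeadm's code and not from either commenter). It assumes extraArgs is held as a `map[string]string`, so a repeated key keeps only its last value; `Arg`, `asMap`, `flagsFromMap` and `dropped` are hypothetical names, and the sample values are taken from the cluster.yaml in the report.

```go
package main

import (
	"fmt"
	"sort"
)

// Arg is a hypothetical ordered name/value pair, not a kubeadm v1beta3 type.
type Arg struct{ Name, Value string }

// sample is constructed from the extraArgs in the cluster.yaml of the report.
var sample = []Arg{
	{"service-account-issuer", "https://abc.s3.com"},
	{"service-account-issuer", "https://kubernetes.default.svc.cluster.local"},
	{"api-audiences", "sts.amazonaws.com,https://kubernetes.default.svc.cluster.local"},
}

// asMap mimics reading extraArgs into a map[string]string: a repeated key overwrites the earlier value.
func asMap(pairs []Arg) map[string]string {
	m := make(map[string]string, len(pairs))
	for _, p := range pairs {
		m[p.Name] = p.Value
	}
	return m
}

// flagsFromMap renders --name=value flags, sorted for stable output.
func flagsFromMap(m map[string]string) []string {
	var out []string
	for k, v := range m {
		out = append(out, "--"+k+"="+v)
	}
	sort.Strings(out)
	return out
}

// dropped lists, in input order, the pairs that do not survive the map.
func dropped(pairs []Arg) []Arg {
	m, lost := asMap(pairs), []Arg{}
	for _, p := range pairs {
		if m[p.Name] != p.Value {
			lost = append(lost, p)
		}
	}
	return lost
}

func main() {
	fmt.Println(flagsFromMap(asMap(sample)), dropped(sample))
}
```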

neolit123 added the kind/support label on Jul 29, 2022.