kubernetes: Kubelet default argument inconsistency between flags and config file

Is this a BUG REPORT or FEATURE REQUEST?:

/kind bug

What happened: I tried to start a kubelet in standalone mode but got an error failed to run Kubelet: no client provided, cannot use webhook authentication

What you expected to happen: I expected the kubelet to start up without needing a client because kubelet --help says:

      --authorization-mode string                                                                                 Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization. (default "AlwaysAllow") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)

However looking at the code I see:

https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/config/v1beta1/defaults.go#L75

(defaults to webhook). Since I’m using a config file and the help tells me to do as much, it should either tell me the flag has a default of alwaysallow and the config has a default of webhook, OR the defaults should be consistent.

How to reproduce it (as minimally and precisely as possible): Run kubelet, maybe with a config file

Anything else we need to know?: kubelet systemd file:

[Service]
# Uncomment if you are using containerd
Environment="KUBELET_CRI_ENDPOINT=--container-runtime-endpoint=unix:///var/run/containerd/container.sock"
ExecStart=
ExecStart=/usr/bin/kubelet --config /var/lib/kubelet/config.yaml --allow-privileged $KUBELET_CRI_ENDPOINT
Restart=always

kubelet config file

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 127.0.0.1
staticPodPath: /etc/kubernetes/manifests

Environment: a recent version of kubelet

root@ip-10-0-0-8:~# kubelet --version
Kubernetes v1.13.0-alpha.0.1353+d1111a57d9243c

About this issue

  • Original URL
  • State: closed
  • Created 6 years ago
  • Reactions: 2
  • Comments: 23 (10 by maintainers)

Most upvoted comments

For the next person who hits this, I figured out the expected values. So when you --config, authentication is defaulted to webhook where as via the cli it’s set to anonymous by default.

kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 127.0.0.1
cgroupDriver: systemd
staticPodPath: /etc/kubelet.d
authentication:
  anonymous:
    enabled: true
  webhook:
    enabled: false
authorization:
  mode: AlwaysAllow

NOTE: it would be awesome to generated default configs in the actual yaml/json structure somewhere rather than having to work backwards in go (which I am not that familiar with).

@furkanmustafa good spot, I’ve updated the example in my comment.