kubernetes: Kubelet default argument inconsistency between flags and config file
Is this a BUG REPORT or FEATURE REQUEST?:
/kind bug
What happened:
I tried to start a kubelet in standalone mode but got an error
failed to run Kubelet: no client provided, cannot use webhook authentication
What you expected to happen:
I expected the kubelet to start up without needing a client because kubelet --help
says:
--authorization-mode string Authorization mode for Kubelet server. Valid options are AlwaysAllow or Webhook. Webhook mode uses the SubjectAccessReview API to determine authorization. (default "AlwaysAllow") (DEPRECATED: This parameter should be set via the config file specified by the Kubelet's --config flag. See https://kubernetes.io/docs/tasks/administer-cluster/kubelet-config-file/ for more information.)
However looking at the code I see:
https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/apis/config/v1beta1/defaults.go#L75
(defaults to webhook). Since I’m using a config file and the help tells me to do as much, it should either tell me the flag has a default of alwaysallow and the config has a default of webhook, OR the defaults should be consistent.
How to reproduce it (as minimally and precisely as possible): Run kubelet, maybe with a config file
Anything else we need to know?: kubelet systemd file:
[Service]
# Uncomment if you are using containerd
Environment="KUBELET_CRI_ENDPOINT=--container-runtime-endpoint=unix:///var/run/containerd/container.sock"
ExecStart=
ExecStart=/usr/bin/kubelet --config /var/lib/kubelet/config.yaml --allow-privileged $KUBELET_CRI_ENDPOINT
Restart=always
kubelet config file
kind: KubeletConfiguration
apiVersion: kubelet.config.k8s.io/v1beta1
address: 127.0.0.1
staticPodPath: /etc/kubernetes/manifests
Environment: a recent version of kubelet
root@ip-10-0-0-8:~# kubelet --version
Kubernetes v1.13.0-alpha.0.1353+d1111a57d9243c
About this issue
- Original URL
- State: closed
- Created 6 years ago
- Reactions: 2
- Comments: 23 (10 by maintainers)
For the next person who hits this, I figured out the expected values. So when you --config, authentication is defaulted to webhook where as via the cli it’s set to anonymous by default.
NOTE: it would be awesome to generated default configs in the actual yaml/json structure somewhere rather than having to work backwards in go (which I am not that familiar with).
@furkanmustafa good spot, I’ve updated the example in my comment.