kubernetes: Service account not working in hyperkube since v1.3.0-alpha.5

Problem: Service account seems to be broken in Hyperkube.

Steps:

export K8S_VERSION=v1.3.0-alpha.5
export ARCH=amd64
docker run -d \
    --volume=/:/rootfs:ro \
    --volume=/sys:/sys:rw \
    --volume=/var/lib/docker/:/var/lib/docker:rw \
    --volume=/var/lib/kubelet/:/var/lib/kubelet:rw \
    --volume=/var/run:/var/run:rw \
    --net=host \
    --pid=host \
    --privileged \
    gcr.io/google_containers/hyperkube-${ARCH}:${K8S_VERSION} \
    /hyperkube kubelet \
        --containerized \
        --hostname-override=127.0.0.1 \
        --api-servers=http://localhost:8080 \
        --config=/etc/kubernetes/manifests \
        --cluster-dns=10.0.0.10 \
        --cluster-domain=cluster.local \
        --allow-privileged --v=2

kubectl run debain2 --image debian sleep 1000000
kubectl exec debain2-1279483658-wakm7 ls /var/run/secrets/kubernetes.io/serviceaccount

Result is empty dir.

Comment: It works in v1.3.0-alpha.4

export K8S_VERSION=v1.3.0-alpha.4
export ARCH=amd64
docker run ...
kubectl run debain2 --image debian sleep 1000000
kubectl exec debain2-1279483658-wakm7 ls /var/run/secrets/kubernetes.io/serviceaccount
ca.crt
namespace
token

About this issue

  • State: closed
  • Created 8 years ago
  • Reactions: 3
  • Comments: 35 (30 by maintainers)

Most upvoted comments

I guess what I really need to do is write some doc on this subject.

You need to add shared to kubelet. This is required to make mounts done by kubelet visible to other containers (e.g. service accounts).

  --volume=/var/lib/kubelet/:/var/lib/kubelet:rw,shared
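One way to check the propagation mode discussed above, as an added example that is not part of the original thread or the Kubernetes project: it reads the optional fields of a mountinfo file (normally `/proc/self/mountinfo`) for the mount that covers a path. The function names and the sample lines are constructed for illustration, and mount points containing escaped spaces are assumed not to occur.

```shell
#!/bin/sh
# Report which mount covers a path and its propagation mode, using the
# optional fields of a mountinfo file (fields 7.. up to the "-" separator).

mount_propagation() {
    # $1 = mountinfo file ("-" for stdin), $2 = absolute path to look up
    awk -v target="$2" '
    BEGIN { sub(/\/+$/, "", target); if (target == "") target = "/" }
    {
        mp = $5
        # Match only on a path-component boundary, so /var/lib/kubeletX
        # is not treated as being under /var/lib/kubelet.
        covers = (mp == "/" || target == mp || index(target, mp "/") == 1)
        # Keep the longest covering mount point; on a tie the later
        # (topmost) mount wins.
        if (!covers || length(mp) < length(best)) next
        best = mp
        mode = "private"
        for (i = 7; i <= NF && $i != "-"; i++) {
            if ($i ~ /^shared:/) { mode = "shared"; break }
            if ($i ~ /^master:/) mode = "slave"
            if ($i == "unbindable") mode = "unbindable"
        }
    }
    END { if (best == "") exit 1; print best, mode }
    ' "$1"
}

# Constructed sample: what a container might see when only
# /var/lib/kubelet was bind-mounted with the "shared" option.
sample_mountinfo() {
    cat <<'EOF'
22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
310 22 8:1 /var/lib/docker /var/lib/docker rw,relatime - ext4 /dev/sda1 rw
311 22 8:1 /var/lib/kubelet /var/lib/kubelet rw,relatime shared:5 - ext4 /dev/sda1 rw
312 22 0:21 / /var/run rw,nosuid master:3 - tmpfs tmpfs rw
EOF
}

# Demo on the sample; on a real node use:
#   mount_propagation /proc/self/mountinfo /var/lib/kubelet
sample_mountinfo | mount_propagation - /var/lib/kubelet/
```

A result other than `shared` for `/var/lib/kubelet` inside the kubelet container matches the symptom in this issue: volumes mounted by kubelet do not propagate out, so the service account directory shows up empty in pods.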