minikube: --extra-config=kubelet.authorization-mode=AlwaysAllow ignored
Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT
Please provide the following details:
Environment: Ubuntu 17.10
Minikube version (use minikube version): v0.24.1
- OS (e.g. from /etc/os-release): “Ubuntu 17.10 (Artful Aardvark)”
- VM Driver (e.g.
cat ~/.minikube/machines/minikube/config.json | grep DriverName): virtualbox - ISO version (e.g.
cat ~/.minikube/machines/minikube/config.json | grep -i ISOorminikube ssh cat /etc/VERSION): minikube-v0.23.6.iso - Install tools:
- Others: The above can be generated in one go with the following commands (can be copied and pasted directly into your terminal):
minikube version
echo "";
echo "OS:";
cat /etc/os-release
echo "";
echo "VM driver":
grep DriverName ~/.minikube/machines/minikube/config.json
echo "";
echo "ISO version";
grep -i ISO ~/.minikube/machines/minikube/config.json
What happened:
Running minikube with:
minikube --bootstrapper=kubeadm --extra-config=kubelet.authorization-mode=AlwaysAllow --kubernetes-version=v1.8.5 start
Results in RBAC still being active.
Excerpt from:
kubectl get pods -n kube-system kube-apiserver-minikube -o yaml
spec:
containers:
- command:
- kube-apiserver
- --authorization-mode=AlwaysAllow
- --secure-port=8443
- --requestheader-client-ca-file=/var/lib/localkube/certs/front-proxy-ca.crt
- --proxy-client-key-file=/var/lib/localkube/certs/front-proxy-client.key
- --insecure-port=0
- --requestheader-group-headers=X-Remote-Group
- --advertise-address=192.168.99.102
- --tls-cert-file=/var/lib/localkube/certs/apiserver.crt
- --kubelet-client-key=/var/lib/localkube/certs/apiserver-kubelet-client.key
- --enable-bootstrap-token-auth=true
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --requestheader-username-headers=X-Remote-User
- --requestheader-extra-headers-prefix=X-Remote-Extra-
- --service-account-key-file=/var/lib/localkube/certs/sa.pub
- --kubelet-client-certificate=/var/lib/localkube/certs/apiserver-kubelet-client.crt
- --service-cluster-ip-range=10.96.0.0/12
- --proxy-client-cert-file=/var/lib/localkube/certs/front-proxy-client.crt
- --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,NodeRestriction,ResourceQuota
- --allow-privileged=true
- --requestheader-allowed-names=front-proxy-client
- --client-ca-file=/var/lib/localkube/certs/ca.crt
- --tls-private-key-file=/var/lib/localkube/certs/apiserver.key
- --authorization-mode=Node,RBAC
- --etcd-servers=http://127.0.0.1:2379
Shows authorization-mode being passed twice. The default value is appended at the end which I suspect takes precedence over the overridden value.
Running a kubectl command from a pod inside the cluster shows:
Error from server (Forbidden): error when retrieving current configuration of:
&{0xc420f552c0 0xc420a65500 abcd test-service /var/spool/rendered/kube-services.yml 0xc420fa42d8 0xc420fa42d8 false}
from server for: "/var/spool/rendered/kube-services.yml": endpoints "test-service" is forbidden: User "system:serviceaccount:abcd:default" cannot get endpoints in the namespace "abcd"
Which means that RBAC is active.
What you expected to happen: RBAC should be turned off.
How to reproduce it (as minimally and precisely as possible):
Run minikube as following:
minikube --bootstrapper=kubeadm --extra-config=kubelet.authorization-mode=AlwaysAllow --kubernetes-version=v1.8.5 start
Verify if RBAC is not active.
Output of minikube logs (if applicable):
N/A
Anything else do we need to know:
About this issue
- Original URL
- State: closed
- Created 7 years ago
- Comments: 22 (4 by maintainers)
I can’t say exactly when this was fixed, but it no longer appears with at least the v1.9.0-beta.1:
My apologies for it taking so long to get this resolved.
yes @kwojcicki that’s what I did