Team,
I am trying to specify the authentication-token-webhook flag on kubelet. so, I manually add the flag in /etc/sysconfig/kubelet and restart the service. then it works.
Is there a specific way to add that flag in cluster.yaml file that it gets added to kubelet automatically and I don't have to manually add it.
My changes in cluster.yaml look like this
kubelet:
featureGates:
DevicePlugins: "true"so shall i add it as kubelet: featureGates: DevicePlugins: "true" authentication-token-webhook
Kubelet output after adding manually looks like this:
lab@10:~$ ps -ax | grep kubel | grep web
5188 ? Ssl 0:17 /usr/local/bin/kube-apiserver --address=127.0.0.1 --admission-control=Initializers,NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,NodeRestriction,ResourceQuota --allow-privileged=true --anonymous-auth=false --apiserver-count=1 --authentication-token-webhook-config-file=/srv/kubernetes/assets/webhook-auth.yaml --authorization-mode=RBAC --basic-auth-file=/srv/kubernetes/basic_auth.csv --client-ca-file=/srv/kubernetes/ca.crt --cloud-provider=external --etcd-quorum-read=false --etcd-servers-overrides=/events#http://127.0.0.1:4002 --etcd-servers=http://127.0.0.1:4001 --insecure-port=8080 --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP --proxy-client-cert-file=/srv/kubernetes/apiserver-aggregator.cert --proxy-client-key-file=/srv/kubernetes/apiserver-aggregator.key --requestheader-allowed-names=aggregator --requestheader-client-ca-file=/srv/kubernetes/apiserver-aggregator-ca.cert --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=443 --service-cluster-ip-range=100.64.0.0/13 --storage-backend=etcd2 --tls-cert-file=/srv/kubernetes/server.cert --tls-private-key-file=/srv/kubernetes/server.key --token-auth-file=/srv/kubernetes/known_tokens.csv --v=2
7250 ? Ssl 0:00 /usr/local/bin/kubelet --allow-privileged=true --authentication-token-webhook --cgroup-root=/ --cloud-provider=external --cluster-dns=100.64.0.10 --cluster-domain=cluster.local --enable-debugging-handlers=true --eviction-hard=memory.available<100Mi,nodefs.available<10%,nodefs.inodesFree<5%,imagefs.available<10%,imagefs.inodesFree<5% --feature-gates=DevicePlugins=true,ExperimentalCriticalPodAnnotation=true --kubeconfig=/var/lib/kubelet/kubeconfig --network-plugin=cni --node-labels=kops.k8s.io/instancegroup=master-a,kubernetes.io/role=master,node-role.kubernetes.io/master= --non-masquerade-cidr=100.64.0.0/10 --pod-infra-container-image=k8s.gcr.io/pause-amd64:3.0 --pod-manifest-path=/etc/kubernetes/manifests --register-schedulable=true --register-with-taints=node-role.kubernetes.io/master=:NoSchedule --v=2 --cni-bin-dir=/opt/cni/bin/ --cni-conf-dir=/etc/cni/net.d/
Flag needs to be added in this file manually cat /etc/sysconfig/kubelet
or via cluster deployment file as below: kubelet: featureGates: DevicePlugins: "true" authenticationTokenWebhook: true
then also specify the CA cert to use fileAssets: - name: webhook-auth-ca.pem roles: ["Master"] content: | -----BEGIN CERTIFICATE-----
and finally the auth file - name: webhook-auth.yaml roles: ["Master"] content: | clusters: