ansible-role-kubernetes-ca
Change organization for the apiserver certificate
According to https://kubernetes.io/docs/setup/best-practices/certificates/#all-certificates the kube-apiserver-kubelet-client certificate needs to have the organization defined as system:masters. With the previous identifier (Kubernetes) there were some permission problems, specifically the ability to fetch pod logs.

When using Kubernetes as organization, the error when fetching the logs for a resource is:

    Error from server (Forbidden): Forbidden (user=kubernetes, verb=get, resource=nodes, subresource=proxy) ( pods/log nginx)

This may be solved by adding a ClusterRole with the proxy permissions to the Kubernetes user, but the Kubernetes defaults should instead be used for the API server.
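The following is an added example, not code from ansible-role-kubernetes-ca or the issue author. It generates a throwaway CA and an apiserver-kubelet-client certificate with the subject the Kubernetes docs ask for (CN=kube-apiserver-kubelet-client, O=system:masters) using plain openssl, then reads the organization back out of the issued certificate so the value can be checked before the cert is deployed. A pods/log request is proxied by kube-apiserver to the kubelet, and a kubelet running in webhook authorization mode asks the API server whether the presenting client identity may get nodes/proxy; the O= field of the client cert becomes that identity's group, and system:masters is bound to cluster-admin, which is why the organization matters here. The CA name, the WORK directory and the one-day validity are assumptions for the demo; it needs openssl on PATH.

```shell
#!/bin/sh
# Added example (not part of the ansible-role-kubernetes-ca role).
# Creates a throwaway CA, issues an apiserver-kubelet-client cert with
# O=system:masters, and extracts the organization from the issued cert.
# Assumptions: openssl is on PATH; WORK, the CA name and validity are demo values.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# make_ca DIR: self-signed CA key pair (CA name "kubernetes-ca" is assumed)
make_ca() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=kubernetes-ca" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
}

# make_client_cert DIR NAME ORG: CSR with CN=NAME and O=ORG, signed by the CA
make_client_cert() {
  dir="$1"; name="$2"; org="$3"
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=$name/O=$org" \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$dir/$name.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/$name.crt" 2>/dev/null
}

# cert_org FILE: print the O= component of the certificate subject
# (sep_multiline puts each RDN on its own indented line, e.g. "    O=system:masters")
cert_org() {
  openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
    | sed -n 's/^[[:space:]]*O=//p'
}

# check_org FILE EXPECTED: exit 0 if the cert's organization is EXPECTED, else 1
check_org() {
  [ "$(cert_org "$1")" = "$2" ]
}

make_ca "$WORK"
# The subject the Kubernetes docs specify for this certificate
make_client_cert "$WORK" kube-apiserver-kubelet-client system:masters
# The old subject that produced the nodes/proxy Forbidden error
make_client_cert "$WORK" kubernetes Kubernetes

echo "new cert O=$(cert_org "$WORK/kube-apiserver-kubelet-client.crt")"
echo "old cert O=$(cert_org "$WORK/kubernetes.crt")"
```

To confirm the authorization side on a live cluster, `kubectl auth can-i get nodes --subresource=proxy --as=kube-apiserver-kubelet-client --as-group=system:masters` should answer yes, while the same query with `--as=kubernetes --as-group=Kubernetes` answers no unless a ClusterRoleBinding for that group has been added by hand.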
I think the problem is the other way around, e.g. kube-apiserver fails to connect to kubelet to establish the proxy session that's needed for the logs.
I will investigate further to see what happened in my case. Thanks for the feedback!
Great job on the ansible roles.