Add service account to Kubernetes

Bug #1646489 reported by Bertrand NOEL
Affects: Magnum
Status: Fix Released
Importance: Undecided
Assigned to: Mathieu Velten
Milestone: (none)

Bug Description

Some pods deployed in a Kubernetes cluster may need to access its API. For example, Kubernetes' new dashboard, or Prometheus. The usual way is to have a service account, and make the client use a token [1]. In Kubernetes it is done by creating a Secret, and exposing it to the pod at this path: "/var/run/secrets/kubernetes.io/serviceaccount/token" [1].
To have that, Kubernetes needs to enable the ServiceAccount plug-in in the list of Admission Controllers [2][3]. The ServiceAccount plug-in is in the recommended set of plug-ins to use [3].

[1] http://kubernetes.io/docs/user-guide/accessing-the-cluster/#accessing-the-api-from-a-pod
[2] http://kubernetes.io/docs/admin/admission-controllers/
[3] http://kubernetes.io/docs/admin/admission-controllers/#is-there-a-recommended-set-of-plug-ins-to-use
[4] https://github.com/prometheus/prometheus/blob/master/documentation/examples/prometheus-kubernetes.yml#L40 Example, Prometheus expecting a token at path /var/run/secrets/kubernetes.io/serviceaccount/token
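
The in-pod client side of what the report describes, as an added example that is not part of the bug report or of Magnum: it reads the token the ServiceAccount admission plug-in mounts at /var/run/secrets/kubernetes.io/serviceaccount, fails with a clear error when the volume is absent (the symptom a Prometheus or dashboard pod sees on a cluster without the plug-in), and builds a bearer-token request against the in-cluster API endpoint. The KUBERNETES_SERVICE_HOST/PORT variables and the token, ca.crt and namespace file names are the standard Kubernetes ones; the demo directory and its token value are constructed for offline use.

```python
import os
import ssl
import tempfile
import urllib.request

# Standard mount point of the service account secret (the path quoted in the bug report).
SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


class ServiceAccountNotMounted(RuntimeError):
    """The token volume is absent or empty: this is what a pod sees when the
    ServiceAccount admission plug-in is not enabled on the API server."""


def load_service_account(sa_dir=SA_DIR):
    """Return (token, ca_path_or_None, namespace) from the mounted secret volume."""
    token_path = os.path.join(sa_dir, "token")
    if not os.path.isfile(token_path):
        raise ServiceAccountNotMounted(
            f"{token_path} is missing; the ServiceAccount admission controller "
            "did not inject a token volume into this pod")
    with open(token_path) as f:
        token = f.read().strip()
    if not token:
        raise ServiceAccountNotMounted(f"{token_path} is empty")
    ca_path = os.path.join(sa_dir, "ca.crt")
    ns_path = os.path.join(sa_dir, "namespace")
    namespace = "default"
    if os.path.isfile(ns_path):
        with open(ns_path) as f:
            namespace = f.read().strip() or "default"
    return token, (ca_path if os.path.isfile(ca_path) else None), namespace


def build_api_request(path, token, env=None):
    """Build a bearer-token request for the in-cluster API endpoint.

    KUBERNETES_SERVICE_HOST/PORT are set by Kubernetes in every pod; the token
    travels in the Authorization header, never in the URL (URLs end up in logs).
    """
    env = os.environ if env is None else env
    host = env.get("KUBERNETES_SERVICE_HOST")
    if not host:
        raise RuntimeError("KUBERNETES_SERVICE_HOST is not set; not running in a pod?")
    port = env.get("KUBERNETES_SERVICE_PORT", "443")
    req = urllib.request.Request(f"https://{host}:{port}{path}")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Accept", "application/json")
    return req


def api_get(path, sa_dir=SA_DIR):
    """GET a path on the API server, verifying its certificate with the mounted CA."""
    token, ca_path, _ = load_service_account(sa_dir)
    ctx = ssl.create_default_context(cafile=ca_path)  # ca_path None -> system CA store
    with urllib.request.urlopen(build_api_request(path, token), context=ctx, timeout=10) as resp:
        return resp.read().decode()


def make_demo_dir(token="constructed-demo-token", namespace="monitoring"):
    """Create a constructed copy of the secret volume layout for offline testing."""
    d = tempfile.mkdtemp(prefix="sa-demo-")
    with open(os.path.join(d, "token"), "w") as f:
        f.write(token + "\n")
    with open(os.path.join(d, "namespace"), "w") as f:
        f.write(namespace)
    return d


if __name__ == "__main__":
    demo = make_demo_dir()
    tok, ca, ns = load_service_account(demo)
    req = build_api_request(f"/api/v1/namespaces/{ns}/pods", tok,
                            env={"KUBERNETES_SERVICE_HOST": "10.254.0.1"})
    print(req.full_url, req.get_header("Authorization"))
    try:
        load_service_account(demo + "/does-not-exist")
    except ServiceAccountNotMounted as e:
        print("expected failure:", e)
```

Inside a real pod, `api_get("/api/v1/namespaces/" + ns + "/pods")` is the whole call; the explicit `ServiceAccountNotMounted` error is the check worth keeping in any client, because the alternative is an opaque 401 from the API server.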

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (master)

Fix proposed to branch: master
Review: https://review.openstack.org/405374

Changed in magnum:
assignee: nobody → Bertrand NOEL (bertrand-noel-88)
status: New → In Progress
Changed in magnum:
assignee: Bertrand NOEL (bertrand-noel-88) → Mathieu Velten (matmaul)
Changed in magnum:
assignee: Mathieu Velten (matmaul) → Spyros Trigazis (strigazi)
Changed in magnum:
assignee: Spyros Trigazis (strigazi) → Mathieu Velten (matmaul)
Revision history for this message
Spyros Trigazis (strigazi) wrote :

We need the following argument in the controller manager:

--service-account-private-key-file=/etc/kubernetes/ssl/kube-serviceaccount.key

Source: https://github.com/kubernetes/kubernetes/issues/29549
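
A control-plane consistency check for the two halves of this fix, as an added example that is not part of the bug thread or of Magnum: the apiserver must list ServiceAccount in its admission plug-ins so pods get a token volume, and the controller manager must have a signing key (`--service-account-private-key-file`) that belongs to the key pair the apiserver verifies with (`--service-account-key-file`, which falls back to `--tls-private-key-file` when unset). The flag names are the kube-apiserver and kube-controller-manager flags of that Kubernetes generation (`--admission-control` was later replaced by `--enable-admission-plugins`); the command lines are constructed samples.

```python
import shlex


def parse_flags(cmdline):
    """Map --flag=value arguments of a command line to a dict (bare flags map to True)."""
    flags = {}
    for arg in shlex.split(cmdline)[1:]:
        if not arg.startswith("--"):
            continue
        name, sep, value = arg[2:].partition("=")
        flags[name] = value if sep else True
    return flags


def admission_plugins(apiserver_flags):
    """Return the admission plug-in list enabled on kube-apiserver (--admission-control)."""
    raw = apiserver_flags.get("admission-control")
    if not isinstance(raw, str):
        return []
    return [p.strip() for p in raw.split(",") if p.strip()]


def check_service_account_setup(apiserver_cmd, controller_manager_cmd):
    """Return a list of findings; an empty list means tokens will be signed, verified and mounted."""
    api = parse_flags(apiserver_cmd)
    cm = parse_flags(controller_manager_cmd)
    findings = []

    if "ServiceAccount" not in admission_plugins(api):
        findings.append("kube-apiserver: ServiceAccount missing from --admission-control; "
                        "pods get no token volume at /var/run/secrets/kubernetes.io/serviceaccount")

    signing_key = cm.get("service-account-private-key-file")
    if not isinstance(signing_key, str) or not signing_key:
        findings.append("kube-controller-manager: --service-account-private-key-file unset; "
                        "the token controller cannot sign service account tokens")

    # The apiserver verifies tokens with --service-account-key-file and falls back to
    # --tls-private-key-file; whichever applies must match the controller manager's key
    # pair, otherwise every mounted token is rejected as unauthorized.
    verify_key = api.get("service-account-key-file") or api.get("tls-private-key-file")
    if not isinstance(verify_key, str) or not verify_key:
        findings.append("kube-apiserver: neither --service-account-key-file nor "
                        "--tls-private-key-file set; tokens cannot be verified")
    elif isinstance(signing_key, str) and signing_key and verify_key != signing_key:
        findings.append(f"key pair check needed: apiserver verifies with {verify_key}, "
                        f"controller manager signs with {signing_key}; these must belong "
                        "to the same key pair (a public key on the apiserver side is fine)")
    return findings


# Constructed command lines (not taken from a real deployment).
GOOD_APISERVER = ("kube-apiserver --admission-control=NamespaceLifecycle,LimitRanger,"
                  "ServiceAccount,ResourceQuota "
                  "--service-account-key-file=/etc/kubernetes/ssl/kube-serviceaccount.key")
GOOD_CM = ("kube-controller-manager "
           "--service-account-private-key-file=/etc/kubernetes/ssl/kube-serviceaccount.key")
BAD_APISERVER = "kube-apiserver --admission-control=NamespaceLifecycle,LimitRanger"
BAD_CM = "kube-controller-manager --leader-elect"

if __name__ == "__main__":
    for label, a, c in (("good", GOOD_APISERVER, GOOD_CM), ("bad", BAD_APISERVER, BAD_CM)):
        print(label, check_service_account_setup(a, c) or "OK")
```

On a running node the two command lines come from `ps` output or the unit files; the check reports the three ways a pod ends up without a usable token (no admission plug-in, no signing key, no verification key) and flags a differing path pair for manual confirmation rather than asserting a mismatch, since a public-key file on the apiserver side is legitimate.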

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (master)

Reviewed: https://review.openstack.org/405374
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=1f3b0500b7de384a6d1cacc39affdf716f0b0679
Submitter: Jenkins
Branch: master

commit 1f3b0500b7de384a6d1cacc39affdf716f0b0679
Author: Bertrand NOEL <email address hidden>
Date: Thu Dec 1 14:23:42 2016 +0100

    K8S: Allows to specify admission control plugins to enable

    If nothing is specified a set of recommended default plugins is used,
    which includes the ServiceAccount one.

    Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
    Closes-Bug: #1646489

Changed in magnum:
status: In Progress → Fix Released
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 4.1.0

This issue was fixed in the openstack/magnum 4.1.0 release.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to magnum (stable/newton)

Fix proposed to branch: stable/newton
Review: https://review.openstack.org/483940

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to magnum (stable/newton)

Reviewed: https://review.openstack.org/483940
Committed: https://git.openstack.org/cgit/openstack/magnum/commit/?id=98f4ae9942ee55c1e7454bb257f21d935c403cb2
Submitter: Jenkins
Branch: stable/newton

commit 98f4ae9942ee55c1e7454bb257f21d935c403cb2
Author: Bertrand NOEL <email address hidden>
Date: Thu Dec 1 14:23:42 2016 +0100

    K8S: Allows to specify admission control plugins to enable

    If nothing is specified a set of recommended default plugins is used,
    which includes the ServiceAccount one.

    Change-Id: I1383aae09ba68f8e83b07e3eaae40ab071f7be94
    Closes-Bug: #1646489
    (cherry picked from commit 1f3b0500b7de384a6d1cacc39affdf716f0b0679)

tags: added: in-stable-newton
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix included in openstack/magnum 3.3.0

This issue was fixed in the openstack/magnum 3.3.0 release.
