Not able to create TLS_DISABLED k8s cluster

If we mount /var/run/kubernetes does it work? I mean if it can write in /var/run/kubernetes

Haven't tried this, will try and update.

We can try to pass this parameter to the apiserver --cert-dir
when tls-disbled.

from the docs [1]:

      --cert-dir string The directory where the TLS certs
                               are located. If --tls-cert-file and
                               --tls-private-key-file are provided,
                               this flag will be ignored. (default
                               "/var/run/kubernetes")

with /etc/kubernetes/certs/ (make sure that the dir exists in the non-tls case)

[1] https://kubernetes.io/docs/admin/kube-apiserver/

It doesn't work, we need to have a writable directory for the kubernetes-apiserver system container OR create certs for the apiserver. I'll open an issue in atomic-system-containers

https://github.com/projectatomic/atomic-system-containers/issues/133

Hi, Spyros, how we fix this in magnum ourselves?

In the v1.7.7 container images the problem is fixed (in pike). I'm not sure how useful is a non tls cluster though. With RBAC enabled it can not work. AFAIK there is no option for RBAC enabled clusters to work without tls. If there is a requirement to have non-tls cluster we can do the following separation.

Generate certs and enable rbac and expose the api at 6443 with tls, AND expose the api at 8080 as well.

In any case you need the fixed images with 1.7.7 or higher to have the proper mounts and permissions.

I am still experiencing this issue with the latest Fedora Atomic (Fedora-Atomic-27-20180326.1.x86_64.qcow2 as of this writing) on Queens. Do I need to build my own atomic image with disk image-builder for this to work?