kubeadm command can use wrong config file

Bug #1882678 reported by Bart Wensley
This bug affects 1 person

Affects: StarlingX
Status: Fix Released
Importance: High
Assigned to: Andy

Bug Description

Brief Description
-----------------
Our software uses the kubeadm command to install, manage and upgrade kubernetes. However, it is not passing the --kubeconfig parameter to this command, so the command will search for the kubeconfig file. Normally it finds this file in /etc/kubernetes/admin.conf, but if a user accidentally (or intentionally) creates a config file at /root/.kube/config, this file can take precedence and cause the kubeadm command to fail.

Changes will be required in the ansible, config and stx-puppet repos - anywhere the kubeadm command is used. Note that some kubeadm commands (e.g. kubeadm init and kubeadm join) do not use the --kubeconfig parameter because they actually create this file.

Severity
--------
Major: the user should not be creating these extra files, but if they do, basic system functionality (e.g. locking/unlocking hosts) is broken.

Steps to Reproduce
------------------
Create an invalid kubeconfig file at /root/.kube/config. This can be done as the sysadmin user by running "sudo kubectl config set-context ..." and "sudo kubectl config use-context ..." commands.

Expected Behavior
------------------
The system should always use the /etc/kubernetes/admin.conf file for kubeadm commands.

Actual Behavior
----------------
See above

Reproducibility
---------------
Reproducible

System Configuration
--------------------
All

Branch/Pull Time/Commit
-----------------------
StarlingX Master - this is a day one issue.

Last Pass
---------
Never

Timestamp/Logs
--------------
N/A

Test Activity
-------------
Evaluation

Workaround
----------
Delete the extra kubeconfig file.
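
As an added example (not part of the original report and not code from the StarlingX repos), a heuristic check that scans automation text for kubeadm invocations that do not pin --kubeconfig, exempting init and join as the description notes. The function names and the sample lines are constructed for illustration.

```python
import re
# Subcommands the bug report exempts: they create the kubeconfig themselves.
EXEMPT = {"init", "join"}
KUBEADM = re.compile(r"\bkubeadm\s+(.*)")
PINNED = re.compile(r"--kubeconfig(?:=|\s+)\S")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations merged."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if buf:  # file ended on a continuation line
        yield start, buf

def unpinned_kubeadm(text):
    """Return [(line_no, subcommand)] for kubeadm calls lacking --kubeconfig."""
    findings = []
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        # Turn list/quoted forms (['kubeadm', 'token']) into plain words.
        flat = re.sub(r"[\"',\[\]]", " ", line)
        m = KUBEADM.search(flat)
        if not m or PINNED.search(m.group(1)):
            continue
        # First non-flag word after "kubeadm" is the subcommand.
        sub = next((w for w in m.group(1).split() if not w.startswith("-")), "")
        if sub not in EXEMPT:
            findings.append((no, sub))
    return findings

SAMPLE = r'''# constructed sample (Ansible, Puppet, Python styles), not StarlingX code
- command: kubeadm init --config=/etc/kubernetes/kubeadm.yaml
- command: kubeadm token create --print-join-command
- shell: >-
    kubeadm token list --kubeconfig=/etc/kubernetes/admin.conf
exec { 'upgrade': command => "kubeadm upgrade apply v1.18.1 -y" }
cmd = ['kubeadm', 'token', 'create']
- shell: kubeadm token list \
    --kubeconfig /etc/kubernetes/admin.conf
'''

if __name__ == "__main__":
    for no, sub in unpinned_kubeadm(SAMPLE):
        print(f"line {no}: 'kubeadm {sub}' has no explicit --kubeconfig")
```

The match is text-based, so a hit is a prompt for manual review rather than proof that the call resolves the wrong file.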

tags: added: stx.containers
description: updated
Ghada Khalil (gkhalil)
tags: added: stx.4.0
Ghada Khalil (gkhalil)
Changed in starlingx:
importance: Undecided → High
status: New → Triaged
Ghada Khalil (gkhalil) wrote :

stx.4.0 / high priority - this can leave the system non-operational

Changed in starlingx:
assignee: nobody → Andy (andy.wrs)
Ghada Khalil (gkhalil)
Changed in starlingx:
status: Triaged → In Progress
OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (master)

Fix proposed to branch: master
Review: https://review.opendev.org/735214

OpenStack Infra (hudson-openstack) wrote : Fix proposed to config (master)

Fix proposed to branch: master
Review: https://review.opendev.org/735215

OpenStack Infra (hudson-openstack) wrote : Fix proposed to ansible-playbooks (master)

Fix proposed to branch: master
Review: https://review.opendev.org/735216

OpenStack Infra (hudson-openstack) wrote : Fix merged to ansible-playbooks (master)

Reviewed: https://review.opendev.org/735216
Committed: https://git.openstack.org/cgit/starlingx/ansible-playbooks/commit/?id=01819d5090bc8da039533dd0ac915b35cc489db1
Submitter: Zuul
Branch: master

commit 01819d5090bc8da039533dd0ac915b35cc489db1
Author: Andy Ning <email address hidden>
Date: Thu Jun 11 09:19:41 2020 -0400

    Run kubeadm command with specific configuration file

    Playbook uses the kubeadm command to deploy kubernetes. However,
    it is not passing the --kubeconfig parameter to this command, so
    the command will search for the kubeconfig file. Normally it finds
    this file in /etc/kubernetes/admin.conf, but if a user accidentally
    (or intentionally) creates a config file at /root/.kube/config,
    this file can take precedence and cause the kubeadm command to fail.

    This commit updated the command with /etc/kubernetes/admin.conf as its
    configuration file explicitly.

    Change-Id: Id97a7c25cd6f0a0b3cc31276dd77c193fcbdefc6
    Closes-Bug: 1882678
    Signed-off-by: Andy Ning <email address hidden>

Changed in starlingx:
status: In Progress → Fix Released
OpenStack Infra (hudson-openstack) wrote : Fix merged to stx-puppet (master)

Reviewed: https://review.opendev.org/735214
Committed: https://git.openstack.org/cgit/starlingx/stx-puppet/commit/?id=6f23a813a3f5447a88e2058f12f022f044f82c08
Submitter: Zuul
Branch: master

commit 6f23a813a3f5447a88e2058f12f022f044f82c08
Author: Andy Ning <email address hidden>
Date: Thu Jun 11 09:44:21 2020 -0400

    Run kubeadm command with specific configuration file

    Puppet manifests use the kubeadm command during initializing
    kubernetes nodes. However, it is not passing the --kubeconfig
    parameter to this command, so the command will search for the
    kubeconfig file. Normally it finds this file in
    /etc/kubernetes/admin.conf, but if a user accidentally (or
    intentionally) creates a config file at /root/.kube/config, this
    file can take precedence and cause the kubeadm command to fail.

    This commit updated the command with /etc/kubernetes/admin.conf as
    its configuration file explicitly.

    Change-Id: I2942fa4a275145cc3a1b6c6fdb0f3827a244f1bb
    Closes-Bug: 1882678
    Signed-off-by: Andy Ning <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix merged to config (master)

Reviewed: https://review.opendev.org/735215
Committed: https://git.openstack.org/cgit/starlingx/config/commit/?id=78974f643ab6bd65046385a774a3ee6f7313da15
Submitter: Zuul
Branch: master

commit 78974f643ab6bd65046385a774a3ee6f7313da15
Author: Andy Ning <email address hidden>
Date: Thu Jun 11 09:35:46 2020 -0400

    Run kubeadm command with specific configuration file

    sysinv uses the kubeadm command to generate kubeadm join command.
    However, it is not passing the --kubeconfig parameter to this command,
    so the command will search for the kubeconfig file. Normally it finds
    this file in /etc/kubernetes/admin.conf, but if a user accidentally
    (or intentionally) creates a config file at /root/.kube/config,
    this file can take precedence and cause the kubeadm command to fail.

    This commit updated the command with /etc/kubernetes/admin.conf as its
    configuration file explicitly.

    Change-Id: I4fb6d6325ca2cd8c7ab28c0acb0efdf6b1fea45b
    Closes-Bug: 1882678
    Signed-off-by: Andy Ning <email address hidden>

OpenStack Infra (hudson-openstack) wrote : Fix proposed to stx-puppet (f/centos8)

Fix proposed to branch: f/centos8
Review: https://review.opendev.org/762919
