I'm trying to add --admission-control=ServiceAccount to the kube-apiserver call so that I can host https connections from kubernetes-ui and the apiserver. This is what I'm getting in the controller manager.
Mar 25 18:39:51 master kube-controller-manager[1388]: I0325 18:39:51.425556 1388 event.go:211] Event(api.ObjectReference{Kind:"ReplicaSet", Namespace:"default", Name:"nginx4-3088538572", UID:"aefae1a6-f2b8-11e5-8269-0401bd450a01", APIVersion:"extensions", ResourceVersion:"252", FieldPath:""}): type: 'Warning' reason: 'FailedCreate' Error creating: pods "nginx4-3088538572-" is forbidden: no API token found for service account default/default, retry after the token is automatically created and added to the service account
Right now my default service account looks like this
cesco@desktop: ~/code/go/src/bitbucket.org/cescoferraro/cluster/terraform on master [+!?]
$ kubectl get serviceaccount default -o wide
NAME SECRETS AGE
default 0 2m
cesco@desktop: ~/code/go/src/bitbucket.org/cescoferraro/cluster/terraform on master [+!?]
$ kubectl get serviceaccount default -o json
{
  "kind": "ServiceAccount",
  "apiVersion": "v1",
  "metadata": {
    "name": "default",
    "namespace": "default",
    "selfLink": "/api/v1/namespaces/default/serviceaccounts/default",
    "uid": "eaa3c6e1-f2cd-11e5-973f-0401bd52ec01",
    "resourceVersion": "30",
    "creationTimestamp": "2016-03-25T21:09:52Z"
  }
}
I'm using tokens to authenticate to kubernetes, and the whole cluster runs over https.
Controller manager
ExecStart=/opt/bin/kube-controller-manager \
--address=0.0.0.0 \
--root-ca-file=/home/core/ssl/ca.pem \
--service-account-private-key-file=/home/core/ssl/kube-key.pem \
--master=https://${COREOS_PRIVATE_IPV4}:6443 \
--logtostderr=true \
--kubeconfig=/home/core/.kube/config \
--cluster-cidr=10.132.0.0/16 \
--register-retry-count 100
API server
ExecStart=/opt/bin/kube-apiserver \
--admission-control=NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota \
--logtostderr=true \
--insecure-bind-address=${MASTER_PRIVATE} \
--insecure-port=8080 \
--bind-address=0.0.0.0 \
--secure-port=6443 \
--runtime-config=api/v1 \
--allow-privileged=true \
--service-cluster-ip-range=10.100.0.0/16 \
--advertise-address=${MASTER_PUBLIC} \
--token-auth-file=/data/kubernetes/token.csv \
--etcd-cafile=/home/core/ssl/ca.pem \
--etcd-certfile=/home/core/ssl/etcd1.pem \
--etcd-keyfile=/home/core/ssl/etcd1-key.pem \
--etcd-servers=https://${MASTER_PRIVATE}:2379,https://${DATABASE_PRIVATE}:2379 \
--cert-dir=/home/core/ssl \
--client-ca-file=/home/core/ssl/ca.pem \
--tls-cert-file=/home/core/ssl/kubelet.pem \
--tls-private-key-file=/home/core/ssl/kubelet-key.pem \
--kubelet-certificate-authority=/home/core/ssl/ca.pem \
--kubelet-client-certificate=/home/core/ssl/kubelet.pem \
--kubelet-client-key=/home/core/ssl/kubelet-key.pem \
--kubelet-https=true
.kube/config
ExecStart=/opt/bin/kubectl config set-cluster CLUSTER \
--server=https://${MASTER_PRIVATE}:6443 \
--certificate-authority=/home/core/ssl/ca.pem
ExecStart=/opt/bin/kubectl config set-credentials admin \
--token=elezxaMiqXVcXXU7lRYZ4akrlAtxY5Za \
--certificate-authority=/home/core/ssl/ca.pem \
--client-key=/home/core/ssl/kubelet-key.pem \
--client-certificate=/home/core/ssl/kubelet.pem
ExecStart=/opt/bin/kubectl config set-context default-system \
--cluster=CLUSTER \
--user=admin
ExecStart=/opt/bin/kubectl config use-context default-system
Update 1
Following @Jordan Liggitt's answer, I added --service-account-key-file=/home/core/ssl/kubelet-key.pem to the apiserver call, but now I'm getting
Mar 26 11:19:30 master kube-apiserver[1874]: F0326 11:19:30.556591 1874 server.go:410] Invalid Authentication Config: asn1: structure error: tags don't match (16 vs {class:0 tag:2 length:1 isCompound:false}) {optional:false explicit:false application:false defaultValue:<nil> tag:<nil> stringType:0 set:false omitEmpty:false} tbsCertificate @2
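Two files govern service account tokens here: the controller-manager's --service-account-private-key-file (kube-key.pem above) signs them, and the apiserver's --service-account-key-file must hold the matching public key or a certificate, not a private key, which is why handing it a private key produces the Update 1 error (the certificate parser expects a SEQUENCE, tag 16, for tbsCertificate but finds the INTEGER, tag 2, that opens a PKCS#1 private key). The Go check below is an added example, not code from the question or from Kubernetes: it validates a PEM file against that requirement and confirms that the signing and verifying keys form one RSA pair. newConstructedPair is a constructed throwaway key standing in for kube-key.pem.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// verifyingKey accepts what --service-account-key-file must hold: a PEM PKIX public key or an X.509 certificate.
func verifyingKey(data []byte) (interface{}, error) {
	block, _ := pem.Decode(data)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found")
	}
	if pub, err := x509.ParsePKIXPublicKey(block.Bytes); err == nil {
		return pub, nil
	}
	cert, err := x509.ParseCertificate(block.Bytes) // a private key fails here with the asn1 "tbsCertificate" tag mismatch
	if err != nil {
		return nil, fmt.Errorf("%q block is neither a public key nor a certificate: %v", block.Type, err)
	}
	return cert.PublicKey, nil
}

// keyPairMatches reports whether the controller-manager's signing key and the apiserver's verifying key are one RSA pair.
func keyPairMatches(privPEM, pubPEM []byte) (bool, error) {
	block, _ := pem.Decode(privPEM)
	if block == nil {
		return false, fmt.Errorf("no PEM block in private key file")
	}
	priv, err := x509.ParsePKCS1PrivateKey(block.Bytes)
	if err != nil {
		return false, fmt.Errorf("private key: %v", err)
	}
	pub, err := verifyingKey(pubPEM)
	if err != nil {
		return false, err
	}
	return priv.PublicKey.Equal(pub), nil // false means tokens signed by one side would never verify at the other
}

func newConstructedPair() (privPEM, pubPEM []byte) {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed throwaway pair standing in for kube-key.pem, not the cluster's key
	privPEM = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv)})
	der, _ := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	pubPEM = pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
	return privPEM, pubPEM
}
```

Running keyPairMatches against the real kube-key.pem and the file given to --service-account-key-file tells you both whether the second file is the right kind and whether the two belong together.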