[ovs-discuss] ***SPAM*** Re: kubernetes - kubeadm problem with watcher

Sébastien Bernard sbernard at nerim.net
Thu Nov 16 17:26:27 UTC 2017


On 16/11/2017 13:08, Guru Shetty wrote:
>
>
> On 16 November 2017 at 01:56, Sébastien Bernard <sbernard at nerim.net> wrote:
>
>     Ok,
>
>     I got to reproduce the error I had yesterday.
>
>     Here's the path :
>
>       1- one vm with centos 7
>
>       2- install kubeadm v1.8.3
>
>       3- kubeadm init
>
>       4- install openvswitch (v2.8.1)
>
>       5- follow the instruction of set-master.sh
>
>       6- ln -s /etc/kubernetes/pki/ca.crt /etc/openvswitch/k8s-ca.crt
>
>       7- cp etc/ovn-k8s.conf /etc/openvswitch /
>
>       8- try to start ovn-k8s-watcher and watch it fail. See the log
>     below. Seems the watcher really needs a kubeconfig file to use.
>
>         cmdline :
>
>         ovn-k8s-watcher --overlay --pidfile --log-file -vfile:info
>     -vconsole:emer
>
>     kubeadm init sets RBAC by default. It seems the watcher is not able
>     to provide authentication.
>
>
> You are right. I will work on a fix.
>
ovn-k8s-watcher is able to look for a token in the external_ids.

In get_api_params:

     k8s_api_token = ovs_vsctl("--if-exists", "get", "Open_vSwitch", ".",
                               "external_ids:k8s-api-token").strip('"')

And then in the stream_api function:

     if api_token:
         headers['Authorization'] = 'Bearer %s' % api_token

So, it should be missing a few configuration parameters (a Role, a 
serviceaccount, and a RoleBinding).

I'll figure out something from flannel-rbac.yaml. It shouldn't be too 
different.


Seb
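
Added example, not part of the original message and not the ovn-kubernetes code: a debugging aid that mirrors the token lookup and Bearer header quoted above, then decodes the token's JWT claims to show which service account it belongs to before any Role or RoleBinding is written for it. The run_vsctl callable, the "ovn-watcher" account name and the sample token are assumptions constructed for illustration.

```python
import base64
import json

def read_api_token(run_vsctl):
    """Mirror the lookup quoted above. run_vsctl is a hypothetical callable
    standing in for the watcher's ovs_vsctl helper."""
    out = run_vsctl("--if-exists", "get", "Open_vSwitch", ".",
                    "external_ids:k8s-api-token")
    return out.strip().strip('"')

def build_headers(api_token):
    """No token means no Authorization header: the request is anonymous,
    which an RBAC-enabled API server will not authorize."""
    headers = {}
    if api_token:
        headers['Authorization'] = 'Bearer %s' % api_token
    return headers

def token_subject(api_token):
    """Return (namespace, serviceaccount) from a service-account JWT's claims.
    The signature is NOT verified; this is a debugging aid only."""
    parts = api_token.split('.')
    if len(parts) != 3:
        return None  # not a JWT, e.g. a static token
    payload = parts[1] + '=' * (-len(parts[1]) % 4)  # restore padding
    try:
        claims = json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, TypeError):
        return None
    if not isinstance(claims, dict):
        return None
    return (claims.get('kubernetes.io/serviceaccount/namespace'),
            claims.get('kubernetes.io/serviceaccount/service-account.name'))

def _b64(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b'=').decode()

# Constructed sample token (fake signature, hypothetical account "ovn-watcher").
SAMPLE_TOKEN = '.'.join([
    _b64({'alg': 'RS256', 'typ': 'JWT'}),
    _b64({'iss': 'kubernetes/serviceaccount',
          'kubernetes.io/serviceaccount/namespace': 'kube-system',
          'kubernetes.io/serviceaccount/service-account.name': 'ovn-watcher'}),
    'c2lnbmF0dXJl',
])

if __name__ == '__main__':
    token = read_api_token(lambda *args: '"%s"\n' % SAMPLE_TOKEN)
    print(sorted(build_headers(token)), token_subject(token))
```

An empty result from the lookup yields no Authorization header at all, which is the unauthenticated case the thread describes under kubeadm's default RBAC.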
