[ovs-discuss] ***SPAM*** Re: kubernetes - kubeadm problem with watcher
Sébastien Bernard
sbernard at nerim.net
Thu Nov 16 17:26:27 UTC 2017
On 16/11/2017 13:08, Guru Shetty wrote:
>
>
> On 16 November 2017 at 01:56, Sébastien Bernard <sbernard at nerim.net> wrote:
>
> Ok,
>
> I got to reproduce the error I had yesterday.
>
> Here's the path :
>
> 1- one vm with centos 7
>
> 2- install kubeadm v1.8.3
>
> 3- kubeadm init
>
> 4- install openvswitch (v2.8.1)
>
> 5- follow the instruction of set-master.sh
>
> 6- ln -s /etc/kubernetes/pki/ca.crt /etc/openvswitch/k8s-ca.crt
>
> 7- cp etc/ovn-k8s.conf /etc/openvswitch/
>
> 8- try to start ovn-k8s-watcher and watch it fail. See the log
> below. Seems the watcher really needs a kubeconfig file to use.
>
> cmdline :
>
> ovn-k8s-watcher --overlay --pidfile --log-file -vfile:info -vconsole:emer
>
> kubeadm init sets RBAC by default. It seems the watcher is not able
> to provide authentication.
>
>
> You are right. I will work on a fix.
>
ovn-k8s-watcher is able to look for a token in the external_ids.
In get_api_params:

    k8s_api_token = ovs_vsctl("--if-exists", "get", "Open_vSwitch", ".",
                              "external_ids:k8s-api-token").strip('"')

And then in the stream_api function:

    if api_token:
        headers['Authorization'] = 'Bearer %s' % api_token

So, it should be missing a few configuration parameters (a Role, a
serviceaccount, and RoleBinding).
I'll figure out something from flannel-rbac.yaml. It shouldn't be too
different.
Seb
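
Added example, not part of the original message or of the ovn-kubernetes code: a preflight check that sends the same Bearer header the quoted stream_api lines build and tells a missing or invalid k8s-api-token (401) apart from a valid token that has no Role/RoleBinding (403). The stub server, its token names, the watch path and the probe/run_demo helpers are constructed for illustration; the stub treats a request without a token like one with an invalid token (anonymous auth assumed off).

```python
import http.client
import http.server
import threading

# Constructed stub data: token -> whether a RoleBinding grants the watch.
TOKENS = {"sa-token-bound": True, "sa-token-unbound": False}

class StubAPI(http.server.BaseHTTPRequestHandler):
    # Stand-in for the API server: authenticate first, then authorize.
    def do_GET(self):
        auth = self.headers.get("Authorization", "")
        token = auth[len("Bearer "):] if auth.startswith("Bearer ") else None
        if token not in TOKENS:
            code = 401  # authentication failed: no token or unknown token
        else:
            code = 200 if TOKENS[token] else 403  # 403: no RoleBinding
        self.send_response(code)
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):
        pass  # keep the demo output quiet

def build_headers(api_token):
    # Same header construction as the stream_api lines quoted above.
    headers = {}
    if api_token:
        headers['Authorization'] = 'Bearer %s' % api_token
    return headers

def probe(port, api_token):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/api/v1/pods?watch=true",
                 headers=build_headers(api_token))
    status = conn.getresponse().status
    conn.close()
    return {200: "ok",
            401: "unauthenticated: k8s-api-token missing or invalid",
            403: "forbidden: token accepted, Role/RoleBinding missing",
            }.get(status, "unexpected status %d" % status)

def run_demo():
    server = http.server.HTTPServer(("127.0.0.1", 0), StubAPI)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return [probe(server.server_port, t)
                for t in ("", "sa-token-unbound", "sa-token-bound")]
    finally:
        server.shutdown()
        server.server_close()

if __name__ == "__main__":
    print("\n".join(run_demo()))
```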