when starting the CCM with only the --use-service-account-credentials=true
flag set for credentials it does not appear to accept the service account from the deployment for the kubeconfig.
for example, we are starting the CCM with this manifest:
kind: Deployment
apiVersion: apps/v1
metadata:
labels:
app: alibaba-cloud-controller-manager
name: alibaba-cloud-controller-manager
namespace: openshift-cloud-controller-manager
spec:
replicas: 2
selector:
matchLabels:
app: alibaba-cloud-controller-manager
template:
metadata:
labels:
app: alibaba-cloud-controller-manager
spec:
hostNetwork: true
serviceAccountName: cloud-controller-manager
priorityClassName: system-cluster-critical
nodeSelector:
node-role.kubernetes.io/master: ""
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- topologyKey: "kubernetes.io/hostname"
labelSelector:
matchLabels:
app: alibaba-cloud-controller-manager
tolerations:
- effect: NoSchedule
key: node-role.kubernetes.io/master
operator: Exists
- effect: NoExecute
key: node.kubernetes.io/unreachable
operator: Exists
tolerationSeconds: 120
- effect: NoExecute
key: node.kubernetes.io/not-ready
operator: Exists
tolerationSeconds: 120
- effect: NoSchedule
key: node.cloudprovider.kubernetes.io/uninitialized
operator: Exists
- effect: NoSchedule
key: node.kubernetes.io/not-ready
operator: Exists
containers:
- command:
- /bin/sh
- -c
- |
#!/bin/sh
set -o allexport
if [[ -f /etc/kubernetes/apiserver-url.env ]]; then
source /etc/kubernetes/apiserver-url.env
fi
exec /cloud-controller-manager \
--address=127.0.0.1 \
--allow-untagged-cloud=true \
--leader-elect=true \
--leader-elect-lease-duration=137s \
--leader-elect-renew-deadline=107s \
--leader-elect-retry-period=26s \
--leader-elect-resource-namespace=openshift-cloud-controller-manager \
--cloud-provider=alicloud \
--use-service-account-credentials=true \
--cloud-config=/etc/kubernetes/config/cloud-config.conf \
--feature-gates=ServiceNodeExclusion=true \
--configure-cloud-routes=false \
--allocate-node-cidrs=false
image: quay.io/openshift/origin-alibaba-cloud-controller-manager
livenessProbe:
failureThreshold: 8
httpGet:
host: 127.0.0.1
path: /healthz
port: 10258
scheme: HTTP
initialDelaySeconds: 15
timeoutSeconds: 15
name: cloud-controller-manager
resources:
requests:
cpu: 200m
memory: 50Mi
volumeMounts:
- mountPath: /etc/kubernetes/
name: k8s
- name: cloud-config
mountPath: /etc/kubernetes/config
volumes:
- hostPath:
path: /etc/kubernetes
name: k8s
- name: cloud-config
configMap:
name: cloud-conf
items:
- key: cloud.conf
path: cloud-config.conf
of note are the following entries:
serviceAccountName: cloud-controller-manager
and
exec /cloud-controller-manager \
--address=127.0.0.1 \
--allow-untagged-cloud=true \
--leader-elect=true \
--leader-elect-lease-duration=137s \
--leader-elect-renew-deadline=107s \
--leader-elect-retry-period=26s \
--leader-elect-resource-namespace=openshift-cloud-controller-manager \
--cloud-provider=alicloud \
--use-service-account-credentials=true \
--cloud-config=/etc/kubernetes/config/cloud-config.conf \
--feature-gates=ServiceNodeExclusion=true \
--configure-cloud-routes=false \
--allocate-node-cidrs=false
the service account is setup using this manifest.
when we run the controller though, we see this in the output
E0916 19:34:13.733843 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Endpoints: endpoints is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list resource "endpoints" in API group "" at the cluster scope
E0916 19:34:18.256934 1 reflector.go:178] pkg/mod/k8s.io/[email protected]/tools/cache/reflector.go:125: Failed to list *v1.Node: nodes is forbidden: User "system:serviceaccount:kube-system:shared-informers" cannot list resource "nodes" in API group "" at the cluster scope
which appears to indicate that the system:serviceacount:kube-system:shared-informers
is being used for the kubeconfig user, instead of the expected cloud-controller-manager
.
i looked at the code around building a client, https://github.com/openshift/cloud-provider-alibaba-cloud/blob/master/cmd/cloudprovider/app/ccm.go#L120 and it appears that the client
function is using clientcmd.BuildConfigFromFlags(ccm.Master, ccm.Kubeconfig)
to build the kubeconfig, but does not fall back to check if the service account credentials will be used if there is no kubeconfig or master specified.
the BuildConfigFromFlags
function is used slightly differently in the client-go code (see https://github.com/kubernetes/cloud-provider/blob/master/options/options.go#L177), and in specific has a check to detect is the service account credentials should be used (see https://github.com/kubernetes/cloud-provider/blob/master/options/options.go#L197).
i think this may indicate that the client
function will need to also check this flag in cases where no kubeconfig or master is specified.