Login/Register
Restart Kubernetes API server with different options
Asked Answered
Solved authenticationkuberneteskubectlkubeadm
H

2

14

I'm pretty new to Kubernetes and clusters so this might be very simple.

I set up a Kubernetes cluster with 5 nodes using kubeadm following this guide. I got some issues but it all worked in the end. So now I want to install the Web UI (Dashboard). To do so I need to set up authentication:

Please note, this works only if the apiserver is set up to allow authentication with username and password. This is not currently the case with the some setup tools (e.g., kubeadm). Refer to the authentication admin documentation for information on how to configure authentication manually.

So I got to read authentication page of the documentation. And I decided I want to add authentication via a Static Password File. To do so I have to append the option --basic-auth-file=SOMEFILE to the Api server.

When I do ps -aux | grep kube-apiserver this is the result, so it is already running. (which makes sense because I use it when calling kubectl)

kube-apiserver 
  --insecure-bind-address=127.0.0.1
  --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota 
  --service-cluster-ip-range=10.96.0.0/12 
  --service-account-key-file=/etc/kubernetes/pki/apiserver-key.pem 
  --client-ca-file=/etc/kubernetes/pki/ca.pem 
  --tls-cert-file=/etc/kubernetes/pki/apiserver.pem 
  --tls-private-key-file=/etc/kubernetes/pki/apiserver-key.pem 
  --token-auth-file=/etc/kubernetes/pki/tokens.csv 
  --secure-port=6443 
  --allow-privileged 
  --advertise-address=192.168.1.137
  --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 
  --anonymous-auth=false 
  --etcd-servers=http://127.0.0.1:2379

Couple of questions I have:

  • So where are all these options set?
  • Can i just kill this process and restart it with the option I need?
  • Will it be started when I reboot the system?
Hyman answered 10/1, 2017 at 10:17 Comment(0)
H
10

in /etc/kubernetes/manifests is a file called kube-apiserver.json. This is a JSON file and contains all the option you can set. I've appended the --basic-auth-file=SOMEFILE and rebooted the system (right after the change of the file kubectl wasn't working anymore and the API was shutdown)

After a reboot the whole system was working again.

Update

I didn't manage to run the dashboard using this. What I did in the end was installing the dashboard on the cluster. copying the keys from the master node (/etc/kubernetes/admin.conf) to my laptop and did kubectl proxy to proxy the traffic of the dashboard to my local machine. Now I can access it on my laptop through 127.0.0.1:8001/ui

Hyman answered 10/1, 2017 at 11:26 Comment(4)
Hi Ravenix, after reboot did the --basic-auth-file=SOMEFILE changes worked for you? I did same but for me changes not worked.. While using kubectl from remote it is not validating password which i passed in --basic-auth-file=xx.csv file.Demography
@AnumanthaRaja: No, in the end what I did was installing the dashboard on the cluster. copying the keys from the master node (/etc/kubernetes/admin.conf) to my laptop and did kubectl proxy to proxy the traffic to the dashboard to my local machine. Now I can access it through 127.0.0.1:8001/uiHyman
@Hyman You saved me with this question, and your last comment here. I think editing the answer to add the kubectl proxy solution might help future googlers even more. Thanks again!Randellrandene
@Randellrandene thanks for the feedback, I've updated the answer.Hyman
G
3

I just found this for a similar use case and the API server was crashing after adding an Option with a file path.

I was able to solve it and maybe this helps others as well:

As described in https://kubernetes.io/docs/reference/setup-tools/kubeadm/implementation-details/#constants-and-well-known-values-and-paths the files in /etc/kubernetes/manifests are static pod definitions. Therefore container rules apply.

So if you add an option with a file path, make sure you make it available to the pod with a hostPath volume.

Gnat answered 5/6, 2020 at 20:52 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.