From fd9f3d6cec766f3fe76e39bdc5de1a0ad9825653 Mon Sep 17 00:00:00 2001
From: Phil Sphicas
Date: Wed, 31 Mar 2021 02:48:37 +0000
Subject: [PATCH] Stop using kube-apiserver insecure-port

The tiller container in the armada bootstrap pod relies on the insecure port that kube-apiserver once listened on by default. The kube-apiserver ability to serve on an insecure port, deprecated since v1.10, has been removed in v1.20. [0] This change updates the armada bootstrap pod to use the secure port instead.

0: https://github.com/kubernetes/kubernetes/pull/95856

Change-Id: I6a37fa4e7f97c7aaa3cd0f61b56214483a7dc217
---
 .../etc/kubernetes/manifests/bootstrap-armada.yaml | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
index dbc44ec0..17de8ab3 100644
--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
@@ -21,6 +21,8 @@ spec:
 - env:
 - name: TILLER_NAMESPACE
 value: kube-system
+ - name: KUBECONFIG
+ value: /etc/kubernetes/admin/config
 image: {{ config['Genesis:images.helm.tiller'] }}
 command:
 - /tiller
@@ -61,8 +63,13 @@ spec:
 successThreshold: 1
 timeoutSeconds: 1
 resources: {}
+ securityContext:
+ runAsUser: 0
 terminationMessagePath: /dev/termination-log
 terminationMessagePolicy: File
+ volumeMounts:
+ - name: auth
+ mountPath: /etc/kubernetes/admin
 - name: armada
 image: {{ config['Genesis:images.armada'] }}
 securityContext:
@@ -149,7 +156,7 @@ spec:
 {%- endfor %}
 {% include "genesis-apiserver.yaml" with context %}
 - --etcd-servers=https://localhost:12379
- - --insecure-port=8080
+ - --insecure-port=0
 - --secure-port=6444
 - --endpoint-reconciler-type=none
 env:
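Review bot: The `KUBECONFIG` entry added in the `@@ -21,6 +21,8 @@` hunk hands tiller what the path suggests is the genesis admin kubeconfig, and nothing in the manifest says so. Any client that can reach tiller's gRPC endpoint then acts with those credentials, so it is worth confirming that the listen flags following `- /tiller` (outside this hunk) keep it on localhost. I would add a comment above the entry, `# tiller reaches the bootstrap apiserver on the secure port with the admin kubeconfig from the auth volume`.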
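Review bot: The `auth` volumeMount added to the tiller container in the `@@ -61,8 +63,13 @@` hunk has no `readOnly: true`, and the same hunk sets `runAsUser: 0`, so the container can write to whatever backs `/etc/kubernetes/admin`. Tiller only needs to read the kubeconfig, so add `readOnly: true` under `mountPath: /etc/kubernetes/admin`. The `auth` volume definition is outside the hunk, so whether it is a host path is an assumption to confirm. A short comment on `runAsUser: 0` saying why root is required (presumably the kubeconfig's file mode) would help the next reader judge whether it can be dropped later.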
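Review bot: `--insecure-port=0` in the `@@ -149,7 +156,7 @@` hunk keeps a deprecated flag on the bootstrap apiserver command line. kube-apiserver v1.20 accepts it only with the value 0, and v1.24 removed the flag entirely, after which an apiserver started with it will refuse to start. A comment such as `# accepted only as 0 since v1.20; remove this line before moving to v1.24+` would flag that for the next upgrade. The included `genesis-apiserver.yaml` is not visible here, so check that it does not set the flag as well.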