Comments (6)
@elliotdobson You definitely need to specify `serviceAccountIssuer` and `serviceAccountJWKSURI` to the old value.
I would add that you may want to set `additionalSANs` (or `additionalSans`) to `master.cluster.domain`.
My suggestion would be to try this on a new small test cluster.
from kops.
Thanks for your response @hakman.

We decided to move forward with the change to `serviceAccountIssuer` & `serviceAccountJWKSURI` rather than fight it by specifying our existing value.

Based on this comment we were able to come up with the following procedure that allowed us to migrate the Service Account Issuer (SAI) non-disruptively on two clusters:

- Add `additionalSans` with `masterInternalName` value to the kops cluster spec
- Remove `masterInternalName` from the kops cluster spec
- Add the `modify-kube-api-manifest` (existing SAI as primary) hook to the master instancegroups

```yaml
hooks:
  - name: modify-kube-api-manifest
    before:
      - kubelet.service
    manifest: |
      User=root
      Type=oneshot
      ExecStart=/bin/bash -c "until [ -f /etc/kubernetes/manifests/kube-apiserver.manifest ];do sleep 5;done;sed -i '/- --service-account-issuer=https:\/\/api.internal.cluster.domain/i\ \ \ \ - --service-account-issuer=https:\/\/master.cluster.domain' /etc/kubernetes/manifests/kube-apiserver.manifest"
```

- Apply the changes to the cluster
- Roll the masters
- Manually create the `master.cluster.domain` DNS record pointing at the masters' IP addresses
- (If the `kubernetes-services-endpoint` configMap exists (& using calico CNI) then) Update the `KUBERNETES_SERVICE_HOST` value to `api.internal.cluster.domain` in the `kubernetes-services-endpoint` configMap (kube-system namespace) & Roll the calico daemonset
- Update the `modify-kube-api-manifest` (switch the primary/secondary SAI) hook on the master instancegroups

```yaml
hooks:
  - name: modify-kube-api-manifest
    before:
      - kubelet.service
    manifest: |
      User=root
      Type=oneshot
      ExecStart=/bin/bash -c "until [ -f /etc/kubernetes/manifests/kube-apiserver.manifest ];do sleep 5;done;sed -i '/- --service-account-issuer=https:\/\/api.internal.cluster.domain/a\ \ \ \ - --service-account-issuer=https:\/\/master.cluster.domain' /etc/kubernetes/manifests/kube-apiserver.manifest"
```

- Apply the changes to the cluster
- Roll the masters (remember to update the `master.cluster.domain` DNS record with new IP addresses of the masters)
- Roll all the nodes in the cluster
- Wait 24 hours until the dynamic SA tokens have refreshed
- Remove the `modify-kube-api-manifest` hook on the master instancegroups
- Remove `additionalSans` from the kops cluster spec
- Apply the changes to the cluster
- Roll the masters
- Delete the `master.cluster.domain` DNS record

Care needs to be taken around the `master.cluster.domain` DNS record as without it unexpected things can occur (kubelet unable to contact API, etc.) until the migration is complete.

I think the same procedure could be used to enable IRSA non-disruptively (which we will try in the future).

Do you think it is worth adding this to the kops documentation and/or updating kops cluster spec to allow multiple `serviceAccountIssuer` to be specified?
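The two hooks above rely on one kube-apiserver property: when several `--service-account-issuer` flags are given, the first one is used to mint new tokens and every listed one is accepted when tokens are validated, so the order of the inserted line decides which issuer is primary. The script below is an added example (not code from this thread or from kOps) that replays both phases of the hook's `sed` idiom against a constructed stand-in for `/etc/kubernetes/manifests/kube-apiserver.manifest`, and adds two checks an operator would want during the migration: listing the issuers in flag order on a master, and reading the `iss` claim of a pod's projected token to confirm it has been re-minted by the new primary before the old issuer is removed. `OLD_ISSUER`, `NEW_ISSUER`, the sample manifest lines and the sample token are assumptions, not values from the thread.

```shell
#!/usr/bin/env bash
# Added example, not from the kops issue thread. Replays the modify-kube-api-manifest
# hook's two phases against a constructed manifest fragment and adds verification helpers.
# OLD_ISSUER, NEW_ISSUER and all sample contents are assumptions.
set -eu

OLD_ISSUER="https://api.internal.cluster.domain"
NEW_ISSUER="https://master.cluster.domain"

# Constructed stand-in for kube-apiserver.manifest: only the flags the migration touches.
make_sample_manifest() {
  cat > "$1" <<'EOF'
    - --service-account-issuer=https://api.internal.cluster.domain
    - --service-account-jwks-uri=https://api.internal.cluster.domain/openid/v1/jwks
EOF
}

# Escape '/' and '.' so a URL can be used literally inside a sed /address/.
sed_escape() { printf '%s' "$1" | sed 's#[/.]#\\&#g'; }

# Insert a second --service-account-issuer line relative to the existing one.
# $1 manifest, $2 existing issuer, $3 new issuer,
# $4 "before" (new issuer becomes primary) or "after" (existing stays primary,
# new issuer is only accepted for validation). Same backslash-space trick as the
# hook keeps the manifest's four-space indent intact.
add_issuer() {
  if [ "$4" = after ]; then cmd=a; else cmd=i; fi
  sed "/- --service-account-issuer=$(sed_escape "$2")\$/$cmd\\
\\ \\ \\ \\ - --service-account-issuer=$3" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Print the issuers in flag order, space separated. The FIRST is the one
# kube-apiserver mints new tokens with; all of them are accepted on validation.
list_issuers() {
  awk '/^ *- --service-account-issuer=/ {
         sub(/^ *- --service-account-issuer=/, ""); printf "%s%s", sep, $0; sep = " "
       } END { print "" }' "$1"
}

b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Constructed, unsigned token with the shape of a projected SA token (header.payload.sig).
make_sample_token() {
  printf '%s.%s.%s' \
    "$(printf '{"alg":"none"}' | b64url)" \
    "$(printf '{"iss":"%s","sub":"system:serviceaccount:default:app"}' "$1" | b64url)" \
    "sig"
}

# Read the `iss` claim of a token WITHOUT verifying it. This is an observability check
# (which issuer minted the token a pod currently holds), never an authentication step.
token_issuer() {
  payload=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#payload} % 4 )) in
    2) payload="$payload==" ;;
    3) payload="$payload=" ;;
  esac
  printf '%s' "$payload" | base64 -d | sed -n 's/.*"iss":"\([^"]*\)".*/\1/p'
}

demo() {
  m=$(mktemp)
  make_sample_manifest "$m"
  add_issuer "$m" "$OLD_ISSUER" "$NEW_ISSUER" before
  echo "phase 1 (new issuer primary): $(list_issuers "$m")"
  make_sample_manifest "$m"
  add_issuer "$m" "$OLD_ISSUER" "$NEW_ISSUER" after
  echo "phase 2 (old issuer primary): $(list_issuers "$m")"
  rm -f "$m"
  echo "sample token minted by: $(token_issuer "$(make_sample_token "$NEW_ISSUER")")"
}
demo
```

Run `list_issuers /etc/kubernetes/manifests/kube-apiserver.manifest` on each master after every roll to confirm the hook fired and the intended issuer is first; running `token_issuer` over the tokens mounted in a sample of pods after the 24-hour wait tells you whether any workload is still holding a token from the issuer you are about to drop.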
Thank you for the detailed guide @elliotdobson. This would be useful to be added to the kOps docs.
Regarding multiple service account issuers, see #16497. Would that be what you were looking for?
Where would a procedure like that live in the kOps docs? Under Operations perhaps?
Yes, #16497 is the addition to the cluster spec that would've been required for this migration. Will that feature be back-ported to previous kOps releases?
> Where would a procedure like that live in the kOps docs? Under Operations perhaps?

Yes, under Operations.

> Yes, #16497 is the addition to the cluster spec that would've been required for this migration. Will that feature be back-ported to previous kOps releases?

Seems pretty simple to back-port. Probably it will be in kOps 1.28+.
Closing this issue as we've worked around the issue and documented the workaround.