GithubHelp home page GithubHelp logo

Comments (6)

hakman avatar hakman commented on July 30, 2024

@elliotdobson You definitely need to specify serviceAccountIssuer and serviceAccountJWKSURI to the old value.
I would add that you may want to set additionalSANs (or additionalSans) to master.cluster.domain.
My suggestion would be to try this on a new small test cluster.

from kops.

elliotdobson avatar elliotdobson commented on July 30, 2024

Thanks for your response @hakman.

We decided to move forward with the change to serviceAccountIssuer & serviceAccountJWKSURI rather than fight it by specifying our existing value.

Based on this comment we were able to come up with the following procedure that allowed us to migrate the Service Account Issuer (SAI) non-disruptively on two clusters:

  1. Add additionalSans with masterInternalName value to the kops cluster spec
  2. Remove masterInternalName from the kops cluster spec
  3. Add the modify-kube-api-manifest (existing SAI as primary) hook to the master instancegroups
  hooks:
  - name: modify-kube-api-manifest
    before:
      - kubelet.service
    manifest: |
      User=root
      Type=oneshot
      ExecStart=/bin/bash -c "until [ -f /etc/kubernetes/manifests/kube-apiserver.manifest ];do sleep 5;done;sed -i '/- --service-account-issuer=https:\/\/api.internal.cluster.domain/i\ \ \ \ - --service-account-issuer=https:\/\/master.cluster.domain' /etc/kubernetes/manifests/kube-apiserver.manifest"
  1. Apply the changes to the cluster
  2. Roll the masters
  3. Manually create the master.cluster.domain DNS record pointing at the masters IP addresses
  4. (If the kubernetes-services-endpoint configMap exists (& using calico CNI) then) Update the KUBERNETES_SERVICE_HOST value to api.internal.cluster.domain in the kubernetes-services-endpoint configMap (kube-system namespace) & Roll the calico daemonset
  5. Update the modify-kube-api-manifest (switch the primary/secondary SAI) hook on the master instancegroups
  hooks:
  - name: modify-kube-api-manifest
    before:
      - kubelet.service
    manifest: |
      User=root
      Type=oneshot
      ExecStart=/bin/bash -c "until [ -f /etc/kubernetes/manifests/kube-apiserver.manifest ];do sleep 5;done;sed -i '/- --service-account-issuer=https:\/\/api.internal.cluster.domain/a\ \ \ \ - --service-account-issuer=https:\/\/master.cluster.domain' /etc/kubernetes/manifests/kube-apiserver.manifest"
  1. Apply the changes to the cluster
  2. Roll the masters (remember to update the master.cluster.domain DNS record with new IP addresses of the masters)
  3. Roll all the nodes in the cluster
  4. Wait 24 hours until the dynamic SA tokens have refreshed
  5. Remove the modify-kube-api-manifest hook on the master instancegroups
  6. Remove additionalSans from the kops cluster spec
  7. Apply the changes to the cluster
  8. Roll the masters
  9. Delete the master.cluster.domain DNS record

Care needs to be taken around the master.cluster.domain DNS record as without it unexpected things can occur (kubelet unable to contact API, etc) until the migration is complete.

I think the same procedure could be used to enable IRSA non-disruptively (which we will try in the future).

Do you think it is worth adding this to the kops documentation and/or updating kops cluster spec to allow multiple serviceAccountIssuer to be specified?

from kops.

hakman avatar hakman commented on July 30, 2024

Thank you for the detailed guide @elliotdobson. This would be useful to be added to the kOps docs.
Regarding multiple service account issuers, see #16497. Would that be what you were looking for?

from kops.

elliotdobson avatar elliotdobson commented on July 30, 2024

Where would a procedure like that live in the kOps docs? Under Operations perhaps?

Yes #16497 is the addition to the cluster spec that would've been required for this migration. Will that feature will be back-ported to previous kOps releases?

from kops.

hakman avatar hakman commented on July 30, 2024

Where would a procedure like that live in the kOps docs? Under Operations perhaps?

Yes, under Operations.

Yes #16497 is the addition to the cluster spec that would've been required for this migration. Will that feature will be back-ported to previous kOps releases?

Seems pretty simple to back-port. Probably it will be in kOps 1.28+.

from kops.

elliotdobson avatar elliotdobson commented on July 30, 2024

Closing this issue as we've worked around the issue and documented the workaround.

from kops.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.