I have two secrets referenced by my API server.
After my API server dies, it's clear that the checkpointer correctly rewrites the first secret to a host volume, but not the custom one I provided.
```
core@node1 ~ $ cat assets/manifests/kube-apiserver.yaml
apiVersion: "extensions/v1beta1"
kind: DaemonSet
metadata:
  name: kube-apiserver
  namespace: kube-system
  labels:
    k8s-app: kube-apiserver
    version: v1.4.0_coreos.0
spec:
  template:
    metadata:
      labels:
        k8s-app: kube-apiserver
        version: v1.4.0_coreos.0
    spec:
      nodeSelector:
        master: "true"
      hostNetwork: true
      containers:
      - name: checkpoint-installer
        image: quay.io/coreos/pod-checkpointer:969e207f005a78d1823e88bb10be34386eea473f
        command:
        - /checkpoint-installer.sh
        volumeMounts:
        - mountPath: /etc/kubernetes/manifests
          name: etc-k8s-manifests
      - name: kube-apiserver
        image: quay.io/coreos/hyperkube:v1.4.0_coreos.0
        command:
        - /hyperkube
        - apiserver
        - --bind-address=0.0.0.0
        - --secure-port=443
        - --insecure-port=8080
        - --etcd-servers=http://node1.example.com:2379
        - --allow-privileged=true
        - --service-cluster-ip-range=10.3.0.0/24
        - --admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota
        - --runtime-config=api/all=true
        - --tls-cert-file=/etc/kubernetes/secrets/apiserver.crt
        - --tls-private-key-file=/etc/kubernetes/secrets/apiserver.key
        - --service-account-key-file=/etc/kubernetes/secrets/service-account.pub
        - --client-ca-file=/etc/kubernetes/secrets/ca.crt
        - --authorization-mode=ABAC,RBAC
        - --authorization-rbac-super-user=system:serviceaccount:kube-system:default
        - --runtime-config=rbac.authorization.k8s.io/v1alpha1
        - --authorization-policy-file=/etc/kubernetes/authz/policy.jsonl
        - --oidc-issuer-url=https://cluster.example.com:32000/identity
        - --oidc-client-id=tectonic-kubectl
        - --oidc-username-claim=email
        - --oidc-ca-file=/etc/kubernetes/secrets/ca.crt
        volumeMounts:
        - mountPath: /etc/ssl/certs
          name: ssl-certs-host
          readOnly: true
        - mountPath: /etc/kubernetes/secrets
          name: secrets
          readOnly: true
        - mountPath: /etc/kubernetes/authz
          name: policy
          readOnly: true
      volumes:
      - name: ssl-certs-host
        hostPath:
          path: /usr/share/ca-certificates
      - name: etc-k8s-manifests
        hostPath:
          path: /etc/kubernetes/manifests
      - name: secrets
        secret:
          secretName: kube-apiserver
      - name: policy
        secret:
          secretName: abac-policy
```
My custom secret (which may or may not matter).
```
$ cat assets/manifests/abac-policy.yaml
apiVersion: v1
kind: Secret
metadata:
  name: abac-policy
  namespace: kube-system
data:
  "policy.jsonl": <base64 data elided>
```
The checkpointed API server. Notice that the "kube-apiserver" secret is correctly converted to a host path, but the abac policy isn't.
```
core@node1 ~ $ cat /srv/kubernetes/manifests/apiserver.json | jq .
{
  "kind": "Pod",
  "apiVersion": "v1",
  "metadata": {
    "name": "temp-apiserver",
    "namespace": "kube-system",
    "creationTimestamp": null
  },
  "spec": {
    "volumes": [
      {
        "name": "ssl-certs-host",
        "hostPath": {
          "path": "/usr/share/ca-certificates"
        }
      },
      {
        "name": "etc-k8s-manifests",
        "hostPath": {
          "path": "/etc/kubernetes/manifests"
        }
      },
      {
        "name": "secrets",
        "hostPath": {
          "path": "/etc/kubernetes/checkpoint-secrets/temp-apiserver/kube-apiserver"
        }
      },
      {
        "name": "policy",
        "secret": {
          "secretName": "abac-policy"
        }
      }
    ],
    "containers": [
      {
        "name": "checkpoint-installer",
        "image": "quay.io/coreos/pod-checkpointer:969e207f005a78d1823e88bb10be34386eea473f",
        "command": [
          "/checkpoint-installer.sh"
        ],
        "resources": {},
        "volumeMounts": [
          {
            "name": "etc-k8s-manifests",
            "mountPath": "/etc/kubernetes/manifests"
          }
        ],
        "terminationMessagePath": "/dev/termination-log",
        "imagePullPolicy": "IfNotPresent"
      },
      {
        "name": "kube-apiserver",
        "image": "quay.io/coreos/hyperkube:v1.4.0_coreos.0",
        "command": [
          "/hyperkube",
          "apiserver",
          "--bind-address=0.0.0.0",
          "--secure-port=443",
          "--insecure-port=8081",
          "--etcd-servers=http://node1.example.com:2379",
          "--allow-privileged=true",
          "--service-cluster-ip-range=10.3.0.0/24",
          "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota",
          "--runtime-config=api/all=true",
          "--tls-cert-file=/etc/kubernetes/secrets/apiserver.crt",
          "--tls-private-key-file=/etc/kubernetes/secrets/apiserver.key",
          "--service-account-key-file=/etc/kubernetes/secrets/service-account.pub",
          "--client-ca-file=/etc/kubernetes/secrets/ca.crt",
          "--authorization-mode=ABAC,RBAC",
          "--authorization-rbac-super-user=system:serviceaccount:kube-system:default",
          "--runtime-config=rbac.authorization.k8s.io/v1alpha1",
          "--authorization-policy-file=/etc/kubernetes/authz/policy.jsonl",
          "--oidc-issuer-url=https://cluster.example.com:32000/identity",
          "--oidc-client-id=tectonic-kubectl",
          "--oidc-username-claim=email",
          "--oidc-ca-file=/etc/kubernetes/secrets/ca.crt"
        ],
        "resources": {},
        "volumeMounts": [
          {
            "name": "ssl-certs-host",
            "readOnly": true,
            "mountPath": "/etc/ssl/certs"
          },
          {
            "name": "secrets",
            "readOnly": true,
            "mountPath": "/etc/kubernetes/secrets"
          },
          {
            "name": "policy",
            "readOnly": true,
            "mountPath": "/etc/kubernetes/authz"
          }
        ],
        "terminationMessagePath": "/dev/termination-log",
        "imagePullPolicy": "IfNotPresent"
      }
    ],
    "restartPolicy": "Always",
    "terminationGracePeriodSeconds": 30,
    "dnsPolicy": "ClusterFirst",
    "nodeSelector": {
      "master": "true"
    },
    "serviceAccountName": "default",
    "serviceAccount": "default",
    "nodeName": "node1.example.com",
    "hostNetwork": true,
    "securityContext": {}
  },
  "status": {}
}
```
Here's the checkpoint-secrets directory.
```
core@node1 ~ $ ls -R /etc/kubernetes/checkpoint-secrets
/etc/kubernetes/checkpoint-secrets:
temp-apiserver

/etc/kubernetes/checkpoint-secrets/temp-apiserver:
kube-apiserver

/etc/kubernetes/checkpoint-secrets/temp-apiserver/kube-apiserver:
apiserver.crt  apiserver.key  ca.crt  service-account.pub
```
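An added example, not code from pod-checkpointer or from this report, that audits a checkpointed static-pod manifest for volumes left as Secret references (the condition shown above for the `policy` volume) and shows the hostPath rewrite the report expected for every secret. The `/etc/kubernetes/checkpoint-secrets/<pod>/<secretName>` layout is taken from the checkpointed `secrets` volume in the report; the sample manifest is a constructed, trimmed copy of `apiserver.json`, and the function names are my own. A static pod that still references a Secret needs the API server to mount it, so any finding here means the checkpoint cannot bring the API server back on its own.

```python
"""Audit a checkpointed static-pod manifest for volumes the checkpointer left
as Secret references, and show the hostPath rewrite that was expected.

Added example; not part of pod-checkpointer. The checkpoint-secrets path layout
is assumed from the report's "secrets" volume; function names are hypothetical.
"""
import copy
import json
import os

# Assumed from the report: /etc/kubernetes/checkpoint-secrets/<pod>/<secretName>
CHECKPOINT_SECRETS_DIR = "/etc/kubernetes/checkpoint-secrets"

# Constructed sample: a trimmed copy of the checkpointed apiserver.json, keeping
# the converted "secrets" volume and the unconverted "policy" volume.
SAMPLE_CHECKPOINT = json.dumps({
    "kind": "Pod",
    "apiVersion": "v1",
    "metadata": {"name": "temp-apiserver", "namespace": "kube-system"},
    "spec": {
        "volumes": [
            {"name": "ssl-certs-host", "hostPath": {"path": "/usr/share/ca-certificates"}},
            {"name": "secrets", "hostPath": {
                "path": "/etc/kubernetes/checkpoint-secrets/temp-apiserver/kube-apiserver"}},
            {"name": "policy", "secret": {"secretName": "abac-policy"}},
        ],
        "containers": [{"name": "kube-apiserver", "volumeMounts": [
            {"name": "secrets", "mountPath": "/etc/kubernetes/secrets", "readOnly": True},
            {"name": "policy", "mountPath": "/etc/kubernetes/authz", "readOnly": True},
        ]}],
    },
})


def load_pod(manifest_json):
    """Parse a checkpointed pod manifest (the jq-style JSON on disk)."""
    return json.loads(manifest_json)


def unconverted_secret_volumes(pod):
    """Names of volumes still backed by a Secret object. A static pod must start
    with the API server down, so every one of these is a checkpoint gap."""
    return [v["name"] for v in pod["spec"].get("volumes", []) if "secret" in v]


def mounts_for_volume(pod, volume_name):
    """Map container name -> mountPath for each mount of the volume, so a
    finding names the in-container path that will be missing at startup."""
    result = {}
    for c in pod["spec"].get("containers", []):
        for m in c.get("volumeMounts", []):
            if m["name"] == volume_name:
                result[c["name"]] = m["mountPath"]
    return result


def rewrite_secret_volumes(pod):
    """Return a copy of the pod in which every Secret volume is replaced by a
    hostPath under CHECKPOINT_SECRETS_DIR/<pod name>/<secretName>, the layout
    the checkpointer used for the kube-apiserver secret. The input is untouched."""
    out = copy.deepcopy(pod)
    pod_name = out["metadata"]["name"]
    for v in out["spec"].get("volumes", []):
        secret = v.pop("secret", None)
        if secret is not None:
            v["hostPath"] = {"path": os.path.join(
                CHECKPOINT_SECRETS_DIR, pod_name, secret["secretName"])}
    return out


def audit(pod):
    """One finding per unconverted Secret volume: which Secret, where it is
    mounted, and the host path the checkpointer should have written."""
    findings = []
    for v in pod["spec"].get("volumes", []):
        if "secret" not in v:
            continue
        secret_name = v["secret"]["secretName"]
        findings.append({
            "volume": v["name"],
            "secretName": secret_name,
            "mounts": mounts_for_volume(pod, v["name"]),
            "expectedHostPath": os.path.join(
                CHECKPOINT_SECRETS_DIR, pod["metadata"]["name"], secret_name),
        })
    return findings


if __name__ == "__main__":
    for f in audit(load_pod(SAMPLE_CHECKPOINT)):
        print(f"volume {f['volume']!r} still references Secret {f['secretName']!r}, "
              f"mounted at {f['mounts']}; expected hostPath {f['expectedHostPath']}")
```

Run against the real `/srv/kubernetes/manifests/apiserver.json` by passing its contents to `load_pod`; an empty finding list is the state the reporter expected, and the `ls -R` output above lets you confirm that each `expectedHostPath` actually exists on the node.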