C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Enables Calico serviceAccount token monitoring and update of /etc/cni/net.d/calico-kubeconfig if need be. (#7586)

Browse source 
Since K8S 1.21, BoundServiceAccountTokenVolume feature gate is in beta stage, thus activated by default (anyone who follows CSI guidelines has enabled AllAlpha and faced the issue before 1.21).
With this feature, SA tokens are regenerated every hour.
As a consequence for Calico CNI, token in /etc/cni/net.d/calico-kubeconfig copied from /var/run/secrets/kubernetes.io/serviceaccount in install-cni initContainer expires after one hour and any pod creation fails due to unauthorization.
Calico pods need to be restarted so that /etc/cni/net.d/calico-kubeconfig is updated with the new SA token.
This commit is contained in:
emiran-orange 2021-05-11 17:47:36 +02:00 committed by GitHub
parent 8c0a2741ae
commit afbabebfd5
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
roles/network_plugin/calico/templates/calico-node.yml.j2
View file

@ -259,6 +259,8 @@ spec:
value: "true"
- name: FELIX_IGNORELOOSERPF
value: "{{ calico_node_ignorelooserpf }}"
- name: CALICO_MANAGE_CNI
value: "true"
{% if calico_node_extra_envs is defined %}
{% for key in calico_node_extra_envs %}
- name: {{ key }}
@ -309,6 +311,8 @@ spec:
- name: xtables-lock
mountPath: /run/xtables.lock
readOnly: false
- mountPath: /host/etc/cni/net.d
name: cni-net-dir
{% if typha_secure %}
- name: typha-client
mountPath: /etc/typha-client