Recursive chown the /etc/srv/sshproxy if kube-apiserver is running as non root. This way if a key already exists we will be able to read it.

2025-07-23 11:50:44 +00:00 · 2021-05-05 14:49:59 -07:00 · 2021-05-05 14:49:59 -07:00 · 406ceae991
commit 406ceae991
parent 5d8c89b164
1 changed files with 2 additions and 2 deletions
--- a/cluster/gce/gci/configure-kubeapiserver.sh
+++ b/cluster/gce/gci/configure-kubeapiserver.sh
@ -278,7 +278,7 @@ function start-kube-apiserver {
    params+=" --advertise-address=${MASTER_ADVERTISE_ADDRESS}"
    if [[ -n "${PROXY_SSH_USER:-}" ]]; then
      if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" ]]; then
-        chown "${KUBE_API_SERVER_RUNASUSER}":"${KUBE_API_SERVER_RUNASGROUP}" /etc/srv/sshproxy
+        chown -R "${KUBE_API_SERVER_RUNASUSER}":"${KUBE_API_SERVER_RUNASGROUP}" /etc/srv/sshproxy/
      fi
      params+=" --ssh-user=${PROXY_SSH_USER}"
      params+=" --ssh-keyfile=/etc/srv/sshproxy/.sshkeyfile"
@ -287,7 +287,7 @@ function start-kube-apiserver {
    local -r vm_external_ip=$(get-metadata-value "instance/network-interfaces/0/access-configs/0/external-ip")
    if [[ -n "${PROXY_SSH_USER:-}" ]]; then
      if [[ -n "${KUBE_API_SERVER_RUNASUSER:-}" && -n "${KUBE_API_SERVER_RUNASGROUP:-}" ]]; then
-        chown "${KUBE_API_SERVER_RUNASUSER}":"${KUBE_API_SERVER_RUNASGROUP}" /etc/srv/sshproxy
+        chown -R "${KUBE_API_SERVER_RUNASUSER}":"${KUBE_API_SERVER_RUNASGROUP}" /etc/srv/sshproxy/
      fi
      params+=" --advertise-address=${vm_external_ip}"
      params+=" --ssh-user=${PROXY_SSH_USER}"