gce: add support for enabling TokenRequest feature
parent
6546b69964
commit
857690baf5
@ -399,3 +399,9 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
|
||||
# The number of services that are allowed to sync concurrently. Will be passed
|
||||
# into kube-controller-manager via `--concurrent-service-syncs`
|
||||
CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
|
||||
|
||||
if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
|
||||
FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
|
||||
SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
|
||||
SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
|
||||
fi
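Review bot: The issuer and audience are hard-coded inside the `if`, so an operator cannot supply their own values, and the issuer is derived only from `CLUSTER_NAME`, so two clusters that share a name would mint tokens with an identical `iss` claim. Following the `"${VAR:-}"` pattern used just above, consider `SERVICEACCOUNT_ISSUER="${SERVICEACCOUNT_ISSUER:-https://kubernetes.io/${CLUSTER_NAME}}"` and the same form for `SERVICEACCOUNT_API_AUDIENCES`. The `FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"` line also yields a leading comma if `FEATURE_GATES` is empty at this point (its assignment is outside the hunk); `FEATURE_GATES="${FEATURE_GATES:+${FEATURE_GATES},}TokenRequest=true"` avoids that. The second hunk (`@ -442,3 +442,9`) adds the same block and has the same issues.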
|
||||
|
@ -442,3 +442,9 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
|
||||
# The number of services that are allowed to sync concurrently. Will be passed
|
||||
# into kube-controller-manager via `--concurrent-service-syncs`
|
||||
CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
|
||||
|
||||
if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
|
||||
FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
|
||||
SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
|
||||
SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
|
||||
fi
|
||||
|
@ -1466,6 +1466,11 @@ function start-kube-apiserver {
|
||||
if [[ -n "${ETCD_QUORUM_READ:-}" ]]; then
|
||||
params+=" --etcd-quorum-read=${ETCD_QUORUM_READ}"
|
||||
fi
|
||||
if [[ -n "${SERVICEACCOUNT_ISSUER:-}" ]]; then
|
||||
params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
|
||||
params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
|
||||
params+=" --service-account-api-audiences=${SERVICEACCOUNT_API_AUDIENCES}"
|
||||
fi
|
||||
|
||||
local audit_policy_config_mount=""
|
||||
local audit_policy_config_volume=""
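Review bot: `--service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}` expands a variable that this hunk neither sets nor checks, because the guard tests only `SERVICEACCOUNT_ISSUER`. If the key path or `SERVICEACCOUNT_API_AUDIENCES` is missing from the environment, the apiserver is started with an empty flag value, or the script aborts if it runs with `nounset`, which is not visible here. Consider testing all three, e.g. `if [[ -n "${SERVICEACCOUNT_ISSUER:-}" && -n "${SERVICEACCOUNT_KEY_PATH:-}" && -n "${SERVICEACCOUNT_API_AUDIENCES:-}" ]]; then`, and logging when the issuer is set but the others are not. Because this file is the private key that signs service-account tokens, a short comment stating where it is provisioned and what permissions it should have would help the next reader. `start-kube-apiserver` begins and ends outside the hunk.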
|
||||
|
@ -819,6 +819,12 @@ ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
|
||||
ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
|
||||
ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
|
||||
EOF
|
||||
if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
|
||||
cat >>$file <<EOF
|
||||
SERVICEACCOUNT_ISSUER: $(yaml-quote ${SERVICEACCOUNT_ISSUER:-})
|
||||
SERVICEACCOUNT_API_AUDIENCES: $(yaml-quote ${SERVICEACCOUNT_API_AUDIENCES:-})
|
||||
EOF
|
||||
fi
|
||||
# KUBE_APISERVER_REQUEST_TIMEOUT_SEC (if set) controls the --request-timeout
|
||||
# flag
|
||||
if [ -n "${KUBE_APISERVER_REQUEST_TIMEOUT_SEC:-}" ]; then
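Review bot: This block is gated on `ENABLE_TOKENREQUEST`, while the `start-kube-apiserver` hunk in this commit is gated on `SERVICEACCOUNT_ISSUER` being non-empty, so the two conditions can disagree. With `ENABLE_TOKENREQUEST=true` and no issuer set (for example a config file other than the two patched here), this writes empty `SERVICEACCOUNT_ISSUER` and `SERVICEACCOUNT_API_AUDIENCES` entries and the apiserver flags are then silently skipped. Gating on the value actually written, `if [[ -n "${SERVICEACCOUNT_ISSUER:-}" ]]; then`, keeps producer and consumer consistent. `cat >>$file` also leaves `$file` unquoted; `cat >>"${file}"` is safer if the path can ever contain whitespace. The enclosing function starts and ends outside the hunk.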
|
||||
|