Merge pull request #17848 from sdminonne/libvirt_service_account
Auto commit by PR queue bot
commit
abf9a90030
@ -14,6 +14,9 @@ coreos:
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/opt/kubernetes/bin/kube-apiserver \
|
ExecStart=/opt/kubernetes/bin/kube-apiserver \
|
||||||
|
--service-account-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
|
||||||
|
--service-account-lookup=${SERVICE_ACCOUNT_LOOKUP} \
|
||||||
|
--admission-control=${ADMISSION_CONTROL} \
|
||||||
--insecure-bind-address=0.0.0.0 \
|
--insecure-bind-address=0.0.0.0 \
|
||||||
--insecure-port=8080 \
|
--insecure-port=8080 \
|
||||||
--etcd-servers=http://127.0.0.1:2379 \
|
--etcd-servers=http://127.0.0.1:2379 \
|
||||||
@ -36,7 +39,8 @@ coreos:
|
|||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
|
ExecStart=/opt/kubernetes/bin/kube-controller-manager \
|
||||||
--master=127.0.0.1:8080
|
--master=127.0.0.1:8080 \
|
||||||
|
--service-account-private-key-file=/opt/kubernetes/certs/kube-serviceaccount.key \
|
||||||
Restart=always
|
Restart=always
|
||||||
RestartSec=2
|
RestartSec=2
|
||||||
|
|
||||||
|
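Review bot: The added `--service-account-key-file` line gives kube-apiserver the RSA private key, the same file kube-controller-manager signs tokens with via `--service-account-private-key-file`; the API server only verifies tokens, and that flag also accepts a PEM public key. Deriving the public half on the host, e.g. `openssl rsa -in "${SERVICE_ACCOUNT_KEY}" -pubout -out "${SERVICE_ACCOUNT_KEY}.pub"`, and pointing this flag at it would keep the signing key with the one component that needs it. Separately, the unchanged `--insecure-bind-address=0.0.0.0` and `--insecure-port=8080` lines in the same unit still serve the API without authentication, so the service-account tokens enabled here restrict nothing for a client that can reach that port; a comment above the new flags saying so would set expectations. How `${SERVICE_ACCOUNT_LOOKUP}` and `${ADMISSION_CONTROL}` are substituted into this template is not visible in the diff, so it is worth confirming that an unset value cannot leave an empty flag argument.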
@ -22,7 +22,8 @@ source "$ROOT/${KUBE_CONFIG_FILE:-"config-default.sh"}"
|
|||||||
source "$KUBE_ROOT/cluster/common.sh"
|
source "$KUBE_ROOT/cluster/common.sh"
|
||||||
|
|
||||||
export LIBVIRT_DEFAULT_URI=qemu:///system
|
export LIBVIRT_DEFAULT_URI=qemu:///system
|
||||||
|
export SERVICE_ACCOUNT_LOOKUP=${SERVICE_ACCOUNT_LOOKUP:-false}
|
||||||
|
export ADMISSION_CONTROL=${ADMISSION_CONTROL:-NamespaceLifecycle,LimitRanger,ServiceAccount,ResourceQuota}
|
||||||
readonly POOL=kubernetes
|
readonly POOL=kubernetes
|
||||||
readonly POOL_PATH="$(cd $ROOT && pwd)/libvirt_storage_pool"
|
readonly POOL_PATH="$(cd $ROOT && pwd)/libvirt_storage_pool"
|
||||||
|
|
||||||
@ -51,6 +52,19 @@ function detect-nodes {
|
|||||||
KUBE_NODE_IP_ADDRESSES=("${NODE_IPS[@]}")
|
KUBE_NODE_IP_ADDRESSES=("${NODE_IPS[@]}")
|
||||||
}
|
}
|
||||||
|
|
||||||
|
function set_service_accounts {
|
||||||
|
SERVICE_ACCOUNT_KEY=${SERVICE_ACCOUNT_KEY:-"/tmp/kube-serviceaccount.key"}
|
||||||
|
# Generate ServiceAccount key if needed
|
||||||
|
if [[ ! -f "${SERVICE_ACCOUNT_KEY}" ]]; then
|
||||||
|
mkdir -p "$(dirname ${SERVICE_ACCOUNT_KEY})"
|
||||||
|
openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048 2>/dev/null
|
||||||
|
fi
|
||||||
|
|
||||||
|
mkdir -p "$POOL_PATH/kubernetes/certs"
|
||||||
|
cp "${SERVICE_ACCOUNT_KEY}" "$POOL_PATH/kubernetes/certs"
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
# Verify prereqs on host machine
|
# Verify prereqs on host machine
|
||||||
function verify-prereqs {
|
function verify-prereqs {
|
||||||
if ! which virsh >/dev/null; then
|
if ! which virsh >/dev/null; then
|
||||||
@ -185,6 +199,7 @@ function kube-up {
|
|||||||
detect-nodes
|
detect-nodes
|
||||||
load-or-gen-kube-bearertoken
|
load-or-gen-kube-bearertoken
|
||||||
initialize-pool keep_base_image
|
initialize-pool keep_base_image
|
||||||
|
set_service_accounts
|
||||||
initialize-network
|
initialize-network
|
||||||
|
|
||||||
readonly ssh_keys="$(cat ~/.ssh/id_*.pub | sed 's/^/ - /')"
|
readonly ssh_keys="$(cat ~/.ssh/id_*.pub | sed 's/^/ - /')"
|
||||||
|
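Review bot: `set_service_accounts` defaults `SERVICE_ACCOUNT_KEY` to `/tmp/kube-serviceaccount.key` and reuses whatever file already exists at that path, so on a shared host the cluster's token-signing key can be a file the invoking user did not create; the default belongs in a directory only that user can write. The key is also created, and then copied into `$POOL_PATH/kubernetes/certs`, with whatever permissions the current umask allows, and `2>/dev/null` hides an `openssl` failure so the later `cp` is the first command to complain. I would change the two lines inside the `if` to `mkdir -p "$(dirname "${SERVICE_ACCOUNT_KEY}")"` (the inner expansion is unquoted today) and `(umask 077; openssl genrsa -out "${SERVICE_ACCOUNT_KEY}" 2048)`, and check that the copy in the pool directory is readable only by the accounts that need it. In the first hunk of this file, `SERVICE_ACCOUNT_LOOKUP` defaults to `false`, which leaves tokens of deleted service accounts valid; a comment beside that export such as `# false: tokens are not checked against etcd, so deleting a ServiceAccount does not revoke its tokens` would make the trade-off explicit.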
@ -83,11 +83,12 @@ On the other hand, `libvirt-coreos` might be useful for people investigating low
|
|||||||
2. Install [ebtables](http://ebtables.netfilter.org/)
|
2. Install [ebtables](http://ebtables.netfilter.org/)
|
||||||
3. Install [qemu](http://wiki.qemu.org/Main_Page)
|
3. Install [qemu](http://wiki.qemu.org/Main_Page)
|
||||||
4. Install [libvirt](http://libvirt.org/)
|
4. Install [libvirt](http://libvirt.org/)
|
||||||
5. Enable and start the libvirt daemon, e.g:
|
5. Install [openssl](http://openssl.org/)
|
||||||
|
6. Enable and start the libvirt daemon, e.g:
|
||||||
* ``systemctl enable libvirtd``
|
* ``systemctl enable libvirtd``
|
||||||
* ``systemctl start libvirtd``
|
* ``systemctl start libvirtd``
|
||||||
6. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
|
7. [Grant libvirt access to your user¹](https://libvirt.org/aclpolkit.html)
|
||||||
7. Check that your $HOME is accessible to the qemu user²
|
8. Check that your $HOME is accessible to the qemu user²
|
||||||
|
|
||||||
#### ¹ Depending on your distribution, libvirt access may be denied by default or may require a password at each access.
|
#### ¹ Depending on your distribution, libvirt access may be denied by default or may require a password at each access.
|
||||||
|
|
||||||
|