diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 671c1a5db7b..cadaafc0dd0 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -455,11 +455,7 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
-if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
- FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
- SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
- SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
-fi
+SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
 # Optional: Enable Node termination Handler for Preemptible and GPU VMs.
 # https://github.com/GoogleCloudPlatform/k8s-node-termination-handler
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index c9ce3694c5c..caf16359e5f 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
@@ -470,11 +470,7 @@ ROTATE_CERTIFICATES="${ROTATE_CERTIFICATES:-}"
 # into kube-controller-manager via `--concurrent-service-syncs`
 CONCURRENT_SERVICE_SYNCS="${CONCURRENT_SERVICE_SYNCS:-}"
-if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
- FEATURE_GATES="${FEATURE_GATES},TokenRequest=true"
- SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
- SERVICEACCOUNT_API_AUDIENCES="https://kubernetes.default.svc"
-fi
+SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"
 # Optional: Enable Node termination Handler for Preemptible and GPU VMs.
 # https://github.com/GoogleCloudPlatform/k8s-node-termination-handler
diff --git a/cluster/gce/gci/apiserver_manifest_test.go b/cluster/gce/gci/apiserver_manifest_test.go
index 2b430bd4295..db327771b34 100644
--- a/cluster/gce/gci/apiserver_manifest_test.go
+++ b/cluster/gce/gci/apiserver_manifest_test.go
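Review bot: In the cluster/gce/config-default.sh hunk, the new `SERVICEACCOUNT_ISSUER="https://kubernetes.io/${CLUSTER_NAME}"` overwrites any value already present in the environment, whereas the context lines around it (`ROTATE_CERTIFICATES`, `CONCURRENT_SERVICE_SYNCS`) use the `${VAR:-}` default form; the same line is added in cluster/gce/config-test.sh. This value is passed to `--service-account-issuer` and is now always set, so an operator override seems worth keeping: `SERVICEACCOUNT_ISSUER="${SERVICEACCOUNT_ISSUER:-https://kubernetes.io/${CLUSTER_NAME}}"`. A one-line comment above it, such as `# Issuer identifier for service account tokens; also used as the accepted API audience.`, would help too, because the removed `ENABLE_TOKENREQUEST` block was the only hint of what the variable is for.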
@@ -55,6 +55,8 @@ readonly ETC_MANIFESTS=${KUBE_HOME}/etc/kubernetes/manifests
 readonly KUBE_API_SERVER_DOCKER_TAG=v1.11.0-alpha.0.1808_3c7452dc11645d-dirty
 readonly LOG_OWNER_USER=$(id -un)
 readonly LOG_OWNER_GROUP=$(id -gn)
+readonly SERVICEACCOUNT_ISSUER=https://foo.bar.baz
+readonly SERVICEACCOUNT_KEY_PATH=/foo/bar/baz.key
 {{if .EncryptionProviderConfig}}
 ENCRYPTION_PROVIDER_CONFIG={{.EncryptionProviderConfig}}
 {{end}}
diff --git a/cluster/gce/gci/configure-helper.sh b/cluster/gce/gci/configure-helper.sh
index f57f0ba6b6a..c8cda248a5f 100644
--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -1570,11 +1570,9 @@ function start-kube-apiserver {
 if [[ -n "${SERVICE_CLUSTER_IP_RANGE:-}" ]]; then
 params+=" --service-cluster-ip-range=${SERVICE_CLUSTER_IP_RANGE}"
 fi
- if [[ -n "${SERVICEACCOUNT_ISSUER:-}" ]]; then
- params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
- params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
- params+=" --service-account-api-audiences=${SERVICEACCOUNT_API_AUDIENCES}"
- fi
+ params+=" --service-account-issuer=${SERVICEACCOUNT_ISSUER}"
+ params+=" --service-account-api-audiences=${SERVICEACCOUNT_ISSUER}"
+ params+=" --service-account-signing-key-file=${SERVICEACCOUNT_KEY_PATH}"
 local audit_policy_config_mount=""
 local audit_policy_config_volume=""
diff --git a/cluster/gce/util.sh b/cluster/gce/util.sh
index 0f6af3a2c76..b7811bcf7d3 100755
--- a/cluster/gce/util.sh
+++ b/cluster/gce/util.sh
@@ -1008,13 +1008,8 @@ ETCD_CA_CERT: $(yaml-quote ${ETCD_CA_CERT_BASE64:-})
 ETCD_PEER_KEY: $(yaml-quote ${ETCD_PEER_KEY_BASE64:-})
 ETCD_PEER_CERT: $(yaml-quote ${ETCD_PEER_CERT_BASE64:-})
 ENCRYPTION_PROVIDER_CONFIG: $(yaml-quote ${ENCRYPTION_PROVIDER_CONFIG:-})
-EOF
- if [[ "${ENABLE_TOKENREQUEST:-}" == "true" ]]; then
- cat >>$file <
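Review bot: In the cluster/gce/gci/configure-helper.sh hunk, the three added `params+=` lines expand `${SERVICEACCOUNT_ISSUER}` and `${SERVICEACCOUNT_KEY_PATH}` with no guard, where the removed code first tested `-n "${SERVICEACCOUNT_ISSUER:-}"`. If either variable is missing from the node's environment (the code that produces it is only partly visible here, so this is an assumption), the apiserver is started with empty `--service-account-issuer=` and `--service-account-signing-key-file=` values, or the script aborts without a useful message if it runs with nounset. I would fail early and explicitly before the appends, e.g. `: "${SERVICEACCOUNT_ISSUER:?must be set}"` and `: "${SERVICEACCOUNT_KEY_PATH:?must be set}"`. The `--service-account-api-audiences` value is now the issuer URL rather than the previous `https://kubernetes.default.svc`, which changes which token audiences the apiserver accepts and deserves a comment on that line. start-kube-apiserver begins and ends outside the hunk.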