mirror of
https://github.com/k3s-io/kubernetes.git
synced 2026-01-13 11:25:19 +00:00
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kubeadm: When etcd is listening on all interfaces, set the etcd probe to use loopback

**What this PR does / why we need it**:
When constructing the etcd liveness probe, if the user passes an IPv4 or IPv6 address, we set the `etcdctl` liveness probe to use the respective IPv4 or IPv6 loopback address for `--endpoints`.
The etcd probe is now always formatted with the https:// protocol and square brackets around the IP (required for IPv6 / compatible with IPv4).
`::1` is now also included in the etcd serving cert SAN by default.

/kind bug
/area kubeadm
/area etcd
/priority important-soon
/sig cluster-lifecycle
/assign @fabriziopandini

**Which issue(s) this PR fixes**
Fixes https://github.com/kubernetes/kubeadm/issues/882

**Special notes for your reviewer**:
```bash
root@vagrant:~# /vagrant/bin/882_kubeadm init --config /dev/stdin << EOF |& tail -n5
etcd:
  extraArgs:
    listen-client-urls: https://[::]:2379
EOF
I0603 19:52:15.666594 24743 tlsbootstrap.go:50] [bootstraptoken] configured RBAC rules to allow Node Bootstrap tokens to post CSRs in order for nodes to get long term certificate credentials
I0603 19:52:15.671424 24743 tlsbootstrap.go:72] [bootstraptoken] configured RBAC rules to allow the csrapprover controller automatically approve CSRs from a Node Bootstrap Token
I0603 19:52:15.674607 24743 tlsbootstrap.go:95] [bootstraptoken] configured RBAC rules to allow certificate rotation for all node client certificates in the cluster
I0603 19:52:15.677551 24743 clusterinfo.go:43] [bootstraptoken] creating the "cluster-info" ConfigMap in the "kube-public" namespace
[addons] Applied essential addon: CoreDNS
[addons] Applied essential addon: kube-proxy

root@vagrant:~# cat /etc/kubernetes/manifests/etcd.yaml |grep -C4 listen
spec:
  containers:
  - command:
    - etcd
    - --listen-client-urls=https://[::]:2379
    - --advertise-client-urls=https://127.0.0.1:2379
    - --cert-file=/etc/kubernetes/pki/etcd/server.crt
    - --client-cert-auth=true
    - --data-dir=/var/lib/etcd

root@vagrant:~# cat /etc/kubernetes/manifests/etcd.yaml |grep -C4 etcdctl
      exec:
        command:
        - /bin/sh
        - -ec
        - ETCDCTL_API=3 etcdctl --endpoints=https://[::1]:2379 --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/healthcheck-client.crt --key=/etc/kubernetes/pki/etcd/healthcheck-client.key get foo
      failureThreshold: 8
      initialDelaySeconds: 15
```

**Release note**:
```release-note
kubeadm now configures the etcd liveness probe correctly when etcd is listening on all interfaces
```
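
An added example, not kubeadm's own code and not part of the commit message above: the loopback selection and the serving-cert SAN requirement it describes, written in Go. `probeEndpoint`, `certCovers` and `certWithIPSANs` are hypothetical names, the SAN sets are constructed, and `net.JoinHostPort` brackets only IPv6 literals rather than every IP as the PR text describes.

```go
package main

import (
	"crypto/x509"
	"fmt"
	"net"
	"net/url"
)

// probeEndpoint (hypothetical helper) maps one etcd listen-client-urls value to
// the endpoint a node-local probe dials: a wildcard host becomes same-family loopback.
func probeEndpoint(listenURL string) (string, error) {
	u, err := url.Parse(listenURL)
	if err != nil {
		return "", err
	}
	host, port := u.Hostname(), u.Port()
	if host == "" || port == "" {
		return "", fmt.Errorf("need host and port in %q", listenURL)
	}
	if ip := net.ParseIP(host); ip != nil && ip.IsUnspecified() {
		host = "::1" // listening on [::]
		if ip.To4() != nil {
			host = "127.0.0.1" // listening on 0.0.0.0
		}
	}
	return "https://" + net.JoinHostPort(host, port), nil
}

// certCovers reports whether the serving cert's SANs match the endpoint host,
// the same check the probe's TLS client applies before it talks to etcd.
func certCovers(cert *x509.Certificate, endpoint string) bool {
	u, err := url.Parse(endpoint)
	return err == nil && cert.VerifyHostname(u.Hostname()) == nil
}

// certWithIPSANs builds a constructed, unsigned certificate carrying only IP SANs.
func certWithIPSANs(ips ...string) *x509.Certificate {
	c := &x509.Certificate{}
	for _, s := range ips {
		c.IPAddresses = append(c.IPAddresses, net.ParseIP(s))
	}
	return c
}

func main() {
	v4only, both := certWithIPSANs("127.0.0.1"), certWithIPSANs("127.0.0.1", "::1")
	ep, err := probeEndpoint("https://[::]:2379")
	fmt.Println(ep, err, "v4-only SAN:", certCovers(v4only, ep), "with ::1:", certCovers(both, ep))
}
```

A serving certificate whose IP SANs stop at `127.0.0.1` fails hostname verification for the `[::1]` endpoint, which is why the SAN change belongs with the probe change.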