Merge pull request #53317 from liggitt/fix-kubelet-cert-dir

Automatic merge from submit-queue (batch tested with PRs 53317, 52186). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Change default --cert-dir for kubelet to a non-transient location The default kubelet `--cert-dir` location is `/var/run/kubernetes`, which is automatically erased on reboot on many platforms. As of 1.8.0, kubelet TLS bootstrapping and cert rotation now persist files in `--cert-dir`, this should default to a non-transient location. Default it to the `pki` subfolder of the default `--root-dir` Fixes #53288 Additionally, since `kubeadm` expects a running (albeit crashlooping) kubelet prior to running `kubeadm init` or `kubeadm join`, and was using the default `--root-dir` of `/var/lib/kubelet`, it should not expect that folder to be empty as a pre-init check. Fixes https://github.com/kubernetes/kubernetes/issues/53356 ```release-note kubelet: `--cert-dir` now defaults to `/var/lib/kubelet/pki`, in order to ensure bootstrapped and rotated certificates persist beyond a reboot. ```
2017-10-04 10:32:45 -07:00 · 2017-10-04 10:32:45 -07:00 · 0690b79d2f
parent 6039c79f6c 8c25265314
commit 0690b79d2f
2 changed files with 1 additions and 3 deletions
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@ -650,7 +650,6 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 		PortOpenCheck{port: 10252},
 		HTTPProxyCheck{Proto: "https", Host: cfg.API.AdvertiseAddress, Port: int(cfg.API.BindPort)},
 		DirAvailableCheck{Path: filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.ManifestsSubDirName)},
-		DirAvailableCheck{Path: "/var/lib/kubelet"},
 		FileContentCheck{Path: bridgenf, Content: []byte{'1'}},
 		SwapCheck{},
 		InPathCheck{executable: "ip", mandatory: true},
@ -711,7 +710,6 @@ func RunJoinNodeChecks(cfg *kubeadmapi.NodeConfiguration) error {
 		ServiceCheck{Service: "docker", CheckIfActive: true},
 		PortOpenCheck{port: 10250},
 		DirAvailableCheck{Path: filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.ManifestsSubDirName)},
-		DirAvailableCheck{Path: "/var/lib/kubelet"},
 		FileAvailableCheck{Path: cfg.CACertPath},
 		FileAvailableCheck{Path: filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.KubeletKubeConfigFileName)},
 		FileContentCheck{Path: bridgenf, Content: []byte{'1'}},
--- a/cmd/kubelet/app/options/options.go
+++ b/cmd/kubelet/app/options/options.go
@ -120,7 +120,7 @@ func NewKubeletFlags() *KubeletFlags {
 		RequireKubeConfig:       false,
 		KubeConfig:              flag.NewStringFlag("/var/lib/kubelet/kubeconfig"),
 		ContainerRuntimeOptions: *NewContainerRuntimeOptions(),
-		CertDirectory:           "/var/run/kubernetes",
+		CertDirectory:           "/var/lib/kubelet/pki",
 		RootDirectory:           v1alpha1.DefaultRootDir,
 		// DEPRECATED: auto detecting cloud providers goes against the initiative
 		// for out-of-tree cloud providers as we'll now depend on cAdvisor integrations