Fix race condition when joining nodes

Despite we were checking for the kubelet kubeconfig file to be present, the kubelet first writes this file and then the certificates the kubeconfig file refers to. This represents a race condition in kubeadm in which when we confirm that the kubelet's kubeconfig file is present we continue creating a clientset out of it. However, the clientset creation will ensure that the certificates the kubeconfig file refers to exist on the filesystem. To fix this problem, not only wait for the kubelet's kubeconfig file to be present, but also ensure that we can create a clientset ouf of it on our polling process, while we wait for the kubelet to have performed the TLS bootstrap.
2018-12-13 17:51:52 +01:00 · 2018-12-13 17:51:52 +01:00 · 6a8a832f61
parent 59fce36866
commit 6a8a832f61
1 changed files with 4 additions and 2 deletions
--- a/cmd/kubeadm/app/cmd/join.go
+++ b/cmd/kubeadm/app/cmd/join.go
@ -586,10 +586,12 @@ func (j *Join) PostInstallControlPlane(initConfiguration *kubeadmapi.InitConfigu
 func waitForTLSBootstrappedClient() error {
 	fmt.Println("[tlsbootstrap] Waiting for the kubelet to perform the TLS Bootstrap...")

-	kubeletKubeConfig := filepath.Join(kubeadmconstants.KubernetesDir, kubeadmconstants.KubeletKubeConfigFileName)
 	// Loop on every falsy return. Return with an error if raised. Exit successfully if true is returned.
 	return wait.PollImmediate(kubeadmconstants.APICallRetryInterval, kubeadmconstants.TLSBootstrapTimeout, func() (bool, error) {
-		_, err := os.Stat(kubeletKubeConfig)
+		// Check that we can create a client set out of the kubelet kubeconfig. This ensures not
+		// only that the kubeconfig file exists, but that other files required by it also exist (like
+		// client certificate and key)
+		_, err := kubeconfigutil.ClientSetFromFile(kubeadmconstants.GetKubeletKubeConfigPath())
 		return (err == nil), nil
 	})
 }