github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #38333 from euank/more-ssl-mounts 

Automatic merge from submit-queue (batch tested with PRs 37325, 38313, 38141, 38321, 38333)

cluster: bindmount more cert paths

**What this PR does / why we need it**:

/etc/ssl/certs is currently mounted through in a number of places.
However, on Gentoo and CoreOS (and probably others), the files in
/etc/ssl/certs are just symlinks to files in /usr/share/ca-certificates.

For these components to correclty work, the target of the symlinks needs
to be available as well.

This is especially important for kube-controller-manager, where this
issue was noticed.



**Special notes for your reviewer**:

This change was originally part of #33965, but was split out for ease of
review.

**Release note**:

```release-note
NONE
```
pull/6/head
Kubernetes Submit Queue 2016-12-07 17:14:21 -08:00 committed by GitHub
parent 04cd4ae43e b8d2099b3f
commit bc28aeb8ef
6 changed files with 51 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

9
cluster/addons/cluster-monitoring/google/heapster-controller.yaml
View File

@ -53,6 +53,9 @@ spec:
- name: ssl-certs - name: ssl-certs
mountPath: /etc/ssl/certs mountPath: /etc/ssl/certs
readOnly: true readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/heapster:v1.2.0 - image: gcr.io/google_containers/heapster:v1.2.0
name: eventer name: eventer
command: command:
@ -63,6 +66,9 @@ spec:
- name: ssl-certs - name: ssl-certs
mountPath: /etc/ssl/certs mountPath: /etc/ssl/certs
readOnly: true readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/addon-resizer:1.6 - image: gcr.io/google_containers/addon-resizer:1.6
name: heapster-nanny name: heapster-nanny
resources: resources:
@ -125,3 +131,6 @@ spec:
- name: ssl-certs - name: ssl-certs
hostPath: hostPath:
path: "/etc/ssl/certs" path: "/etc/ssl/certs"
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"

9
cluster/addons/cluster-monitoring/googleinfluxdb/heapster-controller-combined.yaml
View File

@ -54,6 +54,9 @@ spec:
- name: ssl-certs - name: ssl-certs
mountPath: /etc/ssl/certs mountPath: /etc/ssl/certs
readOnly: true readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/heapster:v1.2.0 - image: gcr.io/google_containers/heapster:v1.2.0
name: eventer name: eventer
command: command:
@ -64,6 +67,9 @@ spec:
- name: ssl-certs - name: ssl-certs
mountPath: /etc/ssl/certs mountPath: /etc/ssl/certs
readOnly: true readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/addon-resizer:1.6 - image: gcr.io/google_containers/addon-resizer:1.6
name: heapster-nanny name: heapster-nanny
resources: resources:
@ -126,3 +132,6 @@ spec:
- name: ssl-certs - name: ssl-certs
hostPath: hostPath:
path: "/etc/ssl/certs" path: "/etc/ssl/certs"
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"

11
cluster/saltbase/salt/cluster-autoscaler/cluster-autoscaler.manifest
View File

@ -45,6 +45,11 @@
"readOnly": true, "readOnly": true,
"mountPath": "/etc/ssl/certs" "mountPath": "/etc/ssl/certs"
}, },
{
"name": "usrsharecacerts",
"readOnly": true,
"mountPath": "/usr/share/ca-certificates"
},
{ {
"name": "logfile", "name": "logfile",
"mountPath": "/var/log/cluster-autoscaler.log", "mountPath": "/var/log/cluster-autoscaler.log",
@ -63,6 +68,12 @@
"path": "/etc/ssl/certs" "path": "/etc/ssl/certs"
} }
}, },
{
"name": "usrsharecacerts",
"hostPath": {
"path": "/usr/share/ca-certificates"
}
},
{ {
"name": "logfile", "name": "logfile",
"hostPath": { "hostPath": {

7
cluster/saltbase/salt/kube-apiserver/kube-apiserver.manifest
View File

@ -236,6 +236,9 @@
{ "name": "etcssl", { "name": "etcssl",
"mountPath": "/etc/ssl", "mountPath": "/etc/ssl",
"readOnly": true}, "readOnly": true},
{ "name": "usrsharecacerts",
"mountPath": "/usr/share/ca-certificates",
"readOnly": true},
{ "name": "varssl", { "name": "varssl",
"mountPath": "/var/ssl", "mountPath": "/var/ssl",
"readOnly": true}, "readOnly": true},
@ -270,6 +273,10 @@
"hostPath": { "hostPath": {
"path": "/etc/ssl"} "path": "/etc/ssl"}
}, },
{ "name": "usrsharecacerts",
"hostPath": {
"path": "/usr/share/ca-certificates"}
},
{ "name": "varssl", { "name": "varssl",
"hostPath": { "hostPath": {
"path": "/var/ssl"} "path": "/var/ssl"}

7
cluster/saltbase/salt/kube-controller-manager/kube-controller-manager.manifest
View File

@ -134,6 +134,9 @@
{ "name": "etcssl", { "name": "etcssl",
"mountPath": "/etc/ssl", "mountPath": "/etc/ssl",
"readOnly": true}, "readOnly": true},
{ "name": "usrsharecacerts",
"mountPath": "/usr/share/ca-certificates",
"readOnly": true},
{ "name": "varssl", { "name": "varssl",
"mountPath": "/var/ssl", "mountPath": "/var/ssl",
"readOnly": true}, "readOnly": true},
@ -161,6 +164,10 @@
"hostPath": { "hostPath": {
"path": "/etc/ssl"} "path": "/etc/ssl"}
}, },
{ "name": "usrsharecacerts",
"hostPath": {
"path": "/usr/share/ca-certificates"}
},
{ "name": "varssl", { "name": "varssl",
"hostPath": { "hostPath": {
"path": "/var/ssl"} "path": "/var/ssl"}

10
cluster/saltbase/salt/kube-proxy/kube-proxy.manifest
View File

@ -57,7 +57,10 @@ spec:
privileged: true privileged: true
volumeMounts: volumeMounts:
- mountPath: /etc/ssl/certs - mountPath: /etc/ssl/certs
name: ssl-certs-host name: etc-ssl-certs
readOnly: true
- mountPath: /usr/share/ca-certificates
name: usr-ca-certs
readOnly: true readOnly: true
- mountPath: /var/log - mountPath: /var/log
name: varlog name: varlog
@ -68,7 +71,10 @@ spec:
volumes: volumes:
- hostPath: - hostPath:
path: /usr/share/ca-certificates path: /usr/share/ca-certificates
name: ssl-certs-host name: usr-ca-certs
- hostPath:
path: /etc/ssl/certs
name: etc-ssl-certs
- hostPath: - hostPath:
path: /var/lib/kube-proxy/kubeconfig path: /var/lib/kube-proxy/kubeconfig
name: kubeconfig name: kubeconfig