Stop using kube-apiserver insecure-port

The tiller container in the armada bootstrap pod relies on the insecure port that kube-apiserver once listened on by default. The kube-apiserver ability to serve on an insecure port, deprecated since v1.10, has been removed in v1.20. [0] This change updates the armada bootstrap pod to use the secure port instead. 0: https://github.com/kubernetes/kubernetes/pull/95856 Change-Id: I6a37fa4e7f97c7aaa3cd0f61b56214483a7dc217
2021-03-31 02:48:37 +00:00 · 2021-03-31 02:48:37 +00:00 · fd9f3d6cec
parent ef66d10a25
commit fd9f3d6cec
1 changed files with 8 additions and 1 deletions
--- a/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
+++ b/promenade/templates/roles/genesis/etc/kubernetes/manifests/bootstrap-armada.yaml
@ -21,6 +21,8 @@ spec:
    - env:
      - name: TILLER_NAMESPACE
        value: kube-system
+      - name: KUBECONFIG
+        value: /etc/kubernetes/admin/config
      image: {{ config['Genesis:images.helm.tiller'] }}
      command:
        - /tiller
@ -61,8 +63,13 @@ spec:
        successThreshold: 1
        timeoutSeconds: 1
      resources: {}
+      securityContext:
+        runAsUser: 0
      terminationMessagePath: /dev/termination-log
      terminationMessagePolicy: File
+      volumeMounts:
+        - name: auth
+          mountPath: /etc/kubernetes/admin
    - name: armada
      image: {{ config['Genesis:images.armada'] }}
      securityContext:
@ -149,7 +156,7 @@ spec:
        {%- endfor %}
 {% include "genesis-apiserver.yaml" with context %}
        - --etcd-servers=https://localhost:12379
-        - --insecure-port=8080
+        - --insecure-port=0
        - --secure-port=6444
        - --endpoint-reconciler-type=none
      env: