From ade228f5c96dfc7059ea274a5fd04ce34aa8119c Mon Sep 17 00:00:00 2001
From: Lingxian Kong
Date: Tue, 30 Mar 2021 19:04:38 +1300
Subject: [PATCH] [K8S] Enable --use-service-account-credentials
Enable the config --use-service-account-credentials=true. This is necessary to support Pod Security Policy[1]. See https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/ for the option description, and more information here[2].
[1]: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#troubleshooting
[2]: https://docs.datadoghq.com/security_monitoring/default_rules/cis-kubernetes-1.5.1-1.3.3/
Change-Id: I053808fac72a63af7ebf6f33d94659134b6cbdac
(cherry picked from commit e9b48896703dabd3aac78c48f6c0c9d5489a534e)
---
 .../kubernetes/fragments/configure-kubernetes-master.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
index 46ee58e614..acd4ce634a 100644
--- a/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/configure-kubernetes-master.sh
@@ -402,7 +402,7 @@ chmod 600 ${ADMIN_KUBECONFIG}
 export KUBECONFIG=${ADMIN_KUBECONFIG}
 # Add controller manager args
-KUBE_CONTROLLER_MANAGER_ARGS="--leader-elect=true --kubeconfig=/etc/kubernetes/admin.conf"
+KUBE_CONTROLLER_MANAGER_ARGS="--leader-elect=true --kubeconfig=/etc/kubernetes/admin.conf --use-service-account-credentials=true"
 KUBE_CONTROLLER_MANAGER_ARGS="$KUBE_CONTROLLER_MANAGER_ARGS --cluster-name=${CLUSTER_UUID}"
 KUBE_CONTROLLER_MANAGER_ARGS="${KUBE_CONTROLLER_MANAGER_ARGS} --allocate-node-cidrs=true"
 KUBE_CONTROLLER_MANAGER_ARGS="${KUBE_CONTROLLER_MANAGER_ARGS} --cluster-cidr=${PODS_NETWORK_CIDR}"
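Review bot: On the changed `KUBE_CONTROLLER_MANAGER_ARGS=` line, `--use-service-account-credentials=true` sits next to `--kubeconfig=/etc/kubernetes/admin.conf`, so the controller manager's base credential is still the admin kubeconfig and only the individual controllers move to their own service accounts. The flag also relies on RBAC authorization being enabled and on the controller manager having a service-account signing key (`--service-account-private-key-file`); neither is visible in this hunk, so both should be confirmed elsewhere in the script, since without them the controllers may fail to obtain their credentials at startup. I would record the reason above the line, e.g. `# Per-controller service accounts (CIS 1.3.3); requires RBAC and the SA signing key.`, and append the flag on its own line to match the assignments below: `KUBE_CONTROLLER_MANAGER_ARGS="${KUBE_CONTROLLER_MANAGER_ARGS} --use-service-account-credentials=true"`. The argument list continues to be built outside the hunk.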