Description
Use case is to support keystone-k8s-auth on canonical k8s deployed using Cluster API.
Trying to add the `--authentication-token-webhook-config-file` flag using CK8SControlPlane extraKubeAPIServerArgs [1].
However, after deployment, the existing kube-apiserver flag `--authentication-token-webhook-config-file="/var/snap/k8s/common/args/conf.d/auth-token-webhook.conf"` is overridden.
```yaml
spec:
  controlPlane:
    cloudProvider: external
    extraKubeAPIServerArgs:
      --authentication-token-webhook-config-file: /var/snap/k8s/common/args/conf.d/k8s-auth-token-webhook.conf
      --authorization-webhook-config-file: /var/snap/k8s/common/args/conf.d/k8s-auth-token-webhook.conf
      --authorization-mode: Node,RBAC,Webhook
```
Expectation is to have the same flag repeated twice (Native k8s supports having multiple entries for this flag).
This is a bit tricky because sometimes you expect flags to get overridden. For example, replacing `--authorization-mode=Node,RBAC` with `--authorization-mode=Node,RBAC,Webhook`.
Workaround is to use postRunCommands to add flag directly to kube-apiserver args file and restart the service:
```yaml
spec:
  controlPlane:
    cloudProvider: external
    extraKubeAPIServerArgs:
      --authentication-token-webhook-config-file: /var/snap/k8s/common/args/conf.d/k8s-auth-token-webhook.conf
      --authorization-webhook-config-file: /var/snap/k8s/common/args/conf.d/k8s-auth-token-webhook.conf
      --authorization-mode: Node,RBAC,Webhook
  postRunCommands:
    - echo "--authentication-token-webhook-config-file=/var/snap/k8s/common/args/conf.d/k8s-auth-token-webhook.conf" >> /var/snap/k8s/common/args/kube-apiserver
    - sudo snap restart k8s.kube-apiserver
```
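
An idempotent form of the append step in the workaround above, as an added example that is not part of the original issue or the project's code: it appends the line only when it is missing, so a re-run does not duplicate it, and counts the entries for the flag so the args file can be checked before the service is restarted. The function names and the temporary sample file are assumptions; the flag and paths are the ones quoted in the issue.

```shell
#!/bin/sh
# Added example; ensure_arg, count_flag and demo are hypothetical helper names.

# ensure_arg FILE LINE
# Append LINE to FILE unless an identical line is already there.
# Prints "added" or "present".
ensure_arg() {
    file=$1
    line=$2
    # -x whole-line match, -F fixed string, -e because LINE starts with "--"
    if grep -qxF -e "$line" "$file" 2>/dev/null; then
        echo present
    else
        printf '%s\n' "$line" >> "$file"
        echo added
    fi
}

# count_flag FILE FLAG
# Print how many lines of FILE start with "FLAG=".
count_flag() {
    awk -v f="$2=" 'index($0, f) == 1 { n++ } END { print n + 0 }' "$1"
}

# Runs against a constructed copy of the args file, not the real
# /var/snap/k8s/common/args/kube-apiserver.
demo() {
    f=$(mktemp)
    # Constructed sample: the pre-existing entry quoted in the issue.
    printf '%s\n' '--authentication-token-webhook-config-file="/var/snap/k8s/common/args/conf.d/auth-token-webhook.conf"' > "$f"
    new='--authentication-token-webhook-config-file=/var/snap/k8s/common/args/conf.d/k8s-auth-token-webhook.conf'
    ensure_arg "$f" "$new"   # first run appends
    ensure_arg "$f" "$new"   # second run leaves the file unchanged
    count_flag "$f" '--authentication-token-webhook-config-file'
    rm -f "$f"
}

demo
```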