This repository has been archived by the owner on Jan 4, 2022. It is now read-only.

kubeadm join: fix TLS on Kubernetes >=1.9
kubeadm got a new option in version 1.8:
--discovery-token-unsafe-skip-ca-verification
See: kubernetes/kubernetes#49520

Since version 1.9, it became mandatory to either use it to skip
verification, or to use --discovery-token-ca-cert-hash=...
See: kubernetes/kubernetes#55468

Since kube-spawn is a developer tool used on one physical machine, use
the former.
alban committed Nov 26, 2017
1 parent 43e34d4 commit 0edaa40
Showing 1 changed file with 14 additions and 2 deletions.
16 changes: 14 additions & 2 deletions pkg/nspawntool/kubeadm.go
Expand Up @@ -7,6 +7,7 @@ import (
"github.com/kinvolk/kube-spawn/pkg/bootstrap"
"github.com/kinvolk/kube-spawn/pkg/config"
"github.com/kinvolk/kube-spawn/pkg/machinetool"
"github.com/kinvolk/kube-spawn/pkg/utils"
"github.com/kinvolk/kube-spawn/pkg/utils/fs"
"github.com/pkg/errors"
)
Expand Down Expand Up @@ -88,7 +89,18 @@ func JoinNode(cfg *config.ClusterConfiguration, mNo int) error {
}
joinCmd = append(joinCmd, []string{
"/usr/bin/kubeadm", "join", "--skip-preflight-checks",
"--token", cfg.Token,
cfg.Machines[0].IP + ":6443"}...)
"--token", cfg.Token}...)

// --discovery-token-unsafe-skip-ca-verification appeared in Kubernetes 1.8
// See: https://github.com/kubernetes/kubernetes/pull/49520
// It is mandatory since Kubernetes 1.9
// See: https://github.com/kubernetes/kubernetes/pull/55468
// Test is !<1.8 instead of >=1.8 in order to handle non-semver version 'latest'
if !utils.CheckVersionConstraint(cfg.KubernetesVersion, "<1.8") {
joinCmd = append(joinCmd, "--discovery-token-unsafe-skip-ca-verification")
}

joinCmd = append(joinCmd, cfg.Machines[0].IP+":6443")

return machinetool.Shell(shellOpts, cfg.Machines[mNo].Name, joinCmd...)
}
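
Review bot: The new branch that appends "--discovery-token-unsafe-skip-ca-verification" makes every join on 1.8 and later skip verification of the cluster CA during token discovery, and the code comment records only when the flag appeared and became mandatory, not why skipping is acceptable here. The rationale (kube-spawn is a developer tool used on one physical machine) exists only in the commit message; please move it into the comment beside the flag so the line is not reused in a multi-host setup without that context. The commit message names --discovery-token-ca-cert-hash as the alternative, and since the join already targets cfg.Machines[0], a follow-up could pass the hash of that master's CA instead of disabling the check. Separately, the test is written as !utils.CheckVersionConstraint(cfg.KubernetesVersion, "<1.8") so that the non-semver 'latest' gets the flag; as the comment implies, any other version string that fails to satisfy "<1.8", including a mistyped one, would also get it. Consider matching 'latest' explicitly and returning an error for other versions that do not parse.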
