Ok, we accomplished this and now secrets are generated with new service 
accounts.

However, the token isn't placed in the container at 
'/var/run/secrets/kubernetes.io/serviceaccount/token'. In fact, there is 
nothing under /var/run/.

We've restarted all the services/nodes trying to get the changes to take 
hold, no luck.

Running env on the container shows that KUBERNETES_CA_FILE is set, but the 
file isn't there (token missing as well).

KUBERNETES_CA_CERTIFICATE_FILE=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt

The definition of the RC is here: es-master-rc.yaml 
<https://github.com/kubernetes/kubernetes/blob/master/examples/elasticsearch/production_cluster/es-master-rc.yaml>



On Thursday, December 22, 2016 at 6:39:46 AM UTC-6, Matthias Rampke wrote:
>
> Is the `--service-account-private-key-file` flag set (correctly) on 
> kube-controller-manager? It needs to match `--service-account-key-file` on 
> kube-apiserver if set, or `--tls-private-key-file` otherwise.
>
> /MR
>
> On Thu, Dec 22, 2016 at 12:05 PM Christopher Stelly <cste...@uno.edu> wrote:
>
>> Hi,  
>>
>> When I create a serviceaccount, no secret is created along with it. 
>> According to what I can find in the docs 
>> <http://kubernetes.io/docs/user-guide/service-accounts/>, it seems like 
>> it should be created automatically (although apparently it can be done 
>> manually 
>> <http://kubernetes.io/docs/user-guide/secrets/#creating-your-own-secrets> 
>> as well).
>>
>> I'm running CoreOS, k8s was set up with the BrightHouse setup script 
>> <http://www.brightcomputing.com/documentation> by the sysadmin here, 
>> defaulting to certificate based authentication and authorization. 
>>
>> Other info which may be useful: 
>>
>> - Trying to curl to the API server leads to an "Unauthorized" error, even 
>> when giving it the key in my home directory. 
>>
>> - Looks like certs aren't in the default directories as in official k8s 
>> documentation, do I need to specify kube.pem, kube.key on service creation? 
>> Which cert do I use, the user cert made for my unix user, or the user cert 
>> generated by the service sitting in the /etc/kubernetes directory? 
>> (Spoiler: /etc/kubernetes/kube.pem is root-only, can't get it, and my unix 
>> cert won't work)
>>
>> Thanks for your time, I'll hang around in the slack if I can provide any 
>> more info. 
>>
>>
>> -- 
>> You received this message because you are subscribed to the Google Groups 
>> "Kubernetes user discussion and Q&A" group.
>> To unsubscribe from this group and stop receiving emails from it, send an 
>> email to kubernetes-use...@googlegroups.com.
>> To post to this group, send email to kubernet...@googlegroups.com.
>> Visit this group at https://groups.google.com/group/kubernetes-users.
>> For more options, visit https://groups.google.com/d/optout.
>>
>

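The key-matching rule from the quoted reply, written as a check; this is an added example and not part of the thread. It assumes the two component command lines are supplied as strings (for instance copied from unit files), that paths contain no spaces, and that `openssl` is installed; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). The key kube-controller-manager signs
# service-account tokens with must be the key kube-apiserver verifies with.

# Print the value of --<flag>=value or "--<flag> value" found in a command line.
flag_value() {  # usage: flag_value <flag-name> "<command line>"
  local flag="$1" prev="" arg
  for arg in $2; do            # unquoted on purpose: split the line into words
    case "$arg" in
      --"$flag"=*) printf '%s\n' "${arg#*=}"; return 0 ;;
    esac
    [ "$prev" = "--$flag" ] && { printf '%s\n' "$arg"; return 0; }
    prev="$arg"
  done
  return 1
}

# Emit the PEM public key for a file holding either a private or a public key.
pubkey_of() {
  openssl pkey -in "$1" -pubout 2>/dev/null ||
    openssl pkey -pubin -in "$1" -pubout 2>/dev/null
}

# Exit status: 0 keys match, 1 keys differ, 2 flag missing or key unreadable.
check_sa_keys() {  # usage: check_sa_keys "<apiserver cmdline>" "<controller-manager cmdline>"
  local api="$1" cm="$2" sign verify sign_pub verify_pub
  sign=$(flag_value service-account-private-key-file "$cm") || {
    echo "controller-manager: --service-account-private-key-file is not set"
    return 2
  }
  # apiserver verifies with --service-account-key-file if set,
  # otherwise with --tls-private-key-file.
  verify=$(flag_value service-account-key-file "$api") ||
    verify=$(flag_value tls-private-key-file "$api") || {
      echo "apiserver: neither --service-account-key-file nor --tls-private-key-file is set"
      return 2
    }
  sign_pub=$(pubkey_of "$sign") || sign_pub=""
  verify_pub=$(pubkey_of "$verify") || verify_pub=""
  if [ -z "$sign_pub" ] || [ -z "$verify_pub" ]; then
    echo "cannot read key material from $sign or $verify"
    return 2
  fi
  if [ "$sign_pub" = "$verify_pub" ]; then
    echo "OK: $sign signs, $verify verifies, same key"
    return 0
  fi
  echo "MISMATCH: tokens signed with $sign will not verify against $verify"
  return 1
}
```

Run it as root on the master, since the key files are usually root-only.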