Service account token not being mounted in pod
I've created a service account for helm; the account works with kubectl, but the service account token is not being mounted in tiller's pod. Here's the Deployment's definition:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "1"
  creationTimestamp: 2019-04-29T08:56:59Z
  generation: 1
  labels:
    app: helm
    name: tiller
  name: tiller-deploy
  namespace: kube-system
  resourceVersion: "560527"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/tiller-deploy
  uid: bf5f4010-6a5c-11e9-b714-52540012345d
spec:
  replicas: 1
  selector:
    matchLabels:
      app: helm
      name: tiller
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app: helm
        name: tiller
    spec:
      automountServiceAccountToken: true
      containers:
      - env:
        - name: TILLER_NAMESPACE
          value: kube-system
        - name: TILLER_HISTORY_MAX
          value: "0"
        image: kubernetes-helm/tiller:v2.13.1
        imagePullPolicy: IfNotPresent
        livenessProbe:
          failureThreshold: 3
          httpGet:
            path: /liveness
            port: 44135
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        name: tiller
        ports:
        - containerPort: 44134
          hostPort: 44134
          name: tiller
          protocol: TCP
        - containerPort: 44135
          hostPort: 44135
          name: http
          protocol: TCP
        readinessProbe:
          failureThreshold: 3
          httpGet:
            path: /readiness
            port: 44135
            scheme: HTTP
          initialDelaySeconds: 1
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1
        resources:
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
      dnsPolicy: ClusterFirst
      hostNetwork: true
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext:
      serviceAccount: tiller
      serviceAccountName: tiller
      terminationGracePeriodSeconds: 30
Here's the service account definition:
apiVersion: v1
kind: ServiceAccount
metadata:
  name: tiller
  namespace: kube-system
automountServiceAccountToken: true
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: tiller
subjects:
- kind: ServiceAccount
  name: tiller
  namespace: kube-system
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
Kubernetes version is 1.8.2, installed on bare metal. Installation method is manual.
Control plane commands:
kube-apiserver --token-auth-file /etc/kubernetes/useraccount --authorization-mode RBAC,ABAC,AlwaysDeny --authorization-policy-file /etc/kubernetes/abac.json --secure-port 5587 --bind-address 1.1.1.1 --insecure-port 0 --service-cluster-ip-range 172.16.0.0/12 --etcd-servers http://1.1.1.1:2379,http://1.1.1.2:2379,http://1.1.1.3:2379 --tls-cert-file apisrv.crt --tls-private-key-file apisrv.key --cert-dir=kubernetes --advertise-address 1.1.1.1 --service-node-port-range 1024-65535 --service-account-key-file sa.crt
kube-controller-manager --kubeconfig kubeconf_admin.yaml --cluster-cidr 192.168.0.0/16 --service-account-private-key-file sa.key --root-ca-file sa.crt --leader-elect true
edited Apr 29 at 22:11 by Eduardo Baitello
asked Apr 29 at 11:25 by user2061812

Is there a particular reason you are using Kubernetes 1.8.2? – aurelius, Apr 29 at 15:54
Just didn't upgrade. – user2061812, Apr 30 at 3:56
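
A configuration check for the control-plane commands posted in the question, added here as an example and not part of the original post. It assumes the Kubernetes 1.8 behavior, where admission plugins are opt-in through `--admission-control` (`--enable-admission-plugins` in later releases); the function names `parse_flags` and `diagnose` are hypothetical.

```python
import shlex

# Control-plane command lines exactly as posted in the question.
APISERVER_CMD = (
    "kube-apiserver --token-auth-file /etc/kubernetes/useraccount "
    "--authorization-mode RBAC,ABAC,AlwaysDeny "
    "--authorization-policy-file /etc/kubernetes/abac.json --secure-port 5587 "
    "--bind-address 1.1.1.1 --insecure-port 0 "
    "--service-cluster-ip-range 172.16.0.0/12 "
    "--etcd-servers http://1.1.1.1:2379,http://1.1.1.2:2379,http://1.1.1.3:2379 "
    "--tls-cert-file apisrv.crt --tls-private-key-file apisrv.key "
    "--cert-dir=kubernetes --advertise-address 1.1.1.1 "
    "--service-node-port-range 1024-65535 --service-account-key-file sa.crt"
)
CONTROLLER_MANAGER_CMD = (
    "kube-controller-manager --kubeconfig kubeconf_admin.yaml "
    "--cluster-cidr 192.168.0.0/16 --service-account-private-key-file sa.key "
    "--root-ca-file sa.crt --leader-elect true"
)


def parse_flags(cmdline):
    """Map flag name -> value for both '--flag value' and '--flag=value'."""
    tokens = shlex.split(cmdline)[1:]  # drop the binary name
    flags, i = {}, 0
    while i < len(tokens):
        if tokens[i].startswith("-"):
            name, sep, value = tokens[i].lstrip("-").partition("=")
            if not sep:  # value is the next token, or the flag is a bare boolean
                nxt = tokens[i + 1] if i + 1 < len(tokens) else "--"
                value = "true" if nxt.startswith("-") else nxt
                i += 0 if nxt.startswith("-") else 1
            flags[name] = value
        i += 1
    return flags


def diagnose(apiserver_cmd, controller_manager_cmd):
    """Return findings that can explain a missing service account token mount."""
    api = parse_flags(apiserver_cmd)
    cm = parse_flags(controller_manager_cmd)
    findings = []
    # Assumption: pre-1.10 API server, where admission plugins are opt-in.
    plugins = api.get("admission-control", api.get("enable-admission-plugins", ""))
    if "ServiceAccount" not in plugins.split(","):
        findings.append("kube-apiserver: ServiceAccount admission plugin is not "
                        "enabled, so no token volume is added to pods")
    if "service-account-key-file" not in api:
        findings.append("kube-apiserver: --service-account-key-file is not set; "
                        "verification falls back to --tls-private-key-file")
    if "service-account-private-key-file" not in cm:
        findings.append("kube-controller-manager: --service-account-private-key-file "
                        "is not set, so no token Secrets are created")
    if "root-ca-file" not in cm:
        findings.append("kube-controller-manager: --root-ca-file is not set, so "
                        "token Secrets carry no ca.crt")
    return findings


if __name__ == "__main__":
    for finding in diagnose(APISERVER_CMD, CONTROLLER_MANAGER_CMD):
        print(finding)
```
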