Kubernetes 1.10.5 is unusable, auth is not working

[kalbasit]

Issue description

Kubernetes, as installed from nixos-unstable, is not usable, kube-dns is in a crash loop and I can't see logs or exec into any container. Helm does not work either because it fails to forward the port.

I have no KUBECONFIG environment variable, nor do I have a ~/.kube/config.

Steps to reproduce

in /etc/nixos/configuration.nix

  services.kubernetes = {
    # I have a SWAP device enabled. The following flag disables the error
    # emitted by kubelet when a swap device is found.
    # After all, this is a laptop machine and the cluster is for dev-only.
    kubelet.extraOpts = "--fail-swap-on=false";
    roles = [ "master" "node" ];
  };

and sudo -i nixos-rebuild test

$ kubectl get nodes
NAME      STATUS    ROLES     AGE       VERSION
cratos    Ready     <none>    7m        v1.10.5

$ kubectl get pods --all-namespaces
NAMESPACE     NAME                        READY     STATUS             RESTARTS   AGE
kube-system   kube-dns-5746ddc44f-kvsrb   1/3       CrashLoopBackOff   9          7m

$ kubectl logs kube-dns-5746ddc44f-kvsrb -n kube-system -c kubedns
error: You must be logged in to the server (the server has asked for the client to provide credentials ( pods/log kube-dns-5746ddc44f-kvsrb))

$ nix-shell -p kubernetes-helm --run 'helm init'
$HELM_HOME has been configured at /home/kalbasit/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.

Error: forwarding ports: error upgrading connection: unable to upgrade connection: Unauthorized.

What I tried

I have tried to add the admin user to system:masters by the following setting:

  services.kubernetes = {
    # I have a SWAP device enabled. The following flag disables the error
    # emitted by kubelet when a swap device is found.
    # After all, this is a laptop machine and the cluster is for dev-only.
    kubelet.extraOpts = "--fail-swap-on=false";
    roles = [ "master" "node" ];

    apiserver.basicAuthFile = pkgs.writeText "users" ''
      kubernetes,admin,0,"system:masters"
    '';
  };

and add the following contents to ~/.kube/config

apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://127.0.0.1
  name: local
contexts:
- context:
    cluster: local
    user: local
  name: local
current-context: local
kind: Config
preferences: {}
users:
- name: local
  user:
    password: kubernetes
    username: admin

But I'm still getting the same error:

$ kube logs kube-dns-5746ddc44f-kvsrb -n kube-system -c dnsmasq
error: You must be logged in to the server (the server has asked for the client to provide credentials ( pods/log kube-dns-5746ddc44f-kvsrb))

Technical details

Please run nix-shell -p nix-info --run "nix-info -m" and paste the
results.

• system: "x86_64-linux"
• host os: Linux 4.17.4, NixOS, 18.09pre145679.dae9cf6106d (Jellyfish)
• multi-user?: yes
• sandbox: no
• version: nix-env (Nix) 2.0.4
• channels(root): "nixos-18.09pre145679.dae9cf6106d"
• channels(kalbasit): "nixos-18.09pre145524.2a8a5533d18"
• nixpkgs: /nix/var/nix/profiles/per-user/root/channels/nixos

relates to:

• kubernetes default "admin" user isn't authorized to do anything useful #40560
• Kubernetes kubectl's "logs" and "exec" commands do not work #40731

cc @srhb
cc @johanot

[johanot]

@kalbasit The issue is that there is no default service-account signing key and certificate set on the vanilla cluster. In order for kubedns to work, you currently need to add a serviceAccountKeyFile and a caFile as minimum to the kube-apiserver and kube-controller-manager.

PKI is a difficult subject and I have mixed feelings about adding dummy certificates and keys to the module, because... On one hand it would be nice to have the cluster running with minimal config like the one you posted above, one the other hand I would not want anyone actually using dummy certs in real life.

Another option is to add cfssl as dependency and auto-generate all certs needed for the cluster.

But.. Since we are probably soon upgrading to v1.11, we also need to consider some of the in-cluster bootstrapping mechanisms. And I believe we are soon up for a bigger rewrite of the module in that case anyway. What do you say @srhb and @steveej ?

[srhb]

Agreed, we should not add dummy certificates at all.

An option to autogenerate certificates at startup would be fine, guarded by some bootstrap file and plenty of documentation for the option.

I think the services.kubernetes.roles quick setup is more cute than really reliable in most cases, but it's great for dev setupts, so keeping something similar to insulate beginners from the whole mess of k8s options is still a good idea after a rewrite.

I also think the current philosophy of mostly exposing the component options directly through nix (ie a 1-1 correspondence between option names and flags/kubecfgs) coupled with an easy-mode wrapper is really excellent, so I think we should still prioritize that if possible. It could definitely do with some cleanup though.

[srhb]

Oh and the dependency on eg. cfssl would be entirely optional, guarded by mkIf cfg.easyCertSetup...

[kalbasit]

I agree with generating certs via cfssl guarded by a flag.

FYI, most k8s installers out there, including kops generate SSL certs on install. These certs are not expected to be signed by an official CA, so the self-signed certs just work well. So it might not be as bad as you think, to generate certs for the cluster anyway.

[johanot]

I am well aware how kops, kubeadm etc. do things. But I still think that it is important to have the discussion. There are too many insecure clusters out there do to a certain level of cargo culting. :) But I also agree that a flag like easyCertSetup is nice to have by default for dev purposes.

I will work on some kind of k8s/cfssl symbiosis during the upcoming week. Most likely stealing from the kubernetes nixos-test setup, which already utilizes cfssl for tls-bootstrapping..

We are gonna have a lot of module changes anyway related to the k8s v1.11 upgrade.

And we are probably going to have this discussion again as Kubernetes internal TLS-bootstrapping matures. :)

[kalbasit]

@johanot is there a discussion happening about updating k8s to v1.11? Is it planned before 18.09? What about the TLS bootstrapping we've talked about?

[johanot]

@kalbasit Yes, I'm working on it as we speak.. #44127 (review) .. The cfssl module is part of that. And I also created an issue for the v1.11 upgrade itself. Strong plans of getting there before 18.09 yes. We will get there :)

[kalbasit]

@johanot awesome! Thank you for your time!