Kubeadm: Kubeadm deploy kube-proxy's --kubeconfig file is wrong

/assign @timothysc

Note that you can use the _MasterConfiguration_ file's "api.controlPlaneEndpoint" field to point all the _kube-proxy_ configurations to the _same_ API server, but that doesn't accomplish what you want: Components sitting on each master machine talk to the local API server.

That configuration comes from the "kube-proxy" _ConfigMap_ in the "kube-system" namespace, and the last master machine to pass through _kubeadm alpha phase addon kube-proxy_ writes its own address to that _ConfigMap_. That's why the current "Creating HA clusters with kubeadm" document advises editing that _ConfigMap_ manually in the "Configure workers" section. (I don't know why it's mentioned in that section, so late in the process.)

Note that as you bring each master up one by one, it's possible that the _kube-proxy_ process starting on each will observe a different value from that _ConfigMap_, and you wind up with a reasonable variation—until any of the processes fail and get replaced.

I'd like to see a cross-cutting pattern afforded by _kubeadm_ for HA clusters:

• Components on master machines talk to the local API server.
• Components on other non-master worker machines talk to a load balancer fronting the API servers.

That would require, though, that components like _kube-proxy_ that run on all the nodes would need different configuration on the masters. Loading the configuration from a local file rather than a _ConfigMap_ would make it easier to lay down that non-uniform arrangement (that is, there's a file at the same path on each machine, but with varying content).

Back on 18 May 2018, I asked this question in the "kubeadm" channel of the "Kuberetes" Slack team:

In the HA guide’s “Configure workers” section, it advises modifying the “kube-proxy” _ConfigMap_ consumed by _kube-proxy_.

However, looking at my _kube-proxy_ pods, while it looks like they mount this _ConfigMap_, they only reference the “config.conf” key, and not the “kubeconfig.conf” key.

Is this modification still necessary?

Looking again today, I see that the "config.conf" key has the following field:

clientConnection:
  # ...
  kubeconfig: /var/lib/kube-proxy/kubeconfig.conf

Hence, _kube-proxy_ is using that "kubeconfig.conf" key.

Here's how I wound up working around this problem.

First, I created two different KUBECONFIG files: one for the masters that refers to the API server via the _127.0.0.1_ IP address, and another for the workers that refers to the API server load balancer via its domain name.

Here's the masters' file:

apiVersion: v1
kind: Config
clusters:
- name: default
  cluster:
    server: https://127.0.0.1:6443
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
contexts:
- name: default
  context:
    cluster: default
    namespace: default
    user: default
current-context: default
users:
- name: default
  user:
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token

Here's the workers' file:

apiVersion: v1
kind: Config
clusters:
- name: default
  cluster:
    server: https://<FQDN of load balancer>
    certificate-authority: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt
contexts:
- name: default
  context:
    cluster: default
    namespace: default
    user: default
current-context: default
users:
- name: default
  user:
    tokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token

On each master and worker machine, I store this file at path _/etc/kubernetes/in-cluster.conf_.
Before running _kubeadm alpha phase addon all_, be sure to include the following stanza in the _MasterConfiguration_ file:

kubeProxy:
  config:
    clientConnection:
      kubeconfig: /var/lib/kube-proxy-kubeconfig.yaml

Run _kubeadm alpha phase addon all_, feeding it that _MasterConfiguration_ file, then patch _kube-proxy_'s _DaemonSet_ immediately afterward to mount this file at the path nominated in the "kube-proxy" _ConfigMap_'s "config.conf" entry.

# Coerce kube-proxy to read a KUBECONFIG file mounted from the host
# rather than the one mounted from the "kube-proxy" ConfigMap in the
# "kube-system" namespace, in order to allow the API server endpoint
# to vary between the load balancer for the workers and localhost for
# the masters (avoiding using the load balancer, which fails for
# hairpinned packets).
add_volumes_patch=$(cat <<EOF
spec:
  template:
    spec:
      containers:
      - name: kube-proxy
        volumeMounts:
        - name: kube-proxy-kubeconfig
          mountPath: /var/lib/kube-proxy-kubeconfig.yaml
      volumes:
      - name: kube-proxy-kubeconfig
        hostPath:
          path: /etc/kubernetes/in-cluster.conf
          type: File
EOF
)
sudo /opt/bin/kubectl \
     --namespace=kube-system \
     patch daemonset kube-proxy \
     --patch "${add_volumes_patch}"

With that patch, we force _kube-proxy_ to use the host-provided file, rather than the KUBECONFIG file stored in the "kube-proxy" _ConfigMap_.

@seh Thank you for your help. I think kube-proxy's kubeconfig can be configured by kubeadm in the best way.This hope can be improved in the future, and users can easily configure it.

fix in kubespray https://github.com/kubernetes-incubator/kubespray/pull/2872

@seh I followed your steps in v1beta1 kubeadm for kubernetes 1.14.1
It fails with the error
F0625 19:33:36.516452 1 server.go:463] failed complete: no kind "Config" is registered for version "v1" in scheme "k8s.io/kubernetes/pkg/proxy/apis/config/scheme/scheme.go:29"

Did you encounter this issue?

Found the issue. I was passing the kubeconfig instead of kube-proxy config to kube-proxy.
I will let it be here for anyone doing the same mistake.