Steps to reproduce the issue:
minikube start \
--extra-config=apiserver.service-account-signing-key-file=/etc/kubernetes/pki/sa.key \
--extra-config=apiserver.service-account-key-file=/etc/kubernetes/pki/sa.pub \
--extra-config=apiserver.service-account-issuer=api \
--extra-config=apiserver.service-account-api-audiences=api,vault,factors
Full output of failed command:
Full output of minikube start command used, if not already included:
minikube start \
> --extra-config=apiserver.service-account-signing-key-file=/etc/kubernetes/pki/sa.key
😄 minikube v1.9.2 on Darwin 10.14.5
✨ Automatically selected the hyperkit driver. Other choices: docker, virtualbox
👍 Starting control plane node m01 in cluster minikube
🔥 Creating hyperkit VM (CPUs=2, Memory=2200MB, Disk=20000MB) ...
🐳 Preparing Kubernetes v1.18.0 on Docker 19.03.8 ...
▪ apiserver.service-account-signing-key-file=/etc/kubernetes/pki/sa.key
Optional: Full output of minikube logs command:
Hello.
TokenRequest API is an alpha feature of Kubernetes.
If you want to enable the TokenRequest API, you must enable the feature gate when you run minikube start.
See: https://minikube.sigs.k8s.io/docs/handbook/config/#enabling-feature-gates
I think that enables the option as well once the extra configs are present. Well this used to work in previous minikube versions...
https://github.com/nats-io/nats-operator/blob/master/README.md#using-serviceaccounts
Did you already set the feature gate in the config?
Do you mind sharing the minikube config view output with us?
Even if you set the feature gate, if the feature is not enabled, it may be a bug.
OK, found out how to enable this (TokenReview API is in beta so actually no flag is needed). Credit to the spire folks who figured it out: https://github.com/spiffe/spire-examples/blob/f98e8ee3b6e528f3e0daa4eec309967a6e2998ff/examples/k8s/simple_psat/README.md#configuration
minikube start \
--extra-config=apiserver.service-account-signing-key-file=/var/lib/minikube/certs/sa.key \
--extra-config=apiserver.service-account-key-file=/var/lib/minikube/certs/sa.pub \
--extra-config=apiserver.service-account-issuer=api \
--extra-config=apiserver.service-account-api-audiences=api,spire-server,nats \
--extra-config=apiserver.authorization-mode=Node,RBAC \
--extra-config=kubelet.authentication-token-webhook=true
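One way to confirm the flags above took effect is to inspect the claims of a token mounted into a pod and compare them with the configured issuer and the audience the pod requested. This is an added example, not part of the original thread; the sample tokens and the `spire:spire-agent` service account name are constructed, and the check only reads claims (signature validation stays with the API server).

```python
import base64
import json

EXPECTED_ISSUER = "api"  # from apiserver.service-account-issuer=api


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token with a placeholder signature."""
    header = _b64url(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.c2ln"


def decode_claims(token: str) -> dict:
    """Return the JWT payload as a dict WITHOUT verifying the signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_token(token: str, want_audience: str, issuer: str = EXPECTED_ISSUER) -> list:
    """List mismatches between a token's claims and the API server flags."""
    claims = decode_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss is {claims.get('iss')!r}, expected {issuer!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud  # aud may be a string or a list
    if want_audience not in aud:
        problems.append(f"aud {aud} does not contain {want_audience!r}")
    if "exp" not in claims:  # legacy secret-based tokens carry no expiry
        problems.append("no exp claim: this looks like a legacy, unbound token")
    return problems


# Constructed samples: a projected token as the flags above should produce,
# and a legacy token as seen when projection is not active.
SUBJECT = "system:serviceaccount:spire:spire-agent"
PROJECTED = make_sample_token(
    {"iss": "api", "aud": ["spire-server"], "exp": 1700000000, "sub": SUBJECT})
LEGACY = make_sample_token({"iss": "kubernetes/serviceaccount", "sub": SUBJECT})

if __name__ == "__main__":
    for name, tok in (("projected", PROJECTED), ("legacy", LEGACY)):
        print(name, check_token(tok, "spire-server") or "ok")
```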