Remove /etc/ssl/certs in the controller manager pod

For system such as Fedora Atomic, the CA bundle files which are contained in /etc/ssl/certs are symbolic links to /etc/pki. When configuring the controller manager to use an SSL endpoint, it will raise an error as it is unable to authenticate the SSL endpoint. This patch removes the host mount at /etc/ssl/certs. The Hyperkube images already ship a collection of CAs which are likely good for all needs. Closes-Bug: #1708452 Change-Id: Ife2b60d1968482a8c3ab9b44abbe401c6230881c
2017-07-28 12:08:31 -04:00 · 2017-07-28 12:08:31 -04:00 · ae15aa6c28
parent 4fb91cc109
commit ae15aa6c28
1 changed files with 0 additions and 12 deletions
--- a/magnum/drivers/common/templates/kubernetes/fragments/enable-kube-controller-manager-scheduler.sh
+++ b/magnum/drivers/common/templates/kubernetes/fragments/enable-kube-controller-manager-scheduler.sh
@ -59,16 +59,10 @@ $(generate_pod_args "    - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
      initialDelaySeconds: ${SYSTEM_PODS_INITIAL_DELAY}
      timeoutSeconds: ${SYSTEM_PODS_TIMEOUT}
    volumeMounts:
-    - mountPath: /etc/ssl/certs
-      name: ssl-certs-host
-      readOnly: true
    - mountPath: /etc/kubernetes
      name: kubernetes-config
      readOnly: true
  volumes:
-  - hostPath:
-      path: /etc/ssl/certs
-    name: ssl-certs-host
  - hostPath:
      path: /etc/kubernetes
    name: kubernetes-config
@ -105,16 +99,10 @@ $(generate_pod_args "    - " $KUBE_LOGTOSTDERR $KUBE_LOG_LEVEL $KUBE_MASTER $KUB
      initialDelaySeconds: ${SYSTEM_PODS_INITIAL_DELAY}
      timeoutSeconds: ${SYSTEM_PODS_TIMEOUT}
    volumeMounts:
-    - mountPath: /etc/ssl/certs
-      name: ssl-certs-host
-      readOnly: true
    - mountPath: /etc/kubernetes
      name: kubernetes-config
      readOnly: true
  volumes:
-  - hostPath:
-      path: /etc/ssl/certs
-    name: ssl-certs-host
  - hostPath:
      path: /etc/kubernetes
    name: kubernetes-config