If you want to provide extra flags to the kube-apiserver that runs inside minikube, how do you do it? You can use minikube’s --extra-config flag with apiserver.<apiserver flag>=<value>; e.g. if you want to enable the RBAC authorization mode, you do it as follows:
--extra-config=apiserver.authorization-mode=RBAC
This is a no-brainer for flags whose value can be given right away, like the one above. But what if you want to provide a value that is a file path? You will have to make that file available to the apiserver, and the apiserver runs as a static pod inside minikube. How do you make the file available to that process, inside a pod, inside minikube?
The solution is a little tricky and not very straightforward. The apiserver pod mounts minikube’s /var/lib/minikube/certs/ directory in the pod at location /var/lib/minikube/certs/. Make the file available at this location, and when enabling the flag for the apiserver, provide the file's path in this directory.
To make this step easier I have filed an issue in minikube upstream kubernetes/minikube/3559.
Follow this tutorial to see how to do this. In this tutorial I want to make the EncryptionConfiguration file available to the apiserver to enable encryption of secret data at rest. This is the first step of the task from the Kubernetes docs as mentioned here.
Start minikube normally
To make the needed file available inside the machine, first start minikube normally by running the following command:
minikube start \
--vm-driver kvm2 \
--kubernetes-version v1.13.2 \
--cpus 3 --memory 3000 \
--extra-config=apiserver.authorization-mode=RBAC \
--v 10
You can make the required changes to the above command, like changing the --vm-driver, --cpus or --memory, as per your needs.
Make file available inside minikube
Run the following command to get into the machine:
minikube ssh
Once inside the machine, become root by running sudo -i. Then create the config file that will be passed to the apiserver. For my needs I wanted to create an EncryptionConfiguration.
Run the following command to create the config file:
echo "
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key1
          secret: fPLrjJNkbuLmh2aqOsCR5sZV+/Wqhi8CdMrgceaKR3E=
    - identity: {}
" | tee /var/lib/minikube/certs/encryptionconfig.yaml
Note the location of the file: it is in /var/lib/minikube/certs. In the above command you can change the contents to whatever config you want to make available to the apiserver.
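A variant of the step above that generates a fresh random key instead of reusing the one printed on this page, and creates the file readable by its owner only. This is an added example, not part of the original post; the function names write_encryption_config and key_len are its own, and it assumes the apiserver pod reads the mounted file as root.

```shell
#!/bin/sh
# Added example: write an EncryptionConfiguration with a fresh random key.
# Function names are hypothetical helpers defined only for this example.

# Print the decoded byte length of the first "secret:" value in a config file.
key_len() {
    sed -n 's/^ *secret: *//p' "$1" | head -n 1 | base64 -d | wc -c | tr -d ' '
}

# Write the config to $1 with a new 32-byte key, readable by the owner only.
write_encryption_config() {
    out=$1
    key=$(head -c 32 /dev/urandom | base64)
    (
        umask 077                  # a newly created file gets mode 0600
        cat > "$out" <<EOF
kind: EncryptionConfiguration
apiVersion: apiserver.config.k8s.io/v1
resources:
  - resources:
    - secrets
    providers:
    - aescbc:
        keys:
        - name: key1
          secret: ${key}
    - identity: {}
EOF
    )
    chmod 600 "$out"               # also tighten a file that already existed
    # Sanity check: the stored key must decode back to the 32 bytes generated.
    [ "$(key_len "$out")" -eq 32 ] || { echo "bad key length in $out" >&2; return 1; }
}

# Inside the minikube VM, as root:
#   write_encryption_config /var/lib/minikube/certs/encryptionconfig.yaml
```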
Restart minikube
Exit the minikube VM to get back to your host machine, and run the following:
minikube stop
minikube start \
--vm-driver kvm2 \
--kubernetes-version v1.13.2 \
--cpus 3 --memory 3000 \
--extra-config=apiserver.authorization-mode=RBAC \
--extra-config=apiserver.encryption-provider-config=/var/lib/minikube/certs/encryptionconfig.yaml \
--v 10
Again, change the apiserver flag and file name if needed, according to your needs. Now you should have the apiserver started without problems.