From 31c72e9a247cead664ea12e992ac07d54e40dbb4 Mon Sep 17 00:00:00 2001 From: Grant Rodgers Date: Tue, 27 Mar 2018 09:27:13 -0700 Subject: [PATCH] Enable certificate controller on Minikube (#506) The certificate controller is required to configure the istio sidecar injector webhook, but Minikube doesn't give it the paths to the CA certs by default, so it can't start. These paths are local to the VM, not the host machine, so they are the same for all users. --- creating-a-kubernetes-cluster.md | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/creating-a-kubernetes-cluster.md b/creating-a-kubernetes-cluster.md index 5eb736a57..83b0a6a84 100644 --- a/creating-a-kubernetes-cluster.md +++ b/creating-a-kubernetes-cluster.md @@ -81,11 +81,18 @@ To use a k8s cluster running in GKE: default](https://github.com/kubernetes/minikube/pull/2547),the MutatingAdmissionWebhook plugin must be manually enabled._ + _Until minikube [makes this the + default](https://github.com/kubernetes/minikube/issues/1647), the + certificate controller must be told where to find the cluster CA certs on + the VM._ + ```shell minikube start \ --kubernetes-version=v1.9.0 \ --vm-driver=kvm2 \ - --extra-config=apiserver.Admission.PluginNames=DenyEscalatingExec,LimitRanger,NamespaceExists,NamespaceLifecycle,ResourceQuota,ServiceAccount,DefaultStorageClass,SecurityContextDeny,MutatingAdmissionWebhook + --extra-config=apiserver.Admission.PluginNames=DenyEscalatingExec,LimitRanger,NamespaceExists,NamespaceLifecycle,ResourceQuota,ServiceAccount,DefaultStorageClass,SecurityContextDeny,MutatingAdmissionWebhook \ + --extra-config=controller-manager.ClusterSigningCertFile="/var/lib/localkube/certs/ca.crt" \ + --extra-config=controller-manager.ClusterSigningKeyFile="/var/lib/localkube/certs/ca.key" ``` ### Minikube with GCR
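Review bot: The added note above the `minikube start` block says the certificate controller must be told where to find "the cluster CA certs", but the second new flag, `controller-manager.ClusterSigningKeyFile`, points at the CA private key (`ca.key`), not a certificate. Suggest rewording the note to say that both the CA certificate and its signing key are passed to the controller manager, so readers understand that these flags enable certificate signing with the cluster CA. The doc text also gives no reason for the flags: the commit message explains that the Istio sidecar injector webhook needs the certificate controller, and one sentence to that effect belongs in the note itself. Finally, both paths are hard-coded under `/var/lib/localkube/certs/`; it would help to state in the note that they depend on that directory layout inside the VM, so a reader whose VM lays out its certs differently knows which two values to adjust.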