From ddb5ad107ffb8831db58d61c098311ec7591f7a0 Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Thu, 1 Sep 2022 20:47:22 +0200 Subject: [PATCH 1/2] Warn that enabling irsa can be disruptive --- docs/cluster_spec.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md index 0fe0d87717..954f84bc48 100644 --- a/docs/cluster_spec.md +++ b/docs/cluster_spec.md @@ -1506,6 +1506,8 @@ spec: {{ kops_feature_table(kops_added_default='1.21') }} +**Warning**: Enabling the following configuration on an existing cluster can be disruptive due to the control plane provisioning tokens with different issuers. The symptom is that Pods are unable to authenticate to the Kubernetes API. To resolve this, delete Service Account token secrets that exists in the cluster and kill all pods unable to authenticate. + kOps can publish the Kubernetes service account token issuer and configure AWS to trust it to authenticate Kubernetes service accounts: From 82c2cdc07c1833fefb2466c66be3cd9fd323418b Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Thu, 1 Sep 2022 20:47:31 +0200 Subject: [PATCH 2/2] Fix etcd administration link --- docs/operations/etcd_backup_restore_encryption.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/operations/etcd_backup_restore_encryption.md b/docs/operations/etcd_backup_restore_encryption.md index 87c82e6abc..3a7ca6827d 100644 --- a/docs/operations/etcd_backup_restore_encryption.md +++ b/docs/operations/etcd_backup_restore_encryption.md @@ -76,7 +76,7 @@ kubectl get endpoints/kubernetes -o yaml If you see more address than masters, you will need to remove it manually inside the etcd cluster. -See [etcd administation](etcd-administration.md) how to obtain access to the etcd cluster. +See [etcd administation](/operations/etcd_administration) how to obtain access to the etcd cluster. Once you have a working etcd client, run the following: ```