From ddb5ad107ffb8831db58d61c098311ec7591f7a0 Mon Sep 17 00:00:00 2001 From: Ole Markus With Date: Thu, 1 Sep 2022 20:47:22 +0200 Subject: [PATCH] Warn that enabling irsa can be disruptive --- docs/cluster_spec.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/docs/cluster_spec.md b/docs/cluster_spec.md index 0fe0d87717..954f84bc48 100644 --- a/docs/cluster_spec.md +++ b/docs/cluster_spec.md @@ -1506,6 +1506,8 @@ spec: {{ kops_feature_table(kops_added_default='1.21') }} +**Warning**: Enabling the following configuration on an existing cluster can be disruptive due to the control plane provisioning tokens with different issuers. The symptom is that Pods are unable to authenticate to the Kubernetes API. To resolve this, delete Service Account token secrets that exists in the cluster and kill all pods unable to authenticate. + kOps can publish the Kubernetes service account token issuer and configure AWS to trust it to authenticate Kubernetes service accounts:
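Review bot: In the added warning paragraph of docs/cluster_spec.md, the remediation "delete Service Account token secrets that exists in the cluster and kill all pods unable to authenticate" is too loose to act on safely. It does not say whether every token secret or only those issued before the change must be deleted, how an operator identifies the pods that cannot authenticate, or in which order the two steps should run. Suggest stating the scope and order explicitly, and correcting "secrets that exists" to "secrets that exist". The warning also points at "the following configuration" without naming it, while the subject line calls it "irsa"; naming the setting inside the warning would keep it accurate if the paragraph that follows is later moved or reworded.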