getDefaultToken from token file is not right
When I do not set K8S_CERT and K8S_TOKEN in the config contiv.json, netplugin reads the default token from the token file /var/run/secrets/kubernetes.io/serviceaccount/token. But there is an additional \n at the end of the token, which causes the HTTP header check to fail. In fact, there is no auth control for the K8s apiserver, but netplugin always needs a token. As a workaround, I have to set a fake token like "K8S_TOKEN=paaword".
Error event from the pod
21s 21s 1 {default-scheduler } Normal Scheduled Successfully assigned nginx to 10.10.10.2
20s 2s 10 {kubelet 10.10.10.2} Warning MissingClusterDNS kubelet does not have ClusterDNS IP configured and cannot create Pod using "ClusterFirst" policy. Falling back to DNSDefault policy.
19s 1s 10 {kubelet 10.10.10.2} Warning FailedSync Error syncing pod, skipping: failed to "SetupNetwork" for "nginx_test" with SetupNetworkError: "Failed to setup network for pod \"nginx_test(fe0c577c-fe59-11e6-9a20-fa163e54e088)\" using network plugins \"cni\": Contiv:Error getting labels; Err: Get https://10.10.10.3:6443/api/v1/namespaces/test/pods/nginx: net/http: invalid header field value \"Bearer eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLWI5cXJzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwM2IwZDNmMi1mY2M0LTExZTYtYmNiZC1mYTE2M2U1NGUwODgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.CXnqGnoqNMlwNEF_6_AnR6sBxwv1dinAMayLZG7TNNGFEzaMrgRWzk0Yo7SF9l-9GwDIxDjPC-yt2nc3GGC84PDFndC2QFyKtvpu7sC7POns06z2YnSZ_2_NRA8JO7uWjzdSvpD7Dx5H6ltGqxDfuSayc4KrgQJZuE9b70yNPd0-vz4sD3fEwiK2tfL4cGJtDbJmulaHO5MWV6xXTwvRQA2HbFOVblSBesM4RBvDBy_ap0zmD1jNpYT83juKTQVfDv01kmoQ_EsGaZ5DFIkv0dI8RISlPJQkqpNdte9Lm9dyiKcsdJvdL__mmPdAd2NMxvbFNuUYR_kSjokKxn-HSg\\n\" for key Authorization; Skipping pod"
Content of default token file
# cat /var/run/secrets/kubernetes.io/serviceaccount/token
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJrdWJlcm5ldGVzL3NlcnZpY2VhY2NvdW50Iiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9uYW1lc3BhY2UiOiJrdWJlLXN5c3RlbSIsImt1YmVybmV0ZXMuaW8vc2VydmljZWFjY291bnQvc2VjcmV0Lm5hbWUiOiJkZWZhdWx0LXRva2VuLWI5cXJzIiwia3ViZXJuZXRlcy5pby9zZXJ2aWNlYWNjb3VudC9zZXJ2aWNlLWFjY291bnQubmFtZSI6ImRlZmF1bHQiLCJrdWJlcm5ldGVzLmlvL3NlcnZpY2VhY2NvdW50L3NlcnZpY2UtYWNjb3VudC51aWQiOiIwM2IwZDNmMi1mY2M0LTExZTYtYmNiZC1mYTE2M2U1NGUwODgiLCJzdWIiOiJzeXN0ZW06c2VydmljZWFjY291bnQ6a3ViZS1zeXN0ZW06ZGVmYXVsdCJ9.CXnqGnoqNMlwNEF_6_AnR6sBxwv1dinAMayLZG7TNNGFEzaMrgRWzk0Yo7SF9l-9GwDIxDjPC-yt2nc3GGC84PDFndC2QFyKtvpu7sC7POns06z2YnSZ_2_NRA8JO7uWjzdSvpD7Dx5H6ltGqxDfuSayc4KrgQJZuE9b70yNPd0-vz4sD3fEwiK2tfL4cGJtDbJmulaHO5MWV6xXTwvRQA2HbFOVblSBesM4RBvDBy_ap0zmD1jNpYT83juKTQVfDv01kmoQ_EsGaZ5DFIkv0dI8RISlPJQkqpNdte9Lm9dyiKcsdJvdL__mmPdAd2NMxvbFNuUYR_kSjokKxn-HSg
#
Infos
- state driver: etcd
- netplugin version: Version: 1.0.0-beta.3
- driver: ovs
- operating system & version: Centos 7.1
Is there any way to run netplugin without a token? If not, do we need to support this case?
@jojimt Is this really a bug?
We do need either token or cert for authentication, unless you want to run api-server in insecure mode. Is that what you're asking about? @neelimamukiri could you look at the newline character @supereagle is referring to?
Yes. I want to run api-server in insecure mode, but it seems that netplugin cannot support it.
I have verified that there really is a newline in my token file when I create it with vim. Is there any need to trim the newline from the content read from the token file?
I have 2 questions about this issue:
- Do we need to filter the newline character when reading from the token file?
- Do we need to support an insecure K8s apiserver?
@jojimt Any comments?
I also want to run api-server in insecure mode. Does netplugin support it?
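The trailing-newline question raised in this thread, shown as an added example that is not part of the thread or of netplugin's code: a Go sketch that trims the token file content and rejects control characters before building the Authorization value. `bearerFromFile` and `validHeaderValue` are hypothetical names, the sample token is constructed, and the control-character check only approximates the validation net/http applies to outgoing headers.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// validHeaderValue reports whether s has no control bytes other than tab,
// approximating the check net/http applies to outgoing header values.
func validHeaderValue(s string) bool {
	for i := 0; i < len(s); i++ {
		if c := s[i]; (c < 0x20 && c != '\t') || c == 0x7f {
			return false
		}
	}
	return true
}

// bearerFromFile (hypothetical helper, not netplugin's getDefaultToken) reads
// a token file, strips surrounding whitespace such as an editor's newline.
func bearerFromFile(path string) (string, error) {
	raw, err := os.ReadFile(path)
	if err != nil {
		return "", fmt.Errorf("read token file: %w", err)
	}
	token := strings.TrimSpace(string(raw))
	if token == "" {
		return "", errors.New("token file is empty")
	}
	if !validHeaderValue(token) {
		return "", errors.New("token contains control characters")
	}
	return "Bearer " + token, nil
}

func main() {
	// Constructed sample: a placeholder token saved with a trailing newline.
	path := filepath.Join(os.TempDir(), "sample-token")
	if err := os.WriteFile(path, []byte("aaa.bbb.ccc\n"), 0o600); err != nil {
		panic(err)
	}
	defer os.Remove(path)
	fmt.Println("raw value valid:", validHeaderValue("Bearer aaa.bbb.ccc\n"))
	hdr, err := bearerFromFile(path)
	fmt.Printf("header=%q err=%v\n", hdr, err)
}
```

An empty file and a token with an embedded newline both return an error instead of a header value, so a damaged token file fails at load time rather than at the first API request.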