@lucianozablocki
Created January 29, 2021 14:00
Add default storage class to run the SPIRE Quickstart for Kubernetes on Kubeadm

SPIRE Quickstart for Kubernetes on Kubeadm

If you run the Quickstart for Kubernetes tutorial on a Kubeadm cluster, you must manually create a default storage class and an associated provisioner. To do this, follow the steps in the linked tutorial and, after running the command in Create Server Bundle Configmap, Role & ClusterRoleBinding, apply the following files.

kind: StorageClass
apiVersion: storage.k8s.io/v1
metadata:
  namespace: kube-system
  name: standard
  annotations:
    storageclass.kubernetes.io/is-default-class: "true"
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists

provisioner: k8s.io/minikube-hostpath
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: storage-provisioner
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile

---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: storage-provisioner
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: system:persistent-volume-provisioner
subjects:
  - kind: ServiceAccount
    name: storage-provisioner
    namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: system:persistent-volume-provisioner
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
rules:
- apiGroups:
  - ""
  resources:
  - endpoints
  verbs:
  - watch
  - create
- apiGroups:
  - ""
  resourceNames:
  - k8s.io-minikube-hostpath
  resources:
  - endpoints
  verbs:
  - get
  - update
  - create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: system:persistent-volume-provisioner
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: EnsureExists
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: system:persistent-volume-provisioner
subjects:
  - kind: ServiceAccount
    name: storage-provisioner
    namespace: kube-system
---
apiVersion: v1
kind: Endpoints
metadata:
  name: k8s.io-minikube-hostpath
  namespace: kube-system
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
---
apiVersion: v1
kind: Pod
metadata:
  name: storage-provisioner
  namespace: kube-system
  labels:
    integration-test: storage-provisioner
    addonmanager.kubernetes.io/mode: Reconcile
spec:
  serviceAccountName: storage-provisioner
  hostNetwork: true
  containers:
  - name: storage-provisioner
    image: gcr.io/k8s-minikube/storage-provisioner:v3
    command: ["/storage-provisioner"]
    imagePullPolicy: IfNotPresent
    volumeMounts:
    - mountPath: /tmp
      name: tmp
  volumes:
  - name: tmp
    hostPath:
      path: /tmp
      type: Directory

After this, continue with the steps in Create Server Configmap.

If these resources are not applied before the spire-server statefulset is created, the pod will stay in Pending status, showing the error "1 pod has unbound immediate PersistentVolumeClaims".
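A pre-flight check for the Pending failure described above, as an added example that is not part of the original gist or the SPIRE project: it inspects data in the shape returned by `kubectl get storageclass -o json` and `kubectl get pvc -A -o json` and reports why a claim cannot bind. The function names, the sample objects, and the `spire` namespace and `spire-data-spire-server-0` claim name are assumptions made for illustration.

```python
# Added example: inputs mirror `kubectl get storageclass -o json` and
# `kubectl get pvc -A -o json`; all sample objects below are constructed.
DEFAULT_ANNOTATIONS = (
    "storageclass.kubernetes.io/is-default-class",
    "storageclass.beta.kubernetes.io/is-default-class",  # legacy annotation
)

def default_classes(sc_list):
    """Names of StorageClasses annotated as the cluster default."""
    found = []
    for sc in sc_list.get("items", []):
        ann = sc["metadata"].get("annotations") or {}
        if any(ann.get(key) == "true" for key in DEFAULT_ANNOTATIONS):
            found.append(sc["metadata"]["name"])
    return found

def diagnose_pending(pvc_list, sc_list):
    """Map namespace/name of each Pending PVC to the likely cause."""
    known = {sc["metadata"]["name"] for sc in sc_list.get("items", [])}
    defaults = default_classes(sc_list)
    findings = {}
    for pvc in pvc_list.get("items", []):
        if pvc.get("status", {}).get("phase") != "Pending":
            continue
        meta = pvc["metadata"]
        wanted = pvc["spec"].get("storageClassName")
        if wanted is None and not defaults:
            reason = "no storageClassName and no default StorageClass"
        elif wanted == "":
            reason = "storageClassName is empty: dynamic provisioning disabled"
        elif wanted is not None and wanted not in known:
            reason = f"StorageClass {wanted} does not exist"
        else:
            reason = "StorageClass available: check the provisioner pod"
        findings[f"{meta['namespace']}/{meta['name']}"] = reason
    return findings

# Constructed state before and after applying the StorageClass from this page.
SC_BEFORE = {"items": []}
SC_AFTER = {"items": [{"metadata": {"name": "standard", "annotations": {
    "storageclass.kubernetes.io/is-default-class": "true"}}}]}
# Constructed PVC; namespace and claim name are assumptions.
PVCS = {"items": [{"metadata": {"namespace": "spire",
                                "name": "spire-data-spire-server-0"},
                   "spec": {"accessModes": ["ReadWriteOnce"]},
                   "status": {"phase": "Pending"}}]}

if __name__ == "__main__":
    for label, scs in (("before", SC_BEFORE), ("after", SC_AFTER)):
        print(label, default_classes(scs), diagnose_pending(PVCS, scs))
```

To run it against a live cluster, load the two `kubectl ... -o json` outputs with `json.load` and pass them in place of the constructed dictionaries.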