Merge pull request #38333 from euank/more-ssl-mounts

Automatic merge from submit-queue (batch tested with PRs 37325, 38313, 38141, 38321, 38333)

cluster: bindmount more cert paths

**What this PR does / why we need it**:

/etc/ssl/certs is currently mounted through in a number of places.
However, on Gentoo and CoreOS (and probably others), the files in
/etc/ssl/certs are just symlinks to files in /usr/share/ca-certificates.

For these components to work correctly, the targets of the symlinks need
to be available as well.

This is especially important for kube-controller-manager, where this
issue was noticed.



**Special notes for your reviewer**:

This change was originally part of #33965, but was split out for ease of
review.

**Release note**:

```release-note
NONE
```
Kubernetes Submit Queue
2016-12-07 17:14:21 -08:00
committed by GitHub
6 changed files with 51 additions and 2 deletions


@@ -53,6 +53,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/heapster:v1.2.0
name: eventer
command:
@@ -63,6 +66,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/addon-resizer:1.6
name: heapster-nanny
resources:
@@ -125,3 +131,6 @@ spec:
- name: ssl-certs
hostPath:
path: "/etc/ssl/certs"
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"
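Review bot: The new `usr-ca-certs` hostPath volume at the end of this file, and the two `volumeMounts` entries that use it, have no comment saying why a second certificate directory is mounted, so the reason lives only in the commit message. I would add above the volume `# /etc/ssl/certs holds symlinks into /usr/share/ca-certificates on some distros (e.g. Gentoo, CoreOS); mount the targets too`. The same applies to the next file section, which has the same three hunks, and to the last YAML section; the JSON manifests cannot carry comments. On a node image that does not ship /usr/share/ca-certificates the container would presumably see an empty directory at that path, which is harmless but worth knowing when debugging TLS trust failures.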


@@ -54,6 +54,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/heapster:v1.2.0
name: eventer
command:
@@ -64,6 +67,9 @@ spec:
- name: ssl-certs
mountPath: /etc/ssl/certs
readOnly: true
- name: usr-ca-certs
mountPath: /usr/share/ca-certificates
readOnly: true
- image: gcr.io/google_containers/addon-resizer:1.6
name: heapster-nanny
resources:
@@ -126,3 +132,6 @@ spec:
- name: ssl-certs
hostPath:
path: "/etc/ssl/certs"
- name: usr-ca-certs
hostPath:
path: "/usr/share/ca-certificates"


@@ -45,6 +45,11 @@
"readOnly": true,
"mountPath": "/etc/ssl/certs"
},
{
"name": "usrsharecacerts",
"readOnly": true,
"mountPath": "/usr/share/ca-certificates"
},
{
"name": "logfile",
"mountPath": "/var/log/cluster-autoscaler.log",
@@ -63,6 +68,12 @@
"path": "/etc/ssl/certs"
}
},
{
"name": "usrsharecacerts",
"hostPath": {
"path": "/usr/share/ca-certificates"
}
},
{
"name": "logfile",
"hostPath": {


@@ -236,6 +236,9 @@
{ "name": "etcssl",
"mountPath": "/etc/ssl",
"readOnly": true},
{ "name": "usrsharecacerts",
"mountPath": "/usr/share/ca-certificates",
"readOnly": true},
{ "name": "varssl",
"mountPath": "/var/ssl",
"readOnly": true},
@@ -270,6 +273,10 @@
"hostPath": {
"path": "/etc/ssl"}
},
{ "name": "usrsharecacerts",
"hostPath": {
"path": "/usr/share/ca-certificates"}
},
{ "name": "varssl",
"hostPath": {
"path": "/var/ssl"}


@@ -134,6 +134,9 @@
{ "name": "etcssl",
"mountPath": "/etc/ssl",
"readOnly": true},
{ "name": "usrsharecacerts",
"mountPath": "/usr/share/ca-certificates",
"readOnly": true},
{ "name": "varssl",
"mountPath": "/var/ssl",
"readOnly": true},
@@ -161,6 +164,10 @@
"hostPath": {
"path": "/etc/ssl"}
},
{ "name": "usrsharecacerts",
"hostPath": {
"path": "/usr/share/ca-certificates"}
},
{ "name": "varssl",
"hostPath": {
"path": "/var/ssl"}


@@ -57,7 +57,10 @@ spec:
privileged: true
volumeMounts:
- mountPath: /etc/ssl/certs
name: ssl-certs-host
name: etc-ssl-certs
readOnly: true
- mountPath: /usr/share/ca-certificates
name: usr-ca-certs
readOnly: true
- mountPath: /var/log
name: varlog
@@ -68,7 +71,10 @@ spec:
volumes:
- hostPath:
path: /usr/share/ca-certificates
name: ssl-certs-host
name: usr-ca-certs
- hostPath:
path: /etc/ssl/certs
name: etc-ssl-certs
- hostPath:
path: /var/lib/kube-proxy/kubeconfig
name: kubeconfig
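Review bot: The volumes hunk changes what this container sees at /etc/ssl/certs, which the commit description does not mention. Judging by the renamed entries, the old `ssl-certs-host` volume mapped host /usr/share/ca-certificates onto the container's /etc/ssl/certs, whereas the new `etc-ssl-certs` volume maps host /etc/ssl/certs there. On a node whose /etc/ssl/certs is empty or laid out differently, the container's CA trust store changes, so this is worth stating in the description and checking on each supported node image. The container is `privileged: true`, so `readOnly: true` on these mounts guards against accidental writes rather than acting as an isolation boundary. Both hunks sit inside a pod spec whose remainder is outside the view.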