Merge pull request #67836 from sttts/sttts-non-fatal-missing-external…

…-apiserver-authn-configmap Automatic merge from submit-queue (batch tested with PRs 67764, 68034, 67836). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. apiserver: make not-found external-apiserver-authn configmap non-fatal As client-ca and requestheader-client-ca is optional in the external-apiserver-authentication config file and components like kube-controller-manager and kube-scheduler won't need that anyway, we better make it non-fatal if the configmap is not found in the cluster. Consumer counter-part PR to kubernetes/kubernetes#67694. ```release-note Don't let aggregated apiservers fail to launch if the external-apiserver-authentication configmap is not found in the cluster. ``` Kubernetes-commit: 55859a60fe09c412e183c92ad265cf0d52fbe3d8
sttts · Sep 5, 2018 · 0c94442 · 0c94442
2 parents 2d7c57c + 993c6f7
commit 0c94442
Showing 1 changed file with 25 additions and 13 deletions.
diff --git a/pkg/server/options/authentication.go b/pkg/server/options/authentication.go
@@ -26,6 +26,7 @@ import (
 	"github.com/spf13/pflag"
 
 	"k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apiserver/pkg/authentication/authenticatorfactory"
 	"k8s.io/apiserver/pkg/server"
@@ -238,34 +239,45 @@ func (s *DelegatingAuthenticationOptions) lookupMissingConfigInCluster(client ku
 	}
 
 	authConfigMap, err := client.CoreV1().ConfigMaps(authenticationConfigMapNamespace).Get(authenticationConfigMapName, metav1.GetOptions{})
-	if err != nil {
+	switch {
+	case errors.IsNotFound(err):
+		// ignore, authConfigMap is nil now
+	case errors.IsForbidden(err):
 		glog.Warningf("Unable to get configmap/%s in %s.  Usually fixed by "+
 			"'kubectl create rolebinding -n %s ROLE_NAME --role=%s --serviceaccount=YOUR_NS:YOUR_SA'",
 			authenticationConfigMapName, authenticationConfigMapNamespace, authenticationConfigMapNamespace, authenticationRoleName)
 		return err
+	case err != nil:
+		return err
 	}
 
 	if len(s.ClientCert.ClientCA) == 0 {
-		opt, err := inClusterClientCA(authConfigMap)
-		if err != nil {
-			return err
+		if authConfigMap != nil {
+			opt, err := inClusterClientCA(authConfigMap)
+			if err != nil {
+				return err
+			}
+			if opt != nil {
+				s.ClientCert = *opt
+			}
 		}
-		if opt == nil {
+		if len(s.ClientCert.ClientCA) == 0 {
 			glog.Warningf("Cluster doesn't provide client-ca-file in configmap/%s in %s, so client certificate authentication to extension api-server won't work.", authenticationConfigMapName, authenticationConfigMapNamespace)
-		} else {
-			s.ClientCert = *opt
 		}
 	}
 
 	if len(s.RequestHeader.ClientCAFile) == 0 {
-		opt, err := inClusterRequestHeader(authConfigMap)
-		if err != nil {
-			return err
+		if authConfigMap != nil {
+			opt, err := inClusterRequestHeader(authConfigMap)
+			if err != nil {
+				return err
+			}
+			if opt != nil {
+				s.RequestHeader = *opt
+			}
 		}
-		if opt == nil {
+		if len(s.RequestHeader.ClientCAFile) == 0 {
 			glog.Warningf("Cluster doesn't provide requestheader-client-ca-file in configmap/%s in %s, so request-header client certificate authentication to extension api-server won't work.", authenticationConfigMapName, authenticationConfigMapNamespace)
-		} else {
-			s.RequestHeader = *opt
 		}
 	}