10

Looking at documentation for installing Knative requires a Kubernetes cluster v1.11 or newer with the MutatingAdmissionWebhook admission controller enabled. So checking the documentation for this I see the following command: 

kube-apiserver -h | grep enable-admission-plugins

However, kube-apiserver is running inside a docker container on master. Logging in as admin to master, I am not seeing this on the command line after install. What steps do I need to take to to run this command? Its probably a basic docker question but I dont see this documented anywhere in Kubernetes documentation.

So what I really need to know is if this command line is the best way to set these plugins and also how exactly to enter the container to execute the command line.

Where is kube-apiserver located

Should I enter the container? What is name of container and how do I enter it to execute the command?

Jan Hudec
  • 73,652
  • 13
  • 125
  • 172
Steven Smart
  • 495
  • 3
  • 7
  • 22
  • How did you install the kubernetes cluster? There is a config file for the apiserver where the options are specified, but how it is provided depends on how the cluster was built. – Jan Hudec Jun 11 '19 at 11:11
  • Well our admin followed the steps outlined here:https://www.net7.be/blog/article/kubernetes_bare_metal_deployment.html – Steven Smart Jun 11 '19 at 11:14
  • Ok, so you installed it with kubeadm. Then [this part of kubeadm documentation](https://kubernetes.io/docs/setup/independent/control-plane-flags/) seems to be most relevant. It is probably easiest if your admin re-builds the cluster with the appropriate flags. – Jan Hudec Jun 11 '19 at 11:16
  • 1
    I am trying to understand if using command line kube-apiserver is the correct way to set admissions or check controller settings? Would the rebuilding the cluster with the flags set be preferable to running kube-apiserver commands? At the moment, I just needed to check the status MutatingAdmissionWebhook admission controller enabled. And the documentation showed me the command line option to check this. Is there another way or better way to do this? How could I run kube-apiserver on the command line if I wanted to do that? – Steven Smart Jun 11 '19 at 11:37
  • 1
    So one answer was To configure kube-apiserver command line arguments you need to modify /etc/kubernetes/manifests/kube-apiserver.yaml on your master." I dont really understand this answer. How does modifying the kube-apiserver.yaml allow me to run kube-apiserver on a command line in or outside a container? – Steven Smart Jun 11 '19 at 11:49
  • You don't actually want to run `kube-apiserver` on command-line. You only want to modify it's command-line to enable the requested modules. – Jan Hudec Jun 11 '19 at 17:23
  • Possible duplicate of [How to obtain the enabled admission controller list in kubernetes?](https://stackoverflow.com/questions/51489955/how-to-obtain-the-enabled-admission-controller-list-in-kubernetes) – user3527765 Jul 22 '19 at 09:25

2 Answers2

8

I think that answer from @embik that you've pointed out in the initial question is quite decent, but I'll try to shed light on some aspects that can be useful for you.

As @embik mentioned in his answer, kube-apiserver binary actually resides on particular container within K8s api-server Pod, therefore you can free to check it, just execute /bin/sh on that Pod:

kubectl exec -it $(kubectl get pods -n kube-system| grep kube-apiserver|awk '{print $1}') -n kube-system -- /bin/sh

You might be able to propagate the desired enable-admission-plugins through kube-apiserver command inside this Pod, however any modification will disappear once api-server Pod re-spawns, i.e. master node reboot, etc.

The essential api-server config located in /etc/kubernetes/manifests/kube-apiserver.yaml. Node agent kubelet controls kube-apiserver runtime Pod, and each time when health checks are not successful kubelet sents a request to K8s Scheduler in order to re-create this affected Pod from primary kube-apiserver.yaml file.

Nick_Kh
  • 5,089
  • 2
  • 10
  • 16
  • Hi, a related question: what if I want to change the kube-scheduler configuration? If I modify the /etc/kubernetes/manifests/kube-scheduler.yaml, will the kube-scheduler restart with the new configuration automatically? – kz28 Sep 17 '19 at 02:48
  • Is it possible that kube-apiserver pod isn't present in the cluster? Where else could it be located? – MaroonedMind Sep 09 '21 at 21:12
7

This is old, still if its in the benefit of a needy. The a @Nick_Kh's answer is good enough, just want to extend it.

In case the api-server pod fails to give you the shell access, you may directly execute the command using kubectl exec like this:

kubectl exec -it kube-apiserver-rhino -n  kube-system -- kube-apiserver -h | grep enable-admission-plugins

In this case, I wanted to know what are the default admission plugins enabled and every time I tried accessing pod's shell (bash, sh, etc.), ended up with error like this:

[root@rhino]# kubectl exec -it kube-apiserver-rhino -n  kube-system -- /bin/sh
OCI runtime exec failed: exec failed: container_linux.go:367: starting container process caused: exec: "/bin/sh": stat /bin/sh: no such file or directory: unknown
command terminated with exit code 126
Kapil
  • 836
  • 2
  • 8
  • 20