2

I want to use the kube-apiserver to enable/disable admission controllers (e.g. kube-apiserver --enable-admission-plugins=NamespaceLifecycle), but I cannot find it anywhere.

When I run the following, I don't see it anywhere:

# Running this:
kubectl get pods -n kube-system

# Shows only this:
# NAME                                       READY   STATUS      RESTARTS   AGE
# helm-install-traefik-fvs4z                 0/1     Completed   0          10d
# local-path-provisioner-5ff76fc89d-rrntw    1/1     Running     4          10d
# coredns-854c77959c-vz4s2                   1/1     Running     4          10d
# metrics-server-86cbb8457f-6kl5n            1/1     Running     4          10d
# svclb-traefik-cc7zx                        2/2     Running     8          10d
# calico-kube-controllers-5dc5c9f744-6bwdj   1/1     Running     4          10d
# calico-node-xcjz8                          1/1     Running     4          10d
# traefik-6f9cbd9bd4-b6nk7                   1/1     Running     4          10d

I thought it might be due to using Calico, but even creating a cluster without Calico still shows no kube-apiserver:

# Running this:
kubectl get pods -n kube-system

# Shows only this:
# NAME                                      READY   STATUS      RESTARTS   AGE
# local-path-provisioner-5ff76fc89d-d28gc   1/1     Running     0          2m31s
# coredns-854c77959c-lh78n                  1/1     Running     0          2m31s
# metrics-server-86cbb8457f-xlzl2           1/1     Running     0          2m31s
# helm-install-traefik-nhxp4                0/1     Completed   0          2m31s
# svclb-traefik-hqndx                       2/2     Running     0          2m21s
# traefik-6f9cbd9bd4-m42jg                  1/1     Running     0          2m21s

Where is the kube-apiserver? How do I enable and disable controllers in k3d?

Don Rhummy

1 Answer

0

It's not running via static pod, so it doesn't show up as a pod. With k3s you would usually install it as a systemd service unit. With k3d you can see it via docker ps.

coderanger
  • How would I call it? Do I `exec` into that docker container? And which one is it? I see two: `rancher/k3d-proxy:v4.4.1` and `rancher/k3s:v1.20.5-k3s1` – Don Rhummy May 03 '21 at 23:59
  • When I exec into both of those, e.g. `docker exec -it k3d-dev-server-0 /bin/sh` I get a terminal, but when I type `kube-apiserver` both containers say `/bin/sh: kube-apiserver: not found` – Don Rhummy May 04 '21 at 00:04
  • I don't understand your question, you don't call anything and I don't think they include a shell in the container as it's a single-purpose daemon. It's just a thing that is running. You configure it through its config file, though I'm not actually sure how much of admission plugins are configurable, you would have to check their docs. – coderanger May 04 '21 at 01:37
  • You can call the admission controller to enable/disable controllers/plugins. https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/ For example, `kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny`. How would I do that in k3d? – Don Rhummy May 04 '21 at 13:44
  • That's not a "call", it's not a stateful thing. You have to include that on the command line when it starts. Every time. – coderanger May 04 '21 at 18:40
  • So I can't disable them after it's already running? – Don Rhummy May 07 '21 at 22:51
  • Correct. You would have to change the CLI arguments in whatever config file they live in and restart kube-apiserver. – coderanger May 07 '21 at 22:56
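
Added example (not part of the original answer or comments, and not k3d or k3s project code): one way to pass the admission-plugin flag at cluster creation and then confirm what the embedded kube-apiserver was started with, by reading the "Running kube-apiserver" line that k3s logs at startup. The function names, the cluster name `dev` and the sample log line are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Cluster name "dev" matches the k3d-dev-server-0 container above.

# Flags are fixed at startup, so pass them when the cluster is created.
# k3d v4 syntax; k3d v5 uses: --k3s-arg '--kube-apiserver-arg=...@server:*'
# Assumption: a value set here replaces any k3s default for the same flag.
create_cluster() {
  k3d cluster create dev \
    --k3s-server-arg '--kube-apiserver-arg=disable-admission-plugins=PodNodeSelector,AlwaysDeny'
}

# Reads k3s server log text on stdin and prints the admission flags from the
# most recent "Running kube-apiserver" line as "<enable|disable> <list>".
admission_flags() {
  grep 'Running kube-apiserver' | tail -n 1 | tr -d '"' | tr ' ' '\n' |
    sed -n -E 's/^--(enable|disable)-admission-plugins=(.*)$/\1 \2/p'
}

# plugin_state <plugin>: prints enabled, disabled, or default (named in neither flag).
plugin_state() {
  flags=$(admission_flags)
  for kind in enable disable; do
    list=$(printf '%s\n' "$flags" | awk -v k="$kind" '$1 == k { print $2 }')
    case ",$list," in *",$1,"*) echo "${kind}d"; return 0 ;; esac
  done
  echo default
}

# Constructed sample of a k3s startup log line (not captured from a real cluster).
SAMPLE_LOG='time="2021-05-04T00:00:00Z" level=info msg="Running kube-apiserver --advertise-port=6443 --disable-admission-plugins=PodNodeSelector,AlwaysDeny --enable-admission-plugins=NodeRestriction --secure-port=6444"'

# Offline demo on the sample; on a live cluster use:
#   docker logs k3d-dev-server-0 2>&1 | plugin_state AlwaysDeny
printf '%s\n' "$SAMPLE_LOG" | plugin_state AlwaysDeny
```

A result of `default` means the plugin is named in neither flag, so the kube-apiserver's built-in default for that plugin applies.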