
I have implemented a KMS Plugin gRPC server. However, my api-server is not able to connect to the Unix socket at path "/opt/mysocket.sock".

If I bind my socket to the "/etc/ssl/certs/" directory, "api-server" is able to access it and interact with my gRPC server over the Unix socket, and the plugin works as expected.

How can I pass my Unix socket to api-server without being restricted to only the "/etc/ssl/certs/" directory?

I want to use other standard directories like "/opt" or "/var", etc.

I have followed the guide below from Google to implement the KMS plugin: https://kubernetes.io/docs/tasks/administer-cluster/kms-provider/

  • What stops you from binding your socket to any other socket inside the apiserver pod, like /tmp/socket.sock for example? – Vasili Angapov May 10 '19 at 06:11
  • I can bind my server (plugin) at "/tmp/socket.sock", but api-server is not able to access it. It can access it only if I am binding it at "/etc/ssl/certs/". Do we need any additional configuration so that api-server can access other directories in my local filesystem? – Neeraj Kukreti May 10 '19 at 06:24
  • You can modify your apiserver pod configuration to mount any hostPath inside the apiserver pod. Have you tried that? – Vasili Angapov May 10 '19 at 06:26
  • No, I just followed the steps mentioned in the Google documentation for writing a KMS plugin. I am new to Kubernetes; can you help me with some online references on how to do that? – Neeraj Kukreti May 10 '19 at 06:33
  • But do you use GKE? It is not possible to modify apiserver settings in GKE. – Vasili Angapov May 10 '19 at 06:35
  • I am not using GKE. I have a Kubernetes setup on my bare-metal test servers. However, I expect my KMS plugin to work on any kind of Kubernetes setup (including GKE). – Neeraj Kukreti May 10 '19 at 06:48
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/193129/discussion-between-vasily-angapov-and-neeraj-kukreti). – Vasili Angapov May 10 '19 at 06:50

1 Answer

For the "api-server" pod to access any directory from the host system, we need to add a mount path in the "kube-apiserver.yaml" file.

Path to the YAML file: "/etc/kubernetes/manifests/kube-apiserver.yaml".

Add the mount point as shown below (keep correct indentation).

```yaml
# Inside the kube-apiserver container spec:
volumeMounts:
  - mountPath: /etc/my_dir
    name: my-kms
    readOnly: true
# ...
# ...
# At the pod spec level:
volumes:
  - hostPath:
      path: /etc/my_dir
      type: DirectoryOrCreate
    name: my-kms        # must match the volumeMount name above
```
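The rule this answer relies on, that the apiserver container can only reach host directories that are mounted into its static pod, can be checked mechanically before editing the manifest on a control-plane node. The following Python is an added example written for this page, not code from the question, the answer or Kubernetes: it takes the KMS `endpoint` from an EncryptionConfiguration (`unix:///...`) together with the apiserver manifest's `volumes` and `volumeMounts`, and reports the path the apiserver would actually open, or `None` when no hostPath covers the socket. The kubeadm default mounts and the manifest dicts are constructed, simplified stand-ins for what `yaml.safe_load()` returns for the real file.

```python
"""Check whether a KMS plugin's Unix socket on the host is visible inside the
kube-apiserver static pod, by applying the pod's hostPath volumes and
volumeMounts to the socket path.

Constructed example: not code from the question, the answer, or Kubernetes.
The dicts below stand in for what yaml.safe_load() returns for the relevant
parts of /etc/kubernetes/manifests/kube-apiserver.yaml; the default mounts are
a simplified version of what kubeadm generates.
"""
from pathlib import PurePosixPath

# Constructed, simplified kubeadm defaults. /etc/ssl/certs already being
# mounted here is why the socket in the question worked only from that directory.
KUBEADM_DEFAULT_VOLUMES = [
    {"name": "ca-certs", "hostPath": {"path": "/etc/ssl/certs", "type": "DirectoryOrCreate"}},
    {"name": "k8s-certs", "hostPath": {"path": "/etc/kubernetes/pki", "type": "DirectoryOrCreate"}},
]
KUBEADM_DEFAULT_MOUNTS = [
    {"name": "ca-certs", "mountPath": "/etc/ssl/certs", "readOnly": True},
    {"name": "k8s-certs", "mountPath": "/etc/kubernetes/pki", "readOnly": True},
]

# The mount from the answer above, as the same kind of dicts.
ANSWER_VOLUME = {"name": "my-kms", "hostPath": {"path": "/etc/my_dir", "type": "DirectoryOrCreate"}}
ANSWER_MOUNT = {"name": "my-kms", "mountPath": "/etc/my_dir", "readOnly": True}


def apiserver_manifest(extra_volumes=(), extra_mounts=()):
    """Build the fragment of a static pod manifest that the check reads."""
    return {
        "spec": {
            "containers": [
                {"name": "kube-apiserver",
                 "volumeMounts": KUBEADM_DEFAULT_MOUNTS + list(extra_mounts)}
            ],
            "volumes": KUBEADM_DEFAULT_VOLUMES + list(extra_volumes),
        }
    }


def endpoint_to_host_path(endpoint):
    """Convert a KMS provider endpoint such as 'unix:///opt/mysocket.sock'
    (the form used in EncryptionConfiguration) into a plain filesystem path."""
    prefix = "unix://"
    if not endpoint.startswith(prefix) or not endpoint[len(prefix):].startswith("/"):
        raise ValueError(f"expected unix:///absolute/path, got {endpoint!r}")
    return endpoint[len(prefix):]


def container_path_for(host_path, volumes, volume_mounts):
    """Map a host path to the path the apiserver container sees, or None.

    None means no hostPath volume covers host_path: the plugin may be listening
    on the host, but connect() from inside the pod cannot reach the socket.
    Matching is done on whole path components, so a hostPath of /opt does not
    cover /option/x.sock, and the longest matching hostPath wins (nested mounts).
    """
    host = PurePosixPath(host_path)
    host_roots = {v["name"]: PurePosixPath(v["hostPath"]["path"])
                  for v in volumes if "hostPath" in v}
    best = None
    for mount in volume_mounts:
        root = host_roots.get(mount["name"])
        if root is None:
            continue  # secret/configMap/emptyDir volume: not a host directory
        try:
            rel = host.relative_to(root)
        except ValueError:
            continue  # host_path is not under this hostPath
        if best is None or len(root.parts) > len(best[0].parts):
            best = (root, PurePosixPath(mount["mountPath"]) / rel)
    return None if best is None else str(best[1])


def socket_visible_to_apiserver(manifest, endpoint):
    """Return the in-pod path the apiserver would open for `endpoint`, or None."""
    host_socket = endpoint_to_host_path(endpoint)
    container = next(c for c in manifest["spec"]["containers"]
                     if c["name"] == "kube-apiserver")
    return container_path_for(host_socket, manifest["spec"]["volumes"],
                              container.get("volumeMounts", []))


if __name__ == "__main__":
    cases = [
        ([], [], "unix:///opt/mysocket.sock"),            # the question's failure
        ([], [], "unix:///etc/ssl/certs/mysocket.sock"),  # works: kubeadm mounts it
        ([ANSWER_VOLUME], [ANSWER_MOUNT], "unix:///etc/my_dir/mysocket.sock"),
    ]
    for volumes, mounts, endpoint in cases:
        seen = socket_visible_to_apiserver(apiserver_manifest(volumes, mounts), endpoint)
        print(f"{endpoint:42} -> {seen or 'NOT reachable from the apiserver pod'}")
```

Keeping `mountPath` equal to the hostPath `path`, as the answer does, means the `endpoint` in the EncryptionConfiguration is the same string on the host and inside the pod; if they differ, the endpoint must name the in-pod path, because it is the apiserver that performs the connect. `readOnly: true` is sufficient since the apiserver only connects to a socket the plugin creates on the host. The kubelet restarts the apiserver as soon as the static pod manifest changes, so an indentation error in that file takes the control plane down until it is corrected.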