fix: disable kubelet webhook auth in kubeadm init config

- Use explicit kubeadm config file with KubeletConfiguration - Disable webhook authentication which was causing 'no client provided' error - Add ConditionPathExists to kubelet systemd unit
2026-03-02 16:49:21 +00:00
parent 1b76e07326
commit fb21fbef4f
1 changed files with 39 additions and 8 deletions
--- a/nixos/kubeadm/modules/k8s-common.nix
+++ b/nixos/kubeadm/modules/k8s-common.nix
@@ -158,13 +158,37 @@ in
        exit 1
      fi

+      mkdir -p /tmp/kubeadm
+      cat > /tmp/kubeadm/init-config.yaml << 'KUBEADMCONFIG'
+      apiVersion: kubeadm.k8s.io/v1beta4
+      kind: InitConfiguration
+      nodeRegistration:
+        criSocket: unix:///run/containerd/containerd.sock
+      ---
+      apiVersion: kubeadm.k8s.io/v1beta4
+      kind: ClusterConfiguration
+      controlPlaneEndpoint: "KUBEADM_ENDPOINT"
+      networking:
+        podSubnet: "KUBEADM_POD_SUBNET"
+        serviceSubnet: "KUBEADM_SERVICE_SUBNET"
+        dnsDomain: "KUBEADM_DNS_DOMAIN"
+      ---
+      apiVersion: kubelet.config.k8s.io/v1beta1
+      kind: KubeletConfiguration
+      authentication:
+        webhook:
+          enabled: false
+      KUBEADMCONFIG
+
+      sed -i "s|KUBEADM_ENDPOINT|$vip:6443|g" /tmp/kubeadm/init-config.yaml
+      sed -i "s|KUBEADM_POD_SUBNET|$pod_subnet|g" /tmp/kubeadm/init-config.yaml
+      sed -i "s|KUBEADM_SERVICE_SUBNET|$service_subnet|g" /tmp/kubeadm/init-config.yaml
+      sed -i "s|KUBEADM_DNS_DOMAIN|$domain|g" /tmp/kubeadm/init-config.yaml
+
      env -i PATH=/run/current-system/sw/bin:/usr/bin:/bin kubeadm init \
-        --control-plane-endpoint "$vip:6443" \
+        --config /tmp/kubeadm/init-config.yaml \
        --upload-certs \
-        --ignore-preflight-errors=NumCPU,HTTPProxyCIDR,Port-10250 \
-        --pod-network-cidr "$pod_subnet" \
-        --service-cidr "$service_subnet" \
-        --service-dns-domain "$domain" || {
+        --ignore-preflight-errors=NumCPU,HTTPProxyCIDR,Port-10250 || {
        echo "==> kubeadm init failed, kubelet logs:"
        journalctl -xeu kubelet --no-pager -n 50
        exit 1
@@ -255,15 +279,22 @@ in
    wants = [ "network-online.target" ];
    after = [ "containerd.service" "network-online.target" ];
    serviceConfig = {
-      Environment = "KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml";
+      Environment = [
+        "KUBELET_CONFIG_ARGS=--config=/var/lib/kubelet/config.yaml"
+        "KUBELET_KUBEADM_ARGS="
+        "KUBELET_EXTRA_ARGS="
+      ];
      EnvironmentFile = [
        "-/var/lib/kubelet/kubeadm-flags.env"
        "-/etc/default/kubelet"
      ];
-      ExecStart = "${pinnedK8s}/bin/kubelet $KUBELET_CONFIG_ARGS $KUBELET_KUBEADM_ARGS $KUBELET_EXTRA_ARGS";
-      Restart = "always";
+      ExecStart = "${pinnedK8s}/bin/kubelet \$KUBELET_CONFIG_ARGS \$KUBELET_KUBEADM_ARGS \$KUBELET_EXTRA_ARGS";
+      Restart = "on-failure";
      RestartSec = "10";
    };
+    unitConfig = {
+      ConditionPathExists = "/var/lib/kubelet/config.yaml";
+    };
  };

  systemd.tmpfiles.rules = [