Add --allow-privileged=true to:
# kubelet config
sudo vim /var/snap/microk8s/current/args/kubelet
#kube-apiserver config
sudo vim /var/snap/microk8s/current/args/kube-apiserverRestart services:
sudo systemctl restart snap.microk8s.daemon-kubelet.service
sudo systemctl restart snap.microk8s.daemon-apiserver.service
https://github.com/ubuntu/microk8s/blob/master/microk8s-resources/actions/enable.istio.sh
@vochicong, any hint on how to run this directly on command line? thx
# source /snap/microk8s/current/actions/common/utils.sh
# refresh_opt_in_config "allow-privileged" "true" kubelet
grep: /args/kubelet: No such file or directory
/bin/sed: can't read /args/kubelet: No such file or directory
On the latest version, you need to sudo vim /var/snap/microk8s/current/args/kube-apiserver and add PodSecurityPolicy to the admission plugins-
--- kube-apiserver-old 2019-08-11 17:48:42.367840343 -0700
+++ kube-apiserver-new 2019-08-11 17:48:28.199502772 -0700
@@ -4,7 +4,7 @@
--service-cluster-ip-range=10.152.183.0/24
--authorization-mode=AlwaysAllow
--basic-auth-file=${SNAP_DATA}/credentials/basic_auth.csv
---enable-admission-plugins="NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota"
+--enable-admission-plugins="NamespaceLifecycle,LimitRanger,ServiceAccount,DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,ResourceQuota,PodSecurityPolicy"
--service-account-key-file=${SNAP_DATA}/certs/serviceaccount.key
--client-ca-file=${SNAP_DATA}/certs/ca.crt
--tls-cert-file=${SNAP_DATA}/certs/server.crt
https://github.com/ubuntu/microk8s/blob/master/microk8s-resources/actions/enable.istio.sh