I’m working through implementing IAM Roles for Service Accounts on an RKE2 deployment, which requires updates to some of the arguments in the kube-apiserver.yaml file.
These arguments are as follows:
spec:
  containers:
  - command:
    - kube-apiserver
    - --service-account-issuer=<OIDC provider URL>
    - --service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub
    - --service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key
    - --service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key
What I am not sure of is whether I need to keep the default service-account-key-file that comes with RKE2 deployments, or if I can just replace it outright with the key I generate for the OIDC S3 bucket without breaking anything within RKE2.
Currently I use the RKE2 cloud enabled deployment here: https://github.com/rancherfederal/rke2-aws-tf/tree/master/examples/cloud-enabled and modify the kube-apiserver.yaml file with the following arguments.
kube-apiserver-arg:
- "service-account-issuer=<OIDC provider URL>"
- "api-audiences=https://kubernetes.default.svc.cluster.local,rke2,sts.amazon.com"
- "service-account-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer-pkcs8.pub"
# - "service-account-key-file=/var/lib/rancher/rke2/server/tls/service.key"
- "service-account-signing-key-file=/var/lib/rancher/rke2/server/irsa/sa-signer.key"
As you can see, I have the default service-account-key-file commented out because the method for injecting those values into the kube-apiserver.yaml doesn’t seem to support specifying multiple service-account-key-files without one of them overwriting the other. (https://docs.rke2.io/install/install_options/server_config/)
In short, does the default service-account-key-file matter in the grand scheme of things if I replace it with my own?
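Added example (not from the post, and not RKE2 or Kubernetes code) showing the mechanism behind the repeatable --service-account-key-file flag: service account tokens are RS256 signatures, and the API server accepts a token if any configured public key verifies it, so a token issued under the previous signing key stops verifying once that key's public half is dropped from the set. The two generated keys stand in for tls/service.key and irsa/sa-signer.key, and the token payload is constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signToken mirrors the RS256 step done with --service-account-signing-key-file:
// SHA-256 over the payload, then a PKCS#1 v1.5 signature.
func signToken(signer *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPKCS1v15(rand.Reader, signer, crypto.SHA256, digest[:])
}

// verifyAgainstKeySet accepts the token if any configured public key verifies it;
// each --service-account-key-file flag contributes one key to this set.
func verifyAgainstKeySet(keySet []*rsa.PublicKey, payload, sig []byte) bool {
	digest := sha256.Sum256(payload)
	for _, pub := range keySet {
		if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil {
			return true
		}
	}
	return false
}

// rotationDemo signs a token with the old key and reports whether it verifies
// with only the new public key configured, and with both configured.
func rotationDemo() (onlyNew, both bool, err error) {
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for tls/service.key
	if err != nil {
		return false, false, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for irsa/sa-signer.key
	if err != nil {
		return false, false, err
	}
	// Constructed payload; a real token also carries exp/aud and a JWT header.
	payload := []byte(`{"iss":"https://oidc.example","sub":"system:serviceaccount:default:app"}`)
	sig, err := signToken(oldKey, payload)
	if err != nil {
		return false, false, err
	}
	onlyNew = verifyAgainstKeySet([]*rsa.PublicKey{&newKey.PublicKey}, payload, sig)
	both = verifyAgainstKeySet([]*rsa.PublicKey{&oldKey.PublicKey, &newKey.PublicKey}, payload, sig)
	return onlyNew, both, nil
}

func main() {
	onlyNew, both, err := rotationDemo()
	fmt.Printf("old-key token: new key only=%v, both keys=%v, err=%v\n", onlyNew, both, err)
}
```

The practical consequence is that dropping the old public key is safe only once no token signed by the old key is still in use, which for long-lived legacy secret tokens means until they have been reissued.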