Get most services out of the default interface #88
Conversation
Force-pushed from df6cf5f to 908b9f3
Looks good, just a few updates needed.
README.md
Outdated
@@ -13,7 +13,7 @@ snap install microk8s --classic --beta | |||
``` | |||
|
|||
> At this time microk8s is an early beta, while this should be safe to install please beware. | |||
> In order to install microk8s make sure port 8080 is not used. | |||
> There are a few ports that need to be open for microk8s to install successfully. 8080 and 6443 are the most common ones. Please go though the [list of used ports](docs/ports.md) and the security implications involved in installing microk8s. |
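Review bot: in the added README line, "go though" should be "go through", and "need to be open" reads as a firewall rule when the requirement is that nothing else is already listening on 8080 and 6443 before the snap installs; "need to be available" says that without inviting users to open the ports to the network.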
s/open/available/
docs/ports.md
Outdated
|
||
For now microk8s is meant to be used for local development thus certain security issues are not addressed at this point. Here we present the ports and sockets each service uses as well as the default authorisation and authentication configuration. | ||
|
||
Services can be placed in two groups based on the network interface they are bind to. Services binding to the localhost interface are only available from within the host and we take no action to protect them. Services binding to the default host interface are available from outside the host and thus we enforce some form of access restrictions. The ports used by both types of services need to be free so that microk8s starts successfully. |
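Review bot: "the network interface they are bind to" should read "they bind to", and "we take no action to protect them" for the localhost-bound services would be clearer if it stated what that means in practice: any local user or process on the host can reach those sockets without any access restriction, which is the trade-off the "local development" sentence above is accepting.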
"interface they are bound to" or "interface they bind to"
docs/ports.md
Outdated
|
||
Services can be placed in two groups based on the network interface they are bind to. Services binding to the localhost interface are only available from within the host and we take no action to protect them. Services binding to the default host interface are available from outside the host and thus we enforce some form of access restrictions. The ports used by both types of services need to be free so that microk8s starts successfully. | ||
|
||
### Services Binging to the Default Host Interface |
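Review bot: "Binging" in the new heading should be "Binding".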
s/Binging/Binding/
docs/ports.md
Outdated
If you remove `--proxy-mode` from `/var/snap/microk8s/current/args/kube-proxy` and `sudo systemctl restart snap.microk8s.daemon-proxy` kube-proxy will stop exposing the cluster hosted services. | ||
|
||
|
||
### Services Binging to the localhost Interface |
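Review bot: "Binging" should be "Binding", and the sentence on removing `--proxy-mode` should say what kube-proxy does once the flag is gone rather than only that it "will stop exposing the cluster hosted services"; a reader hardening a host needs to know which proxy mode it falls back to and which services remain reachable on the default interface after `sudo systemctl restart snap.microk8s.daemon-proxy`.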
s/Binging/Binding/
docs/ports.md
Outdated
|
||
## Authentication and Authorization | ||
|
||
Upon a new deployment microk8s creates a new CA, a signed server certificate and a service account key file. These files are stored under `/var/microk8s/current/certs`. Kubelet an the API server are aware of the same CA and so the signed server certificate is used by the API server to authenticate with kubelet (`--kubelet-client-certificate`). Clients talking to the secure port of the API server (`6443`) have to also be aware of the CA (`certificate-authority-data` in user kubeconfig). |
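Review bot: the certificate path `/var/microk8s/current/certs` does not match the `/var/snap/microk8s/current/...` layout this file uses for the kube-proxy args; check which one is right. "Kubelet an the API server" should be "Kubelet and the API server". The section is titled "Authentication and Authorization" but the paragraph only covers which CA the server and kubelet trust; it should also say how a client of port `6443` authenticates itself and what authorization mode the API server runs with, since that is what a reader opening this section is looking for.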
Kubelet and the API server...
snapcraft.yaml.orig
Outdated
@@ -0,0 +1,200 @@ | |||
name: microk8s |
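Review bot: `snapcraft.yaml.orig` looks like a backup left behind by an editor or `patch` (the `.orig` suffix), added here as a new 200-line file; drop it from the PR, and consider ignoring the suffix in `.gitignore` so it does not come back.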
Is this file (snapcraft.yaml.orig) supposed to be here?
Force-pushed from 908b9f3 to 0597630
Can we test this PR by running the following? Referencing comments in #110 I'm however getting this message:
When inspected the changes are not included in the I would like to test this PR (preferably by running
@nilbot The channel
Force-pushed from cc5e232 to f130b85
Closing this in favor of #323
Ports still used on the default interface: `--proxy-mode=userspace` for compatibility reasons. If you remove `--proxy-mode` from `/var/snap/microk8s/current/args/kube-proxy` and `sudo systemctl restart snap.microk8s.daemon-proxy`, kube-proxy will stop exposing the cluster hosted services.
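The two groups that docs/ports.md draws (services bound to the default host interface versus localhost-only ones) and the README's "make sure 8080 and 6443 are not used" precondition can both be checked from a shell before installing the snap. The script below is an added example, not code from the microk8s project. It classifies listening TCP sockets by bind address and reports which of the required ports are already taken. The `SAMPLE` text is a constructed listing in the column layout of `ss -ltn` (state, queues, local address:port, peer) so the script runs offline; to check a real host, replace it with the output of `ss -ltn | tail -n +2`. The required-port list `8080 6443` is taken from the README; it is meant to be run before install, since afterwards microk8s itself will be the process on 6443.

```shell
#!/bin/sh
# Added example (not part of microk8s): classify listening TCP sockets by the
# interface they bind to, and check that the ports microk8s needs are free.

# Constructed sample in the format of `ss -ltn` with the header removed.
# Column 4 is "local address:port".
SAMPLE='LISTEN 0 128 127.0.0.1:10248 0.0.0.0:*
LISTEN 0 128 0.0.0.0:6443 0.0.0.0:*
LISTEN 0 128 *:10250 *:*
LISTEN 0 128 [::1]:2379 [::]:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*'

# listeners <local|all|other>
# Print, space separated and numerically sorted, the ports whose listening
# socket is bound to the loopback address ("local"), to every interface
# ("all": 0.0.0.0, * or [::]), or to some specific address ("other").
listeners() {
    scope="$1"
    printf '%s\n' "$SAMPLE" | awk -v scope="$scope" '
    {
        addr = $4
        n = split(addr, parts, ":")
        port = parts[n]
        # host is everything before the last ":" (handles [::1]:port too)
        host = substr(addr, 1, length(addr) - length(port) - 1)
        if (host == "127.0.0.1" || host == "[::1]") s = "local"
        else if (host == "0.0.0.0" || host == "*" || host == "[::]") s = "all"
        else s = "other"
        if (s == scope) print port
    }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# port_in_use <port>: succeed (exit 0) if any socket listens on that port,
# whatever interface it is bound to.
port_in_use() {
    printf '%s\n' "$SAMPLE" | awk -v p="$1" '
    { n = split($4, a, ":"); if (a[n] == p) found = 1 }
    END { exit !found }'
}

# check_required: print the ports from the README's precondition (8080 and
# 6443) that are already taken; empty output means the host is ready.
check_required() {
    busy=""
    for p in 8080 6443; do
        if port_in_use "$p"; then
            busy="$busy $p"
        fi
    done
    echo "${busy# }"
}
```

Running `listeners all` against a real host before and after the install is a quick way to confirm that only the services docs/ports.md lists under the default host interface are actually reachable from outside the host; anything else that shows up there is a candidate for the same access restrictions.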