This repository has been archived by the owner on Feb 5, 2020. It is now read-only.

disable kubelet readonly access from outside cluster #227

Closed
sym3tri opened this issue Apr 12, 2017 · 7 comments

Comments

@sym3tri
Contributor

sym3tri commented Apr 12, 2017

Port 10255 should only be accessible from other cluster master/worker nodes.

@philips
Contributor

philips commented Apr 17, 2017

Agree we should do this but:

@aaronlevy said that this should be bound to localhost
@Quentin-M said this should likely just be removed, the reason we used it is no longer in use

@aaronlevy
Contributor

heapster / prometheus might still want access to this -- which would mean wherever they run would need access. At minimum this needs to be available on localhost because the pod-checkpointer uses this.

@philips
Contributor

philips commented Apr 17, 2017

@aaronlevy Can you link to the docs/resources on how we secure this port and get the certs to heapster, etc?

@philips
Contributor

philips commented Apr 17, 2017

This is the doc line from kubelet docs https://kubernetes.io/docs/admin/kubelet/

--read-only-port int32                                    The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable) (default 10255)
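As an added example (not from this issue or the installer code), a small audit check that reads a kubelet command line and reports whether the unauthenticated read-only port is enabled and bound to a non-loopback address. It assumes the documented defaults quoted above (port 10255) and the kubelet's `--address` default of 0.0.0.0, which the read-only server binds to as well.

```python
"""Audit a kubelet command line for an exposed read-only port (added example)."""
import ipaddress
import shlex

DEFAULT_READ_ONLY_PORT = 10255   # kubelet default quoted in the issue
DEFAULT_ADDRESS = "0.0.0.0"      # kubelet --address default (assumption)


def _flag_value(argv, name):
    """Return the value of --name given as '--name=v' or '--name v', else None."""
    for i, arg in enumerate(argv):
        if arg == name and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith(name + "="):
            return arg.split("=", 1)[1]
    return None


def audit_read_only_port(cmdline):
    """Return (port, bind_address, exposed) for a kubelet command line.

    exposed is True when the read-only port is enabled (non-zero) and bound
    to a non-loopback address, i.e. reachable from other hosts unless a
    firewall or security group blocks it.
    """
    argv = shlex.split(cmdline)
    port_raw = _flag_value(argv, "--read-only-port")
    port = DEFAULT_READ_ONLY_PORT if port_raw is None else int(port_raw)
    address = _flag_value(argv, "--address") or DEFAULT_ADDRESS
    try:
        loopback = ipaddress.ip_address(address).is_loopback
    except ValueError:
        loopback = address == "localhost"
    exposed = port != 0 and not loopback
    return port, address, exposed


if __name__ == "__main__":
    # Constructed sample command lines, not taken from a real node.
    for line in (
        "kubelet --kubeconfig=/etc/kubernetes/kubeconfig",
        "kubelet --read-only-port=0",
        "kubelet --read-only-port 10255 --address=127.0.0.1",
    ):
        print(line, "->", audit_read_only_port(line))
```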

@fabxc
Contributor

fabxc commented Apr 19, 2017

We have a new release pending for tectonic-prometheus-operator and the question is whether we switch to the secure port + certs or not.
What's the current status of this? #223 indicates it's kinda stuck due to checkpointing requiring the insecure port. If this gets deferred for a while, we'd move forward while keeping the read-only port.

@fabxc
Contributor

fabxc commented Apr 19, 2017

So I talked to @s-urbaniak about this as well.

When it seemed an easy target we did implement this: https://github.com/coreos-inc/tectonic-prometheus-operator/pull/34
But it depends on changes in the installer and a decision considering points in #223.

As the discussion stalled there, by now it seems unlikely that this is feasible for the next release, which is already pretty packed with heavy changes. @s-urbaniak, @alexsomesan, and I would suggest to defer this change to the next release to have more confidence in making the required changes.

(Discussion is not always clearly distinguishing between completely disabling the read-only port vs just blocking it from outside of the cluster. I'm referring to the former above – the latter is no problem for us and what @s-urbaniak is working on AFAIK.)

s-urbaniak pushed a commit to s-urbaniak/tectonic-installer that referenced this issue Apr 19, 2017
Currently masters and workers share a pretty open security group.
Furthermore workers expose ingress traffic at critical k8s ports like
10250 and 10255.

This fixes it by removing the common cluster default security group and
specifying separate ingress/egress rules reflecting settings from the
current tectonic installer.

It also assigns only one security group for masters and workers.

Fixes coreos#248, coreos#243, coreos#227
alexsomesan pushed a commit that referenced this issue Apr 19, 2017
* modules/aws: tighten security groups

Currently masters and workers share a pretty open security group.
Furthermore workers expose ingress traffic at critical k8s ports like
10250 and 10255.

This fixes it by removing the common cluster default security group and
specifying separate ingress/egress rules reflecting settings from the
current tectonic installer.

It also assigns only one security group for masters and workers.

Fixes #248, #243, #227

* Documentation/generic-platform: change flannel port to 4789

... because that one is configured and recommended since it is the IANA
based one. Tools like tcpdump then decode vxlan packets natively.

The old port (8472) is retained as the default port in the kernel for
backwards compatibility purposes only, see [1].

Other projects also switched to the new IANA assigned port.

[1] http://lxr.free-electrons.com/source/drivers/net/vxlan.c#L43
@s-urbaniak
Contributor

resolved by #264


6 participants