Run cAdvisor on the same interface as kubelet

cAdvisor currently binds to all interfaces. Currently the only solution is to use iptables to block access to the port. We are better off making cAdvisor to bind to the interface that kubelet uses for better security. Fixes kubernetes#11710
dims · Jun 8, 2017 · 7e5c43a · 7e5c43a
1 parent 038d194
commit 7e5c43a
Show file tree

Hide file tree

Showing 5 changed files with 10 additions and 8 deletions.
diff --git a/cmd/kubelet/app/server.go b/cmd/kubelet/app/server.go
@@ -522,7 +522,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
 	}
 
 	if kubeDeps.CAdvisorInterface == nil {
-		kubeDeps.CAdvisorInterface, err = cadvisor.New(uint(s.CAdvisorPort), s.ContainerRuntime, s.RootDirectory)
+		kubeDeps.CAdvisorInterface, err = cadvisor.New(s.Address, uint(s.CAdvisorPort), s.ContainerRuntime, s.RootDirectory)
 		if err != nil {
 			return err
 		}

diff --git a/pkg/kubelet/cadvisor/cadvisor_linux.go b/pkg/kubelet/cadvisor/cadvisor_linux.go
@@ -21,7 +21,9 @@ package cadvisor
 import (
 	"flag"
 	"fmt"
+	"net"
 	"net/http"
+	"strconv"
 	"time"
 
 	"github.com/golang/glog"
@@ -94,7 +96,7 @@ func containerLabels(c *cadvisorapi.ContainerInfo) map[string]string {
 }
 
 // New creates a cAdvisor and exports its API on the specified port if port > 0.
-func New(port uint, runtime string, rootPath string) (Interface, error) {
+func New(address string, port uint, runtime string, rootPath string) (Interface, error) {
 	sysFs := sysfs.NewRealSysFs()
 
 	// Create and start the cAdvisor container manager.
@@ -109,7 +111,7 @@ func New(port uint, runtime string, rootPath string) (Interface, error) {
 		Manager:  m,
 	}
 
-	err = cadvisorClient.exportHTTP(port)
+	err = cadvisorClient.exportHTTP(address, port)
 	if err != nil {
 		return nil, err
 	}
@@ -120,7 +122,7 @@ func (cc *cadvisorClient) Start() error {
 	return cc.Manager.Start()
 }
 
-func (cc *cadvisorClient) exportHTTP(port uint) error {
+func (cc *cadvisorClient) exportHTTP(address string, port uint) error {
 	// Register the handlers regardless as this registers the prometheus
 	// collector properly.
 	mux := http.NewServeMux()
@@ -134,7 +136,7 @@ func (cc *cadvisorClient) exportHTTP(port uint) error {
 	// Only start the http server if port > 0
 	if port > 0 {
 		serv := &http.Server{
-			Addr:    fmt.Sprintf(":%d", port),
+			Addr:    net.JoinHostPort(address, strconv.Itoa(int(port))),
 			Handler: mux,
 		}
 

diff --git a/pkg/kubelet/cadvisor/cadvisor_unsupported.go b/pkg/kubelet/cadvisor/cadvisor_unsupported.go
@@ -31,7 +31,7 @@ type cadvisorUnsupported struct {
 
 var _ Interface = new(cadvisorUnsupported)
 
-func New(port uint, runtime string, rootPath string) (Interface, error) {
+func New(address string, port uint, runtime string, rootPath string) (Interface, error) {
 	return &cadvisorUnsupported{}, nil
 }
 

diff --git a/pkg/kubelet/cadvisor/cadvisor_windows.go b/pkg/kubelet/cadvisor/cadvisor_windows.go
@@ -30,7 +30,7 @@ type cadvisorClient struct {
 var _ Interface = new(cadvisorClient)
 
 // New creates a cAdvisor and exports its API on the specified port if port > 0.
-func New(port uint, runtime string, rootPath string) (Interface, error) {
+func New(address string, port uint, runtime string, rootPath string) (Interface, error) {
 	return &cadvisorClient{}, nil
 }
 

diff --git a/test/e2e_node/environment/conformance.go b/test/e2e_node/environment/conformance.go
@@ -99,7 +99,7 @@ func containerRuntime() error {
 	}
 
 	// Setup cadvisor to check the container environment
-	c, err := cadvisor.New(0 /*don't start the http server*/, "docker", "/var/lib/kubelet")
+	c, err := cadvisor.New("", 0 /*don't start the http server*/, "docker", "/var/lib/kubelet")
 	if err != nil {
 		return printError("Container Runtime Check: %s Could not start cadvisor %v", failed, err)
 	}