Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support HTTPS for /healthz, /readyz, /metrics and /debug endpoints #2829

Closed
Tracked by #4251
timuthy opened this issue Sep 9, 2020 · 15 comments
Closed
Tracked by #4251

Support HTTPS for /healthz, /readyz, /metrics and /debug endpoints #2829

timuthy opened this issue Sep 9, 2020 · 15 comments
Labels
area/security Security related kind/enhancement Enhancement, improvement, extension priority/3 Priority (lower number equals higher priority)

Comments

@timuthy
Copy link
Member

timuthy commented Sep 9, 2020
edited by timebertt
Loading

How to categorize this issue?

/area security
/kind enhancement

What would you like to be added:
Similar to Gardenlet, controller-manager, admission-controller, resource-manager, scheduler and seed-admission-controller should serve /healthz, /readyz and /metrics endpoints via HTTPS instead of HTTP.
Additionally, /debug should also be served via HTTPS if enabled (ref #4567).
@timuthy timuthy added the kind/enhancement Enhancement, improvement, extension label Sep 9, 2020
@timuthy timuthy mentioned this issue Sep 9, 2020
Merged
@gardener-robot gardener-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Nov 9, 2020
@gardener-robot gardener-robot added priority/3 Priority (lower number equals higher priority) and removed priority/normal labels Mar 8, 2021
@rfranzke
Copy link
Member

Should we close this in favor of #4251? cc @timebertt

@timuthy
Copy link
Member Author

timuthy commented Aug 18, 2021

Hm, I don't think that one comes with the other. The scheduler for instance was changed to use the Controller-Runtime but the endpoints are still served via http only. Even on the contrary, with the Controller-Runtime serving these endpoints with https is not supported yet (kubernetes-sigs/controller-runtime#979). Hence, we should only close it if we decide that this is not too relevant.

@timebertt timebertt changed the title Support HTTPS for /healthz and /metrics endpoints of GCM Support HTTPS for /healthz, /readyz and /metrics endpoints Oct 21, 2021
@gardener gardener deleted a comment from gardener-robot Oct 21, 2021
@timebertt
Copy link
Member

timebertt commented Oct 21, 2021
edited
Loading

Once we refactor gardenlet to a native controller-runtime component (#4251), i.e. use a c-r manager to expose metrics and health endpoints, we will also be back to plain http for /healthz, /readyz, /metrics and /debug there as well.

Do we consider this to be important?
If so, we could

If not and we want to go with HTTP for the endpoints, we need to

If we should decide for a), it might make sense to start with this in parallel to the other steps in #4251, so that we don't need to add configuration knobs for different ports and so on that will be replaced shortly afterwards again.

Looking for more opinions here!

@timebertt timebertt changed the title Support HTTPS for /healthz, /readyz and /metrics endpoints Support HTTPS for /healthz, /readyz, /metrics and /debug endpoints Oct 21, 2021
This was referenced Oct 21, 2021
Closed
Closed
@timuthy
Copy link
Member Author

timuthy commented Oct 25, 2021

Thanks a lot @timebertt for outlining the options. I personally prefer b) because it additionally delivers RBAC capabilities. The disadvantage I see is yet another vertically scaled side-car and I hope that if we decide for option b), we don't see this as the #1 reason for Pod evictions.

@timebertt
Copy link
Member

Thanks @timuthy for adding your opinion here. I like b) as well.

I recently learned, that kubebuilder actually uses kube-rbac-proxy for securing the metrics endpoints etc. by default: https://book.kubebuilder.io/reference/metrics.html#protecting-the-metrics
So I think, b) should be a safe bet :)

@gardener-ci-robot
Copy link
Contributor

The Gardener project currently lacks enough active contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed
    You can:
  • Mark this issue or PR as fresh with /remove-lifecycle rotten
  • Close this issue or PR with /close

/lifecycle rotten

@gardener-prow gardener-prow bot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Mar 30, 2022
@timebertt
Copy link
Member

/remove-lifecycle rotten

@gardener-prow gardener-prow bot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Mar 30, 2022
@gardener-ci-robot
Copy link
Contributor

The Gardener project currently lacks enough contributors to adequately respond to all issues and PRs.
This bot triages issues and PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the issue is closed

You can:

  • Mark this issue or PR as fresh with /remove-lifecycle stale
  • Mark this issue or PR as rotten with /lifecycle rotten
  • Close this issue or PR with /close

/lifecycle stale

@gardener-prow gardener-prow bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 28, 2022
@timebertt timebertt mentioned this issue Jun 29, 2022
Closed
76 tasks
@timebertt
Copy link
Member

/remove-lifecycle stale

@gardener-prow gardener-prow bot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jun 29, 2022
@rfranzke
Copy link
Member

I vote for closing this one and simply relying on what the controller-runtime library provides. If it's HTTP for the metrics and health endpoints, then it's HTTP and good enough (I don't see any security risk whatsoever with this).

@timuthy
Copy link
Member Author

timuthy commented Sep 13, 2022
edited by rfranzke
Loading

I kind of agree here, even though I'm a bit more concerned that we don't have authorization for /debug which is however disabled by default. Any strong concerns from your side @timebertt?
IIRC, the main reason for opening this issue was to mimic what K8s did with their components and to make it consistent with Gardenlet when we didn't use CR.

@rfranzke
Copy link
Member

rfranzke commented Oct 4, 2022

Any feedback @timebertt?

@timebertt
Copy link
Member

timebertt commented Oct 5, 2022
edited
Loading

I still vote for implementing option b) (adding kube-rbac-proxy) which is very little effort.
This plays nicely with what the community does (kubebuilder, etc.) and follows best practices. I would consider this to be "what controller-runtime/kubebuilder provides" even though it is a sidecar component rather than a go library feature.

I even have some running examples in one of my projects, which can be used as a template.

@rfranzke
Copy link
Member

rfranzke commented Oct 5, 2022

In an internal chat we figured that we won't be able to use the kube-rbac-proxy approach for the /healthz and /readyz endpoints since we otherwise would need to write JWT tokens into the {live,ready}nessProbes of the various Deployments (which isn't a great idea).

Since /debug is disabled by default and typically only used for dev purposes, /metrics is the only endpoint left that would "benefit" from using kube-rbac-proxy.

However, /metrics doesn't expose sensitive data and is in addition only reachable cluster-internally (this is different for the comparable endpoints in kube-apiserver).

In this light, we agreed to not invest here since the additional complexity/effort is not worth it.

/close

@gardener-prow gardener-prow bot closed this as completed Oct 5, 2022
@gardener-prow
Copy link
Contributor

gardener-prow bot commented Oct 5, 2022

@rfranzke: Closing this issue.

In response to this:

In an internal chat we figured that we won't be able to use the kube-rbac-proxy approach for the /healthz and /readyz endpoints since we otherwise would need to write JWT tokens into the {live,ready}nessProbes of the various Deployments (which isn't a great idea).

Since /debug is disabled by default and typically only used for dev purposes, /metrics is the only endpoint left that would "benefit" from using kube-rbac-proxy.

However, /metrics doesn't expose sensitive data and is in addition only reachable cluster-internally (this is different for the comparable endpoints in kube-apiserver).

In this light, we agreed to not invest here since the additional complexity/effort is not worth it.

/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
area/security Security related kind/enhancement Enhancement, improvement, extension priority/3 Priority (lower number equals higher priority)
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@rfranzke @timuthy @timebertt @gardener-robot @gardener-ci-robot