Support HTTPS for /healthz, /readyz, /metrics and /debug endpoints #2829
Comments
Should we close this in favor of #4251? cc @timebertt
Hm, I don't think that one comes with the other. The scheduler for instance was changed to use the Controller-Runtime but the endpoints are still served via http only. Even on the contrary, with the Controller-Runtime serving these endpoints with https is not supported yet (kubernetes-sigs/controller-runtime#979). Hence, we should only close it if we decide that this is not too relevant.
Once we refactor gardenlet to a native controller-runtime component (#4251), i.e. use a c-r manager to expose metrics and health endpoints, we will also be back to plain http for Do we consider this to be important?
If not and we want to go with HTTP for the endpoints, we need to
If we should decide for a), it might make sense to start with this in parallel to the other steps in #4251, so that we don't need to add configuration knobs for different ports and so on that will be replaced shortly afterwards again. Looking for more opinions here!
Thanks a lot @timebertt for outlining the options. I personally prefer b) because it additionally delivers RBAC capabilities. The disadvantage I see is yet another vertically scaled side-car and I hope that if we decide for option b), we don't see this as the #1 reason for Pod evictions.
Thanks @timuthy for adding your opinion here. I like b) as well. I recently learned that kubebuilder actually uses kube-rbac-proxy for securing the metrics endpoints etc. by default: https://book.kubebuilder.io/reference/metrics.html#protecting-the-metrics
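To make option b) from the discussion above concrete, here is an added illustration of the kube-rbac-proxy sidecar pattern that kubebuilder uses; it is not taken from this issue or from the Gardener repository. The component name, namespace, ports, image tags, the component's metrics flag and the TLS secret name are assumptions; the kube-rbac-proxy flags and the RBAC rules are the ones the proxy needs to terminate TLS and to authorize callers through the API server.

```yaml
# Added example (not from the issue or the Gardener repo): a kube-rbac-proxy sidecar
# terminates TLS on 8443, validates the caller's bearer token via TokenReview and checks
# with a SubjectAccessReview that the caller may GET the non-resource URL /metrics.
# Names, ports, image tags, the --metrics-bind-address flag and the secret name are assumptions.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-controller          # assumed component name
  namespace: example-system         # assumed namespace
spec:
  selector:
    matchLabels:
      app: example-controller
  template:
    metadata:
      labels:
        app: example-controller
    spec:
      serviceAccountName: example-controller
      containers:
      - name: controller
        image: example.invalid/controller:v0.0.0   # placeholder image
        args:
        # Assumed flag: keep the plain-HTTP metrics listener on loopback only, so the
        # unauthenticated port is reachable from inside the Pod (the sidecar) but not
        # from the cluster network.
        - --metrics-bind-address=127.0.0.1:8080
      - name: kube-rbac-proxy
        image: quay.io/brancz/kube-rbac-proxy:v0.0.0   # placeholder tag
        args:
        - --secure-listen-address=0.0.0.0:8443
        - --upstream=http://127.0.0.1:8080/
        - --tls-cert-file=/etc/tls/tls.crt
        - --tls-private-key-file=/etc/tls/tls.key
        - --logtostderr=true
        ports:
        - name: https-metrics
          containerPort: 8443
        volumeMounts:
        - name: tls
          mountPath: /etc/tls
          readOnly: true
      volumes:
      - name: tls
        secret:
          secretName: example-controller-metrics-tls   # assumed; e.g. issued by cert-manager
---
# The proxy's own service account must be allowed to create TokenReviews and
# SubjectAccessReviews, otherwise every request is rejected.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-controller-proxy
rules:
- apiGroups: ["authentication.k8s.io"]
  resources: ["tokenreviews"]
  verbs: ["create"]
- apiGroups: ["authorization.k8s.io"]
  resources: ["subjectaccessreviews"]
  verbs: ["create"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: example-controller-proxy
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: example-controller-proxy
subjects:
- kind: ServiceAccount
  name: example-controller
  namespace: example-system
---
# Only identities bound to this role (for example a Prometheus service account) may
# scrape; the grant is limited to the non-resource URL, not to any API resource.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: example-metrics-reader
rules:
- nonResourceURLs: ["/metrics"]
  verbs: ["get"]
```

The Service and the scrape configuration should then point at port 8443 of the sidecar rather than at the component's own port. This also shows the trade-off raised in the thread: the sidecar is a second container with its own resource requests, and the /healthz and /readyz probes either stay on the plain-HTTP port on loopback (probed by the kubelet inside the Pod) or are routed through the proxy as well, which then requires the kubelet's identity to be authorized for those paths.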
The Gardener project currently lacks enough active contributors to adequately respond to all issues and PRs.
/lifecycle rotten
/remove-lifecycle rotten
The Gardener project currently lacks enough contributors to adequately respond to all issues and PRs.
You can:
/lifecycle stale
/remove-lifecycle stale
I vote for closing this one and simply relying on what the controller-runtime library provides. If it's HTTP for the metrics and health endpoints, then it's HTTP and good enough (I don't see any security risk whatsoever with this).
I kind of agree here, even though I'm a bit more concerned that we don't have authorization for
Any feedback @timebertt?
I still vote for implementing option b) (adding kube-rbac-proxy) which is very little effort. I even have some running examples in one of my projects, which can be used as a template.
In an internal chat we figured that we won't be able to use the Since However, In this light, we agreed to not invest here since the additional complexity/effort is not worth it. /close
@rfranzke: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
How to categorize this issue?
/area security
/kind enhancement
What would you like to be added:
Similar to Gardenlet, controller-manager, admission-controller, resource-manager, scheduler and seed-admission-controller should serve the /healthz, /readyz and /metrics endpoints via HTTPS instead of HTTP. Additionally, /debug should also be served via HTTPS if enabled (ref #4567).