add an option for skipping tls verification on logs requests #1295

Closed
12 tasks
deads2k opened this issue Oct 10, 2019 · 29 comments
Labels
kind/feature Categorizes issue or PR as related to a new feature. sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. sig/auth Categorizes an issue or PR as relevant to SIG Auth. sig/cli Categorizes an issue or PR as relevant to SIG CLI. stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status

@deads2k
Contributor

deads2k commented Oct 10, 2019

Insecure Backend Proxy for pods/logs

  • If a client chooses, it is possible to bypass the default behavior of the kube-apiserver and allow the kube-apiserver to skip TLS verification of the kubelet to allow gathering logs

  • Kubernetes Enhancement Proposal: https://github.com/kubernetes/enhancements/tree/master/keps/sig-api-machinery/1295-insecure-backend-proxy

  • Discussion Link: This KEP predates the template. I have no memory of where this is

  • Primary contact (assignee): @deads2k

  • Responsible SIGs: apimachinery, auth

  • Enhancement target (which target equals to which milestone):

    • Alpha release target (x.y):
    • Beta release target (x.y): 1.17
    • Stable release target (x.y): 1.21
  • Alpha

    • KEP (k/enhancements) update PR(s):
    • Code (k/k) update PR(s):
    • Docs (k/website) update PR(s):
  • Beta

    • KEP (k/enhancements) update PR(s):
    • Code (k/k) update PR(s):
    • Docs (k/website) update(s):
  • Stable

Please keep this description up to date. This will help the Enhancement Team to track the evolution of the enhancement efficiently.

When trying to get logs for a pod, it is possible for a kubelet to have an expired serving certificate. If a client chooses, it should be possible to bypass the default behavior of the kube-apiserver and allow the kube-apiserver to skip TLS verification of the kubelet to allow gathering logs. This is safe because the kube-apiserver's credentials are always client certificates which cannot be replayed by an evil-kubelet and risk is contained to an evil-kubelet returning false log data. If the user has chosen to accept this risk, we should allow it for the same reason we have an option for --insecure-skip-tls-verify.

On self-hosted clusters it is possible to end up in a state where a kubelet's serving certificate has expired so a kube-apiserver cannot verify the kubelet identity, but the kube-apiserver's client certificate is still valid so the kubelet can still verify the kube-apiserver. In this condition, a cluster-admin may need to get pod logs to debug his cluster.

@kubernetes/sig-api-machinery-feature-requests
@kubernetes/sig-cli-feature-requests
@kubernetes/sig-auth-feature-requests

https://github.com/kubernetes/enhancements/blob/master/keps/sig-api-machinery/20190927-insecure-backend-proxy.md

@deads2k deads2k added this to the v1.17 milestone Oct 10, 2019
@k8s-ci-robot k8s-ci-robot added sig/api-machinery Categorizes an issue or PR as relevant to SIG API Machinery. kind/feature Categorizes issue or PR as related to a new feature. sig/cli Categorizes an issue or PR as relevant to SIG CLI. sig/auth Categorizes an issue or PR as relevant to SIG Auth. labels Oct 10, 2019
@deads2k deads2k self-assigned this Oct 10, 2019
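
The state described in the issue (expired kubelet serving certificate, still-valid kube-apiserver client certificate) reproduced with Go's standard library, as an added example that is not part of the original issue or of Kubernetes' code. `selfSigned` and `fetchLogs` are hypothetical names and both certificates are constructed test data; the server stands in for the kubelet and keeps requiring and verifying the client certificate in both runs.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// selfSigned returns a throwaway self-signed certificate and a pool trusting it (constructed test data).
func selfSigned(cn string, notAfter time.Time) (tls.Certificate, *x509.CertPool) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-48 * time.Hour), NotAfter: notAfter, IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, key.Public(), key)
	leaf, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// fetchLogs (hypothetical name) plays the kube-apiserver calling a kubelet whose serving cert has expired.
func fetchLogs(skipVerify bool) (string, error) {
	kubelet, kubeletCA := selfSigned("kubelet", time.Now().Add(-time.Hour)) // expired an hour ago
	apiserver, apiserverCA := selfSigned("kube-apiserver", time.Now().Add(time.Hour))
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{kubelet}, // the kubelet side still
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: apiserverCA} // authenticates its caller
	srv.StartTLS()
	defer srv.Close()
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: &tls.Config{ServerName: "kubelet",
		Certificates: []tls.Certificate{apiserver}, RootCAs: kubeletCA, InsecureSkipVerify: skipVerify}}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	resp.Body.Close()
	return resp.Status, nil
}

func main() {
	fmt.Println(fetchLogs(false)) // fails: the kubelet certificate has expired
	fmt.Println(fetchLogs(true))  // succeeds, but the response is from an unverified backend
}
```
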
@mrbobbytables
Member

mrbobbytables commented Oct 14, 2019

@deads2k Is this an Enhancement that should be tracked for 1.17? If so, can you reformat the issue with the KEP Issue template?

# Enhancement Description
- One-line enhancement description (can be used as a release note):
- Kubernetes Enhancement Proposal: (link to kubernetes/enhancements file, if none yet, link to PR)
- Primary contact (assignee):
- Responsible SIGs:
- Enhancement target (which target equals to which milestone):
  - Alpha release target (x.y)
  - Beta release target (x.y)
  - Stable release target (x.y)

_Please keep this description up to date. This will help the Enhancement Team track the evolution of the enhancement efficiently._

@fejta-bot

fejta-bot commented Jan 12, 2020

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 12, 2020
@palnabarun
Member

palnabarun commented Jan 13, 2020

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jan 13, 2020
@fejta-bot

fejta-bot commented Apr 12, 2020

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 12, 2020
@palnabarun
Member

palnabarun commented Apr 15, 2020

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 15, 2020
@palnabarun
Member

palnabarun commented Apr 17, 2020

/remove-milestone v1.17

@palnabarun
Member

palnabarun commented Apr 29, 2020

/milestone clear

(removing this issue from v1.17 milestone as the milestone is complete)

@k8s-ci-robot k8s-ci-robot removed this from the v1.17 milestone Apr 29, 2020
@fejta-bot

fejta-bot commented Jul 28, 2020

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 28, 2020
@palnabarun
Member

palnabarun commented Jul 30, 2020

/remove-lifecycle stale

@k8s-ci-robot k8s-ci-robot removed the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 30, 2020
@kikisdeliveryservice
Member

kikisdeliveryservice commented Sep 13, 2020

Hi @deads2k

Enhancements Lead here. Any plans for this in 1.20?

Thanks!
Kirsten

@kikisdeliveryservice
Member

kikisdeliveryservice commented Sep 30, 2020

Hi @deads2k

Any plans for this in 1.20? Enhancements Freeze is next week, Tuesday, October 6th.

As a note, the format of KEPs has changed. If you could please update and include the missing sections noted above that would be great. See for ref https://github.com/kubernetes/enhancements/tree/master/keps/NNNN-kep-template

Best,
Kirsten

@fejta-bot

fejta-bot commented Dec 29, 2020

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 29, 2020
@liggitt liggitt added this to the v1.21 milestone Jan 6, 2021
@annajung annajung added the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Jan 19, 2021
@annajung
Member

annajung commented Jan 19, 2021

Hi @deads2k, this issue is now being tracked for the 1.21 release.
Could you please reformat the issue with the KEP Issue template? It's important to follow the template as it's used frequently by the release team.

Could you also confirm if this enhancement will be graduating to stable for 1.21?

@deads2k deads2k added the stage/stable Denotes an issue tracking an enhancement targeted for Stable/GA status label Jan 21, 2021
@deads2k
Contributor Author

deads2k commented Jan 21, 2021

> Hi @deads2k, this issue is now being tracked for the 1.21 release.
> Could you please reformat the issue with the KEP Issue template? It's important to follow the template as it's used frequently by the release team.
>
> Could you also confirm if this enhancement will be graduating to stable for 1.21?

yes, we are targeting 1.21. I am tidying up the KEP and PRR.

@annajung
Member

annajung commented Jan 25, 2021

Hey @deads2k
I also see that this is tagged with participation from the SIG auth and cli. Is that accurate? If so, is there work that SIG auth and cli must deliver in 1.21 as well?

@soltysh
Contributor

soltysh commented Jan 25, 2021

> I also see that this is tagged with participation from the SIG auth and cli. Is that accurate? If so, is there work that SIG auth and cli must deliver in 1.21 as well?

There is no work expected from sig-cli, at most minor cleanups, so 👍 for sig-cli pov.

@annajung
Member

annajung commented Feb 6, 2021

Hey @deads2k, it looks like one of the PRR requirements has not been met for this enhancement. You need to create a <KEP number>.yaml file under https://github.com/kubernetes/enhancements/tree/master/keps/prod-readiness/sig-api-machinery, with the PRR approver's GitHub handle for the specific stage.

Please make sure this requirement is met before the enhancement freeze, Feb. 9th. Thank you!

@arunmk

arunmk commented Feb 8, 2021

Hi @deads2k ,

Enhancements Freeze is 2 days away, Feb 9th EOD PST

This KEP looks good. As @annajung mentioned earlier, the only missing item is a PRR file present here: https://github.com/kubernetes/enhancements/tree/master/keps/prod-readiness/sig-api-machinery

Any enhancements that do not complete the following requirements by the freeze will require an exception.

[DONE] The KEP must be merged in an implementable state
[DONE] The KEP must have test plans
[DONE] The KEP must have graduation criteria
[DONE] The KEP must have a production readiness review: need file under https://github.com/kubernetes/enhancements/tree/master/keps/prod-readiness/sig-api-machinery

EDIT: with PR #2476 merged, this KEP looks good.

@annajung
Member

annajung commented Feb 9, 2021

With PR #2476 merged in, this enhancement has met all requirements for the enhancements freeze 👍

@arunmk

arunmk commented Feb 9, 2021

Thanks @annajung @deads2k . I have updated the status in-place.

@arunmk

arunmk commented Feb 20, 2021

Hi @deads2k,

Since your Enhancement is scheduled to be in 1.21, please keep in mind the important upcoming dates:

  • Tuesday, March 9th: Week 9 - Code Freeze
  • Tuesday, March 16th: Week 10 - Docs Placeholder PR deadline
    • If this enhancement requires new docs or modification to existing docs, please follow the steps in the Open a placeholder PR doc to open a PR against k/website repo.

As a reminder, please link all of your k/k PR(s) and k/website PR(s) to this issue so we can track them.

Thanks!

@arunmk

arunmk commented Mar 2, 2021

Hi @deads2k ,

Enhancements team does not have a linked PR to track for the upcoming code freeze. Could you please link a PR to this KEP so that we may track it?

We are currently marking this KEP as 'At Risk' for the upcoming code freeze on 3/9.

Thanks

@arunmk

arunmk commented Mar 6, 2021

Hi @deads2k, this KEP has been marked as implemented in the KEP document. Is there an outstanding PR that is expected to be merged before code freeze on 3/9?

Thanks!

@arunmk

arunmk commented Mar 6, 2021

Hi @deads2k ,

A friendly reminder that Code freeze is 4 days away, March 9th EOD PST

Any enhancements that are NOT code complete by the freeze will be removed from the milestone and will require an exception to be added back.

Please also keep in mind that if this enhancement requires new docs or modification to existing docs, you'll need to follow the steps in the Open a placeholder PR doc to open a PR against k/website repo by March 16th EOD PST

Thanks!

@annajung
Member

annajung commented Mar 10, 2021

Hi @deads2k , with code freeze now in effect, we are removing this enhancement from 1.21 release due to no code PR being tracked for this enhancement.

If needed, feel free to file an exception to add this back into the release. Thanks!

@annajung annajung removed this from the v1.21 milestone Mar 10, 2021
@annajung annajung removed the tracked/yes Denotes an enhancement issue is actively being tracked by the Release Team label Mar 10, 2021
@fejta-bot

fejta-bot commented Apr 9, 2021

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 9, 2021
@PI-Victor
Member

PI-Victor commented Apr 9, 2021

/remove-lifecycle rotten

@k8s-ci-robot k8s-ci-robot removed the lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. label Apr 9, 2021
@ritazh ritazh added this to KEP Backlog in SIG Auth Apr 9, 2021
@deads2k deads2k added this to the v1.21 milestone Apr 19, 2021
@deads2k
Contributor Author

deads2k commented Apr 19, 2021

This landed as GA in 1.21

/close

SIG Auth automation moved this from KEP Backlog to Closed / Done Apr 19, 2021
@k8s-ci-robot
Contributor

k8s-ci-robot commented Apr 19, 2021

@deads2k: Closing this issue.

In response to this:

> This landed as GA in 1.21
>
> /close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
