Always secure api -> kubelet communication #11185
Conversation
k8s-ci-robot
added
cncf-cla: yes
|
/test pull-kops-e2e-cni-cilium |
|
/retest |
1 similar comment
|
/retest |
|
/kind bug |
nodeup/pkg/model/context.go
Outdated
| @@ -399,7 +399,11 @@ func (c *NodeupModelContext) UseBootstrapTokens() bool { | |||
|
|
|||
| // UseSecureKubelet checks if the kubelet api should be protected by a client certificate. | |||
| func (c *NodeupModelContext) UseSecureKubelet() bool { | |||
| return c.NodeupConfig.KubeletConfig.AnonymousAuth != nil && !*c.NodeupConfig.KubeletConfig.AnonymousAuth | |||
| if c.IsKubernetesGTE("1.21") { | |||
| return true | |||
There was a problem hiding this comment.
I don't see much logging elsewhere in this file, but should we warn users if they had enabled anonymous authentication, and we're overriding their intention here?
There was a problem hiding this comment.
Ah, I just saw #11180, which I think takes care of catching that discrepancy.
There was a problem hiding this comment.
Yeah. Need to think a little about how to approach that. But for now, this should take care of some of the bugs people have been reporting.
k8s-ci-robot
added
size/S
|
/retest |
4 similar comments
|
/retest |
|
/retest |
|
/retest |
|
/retest |
olemarkus
force-pushed
the
always-secure-node
branch
from
63ac1a9
to
7b1a145
Compare
k8s-ci-robot
added
size/M
olemarkus
changed the title
olemarkus
force-pushed
the
always-secure-node
branch
from
7b1a145
to
5717874
Compare
Without secure node auth enabled, commands like `kubectl logs` may fail with certain configurations. Previously, we checked if anonymousAuth was enabled on the kubelet before securing node communication, but this isn't really relevant. We can still authenticate even if anonymous access is allowed.
olemarkus
force-pushed
the
always-secure-node
branch
from
5717874
to
bd731ce
Compare
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
lgtm
|
/retest |
|
/test pull-kops-e2e-k8s-containerd |
…185-origin-release-1.20 Automated cherry pick of #11185: Use secure kubelet auth
…185-origin-release-1.19 Automated cherry pick of #11185: Use secure kubelet auth
Without secure node auth enabled, commands like
kubectl logsmay fail with certain configurations.As of kubernetes 1.11, we explicitly disable anonymousauth on kubelet for new clusters. We also always disable AlwaysAllow auth mode for kubelet as of 1.19. This combination works for new clusters and those who have already disabled anonymousAuth for kubelet, which accounts for most users, it seems.
But old clusters upgrading from pre 1.11 face issues with commands like
kubectl logsbecause for these clusters, apiserver is anonymous and anonymous users are not allowed to talk to kubelet per our RBAC rules.The logic for this is
anonymousAuth and secure kubelet comms are two different things as far as I can tell. So not sure why we made the check this way. Checking for
AuthorizationMode="" or AlwaysAllowwould make more sense.This PR enables secure comms unconditionally