-
Notifications
You must be signed in to change notification settings - Fork 4.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Always secure api -> kubelet communication #11185
Conversation
/test pull-kops-e2e-cni-cilium |
/retest |
1 similar comment
/retest |
/kind bug |
nodeup/pkg/model/context.go
Outdated
@@ -399,7 +399,11 @@ func (c *NodeupModelContext) UseBootstrapTokens() bool { | |||
|
|||
// UseSecureKubelet checks if the kubelet api should be protected by a client certificate. | |||
func (c *NodeupModelContext) UseSecureKubelet() bool { | |||
return c.NodeupConfig.KubeletConfig.AnonymousAuth != nil && !*c.NodeupConfig.KubeletConfig.AnonymousAuth | |||
if c.IsKubernetesGTE("1.21") { | |||
return true |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't see much logging elsewhere in this file, but should we warn users if they had enabled anonymous authentication, and we're overriding their intention here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah, I just saw #11180, which I think takes care of catching that discrepancy.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah. Need to think a little about how to approach that. But for now, this should take care of some of the bugs people have been reporting.
/retest |
4 similar comments
/retest |
/retest |
/retest |
/retest |
63ac1a9
to
7b1a145
Compare
7b1a145
to
5717874
Compare
Without secure node auth enabled, commands like `kubectl logs` may fail with certain configurations. Previously, we checked if anonymousAuth was enabled on the kubelet before securing node communication, but this isn't really relevant. We can still authenticate even if anonymous access is allowed.
5717874
to
bd731ce
Compare
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hakman The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/retest |
/test pull-kops-e2e-k8s-containerd |
…185-origin-release-1.20 Automated cherry pick of #11185: Use secure kubelet auth
…185-origin-release-1.19 Automated cherry pick of #11185: Use secure kubelet auth
Without secure node auth enabled, commands like
kubectl logs
may fail with certain configurations.As of kubernetes 1.11, we explicitly disable anonymousauth on kubelet for new clusters. We also always disable AlwaysAllow auth mode for kubelet as of 1.19. This combination works for new clusters and those who have already disabled anonymousAuth for kubelet, which accounts for most users, it seems.
But old clusters upgrading from pre 1.11 face issues with commands like
kubectl logs
because for these clusters, apiserver is anonymous and anonymous users are not allowed to talk to kubelet per our RBAC rules.The logic for this is
anonymousAuth and secure kubelet comms are two different things as far as I can tell. So not sure why we made the check this way. Checking for
AuthorizationMode="" or AlwaysAllow
would make more sense.This PR enables secure comms unconditionally