Cherry pick of #9069 onto release-1.17 #9092
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: justinsb The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/lgtm
kube-apiserver doesn't expose the healthcheck via a dedicated endpoint, instead relying on anonymous-access being enabled. That has previously forced us to enable the unauthenticated endpoint on 127.0.0.1:8080.

Instead we now run a small sidecar container, which proxies /healthz and /readyz requests (only) adding appropriate authentication using a client certificate.

This will also enable better load balancer checks in future, as these have previously been hampered by the custom CA certificate.

Co-authored-by: John Gardiner Myers <jgmyers@proofpoint.com>
0710605 to 3f19ca6
Thanks for the heads up! Hopefully it'll pass this time. It wasn't a totally clean cherry-pick, e.g. I had to add wellknownusers.
Yes, I noticed that during review.
Any ideas if this change could have affected the containerd periodic e2e?
I'm seeing that the failed e2e test is having a problem pulling the new sidecar container. Perhaps the e2e test config or somesuch needs to be tweaked to use the locally built container? I'm also seeing kops-controller isn't starting.
Cherry pick of #9069