kubeadm serves kube-scheduler and kube-controller metrics insecurely #2202

neolit123 · 2020-06-29T04:17:46Z

kubeadm serves kube-scheduler and kube-controller manager metrics insecurely outside of localhost, as reported here:
https://kubernetes.slack.com/archives/C2P1JHS2E/p1593237397449300

i need to double check this myself, but it feels like our --bind-address=127.0.0.1 is not sufficient to disable that.

for example:
curl http://public-ip:10252/metrics

flag refs:
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/
https://kubernetes.io/docs/reference/command-line-tools-reference/kube-scheduler/

The text was updated successfully, but these errors were encountered:

neolit123 · 2020-06-29T04:22:56Z

seems related: kubernetes/kubernetes#65869 (comment)

neolit123 · 2020-06-29T04:35:03Z

the KCM docs are lacking some flags:

$ kube-controller-manager --help
...
Insecure serving flags:

      --address ip
                The IP address on which to serve the insecure --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all
                IPv6 interfaces). (default 0.0.0.0) (DEPRECATED: see --bind-address instead.)
      --port int
                The port on which to serve unsecured, unauthenticated access. Set to 0 to disable. (default 10252)
                (DEPRECATED: see --secure-port instead.)

https://kubernetes.io/docs/reference/command-line-tools-reference/kube-controller-manager/

kubeadm has a couple of options to disable public metrics:

pass --port=0
pass --address=127.0.0.1

once these flags are removed, it's not clear how insecure metrics will be possible.

neolit123 · 2020-07-01T16:16:14Z

xref kubernetes/kubernetes#91506

neolit123 · 2020-07-01T19:42:14Z

we discussed that --port=0 might be a good option by default and the users can still override using "extraArgs".

PRs for master (1.19) and branches in the support skew:
kubernetes/kubernetes#92720
kubernetes/kubernetes#92723
kubernetes/kubernetes#92725
kubernetes/kubernetes#92726

neolit123 added area/ecosystem area/security priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. labels Jun 29, 2020

neolit123 added this to the v1.19 milestone Jun 29, 2020

neolit123 added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed priority/awaiting-more-evidence Lowest priority. Possibly useful, but not yet enough support to actually get it done. labels Jun 29, 2020

neolit123 mentioned this issue Jul 2, 2020

kubeadm: add --port=0 for kube-controller-manager and kube-scheduler kubernetes/kubernetes#92720

Merged

k8s-ci-robot closed this as completed in kubernetes/kubernetes#92720 Jul 3, 2020

lnovara mentioned this issue Oct 12, 2020

Unable to scrape kube-controller-manager and kube-scheduler metrics sighupio/fury-kubernetes-monitoring#51

Closed

leoryu mentioned this issue Feb 8, 2021

Stop using insecure port kube-scheduler and kube-controller tkestack/tke#1088

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

kubeadm serves kube-scheduler and kube-controller metrics insecurely #2202

kubeadm serves kube-scheduler and kube-controller metrics insecurely #2202

neolit123 commented Jun 29, 2020 •

edited

neolit123 commented Jun 29, 2020

neolit123 commented Jun 29, 2020 •

edited

neolit123 commented Jul 1, 2020

neolit123 commented Jul 1, 2020 •

edited

kubeadm serves kube-scheduler and kube-controller metrics insecurely #2202

kubeadm serves kube-scheduler and kube-controller metrics insecurely #2202

Comments

neolit123 commented Jun 29, 2020 • edited

neolit123 commented Jun 29, 2020

neolit123 commented Jun 29, 2020 • edited

neolit123 commented Jul 1, 2020

neolit123 commented Jul 1, 2020 • edited

neolit123 commented Jun 29, 2020 •

edited

neolit123 commented Jun 29, 2020 •

edited

neolit123 commented Jul 1, 2020 •

edited