Use 10250 as targetPort for metrics-server #105957
Conversation
Metrics-server's usage of privileged port 443 as targetPort requires more elevated permissions than necessary and violates the principle of least privilege.
@shuaich: This issue is currently awaiting triage. If a SIG or subproject determines this is a relevant issue, they will accept it by applying the The Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Hi @shuaich. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
/assign @serathius
Port 10250 is the Kubelet secure port. The main reason to pick it over the commonly used pattern for unprivileged ports like 8443 (add 8000 to https port 443) is firewall backward compatibility. This was brought up in #103713 (comment). The proposed port 10250 reuses the Kubelet node port to piggyback on preexisting firewall rules. @liggitt To confirm if this is not a breaking change.
ack
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: serathius, shuaich The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
Description
Metrics-server's usage of privileged port 443 as targetPort requires more elevated permissions than necessary and violates the principle of least privilege.
Testing
Create a k8s cluster using kubetest2 with gce as provider and manually query metrics.k8s.io API.
What type of PR is this?
/kind bug
What this PR does / why we need it:
Metrics-server will use a non-privileged port and we will be able to remove the elevated permission from metrics-server.
Which issue(s) this PR fixes:
None
Special notes for your reviewer:
After this PR is merged, a new PR will remove elevated permission from metrics-server.
Does this PR introduce a user-facing change?
No
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:
No
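The manifest below is an added example, not the diff of this PR and not the kubernetes/kubernetes addon manifest itself. It shows the weak setting and the corrected one side by side: in both cases clients (the API aggregator) still connect to port 443 on the Service, but in the corrected version the container listens on 10250, the kubelet secure port, so the pod no longer needs CAP_NET_BIND_SERVICE to bind its port and can run as non-root with all capabilities dropped. The image tag is a placeholder, and the `--secure-port` flag and the securityContext fields are assumptions for illustration.

```yaml
# Constructed example, not the PR's diff.
# BEFORE: targetPort 443 forces the container to bind a privileged port,
# which requires CAP_NET_BIND_SERVICE (or running as root).
apiVersion: v1
kind: Service
metadata:
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    k8s-app: metrics-server
  ports:
  - name: https
    port: 443          # what clients connect to; unchanged in both versions
    targetPort: 443    # BEFORE: privileged port inside the pod
---
# AFTER: clients still reach port 443 on the Service, but the pod listens
# on 10250 (the kubelet secure port), so existing node firewall rules
# already allow the traffic and no privileged bind is needed.
apiVersion: v1
kind: Service
metadata:
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    k8s-app: metrics-server
  ports:
  - name: https
    port: 443
    targetPort: https  # resolves to the named containerPort 10250 below
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: metrics-server
  namespace: kube-system
spec:
  selector:
    matchLabels:
      k8s-app: metrics-server
  template:
    metadata:
      labels:
        k8s-app: metrics-server
    spec:
      containers:
      - name: metrics-server
        image: registry.k8s.io/metrics-server/metrics-server:vX.Y.Z  # placeholder tag
        args:
        - --secure-port=10250    # assumed flag: serve HTTPS on an unprivileged port
        ports:
        - name: https
          containerPort: 10250
          protocol: TCP
        securityContext:         # least privilege, now possible without port 443
          runAsNonRoot: true
          runAsUser: 65534
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop: ["ALL"]        # in particular no NET_BIND_SERVICE
```

One caveat when reusing 10250: it is the port the kubelet itself listens on at the node level, so this only works while metrics-server runs in the pod network namespace; a `hostNetwork: true` pod would collide with the kubelet on the same node.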