Use 10250 as targetPort for metrics-server

[shuaich]

Description

Metrics-server's usage of privileged port 443 as targetPort requires
elevated permissions than necessary and violates principle of least
privilege.

Testing

Create a k8s cluster using kubetest2 with gce as provider and manually query metrics.k8s.io API.

kubetest2 gce -v 2 \
  --repo-root ${HOME}/shuaich/kubernetes \
  --gcp-project shuaichen-gke-dev \
  --gcp-zone us-central1-c \
  --legacy-mode \
  --build \
  --up

kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes
kubectl get --raw /apis/metrics.k8s.io/v1beta1/nodes/${worker_node}
kubectl get --raw /apis/metrics.k8s.io/v1beta1/pods
kubectl get --raw /apis/metrics.k8s.io/v1beta1/namespaces/kube-system/pods/${system_pod}
kubectl get --raw /apis/metrics.k8s.io/v1beta1/namespaces/default/pods/${user_pod}

What type of PR is this?

/kind bug

What this PR does / why we need it:

Metrics-server will use non-privilege port and we will be able to remove elevated permission from metrics-server.

Which issue(s) this PR fixes:

None

Special notes for your reviewer:

After this PR is merged, a new PR will remove elevated permission from metrics-server.

Does this PR introduce a user-facing change?

No

NONE

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

No

[k8s-ci-robot]

@shuaich: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[k8s-ci-robot]

Hi @shuaich. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[aojea]

/assign @serathius
/ok-to-test
I suggest using another port like 8443 or similar , is not relevant but in case of troubleshooting is easier to find than 10250, that IIRC is the kubelet insecure port.

[serathius]

Port 10250 is the Kubelet secure port. Main reason to pick it over commonly used pattern for unpriviliged ports like 8443 (add 8000 to https port 443) is firewall backward compatibility. This was brought up in #103713 (comment). Proposed port 10250 reuses Kubelet node port to piggybacking on preexisting firewall rules.

@liggitt To confirm if this is not a breaking change.

[liggitt]

Proposed port 10250 reuses Kubelet node port to piggybacking on preexisting firewall rules.

ack

[serathius]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: serathius, shuaich

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• cluster/addons/metrics-server/OWNERS [serathius]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment