New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add TLS option for grpc probes #119093
Comments
/sig node |
/assign @AryanSharma9917 |
This is the KEP https://github.com/kubernetes/enhancements/tree/master/keps/sig-node/2727-grpc-probe but I can't see any reference to TLS, however, the external project that is meant to replace allows to use TLS so I think we should too |
I mention transition here: https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-grpc-liveness-probe: "Built-in probes do not support any authentication parameters (like KEP also saying: "As spec'd, the kubelet probe will not allow use of client certificates nor verify the certificate on the container. ". I asked at gRPC meetup and the feedback was that the WithInsecure (https://github.com/kubernetes/kubernetes/blame/7e3c98fd303359cb9f79dfc691da733a6ca2a6e3/pkg/probe/grpc/grpc.go#L58) is probably enough for many services. This PR changes the implementation to the new transport security: #109778 I wonder if the replacement is not adequate and your proposed SkipVerify is a proper fix. Let me look into it, not a gRPC expert. If you know for sure - please comment which option is the best |
Found this: grpc/grpc-go#5609 Yes, it looks like the PR: #109778 broke the feature |
@TheImpressiveDonut if you can send a PR and if you have a suggestion how to implement the test (unit or e2e) to validate this feature - it will be great |
/triage accepted |
Hey @SergeyKanzhelev, I'll send the PR by today I have already made some changes already, after they are done I'll send the PR. |
Hey @AryanSharma9917, I do not think that the PR #119516 you've made fix this issue. I am not really familiar with flexvolume but I believe the point I made here is not linked to those. Tell me if I am wrong. I have a rough idea on how to fix this, but I have a two questions on how it should be implemented w.r.t. kubernetes:
@SergeyKanzhelev do you have some thoughts on those ? Thanks ! |
/assign @TheImpressiveDonut |
Hey @TheImpressiveDonut, Here's a revised version of the implementation that ensures secure communication by validating the server certificate:
By providing a valid tls.Config with certificate verification, we ensure that the gRPC client communicates securely with the server, making the probe implementation more secure. |
for any PR please add an e2e test demonstrating it works |
This issue is labeled with You can:
For more details on the triage process, see https://www.kubernetes.dev/docs/guide/issue-triage/ /remove-triage accepted |
The Kubernetes project currently lacks enough contributors to adequately respond to all issues. This bot triages un-triaged issues according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
What would you like to be added?
gRPC built-in probes should be able to communicate with a server that is setup to use a secured connection.
Why is this needed?
Setting up a gRPC server to use plaintext is not really acceptable in production, so built-in probes are kind of unusable.
How?
The same way as http probe does it, with setting the field InsecureSkipVerify to true, we could do:
Maybe there is a specific reason this has not been done already ?
I am willing to contribute if needed.
/sig node
The text was updated successfully, but these errors were encountered: