Recommended liveness check for kube-apiserver

[justinsb]

For 1.6, what is the healthz endpoint / recommended liveness check for a secure setup (RBAC, kubeadm discovery not enabled, insecure port disabled)?

curl https://127.0.0.1/healthz is returning a 401 for me.

Edit: What I originally called "kubeadm discovery not enabled" is now more commonly / correctly called "setting --anonymous-auth=false on apiserver".

[liggitt]

You can include credentials in the liveness check or allow unauthenticated requests (until a healthz-only option is available)

[justinsb]

And I came so close! Probably going to enable the insecure port, for the time being at least, in kops.

Is there an effort to implement an unprotected healthz endpoint? Can I help?

[liggitt]

@justinsb are you setting --anonymous-auth=false or leaving the authorization mode as AlwaysAllow?

[justinsb]

We always set anonymous-auth=false. We currently have two authorization modes - AlwaysAllow & RBAC; no hybrids supported yet.

[liggitt]

We always set anonymous-auth=false

is this a holdover from 1.5.0? From 1.5.1 on, the defaults are reasonable (anonymous auth is disabled by default in 1.5.x, and only enabled in 1.6 when using authorizers that require explicit ACL grants to anonymous users)

[justinsb]

It's a safety gate, yes. We never want anonymous authn to the API, even if authz should catch it it's too easy to make a mistake.

[liggitt]

it's certainly up to the deployer, but I expect that to cause difficulties as auth discovery gets built out (kubectl login asks where it should go to log in, etc).

[adamhaney]

kops v1.6.0 references this issue

W0528 11:00:47.597850 9970 apiserver.go:90] Enabling apiserver insecure port, for healthchecks (issue #43784)

But it's not clear what if any action I should take as a part of my configuration. Is that line kops telling me that they're using a workaround or that I need to change my configuration?