Turned-off etcd listening on public ports as potentially insecure. #35192

Merged


@jszczepkowski (Contributor) commented Oct 20, 2016

Turned-off etcd listening on public ports as potentially insecure. Removed
experimental support for master replication.

@jszczepkowski
Contributor Author

CC @roberthbailey

@@ -37,7 +37,7 @@
"command": [
"/bin/sh",
"-c",
"if [ -e /usr/local/bin/migrate-if-needed.sh ]; then /usr/local/bin/migrate-if-needed.sh; fi; /usr/local/bin/etcd --name etcd-{{ hostname }} --listen-peer-urls http://{{ hostname }}:{{ server_port }} --initial-advertise-peer-urls http://{{ hostname }}:{{ server_port }} --advertise-client-urls http://127.0.0.1:{{ port }} --listen-client-urls http://127.0.0.1:{{ port }} --data-dir /var/etcd/data{{ suffix }} --initial-cluster-state {{ cluster_state }} --initial-cluster {{ etcd_cluster }} 1>>/var/log/etcd{{ suffix }}.log 2>&1"
"if [ -e /usr/local/bin/migrate-if-needed.sh ]; then /usr/local/bin/migrate-if-needed.sh; fi; /usr/local/bin/etcd --listen-peer-urls http://127.0.0.1:{{ server_port }} --advertise-client-urls http://127.0.0.1:{{ port }} --listen-client-urls http://127.0.0.1:{{ port }} --data-dir /var/etcd/data{{ suffix }} 1>>/var/log/etcd{{ suffix }}.log 2>&1"
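
Review bot: The replacement command line drops `--name etcd-{{ hostname }}` along with `--initial-advertise-peer-urls`, `--initial-cluster-state` and `--initial-cluster`, but `--name` has nothing to do with which interface etcd binds to; keep it so the member name does not silently fall back to etcd's default. Separately, `--listen-peer-urls` now points at `http://127.0.0.1:{{ server_port }}`, which closes the public listener but leaves the peer endpoint on plain HTTP, so a later change that restores `{{ hostname }}` here for replication should switch to `https` peer URLs with peer certificates at the same time.
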
Member

Can you leave "--name" flag? This is useful also for etcd3 and I don't think it breaks anything itself.

Contributor Author

done

@k8s-github-robot added the do-not-merge, size/S and release-note-label-needed labels Oct 20, 2016
Turn-off etcd listening on public ports as potentially insecure. Removed
experimental support for master replication.
@jszczepkowski
Contributor Author

PTAL

@jszczepkowski added the release-note label and removed the release-note-label-needed label Oct 20, 2016
@fgrzadkowski added the lgtm label Oct 20, 2016
@fgrzadkowski
Contributor

@jessfraz This PR is needed to fix a vulnerability in 1.4 where we started listening on a public network interface without using SSL.

@jszczepkowski jszczepkowski added this to the v1.4 milestone Oct 20, 2016
@roberthbailey
Contributor

lgtm

@jessfraz added the cherrypick-candidate and cherry-pick-approved labels and removed the do-not-merge label Oct 20, 2016
@k8s-github-robot

@k8s-bot test this [submit-queue is verifying that this PR is safe to merge]

@k8s-ci-robot
Contributor

Jenkins GCE etcd3 e2e failed for commit 939a108. Full PR test history.

The magic incantation to run this job again is @k8s-bot gce etcd3 e2e test this. Please help us cut down flakes by linking to an open flake issue when you hit one in your PR.

@k8s-github-robot k8s-github-robot merged commit 7f26d57 into kubernetes:release-1.4 Oct 20, 2016
@k8s-cherrypick-bot

Commit found in the "release-1.4" branch appears to be this PR. Removing the "cherrypick-candidate" label. If this is an error find help to get your PR picked.

@jszczepkowski
Contributor Author

Part of kubernetes/enhancements#48

shyamjvs pushed a commit to shyamjvs/kubernetes that referenced this pull request Dec 1, 2016
Automatic merge from submit-queue

Turned-off etcd listening on public ports as potentially insecure.

```release-note
Turned-off etcd listening on public ports as potentially insecure. Removed
experimental support for master replication.
```
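
A check for the exposure this pull request fixes, as an added example that is not part of the PR or the Kubernetes code base: it scans an etcd command line for listen URLs that use plain HTTP on a non-loopback host. The two sample command lines are constructed from the hunk above with assumed template values (hostname `master-1`, ports 2380 and 2379).

```python
import shlex
from ipaddress import ip_address
from urllib.parse import urlsplit

# etcd flags whose value is a comma-separated list of URLs the server binds to.
LISTEN_FLAGS = ("--listen-client-urls", "--listen-peer-urls")

# Constructed inputs: the hunk's old and new etcd invocations with the template
# placeholders filled in (hostname "master-1" and both ports are assumptions).
BEFORE = ("/usr/local/bin/etcd --name etcd-master-1 "
          "--listen-peer-urls http://master-1:2380 "
          "--initial-advertise-peer-urls http://master-1:2380 "
          "--advertise-client-urls http://127.0.0.1:2379 "
          "--listen-client-urls http://127.0.0.1:2379 --data-dir /var/etcd/data")
AFTER = ("/usr/local/bin/etcd --listen-peer-urls http://127.0.0.1:2380 "
         "--advertise-client-urls http://127.0.0.1:2379 "
         "--listen-client-urls http://127.0.0.1:2379 --data-dir /var/etcd/data")


def is_loopback(host):
    """True for localhost or a loopback IP literal (IPv4 or IPv6)."""
    if host == "localhost":
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        # A hostname may resolve to a public interface, so treat it as exposed.
        return False


def find_exposed_listeners(command):
    """Return (flag, url) pairs that listen over plain HTTP off loopback."""
    tokens = shlex.split(command)
    findings = []
    for i, tok in enumerate(tokens):
        flag, sep, value = tok.partition("=")
        if flag not in LISTEN_FLAGS:
            continue
        if not sep:  # "--flag value" form: the value is the next token
            value = tokens[i + 1] if i + 1 < len(tokens) else ""
        for url in value.split(","):
            parts = urlsplit(url)
            if parts.scheme == "http" and not is_loopback(parts.hostname or ""):
                findings.append((flag, url))
    return findings


if __name__ == "__main__":
    for label, cmd in (("before", BEFORE), ("after", AFTER)):
        print(label, find_exposed_listeners(cmd))
```

The same function can be run over the rendered manifest on a master to confirm that no etcd listener is bound outside loopback without TLS.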
