-
Notifications
You must be signed in to change notification settings - Fork 39.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
enable token authentication for kubelets in GCE #58178
Conversation
mikedanese
commented
Jan 11, 2018
•
edited
Loading
edited
I think I'm fine with this. Was the only reason we didn't enable this on GKE that we didn't used to expose the Token Webhook? |
We are waiting to figure out audiences before enabling this. |
/retest |
/lgtm |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cjcullen, mikedanese The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/test all [submit-queue is verifying that this PR is safe to merge] |
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
Automatic merge from submit-queue (batch tested with PRs 62632, 62789, 62512, 62848). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. [prometheus addon] Use secure kubelet port This PR changes port used by prometheus server to kubelet secure port. To access endpoints for metrics it adds "nodes/metrics" resource to rbac. Previously it was not possible to authorize to kubelet in GCP, because Token Auth was disabled. PR that enabled Token Auth in GCP #58178 ```release-note NONE ``` /cc @brancz @kawych
Automatic merge from submit-queue (batch tested with PRs 64174, 64187, 64216, 63265, 64223). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubeadm: Improve the kubelet default configuration security-wise **What this PR does / why we need it**: - Disables the readonly port for the kubelets in the cluster - Enables delegated SA token authentication for the secure kubelet port (GCE also did this ref: #58178) - Follows up #63912 to move the last flag from the system dropin to the ComponentConfig **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#732 Fixes kubernetes/kubeadm#650 Replaces #57997 **Special notes for your reviewer**: In order to make sure this actually works, or that clusters actually are secure, we're adding e2e tests for this: kubernetes/kubeadm#838 & #64140 Depends on #63912 **Release note**: ```release-note [action required] kubeadm: kubelets in kubeadm clusters now disable the readonly port (10255). If you're relying on unauthenticated access to the readonly port, please switch to using the secure port (10250). Instead, you can now use ServiceAccount tokens when talking to the secure port, which will make it easier to get access to e.g. the `/metrics` endpoint of the kubelet securely. ``` @kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-auth-pr-reviews FYI