Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
deprecate insecure http flags and remove already deprecated flags #59018
What this PR does / why we need it:
Which issue(s) this PR fixes (optional, in
Special notes for your reviewer:
@hzxuzhonghu: The following test failed, say
referenced this pull request
Jan 30, 2018
[APPROVALNOTIFIER] This PR is APPROVED
The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing
Jan 30, 2018
12 of 13 checks passed
added a commit
this pull request
Mar 2, 2018
The API server still serves on
If the latter, it should be disabled by default, but if that's the case, what about health endpoints? Am I going to need a sidecar container to validate the TLS and proxy
Edit - For anyone coming along later, check out #43784
@deads2k we are running the apiserver as a static pod on master nodes, which currently requires the apiserver to listen on an insecure port 8080 on localhost for kubelet to be able to talk to it. All other worker nodes' kubelet uses the "--bootstrap-kubeconfig" to perform TLS bootstrapping once the apiserver is up.
I tried to use the same "--bootstrap-kubeconfig" for kubelet running on master, but it complains that it can't reach the apiserver (for obvious reason) and crash, without starting the apiserver/controller-manager/scheduler pods defined in the manifests.
Is there a proper way for kubelet on master to talk to the apiserver without utilising the --insecure-port and --insecure-bind-address?