kubeadm: enable secure serving for the kube-scheduler #80951

Merged
merged 1 commit into from Aug 5, 2019


@neolit123
Member

commented Aug 3, 2019

What this PR does / why we need it:
Secure serving was already enabled for kube-controller-manager.
Do the same for kube-scheduler, by passing the flags
"authentication-kubeconfig" and "authorization-kubeconfig"
to the binary in the static Pod.

This change allows the scheduler to perform reviews on incoming
requests, such as:

  • authentication.k8s.io/v1beta1 TokenReview
  • authorization.k8s.io/v1 SubjectAccessReview

The authentication and authorization checks for "system:kube-scheduler"
users were previously enabled in #72491.

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#1285

Special notes for your reviewer:
NONE

Does this PR introduce a user-facing change?:

kubeadm: enable secure serving for the kube-scheduler

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


/kind feature
/priority important-longterm
/assign @fabriziopandini
@kubernetes/sig-cluster-lifecycle-pr-reviews

kubeadm: enable secure serving for the kube-scheduler
Secure serving was already enabled for kube-controller-manager.
Do the same for kube-scheduler, by passing the flags
"authentication-kubeconfig" and "authorization-kubeconfig"
to the binary in the static Pod.

This change allows the scheduler to perform reviews on incoming
requests, such as:
- authentication.k8s.io/v1beta1 TokenReview
- authorization.k8s.io/v1 SubjectAccessReview

The authentication and authorization checks for "system:kube-scheduler"
users were previously enabled by PR 72491.
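
An added example, not part of this PR or of kubeadm's code: a Go check that a kube-scheduler static Pod manifest carries both flags named in the description above. The manifest fragment and its kubeconfig path are constructed placeholders, and `MissingAuthFlags` is a hypothetical helper name.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Flags the PR description says are passed to kube-scheduler.
var requiredFlags = []string{"authentication-kubeconfig", "authorization-kubeconfig"}

// Constructed sample: the authorization flag is deliberately absent and the
// kubeconfig path is a placeholder, not a value taken from the PR.
const sampleManifest = `spec:
  containers:
  - command:
    - kube-scheduler
    - --authentication-kubeconfig=/path/to/scheduler.conf
    - --bind-address=127.0.0.1
    - --kubeconfig=/path/to/scheduler.conf
    name: kube-scheduler
`

// parseFlags collects "- --name=value" list items from the manifest text.
// It is a line scanner, not a YAML parser, which is enough for the flat
// command list of a static Pod manifest.
func parseFlags(manifest string) map[string]string {
	flags := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(manifest))
	for sc.Scan() {
		item := strings.TrimSpace(sc.Text())
		arg := strings.Trim(strings.TrimPrefix(item, "- "), `"'`)
		if !strings.HasPrefix(item, "- ") || !strings.HasPrefix(arg, "--") {
			continue
		}
		kv := strings.SplitN(strings.TrimPrefix(arg, "--"), "=", 2)
		value := ""
		if len(kv) == 2 {
			value = kv[1]
		}
		flags[kv[0]] = value
	}
	return flags
}

// MissingAuthFlags returns the required flags that are absent or empty.
func MissingAuthFlags(manifest string) []string {
	var missing []string
	for _, f := range requiredFlags {
		if parseFlags(manifest)[f] == "" {
			missing = append(missing, f)
		}
	}
	return missing
}

func main() { fmt.Println("missing:", MissingAuthFlags(sampleManifest)) }
```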
@neolit123

Member Author

commented Aug 3, 2019

/test pull-kubernetes-e2e-kind

@neolit123

Member Author

commented Aug 3, 2019

/hold

@fabriziopandini
Member

left a comment

@neolit123 thanks for this PR! It is always nice to see security improvements in clusters created by kubeadm!
/approve
I kindly ask @randomvariable for a final check on this PR

@k8s-ci-robot

Contributor

commented Aug 5, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: fabriziopandini, neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@fabriziopandini

Member

commented Aug 5, 2019

/assign @randomvariable

@yagonobre
Member

left a comment

Thanks @neolit123
/lgtm

@randomvariable

Member

commented Aug 5, 2019

/lgtm

@neolit123

Member Author

commented Aug 5, 2019

/hold cancel

@k8s-ci-robot k8s-ci-robot merged commit 74c0cc2 into kubernetes:master Aug 5, 2019

24 checks passed

cla/linuxfoundation neolit123 authorized
pull-kubernetes-bazel-build Job succeeded.
pull-kubernetes-bazel-test Job succeeded.
pull-kubernetes-conformance-image-test Skipped.
pull-kubernetes-cross Skipped.
pull-kubernetes-dependencies Job succeeded.
pull-kubernetes-e2e-gce Job succeeded.
pull-kubernetes-e2e-gce-100-performance Job succeeded.
pull-kubernetes-e2e-gce-csi-serial Skipped.
pull-kubernetes-e2e-gce-device-plugin-gpu Job succeeded.
pull-kubernetes-e2e-gce-iscsi Skipped.
pull-kubernetes-e2e-gce-iscsi-serial Skipped.
pull-kubernetes-e2e-gce-storage-slow Skipped.
pull-kubernetes-e2e-kind Job succeeded.
pull-kubernetes-godeps Skipped.
pull-kubernetes-integration Job succeeded.
pull-kubernetes-kubemark-e2e-gce-big Job succeeded.
pull-kubernetes-local-e2e Skipped.
pull-kubernetes-node-e2e Job succeeded.
pull-kubernetes-node-e2e-containerd Job succeeded.
pull-kubernetes-typecheck Job succeeded.
pull-kubernetes-verify Job succeeded.
pull-publishing-bot-validate Skipped.
tide In merge pool.

@k8s-ci-robot k8s-ci-robot added this to the v1.16 milestone Aug 5, 2019
