kubeadm: use the secure ports for kube-scheduler and kcm health checks #85043

Merged
merged 1 commit into from Nov 10, 2019

neolit123 commented Nov 9, 2019

What this PR does / why we need it:

The insecure ports were deprecated in 1.13 and 1.12.

See:
kubernetes/kubeadm#1327
#69663
#67069

Which issue(s) this PR fixes:

Fixes kubernetes/kubeadm#1327

Special notes for your reviewer:
NONE

Does this PR introduce a user-facing change?:

kubeadm: enable the usage of the secure kube-scheduler and kube-controller-manager ports for health checks. For kube-scheduler was 10251, becomes 10259. For kube-controller-manager was 10252, becomes 10257.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:


/kind feature
/priority important-longterm
/assign @rosti @yastij

k8s-ci-robot commented Nov 9, 2019

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: neolit123

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@neolit123 neolit123 changed the title kubeadm: use the secure ports for kube-scheduler and kcm health checks WIP kubeadm: use the secure ports for kube-scheduler and kcm health checks Nov 9, 2019
The insecure ports were deprecated in 1.12 and 1.13.
@neolit123 neolit123 force-pushed the neolit123:1.17-enable-secure-ports branch from b646b3f to 23ba857 Nov 9, 2019
@k8s-ci-robot k8s-ci-robot added size/M and removed size/S labels Nov 9, 2019
@neolit123 neolit123 changed the title WIP kubeadm: use the secure ports for kube-scheduler and kcm health checks kubeadm: use the secure ports for kube-scheduler and kcm health checks Nov 9, 2019

neolit123 commented Nov 9, 2019

/retest

@@ -76,7 +76,7 @@ func GetStaticPodSpecs(cfg *kubeadmapi.ClusterConfiguration, endpoint *kubeadmap
ImagePullPolicy: v1.PullIfNotPresent,
Command: getSchedulerCommand(cfg),
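Review bot: at `Command: getSchedulerCommand(cfg),` in `GetStaticPodSpecs`, the command appears here only as unchanged context, so the flags the scheduler starts with stay as they were. Since the description moves the health check from 10251 to 10259, a short code comment next to this line stating that insecure serving is intentionally left as-is would keep a later reader from assuming the old port is closed.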

yastij Nov 10, 2019

IIRC, we don't explicitly set --port 0 to explicitly disable insecure serving.

If we do, it would break insecure serving of metrics for the scheduler and controller-manager; that could be mitigated by an action required.

neolit123 Nov 10, 2019

are you suggesting adding --port=0 for both with an action required as part of this PR?

the components are binding on localhost so they are not exposed to external consumers. but i can see that there may be cases where metrics are proxied to an external consumer.

the alternative is to keep the insecure serving supported and wait for the action-required to come from the components themselves when --port is removed.

yastij Nov 10, 2019

That’s fine by me. I’ll open an issue to discuss secure defaults
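As an added example (not code from this PR or from kubeadm), a Go check over a static pod manifest for the two conditions raised in the thread above: whether the liveness probe uses the secure port over HTTPS, and whether insecure serving is still enabled because `--port=0` is absent. The function name `AuditManifest`, the text-based scan and the sample manifest are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	// Insecure and secure port per component, from the PR's release note.
	ports = map[string][2]string{
		"kube-scheduler":          {"10251", "10259"},
		"kube-controller-manager": {"10252", "10257"},
	}
	portRe   = regexp.MustCompile(`(?m)^\s*port:\s*(\d+)\s*$`)
	schemeRe = regexp.MustCompile(`(?m)^\s*scheme:\s*(\w+)\s*$`)
	flagRe   = regexp.MustCompile(`(?m)^\s*-\s+--port=(\d+)\s*$`)
)

// AuditManifest scans a static pod manifest as plain text (assumption: the
// first port:/scheme: keys after livenessProbe: belong to its httpGet block).
func AuditManifest(component, manifest string) []string {
	p, ok := ports[component]
	if !ok {
		return []string{"unknown component " + component}
	}
	var out []string
	_, probe, _ := strings.Cut(manifest, "livenessProbe:")
	if m := portRe.FindStringSubmatch(probe); m == nil || m[1] != p[1] {
		out = append(out, "liveness probe is not on secure port "+p[1])
	}
	// A probe with no scheme set defaults to HTTP in the Kubernetes API.
	if m := schemeRe.FindStringSubmatch(probe); m == nil || m[1] != "HTTPS" {
		out = append(out, "liveness probe scheme is not HTTPS")
	}
	// --port=0 is the flag named in the thread for disabling insecure serving.
	if m := flagRe.FindStringSubmatch(manifest); m == nil || m[1] != "0" {
		out = append(out, "insecure port "+p[0]+" is still served (--port=0 not set)")
	}
	return out
}

// Constructed sample: probe on the secure port, insecure serving left enabled.
const sample = "spec:\n  containers:\n  - command:\n    - kube-scheduler\n    - --bind-address=127.0.0.1\n" +
	"    livenessProbe:\n      httpGet:\n        path: /healthz\n        port: 10259\n        scheme: HTTPS\n"

func main() {
	fmt.Println(strings.Join(AuditManifest("kube-scheduler", sample), "\n"))
}
```

On the constructed sample only the `--port=0` finding is reported, which is the state the thread settles on: the probe is secure while insecure serving remains bound.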

yastij commented Nov 10, 2019

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm label Nov 10, 2019
@k8s-ci-robot k8s-ci-robot merged commit 939e1e6 into kubernetes:master Nov 10, 2019
15 checks passed