OCPNODE-2098: Add static pod for kube-rbac-proxy-crio #4175
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,11 @@ | ||
mode: 0644 | ||
path: "/etc/kubernetes/crio-metrics-proxy.cfg" | ||
contents: | ||
inline: |- | ||
authorization: | ||
static: | ||
- resourceRequest: false | ||
path: /metrics | ||
verb: get | ||
user: | ||
name: system:serviceaccount:openshift-monitoring:prometheus-k8s | ||
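Review bot: the only authorizer in this file is the single static rule (`resourceRequest: false`, `path: /metrics`, `verb: get`, user `system:serviceaccount:openshift-monitoring:prometheus-k8s`), so any request that does not match it exactly (another path, another verb, or a different client-certificate identity) is not rejected by this config but falls through to a SubjectAccessReview made with the `--kubeconfig` the manifest passes in; please confirm the kubelet identity in that kubeconfig is allowed to create subjectaccessreviews, or state in the PR that only `GET /metrics` from that one user is expected to succeed. A one-line comment above `authorization:` explaining that the static rule stands in for service-account based authorization (a static pod has no SA token) would save the next reader the question raised in the thread below.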
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
mode: 0644 | ||
path: "/etc/kubernetes/manifests/criometricsproxy.yaml" | ||
contents: | ||
inline: |- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: kube-rbac-proxy-crio | ||
namespace: openshift-machine-config-operator | ||
spec: | ||
volumes: | ||
- name: etc-kube | ||
hostPath: | ||
path: "/etc/kubernetes" | ||
- name: var-lib-kubelet | ||
hostPath: | ||
path: "/var/lib/kubelet" | ||
hostNetwork: true | ||
priorityClassName: system-cluster-critical | ||
initContainers: | ||
- name: setup | ||
terminationMessagePolicy: FallbackToLogsOnError | ||
image: {{.Images.kubeRbacProxyImage}} | ||
imagePullPolicy: IfNotPresent | ||
volumeMounts: | ||
- name: var-lib-kubelet | ||
mountPath: "/var" | ||
mountPropagation: HostToContainer | ||
command: ['/bin/bash', '-ec'] | ||
args: | ||
- | | ||
echo -n "Waiting for kubelet key and certificate to be available" | ||
while [ -n "$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)" ] ; do | ||
echo -n "." | ||
sleep 1 | ||
(( tries += 1 )) | ||
if [[ "${tries}" -gt 10 ]]; then | ||
echo "Timed out waiting for kubelet key and cert." | ||
exit 1 | ||
fi | ||
done | ||
securityContext: | ||
privileged: true | ||
resources: | ||
requests: | ||
memory: 50Mi | ||
cpu: 5m | ||
containers: | ||
- name: kube-rbac-proxy-crio | ||
image: {{.Images.kubeRbacProxyImage}} | ||
securityContext: | ||
privileged: true | ||
ports: | ||
- containerPort: 9637 | ||
args: | ||
- --secure-listen-address=:9637 | ||
Comment: any specific reason for this port?
Reply: The usual port is 9537. To make it easier to identify the secure port I used 9637 (100 more than the insecure one). (9637 is not in use by the /etc/services file).
- --config-file=/etc/kubernetes/crio-metrics-proxy.cfg | ||
- --client-ca-file=/etc/kubernetes/kubelet-ca.crt | ||
- --logtostderr=true | ||
- --kubeconfig=/var/lib/kubelet/kubeconfig | ||
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
- --upstream=http://127.0.0.1:9537 | ||
- --tls-cert-file=/var/lib/kubelet/pki/kubelet-server-current.pem | ||
- --tls-private-key-file=/var/lib/kubelet/pki/kubelet-server-current.pem | ||
resources: | ||
requests: | ||
cpu: 20m | ||
memory: 50Mi | ||
volumeMounts: | ||
- name: etc-kube | ||
mountPath: "/etc/kubernetes" | ||
mountPropagation: HostToContainer | ||
- name: var-lib-kubelet | ||
mountPath: "/var/lib/kubelet" | ||
mountPropagation: HostToContainer |
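Review bot: the wait loop in the `setup` init container never waits. `test -e` prints nothing, so `$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)` is always the empty string, `[ -n "" ]` is false on the first evaluation, and the container exits 0 immediately whether or not the certificate exists. Use the exit status instead: `while [ ! -e /var/lib/kubelet/pki/kubelet-server-current.pem ]; do`. Separately, the init container mounts the `var-lib-kubelet` volume (hostPath `/var/lib/kubelet`) at `mountPath: "/var"`, so inside that container the file lives at `/var/pki/kubelet-server-current.pem`, not under `/var/lib/kubelet/pki/`; once the loop is corrected it would time out after 10 tries. Mount it at `/var/lib/kubelet` as the main container does, or adjust the path. Minor: initialise `tries=0` before the loop rather than relying on bash treating the unset variable as 0.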
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,75 @@ | ||
mode: 0644 | ||
path: "/etc/kubernetes/manifests/criometricsproxy.yaml" | ||
contents: | ||
inline: |- | ||
apiVersion: v1 | ||
kind: Pod | ||
metadata: | ||
name: kube-rbac-proxy-crio | ||
namespace: openshift-machine-config-operator | ||
spec: | ||
volumes: | ||
- name: etc-kube | ||
hostPath: | ||
path: "/etc/kubernetes" | ||
- name: var-lib-kubelet | ||
hostPath: | ||
path: "/var/lib/kubelet" | ||
hostNetwork: true | ||
priorityClassName: system-cluster-critical | ||
initContainers: | ||
- name: setup | ||
terminationMessagePolicy: FallbackToLogsOnError | ||
image: {{.Images.kubeRbacProxyImage}} | ||
imagePullPolicy: IfNotPresent | ||
volumeMounts: | ||
- name: var-lib-kubelet | ||
mountPath: "/var" | ||
mountPropagation: HostToContainer | ||
command: ['/bin/bash', '-ec'] | ||
args: | ||
- | | ||
echo -n "Waiting for kubelet key and certificate to be available" | ||
while [ -n "$(test -e /var/lib/kubelet/pki/kubelet-server-current.pem)" ] ; do | ||
echo -n "." | ||
sleep 1 | ||
(( tries += 1 )) | ||
if [[ "${tries}" -gt 10 ]]; then | ||
echo "Timed out waiting for kubelet key and cert." | ||
exit 1 | ||
fi | ||
done | ||
securityContext: | ||
privileged: true | ||
resources: | ||
requests: | ||
memory: 50Mi | ||
cpu: 5m | ||
containers: | ||
- name: kube-rbac-proxy-crio | ||
image: {{.Images.kubeRbacProxyImage}} | ||
securityContext: | ||
privileged: true | ||
ports: | ||
- containerPort: 9637 | ||
args: | ||
- --secure-listen-address=:9637 | ||
- --config-file=/etc/kubernetes/crio-metrics-proxy.cfg | ||
- --client-ca-file=/etc/kubernetes/kubelet-ca.crt | ||
- --logtostderr=true | ||
- --kubeconfig=/var/lib/kubelet/kubeconfig | ||
- --tls-cipher-suites=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 | ||
- --upstream=http://127.0.0.1:9537 | ||
Comment: our kube-rbac-proxy ctrs usually use a different port, I am forgetting which. Should we mimic that here?
Reply: The kube-rbac-proxy is exposing a host network port (9637) and forwarding to the host's 9537 port. I slightly deviated from the usual construct due to host networking.
- --tls-cert-file=/var/lib/kubelet/pki/kubelet-server-current.pem | ||
- --tls-private-key-file=/var/lib/kubelet/pki/kubelet-server-current.pem | ||
resources: | ||
requests: | ||
cpu: 20m | ||
memory: 50Mi | ||
volumeMounts: | ||
- name: etc-kube | ||
mountPath: "/etc/kubernetes" | ||
mountPropagation: HostToContainer | ||
- name: var-lib-kubelet | ||
mountPath: "/var/lib/kubelet" | ||
mountPropagation: HostToContainer |
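Review bot: both the init container and the `kube-rbac-proxy-crio` container set `privileged: true`, yet nothing visible in the manifest calls for it: the init container only checks for a file on a hostPath mount, and the proxy only reads `/etc/kubernetes/crio-metrics-proxy.cfg`, `/etc/kubernetes/kubelet-ca.crt`, the kubeconfig and the kubelet PEM, then listens on `:9637` through `hostNetwork: true`. If the constraint is that those files are root-owned, say so in the PR and replace `privileged: true` with the narrowest setting that satisfies it; otherwise drop it. Also worth a sentence in the description: `--upstream=http://127.0.0.1:9537` is plaintext over loopback, which is only acceptable while CRI-O's 9537 listener stays bound to loopback, since the proxy on 9637 is the sole point where client-certificate authentication is enforced.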
Comment: is this using the openshift-monitoring SA? In our other kube-rbac-proxy pods we specify which serviceAccountName: we want to use. Where is that happening in this PR?
Reply: This new kube-rbac-proxy-crio service does not have access to service account secrets due to being a static pod. Instead, we are using client-side certificate validation and only allowing the system:serviceaccount:openshift-monitoring:prometheus-k8s user.