This repository has been archived by the owner on Jun 6, 2024. It is now read-only.

[Deployment] Secure kubelet public api #1088

Closed
wants to merge 5 commits into from

abuccts
Member

@abuccts abuccts commented Aug 16, 2018

Secure kubelet public api, add authentication for https port 10250 and close http port 10255.

Please refer to kubernetes/kubernetes#7965, kubernetes/kubernetes#59666 for reasons and docker/for-linux#324, Backdooring through kubelet for hacking examples.

@abuccts abuccts added the kubernetes-deployment Issue or feature relative to k8s-deploy label Aug 16, 2018
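
The two exposures named in the description above (unauthenticated access on HTTPS port 10250, and the plain-HTTP read-only port 10255) can be checked from a kubelet command line. This is an added example, not code from this PR or from the project. It assumes a flag-only kubelet configuration (no `--config` file), and the sample command lines and certificate path are constructed.

```python
import shlex

# Defaults that apply when a flag is absent (flag-only configuration, no --config file).
DEFAULTS = {"anonymous-auth": "true", "authorization-mode": "AlwaysAllow",
            "read-only-port": "10255", "client-ca-file": ""}
BOOL_FLAGS = {"anonymous-auth"}  # Go bool flags only take a value as --flag=value

def parse_flags(cmdline):
    """Return {name: value} for the --name=value and --name value forms."""
    tokens, flags, i = shlex.split(cmdline), {}, 0
    while i < len(tokens):
        tok = tokens[i]
        i += 1
        if not tok.startswith("--"):
            continue
        name, has_eq, value = tok[2:].partition("=")
        if not has_eq:
            if name in BOOL_FLAGS or i >= len(tokens) or tokens[i].startswith("--"):
                value = "true"      # bare flag; a following "false" is NOT its value
            else:
                value = tokens[i]   # "--name value" form
                i += 1
        flags[name] = value
    return flags

def audit_kubelet(cmdline):
    """Return finding IDs for settings that leave the kubelet API open."""
    cfg = {**DEFAULTS, **parse_flags(cmdline)}
    findings = []
    if cfg["read-only-port"] != "0":
        findings.append("read-only-port-open")       # plain HTTP, 10255 by default
    if cfg["anonymous-auth"].lower() != "false":
        findings.append("anonymous-auth-enabled")    # unauthenticated requests on 10250
    if cfg["authorization-mode"] == "AlwaysAllow":
        findings.append("authorization-always-allow")
    if not cfg["client-ca-file"]:
        findings.append("no-client-ca")              # no CA to verify client certs against
    return findings

# Constructed sample command lines, not taken from the PR.
BEFORE = "kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --pod-manifest-path /etc/kubernetes/manifests"
AFTER = ("kubelet --kubeconfig=/etc/kubernetes/kubelet.conf --read-only-port=0 "
         "--anonymous-auth=false --authorization-mode=Webhook "
         "--client-ca-file=/etc/kubernetes/ssl/kubelet.ca.crt")

if __name__ == "__main__":
    for label, cmd in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_kubelet(cmd) or "ok")
```

Writing `--anonymous-auth false` with a space leaves anonymous access enabled, because the flag is boolean and only the `=` form carries a value; the audit reports that case.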
@coveralls

Coverage Status

Coverage decreased (-3.3%) to 72.964% when pulling 9493c12 on xiongyf/secure-kubelet into 90f1691 on master.


@coveralls

coveralls commented Aug 16, 2018

Coverage Status

Coverage increased (+0.01%) to 51.644% when pulling ba8fe00 on xiongyf/secure-kubelet into 0b9f008 on master.

@ydye ydye requested review from hao1939 and YitongFeng August 17, 2018 02:22
@hao1939
Contributor

hao1939 commented Aug 17, 2018

@ydye, this PR breaks the deployment process, could you take a look?



# Authentication for apiserver -> kubelet
openssl genrsa -out ${certspath}/kubelet.ca.key 4096
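
Review bot: `${certspath}` is unquoted in the `-out` argument of the `openssl genrsa` line, so a path containing spaces or glob characters would be split or expanded; quote it as `"${certspath}/kubelet.ca.key"`. The visible lines also do not check the exit status of `openssl genrsa`, so a missing binary or an unwritable directory would only surface later in the deployment; `set -e` or an explicit check after the command would make the failure immediate.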
Contributor

@fanyangCS fanyangCS Aug 17, 2018

openssl [](start = 0, length = 7)

Do you assume the host OS always has openssl? #Resolved

Contributor

@YitongFeng YitongFeng Aug 20, 2018

https://github.com/Microsoft/pai/blob/c01981c68963d960beec37b9e558ad98de853159/pai-management/k8sPaiLibrary/maintaintool/docker-ce-install.sh#L43

When installing Docker, we installed ca-certificates, which depends on openssl and will install openssl first. #Resolved

Contributor

@fanyangCS fanyangCS left a comment

:shipit:

@xudifsd
Member

xudifsd commented Aug 30, 2018

Should remove kubelet health metrics from watchdog after this PR is merged.

abuccts and others added 3 commits August 31, 2018 17:28
Secure kubelet public api, add authentication for https port 10250 and close
http port 10255.

Please refer to kubernetes/kubernetes#7965,
kubernetes/kubernetes#59666 for reasons and
docker/for-linux#324, [Backdooring through
kubelet](https://medium.com/handy-tech/analysis-of-a-kubernetes-hack-backdooring-through-kubelet-823be5c3d67c)
for hacking examples.
@hao1939 hao1939 force-pushed the xiongyf/secure-kubelet branch from b2672f4 to ea4b8cd Compare August 31, 2018 09:28
@xudifsd
Member

xudifsd commented Sep 5, 2018

Please hold on this PR.
The Kubernetes Dashboard is broken, can't run exec, logs into pod.

@fanyangCS
Contributor

Close this PR and address this issue in other PRs.

@fanyangCS fanyangCS closed this Nov 7, 2018
@abuccts abuccts deleted the xiongyf/secure-kubelet branch February 20, 2019 09:53