deprecate insecure http flags and remove already deprecated flags #59018
Conversation
k8s-ci-robot
added
release-note
|
/assign @gmarek |
cluster/gce/gci/configure-helper.sh
Outdated
| @@ -1518,7 +1518,6 @@ function start-kube-apiserver { | |||
|
|
|||
| # Calculate variables and assemble the command line. | |||
| local params="${API_SERVER_TEST_LOG_LEVEL:-"--v=2"} ${APISERVER_TEST_ARGS:-} ${CLOUD_CONFIG_OPT}" | |||
| params+=" --address=127.0.0.1" | |||
There was a problem hiding this comment.
--address is removed, insecure-bind-address is deprecated.
|
/assign @bowei |
|
@hzxuzhonghu: The following test failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
kops is using
|
hzxuzhonghu
force-pushed
the
deprecate-http
branch
from
9152862 to
24c687f
Compare
k8s-ci-robot
added
size/S
Are there issues in those projects to remove the deprecated use? |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: hzxuzhonghu, sttts The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these OWNERS Files:
You can indicate your approval by writing |
k8s-ci-robot
added
the
approved
Yes, I create one kubernetes/kops#4355 |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here. |
|
Do we have a solution for #43784 ? |
Health checks? |
As of Kubernetes 1.10, the insecure flags will be deprecated: kubernetes/kubernetes#59018 Currently, there is no other way to allow unauthenticated health checks (requests on kube-apiserver's /healthz endpoint) other than allowing anonymous requests (which we do not want). Related issue: kubernetes/kubernetes#43784 We are now going to use the basic authentication credentials which the kubelet will use to reach the /healthz endpoint.
|
|
||
| fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+ | ||
| "The port on which to serve unsecured, unauthenticated access. It is assumed "+ | ||
| "that firewall rules are set up such that this port is not reachable from outside of "+ | ||
| "the cluster and that port 443 on the cluster's public address is proxied to this "+ | ||
| "port. This is performed by nginx in the default setup. Set to zero to disable") | ||
| "port. This is performed by nginx in the default setup. Set to zero to disable.") | ||
| fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.") |
There was a problem hiding this comment.
marking this deprecated actually omits it from the help, which means the fact that it is enabled by default and you need to "Set to zero to disable." is invisible to the end user. That is not good.
There was a problem hiding this comment.
Never understood this behaviour.
|
The API server still serves on If the latter, it should be disabled by default, but if that's the case, what about health endpoints? Am I going to need a sidecar container to validate the TLS and proxy Edit - For anyone coming along later, check out #43784 |
Nothing should be relying on the insecure port. It is a target for future removal. |
|
@deads2k we are running the apiserver as a static pod on master nodes, which currently requires the apiserver to listen on an insecure port 8080 on localhost for kubelet to be able to talk to it. All other worker nodes' kubelet uses the "--bootstrap-kubeconfig" to perform TLS bootstrapping once the apiserver is up. I tried to use the same "--bootstrap-kubeconfig" for kubelet running on master, but it complains that it can't reach the apiserver (for obvious reason) and crash, without starting the apiserver/controller-manager/scheduler pods defined in the manifests. Is there a proper way for kubelet on master to talk to the apiserver without utilising the --insecure-port and --insecure-bind-address? Environment: |
|
Short lived client certificates are a good option since the kubelet running the kube-apiserver is effectively root on the cluster already. |
* Although the --insecure-port flag is deprecated, apiserver continues to default to listening on 127.0.0.1:8080 * Explicitly disable insecure local listener since its unused * kubernetes/kubernetes#59018 (comment) * 5f3546b
|
Update, thanks @justinsb implemented this for Kops (PR kubernetes/kops#5234) |
Though the flags are deprecated, the deprecation process revealed that the flag is important for health checks in more secure environments. Add a link to kubernetes#43784 to help developers understand why the flags have not yet been removed. Issue kubernetes#43784 Issue kubernetes#74172 Issue kubernetes#59018
What this PR does / why we need it:
insecure-bind-addressinsecure-portflagspublic-address-overrideaddressportThey are mark deprecated in move parts of the mega generic run struct out #36604, which is more than a year ago.Which issue(s) this PR fixes (optional, in
fixes #<issue number>(, fixes #<issue_number>, ...)format, will close the issue(s) when PR gets merged):Fixes #58951
Special notes for your reviewer:
Release note: