This PR may require API review.

If so, when the changes are ready, complete the pre-review checklist and request an API review.

Status of requested reviews is tracked in the API Review project.

Second commit is mostly to improve readability and make future enhancements easier - a880668

/triage accepted
/priority important-longterm

/retest

Release note claims:

Cluster admins can now turn off /debug/pprof and /debug/flags/v endpoint in kubelet by setting enableProfilingHandler and enableDebugFlagsHandler to false in their kubelet configuration file. enableProfilingHandler and enableDebugFlagsHandler can be set to true only when enableDebuggingHandlers is also set to true.

However I don't see any code enforcing that. Maybe the implementation happens to work this way but it's not easy at all to verify. Apart from this the api is fine. I think it's important that these things don't suddenly turn on for people who have them off currently.

Release note claims:

Cluster admins can now turn off /debug/pprof and /debug/flags/v endpoint in kubelet by setting enableProfilingHandler and enableDebugFlagsHandler to false in their kubelet configuration file. enableProfilingHandler and enableDebugFlagsHandler can be set to true only when enableDebuggingHandlers is also set to true.

However I don't see any code enforcing that. Maybe the implementation happens to work this way but it's not easy at all to verify. Apart from this the api is fine. I think it's important that these things don't suddenly turn on for people who have them off currently.

Thank you for reviewing the PR @lavalamp :)

We are using enableDebuggingHandlers as the parent knob to turn on/off all the sub handlers like /logs or /pprof and other handlers. If at present if admin has enableDebuggingHandlers set to false then it wont turn on these handlers. Like you mentioned we decided this route earlier just to avoid turning on the feature accidentally and also to make it backward compatible.

we enforce that here - https://github.com/kubernetes/kubernetes/pull/98458/files#diff-c3e7f724d1b0dcee40df80716ed57d90d2649710150fa92bf9822bdad35e0429R239 enableDebuggingHandlers should be set to true to enable/disable other child handlers.

we enforce that here

I guess I'm not sure why you install a "not turned on" handler if it is off? I think it would be easier to audit if the section of code you linked me to was just if statements.

I also don't really like that this is so inconsistent with how apiserver handles this, but I don't know that anything can be done about that.

Anyway, kubelet is not my binary so I don't really have a strong opinion, if you all are certain enough then that's fine.

For the API:
/approve

I guess I'm not sure why you install a "not turned on" handler if it is off? I think it would be easier to audit if the section of code you linked me to was just if statements.

If its off, Kubelet just return messages like "logs(profiling) endpoint is disabled."

I also don't really like that this is so inconsistent with how apiserver handles this, but I don't know that anything can be done about that.

@lavalamp is it due to the fact that single --profiling cmd line argument takes care of turning off /debug/pprof and /debug/flags/v endpoints in ApiServer but we are turning off in Kubelet with two different flags? (our thought process is documented here for reference #84165 (comment)) or is it in general how Kubelet handles these handlers.

I guess I'm not sure why you install a "not turned on" handler if it is off? I think it would be easier to audit if the section of code you linked me to was just if statements.

If its off, Kubelet just return messages like "logs(profiling) endpoint is disabled."

Yes, I understood, I just am not sure why that's desirable.

I guess I'm not sure why you install a "not turned on" handler if it is off? I think it would be easier to audit if the section of code you linked me to was just if statements.

If its off, Kubelet just return messages like "logs(profiling) endpoint is disabled."

Yes, I understood, I just am not sure why that's desirable.

Ah ok.. I can remove if we don't need to return anything.. I added with assumption that it provides better wording(UX) when disabled.

From what I can see the latest update has changed quite a bit from the last... @sjenning can you PTAL?

actually @ehashman I didn't make any change though between 3944e1d and 51c5401 but for some reason robot reported - "New changes are detected"

I added with assumption that it provides better wording(UX) when disabled.

It's up to the Kubelet owners. :)

actually @ehashman I didn't make any change though between 3944e1d and 51c5401 but for some reason robot reported - "New changes are detected"

When I tried to diff the branches the diff numbers didn't match... I didn't do the initial review but I am not the right person to LGTM this :)

actually @ehashman I didn't make any change though between 3944e1d and 51c5401 but for some reason robot reported - "New changes are detected"

When I tried to diff the branches the diff numbers didn't match... I didn't do the initial review but I am not the right person to LGTM this :)

looks like there was some log format changes in master which was missed after rebase. Fixed it now :)

/approve
/lgtm

@andrewsykim maybe you can help restructure this in a follow-on to make the code path clearer per @lavalamp comments as part of overall /pkg/kubelet/server cleanup?

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: derekwaynecarr, dims, lavalamp, SaranBalaji90, sjenning

The full list of commands accepted by this bot can be found here.

The pull request process is described here