Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor: disable insecure serving in kube-scheduler #96345

Merged
merged 1 commit into from Sep 14, 2021
Merged

refactor: disable insecure serving in kube-scheduler #96345

merged 1 commit into from Sep 14, 2021

Conversation

ingvagabund
Copy link
Contributor

@ingvagabund ingvagabund commented Nov 8, 2020
edited by liggitt

What type of PR is this?

/kind deprecation
/kind cleanup

What this PR does / why we need it:

Disable insecure serving in kube-scheduler

Which issue(s) this PR fixes:

xref #91506

Special notes for your reviewer:

Does this PR introduce a user-facing change?:

[ACTION REQUIRED] kube-scheduler: the following flags have no effect and would be removed in v1.24:
* `--port`
* `--address`
The insecure port flags `--port` may only be set to 0 now.
Also `metricsBindAddress` and `healthzBindAddress` fields from `kubescheduler.config.k8s.io/v1beta1` are no-op and expected to be empty. Removed in `kubescheduler.config.k8s.io/v1beta2` completely.

In addition, please be careful that:
* kube-scheduler MUST start with `--authorization-kubeconfig` and `--authentication-kubeconfig` correctly set to get authentication/authorization working.
* liveness/readiness probes to kube-scheduler MUST use HTTPS now, and the default port has been changed to 10259.
* Applications that fetch metrics from kube-scheduler should use a dedicated service account which is allowed to access nonResourceURLs `/metrics`.

Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.:

@k8s-ci-robot k8s-ci-robot added do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. release-note Denotes a PR that will be considered when it comes time to generate release notes. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Nov 8, 2020
@k8s-ci-robot
Copy link
Contributor

@ingvagabund: This issue is currently awaiting triage.

If a SIG or subproject determines this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-priority Indicates a PR lacks a `priority/foo` label and requires one. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. area/e2e-test-framework Issues or PRs related to refactoring the kubernetes e2e test framework labels Nov 8, 2020
@k8s-ci-robot k8s-ci-robot added area/provider/gcp Issues or PRs related to gcp provider area/test sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling. sig/testing Categorizes an issue or PR as relevant to SIG Testing. and removed do-not-merge/needs-sig Indicates an issue or PR lacks a `sig/foo` label and requires one. labels Nov 8, 2020
@ingvagabund
Copy link
Contributor Author

@knight42 I have followed your changes in #96216 combined with what I found in https://github.com/kubernetes/kubernetes/pull/95522/files. I have copied testComponentWithoutInsecureServing from your PR for testing purposes only. Once your PR is merged, I will rebase mine to drop it.

@ingvagabund
Copy link
Contributor Author

@alculquicondor @ahg-g FYI

@ingvagabund ingvagabund mentioned this pull request Nov 8, 2020
Closed
@knight42
Copy link
Member

knight42 commented Nov 8, 2020

@ingvagabund Thanks for your effort! Now the major obstacle is how to make Prometheus fetch metrics from the secure port of controller-manager/scheduler in the job pull-kubernetes-e2e-gce-100-performance: #96216 (comment). Once this is solved, I think we are good to go.

@ingvagabund ingvagabund force-pushed the disable-insecure-port-in-scheduler branch from fb21bd9 to fe3e2a9 Compare November 8, 2020 13:43
@ingvagabund
Copy link
Contributor Author

Now the major obstacle is how to make Prometheus fetch metrics from the secure port of controller-manager/scheduler in the job pull-kubernetes-e2e-gce-100-performance: #96216 (comment).

There are few lines of code, that needs to be updated:

Checking the logs you are referring to W1108 13:22:08.530] I1108 13:22:08.529881 98292 util.go:93] 114/115 targets are ready, example not ready target: {map[endpoint:kube-scheduler instance:10.40.0.3:10251 job:master namespace:monitoring service:master] down} I suppose.

Grepping for 10251 port:

@ingvagabund ingvagabund force-pushed the disable-insecure-port-in-scheduler branch from fe3e2a9 to e5692e3 Compare November 9, 2020 08:57
@alculquicondor
Copy link
Member

Are you targeting 1.20 or 1.21?

@ingvagabund
Copy link
Contributor Author

1.20 would be great, though with 3 days left before the code freeze, finishing the PR might be too rushed

@alculquicondor
Copy link
Member

@x13n does any metric pipeline rely on the insecure serving for kube-scheduler?

@k8s-ci-robot k8s-ci-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Nov 15, 2020
@ingvagabund ingvagabund force-pushed the disable-insecure-port-in-scheduler branch from ee3f679 to 15b9ac7 Compare September 13, 2021 08:54
alculquicondor
alculquicondor reviewed Sep 13, 2021
View reviewed changes
Copy link
Member

@alculquicondor alculquicondor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

minor comments.

cmd/kube-scheduler/app/options/deprecated.go Outdated
)
fs.IPVar(&bindAddr, "address", bindAddr,
"The IP address on which to serve the insecure --port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
fs.MarkDeprecated("address", "This flag has no effect now and will be removed in v1.24.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mention the alternative: --bind-address

cmd/kube-scheduler/app/options/deprecated.go Outdated
fs.MarkDeprecated("address", "This flag has no effect now and will be removed in v1.24.")

fs.IntVar(&bindPort, "port", bindPort, "The port on which to serve unsecured, unauthenticated access. Set to 0 to disable.")
fs.MarkDeprecated("port", "This flag has no effect now and will be removed in v1.24.")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Mention the alternative: --secure-port

cmd/kube-scheduler/app/server.go Outdated
@@ -118,6 +131,11 @@ func runCommand(cmd *cobra.Command, opts *options.Options, registryOptions ...Op
verflag.PrintAndExitIfRequested()
cliflag.PrintFlags(cmd.Flags())

err := checkNonZeroInsecurePort(cmd.Flags())
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

do this in Deprecated.Validate.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If you mean DeprecatedOptions, the type does not provide the port flag through it. Also, adding a new Port field would require changing other places.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it that many places to add it?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actually, not too many after all. Updated

staging/src/k8s.io/kube-scheduler/config/v1beta1/types.go Outdated
// HealthzBindAddress is the IP address and port for the health check server to serve on,
// defaulting to 0.0.0.0:10251

// Note: Both HealthzBindAddress and MetricsBindAddress fields are deprecated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Put the deprecated note in each field's go comment. And say that only empty or port 0 is allowed.

staging/src/k8s.io/kube-scheduler/config/v1beta2/types.go Outdated
// HealthzBindAddress is the IP address and port for the health check server to serve on,
// defaulting to 0.0.0.0:10251

// Note: Both HealthzBindAddress and MetricsBindAddress fields are deprecated
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same here

@ingvagabund ingvagabund force-pushed the disable-insecure-port-in-scheduler branch 2 times, most recently from 4aca9d4 to ec206eb Compare September 13, 2021 19:47
@ingvagabund ingvagabund force-pushed the disable-insecure-port-in-scheduler branch from ec206eb to 07af669 Compare September 14, 2021 05:52
ravisantoshgudimetla
ravisantoshgudimetla approved these changes Sep 14, 2021
View reviewed changes
Copy link
Contributor

@ravisantoshgudimetla ravisantoshgudimetla left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thank you for working on this @ingvagabund

/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Sep 14, 2021
@liggitt
Copy link
Member

liggitt commented Sep 14, 2021

/approve

@liggitt liggitt moved this from Changes requested to API review completed, 1.23 in API Reviews Sep 14, 2021
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahg-g, alculquicondor, dims, ingvagabund, JAORMX, knight42, liggitt, ravisantoshgudimetla, sttts

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 14, 2021
@ingvagabund
Copy link
Contributor Author

/hold cancel

@k8s-ci-robot k8s-ci-robot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Sep 14, 2021
alculquicondor
alculquicondor reviewed Sep 14, 2021
View reviewed changes
Copy link
Member

@alculquicondor alculquicondor left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot k8s-ci-robot merged commit c10be98 into kubernetes:master Sep 14, 2021
@ingvagabund ingvagabund deleted the disable-insecure-port-in-scheduler branch September 14, 2021 17:00
@pacoxu pacoxu mentioned this pull request Sep 15, 2021
Merged
@ingvagabund ingvagabund mentioned this pull request Sep 15, 2021
Closed
@rifelpet rifelpet mentioned this pull request Sep 16, 2021
Closed
@aiyengar2 aiyengar2 mentioned this pull request Dec 4, 2021
Closed
@pacoxu pacoxu mentioned this pull request Dec 8, 2021
Closed
@liggitt liggitt mentioned this pull request Dec 8, 2021
Closed
@rfranzke rfranzke mentioned this pull request Jan 12, 2022
Closed
20 tasks
@sjenning sjenning mentioned this pull request Jan 17, 2022
Merged
monogon-bot pushed a commit to monogon-dev/monogon that referenced this pull request Apr 25, 2022
@q3k
m/n/kubernetes: remove --port flag from services
83d793d 
From logs:

  Flag --port has been deprecated, This flag has no effect now and will be removed in v1.24.

So that's what we do. We had this flag only set to disable insecure
serving, and insecure serving has been removed in upstream, thereby
rendering the use of this flag a no-op.

Controller-manager PR: kubernetes/kubernetes#96216
Scheduler PR: kubernetes/kubernetes#96345

Change-Id: If9009aa6f7c72a5ec8b7baf2326964167059c0a1
Reviewed-on: https://review.monogon.dev/c/monogon/+/665
Reviewed-by: Lorenz Brun <lorenz@monogon.tech>
@jinja2 jinja2 mentioned this pull request Mar 28, 2023
Merged
@ingvagabund ingvagabund mentioned this pull request Mar 30, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@liggitt liggitt liggitt left review comments

@alculquicondor alculquicondor alculquicondor left review comments

@edwardstudy edwardstudy edwardstudy left review comments

@ahg-g ahg-g ahg-g left review comments

@JAORMX JAORMX JAORMX approved these changes

@knight42 knight42 knight42 approved these changes

@ravisantoshgudimetla ravisantoshgudimetla ravisantoshgudimetla approved these changes

@draveness draveness Awaiting requested review from draveness

Assignees

@sttts sttts

@alculquicondor alculquicondor

@ravisantoshgudimetla ravisantoshgudimetla

@ahg-g ahg-g

Labels
api-review Categorizes an issue or PR as actively needing an API review. approved Indicates a PR has been approved by an approver from all required OWNERS files. area/e2e-test-framework Issues or PRs related to refactoring the kubernetes e2e test framework area/provider/gcp Issues or PRs related to gcp provider area/test cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. kind/api-change Categorizes issue or PR as related to adding, removing, or otherwise changing an API kind/cleanup Categorizes issue or PR as related to cleaning up code, process, or technical debt. kind/deprecation Categorizes issue or PR as related to a feature/enhancement marked for deprecation. lgtm "Looks good to me", indicates that a PR is ready to be merged. needs-priority Indicates a PR lacks a `priority/foo` label and requires one. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. release-note-action-required Denotes a PR that introduces potentially breaking changes that require user action. sig/cloud-provider Categorizes an issue or PR as relevant to SIG Cloud Provider. sig/scheduling Categorizes an issue or PR as relevant to SIG Scheduling. sig/testing Categorizes an issue or PR as relevant to SIG Testing. size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files.
Projects
API Reviews
Status: API review completed, 1.23
Milestone
v1.23
Development

Successfully merging this pull request may close these issues.

None yet