From 4ad6d64483d61d5c7d57024983e2c8341e4fbe03 Mon Sep 17 00:00:00 2001
From: Charly Fontaine
Date: Thu, 17 May 2018 19:22:57 -0400
Subject: [PATCH] Allow failover with http when tls communication is unauthorized (#1679)

* allow failover with http when tls communication is unauthorized
---
 pkg/util/kubernetes/kubelet/kubelet.go | 5 ++++-
 .../notes/kubelet-http-attempt-66433aa43e37e3f7.yaml | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
 create mode 100644 releasenotes/notes/kubelet-http-attempt-66433aa43e37e3f7.yaml

diff --git a/pkg/util/kubernetes/kubelet/kubelet.go b/pkg/util/kubernetes/kubelet/kubelet.go
index 60035687c496c7..56a328f7aa6a8e 100644
--- a/pkg/util/kubernetes/kubelet/kubelet.go
+++ b/pkg/util/kubernetes/kubelet/kubelet.go
@@ -395,7 +395,10 @@ func (ku *KubeUtil) setupKubeletApiEndpoint() error {
 log.Debugf("Kubelet endpoint is: %s", ku.kubeletApiEndpoint)
 return nil
 }
- return fmt.Errorf("unexpected status code %d on endpoint %s%s", code, ku.kubeletApiEndpoint, kubeletPodPath)
+ if code != http.StatusUnauthorized {
+ return fmt.Errorf("unexpected status code %d on endpoint %s%s", code, ku.kubeletApiEndpoint, kubeletPodPath)
+ }
+ log.Warn("Failed to securely reach the kubelet over HTTPS. Trying a non secure connection over HTTP. We highly recommend configuring TLS to access the kubelet")
 }
 log.Debugf("Cannot query %s%s: %s", ku.kubeletApiEndpoint, kubeletPodPath, httpsUrlErr)

diff --git a/releasenotes/notes/kubelet-http-attempt-66433aa43e37e3f7.yaml b/releasenotes/notes/kubelet-http-attempt-66433aa43e37e3f7.yaml
new file mode 100644
index 00000000000000..ec82c9b4025f1c
--- /dev/null
+++ b/releasenotes/notes/kubelet-http-attempt-66433aa43e37e3f7.yaml
@@ -0,0 +1,4 @@
+---
+issues:
+ - |
+ If the kubelet is not configured with TLS auth, the agent will fail to communicate with the API when it should still try HTTP.
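Review bot: The new `code != http.StatusUnauthorized` branch in `setupKubeletApiEndpoint` turns a 401 from the HTTPS endpoint into an automatic downgrade to plain HTTP, so a rejected credential (a misconfiguration, not a missing TLS listener) ends with pod data being fetched over an unauthenticated, unencrypted channel by default. That fallback should be an explicit operator opt-in, for example `if code != http.StatusUnauthorized || !httpFallbackAllowed {`, where `httpFallbackAllowed` is a placeholder for a configuration value this hunk does not show. The warning would also be easier to triage if it carried the endpoint and status, e.g. `log.Warnf("kubelet returned %d on %s%s, falling back to unauthenticated HTTP", code, ku.kubeletApiEndpoint, kubeletPodPath)`. The `log.Debugf("Cannot query ...", httpsUrlErr)` that follows presumably now runs with a nil `httpsUrlErr` on this path and would log a misleading message; the enclosing `if` starts outside the hunk, so that needs confirming.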