-
Notifications
You must be signed in to change notification settings - Fork 1.9k
Make use of secure port when accessing Kubelet API #471
Conversation
jenkins test this please |
Hey @jmlrt . What is the status on this? Is this valid or is anything else missing here? |
jenkins test this please |
Hi @ChrsMark, |
Updated with the latest master. Not sure if the latest failure is related though. |
@ChrsMark This is really strange, we have a test which queries elasticsearch for This test is failing in your PR because there is no document matching In the same time, The test on master branch is still working well (see logs here). |
Hi @jmlrt ! Could I somehow check what is the output of Metricbeat pod? If there is a way to reproduce it locally feel free to mention and I could give it a shot. To share some content here, with this change Metricbeat will try to query for metrics from Kubelet's API secure port instead of the insecure which was the previous one in the configuration. So I'm wondering if for some reason this port is not accessible in the testing env maybe because Kubelet is configured without this port enabled or for some reason this port is not exposed. |
Hi Chris, Here are the logs of a metricbeat pod when deploying your metricbeat chart from this PR on a GKE 1.15 cluster with default config:
It seems that secure ports isn't available from inside the pods with default GKE config. |
Signed-off-by: ChrsMark <[email protected]>
After discussing and debugging it with @jmlrt, it was found that the problem was a missing Since it is not possible to add it in helm charts too (see #391 (comment) for more info), we switch from using For reference if @exekias any comments on this, since we have it with |
This sounds reasonable. Also since we are now exposing NODE_NAME we can switch to using it too to avoid confusion, WDYT? |
Signed-off-by: ChrsMark <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
⛴ Thanks for this PR 👍
What does this PR do?
This PR switches Metricbeat k8s manifests and docs to point to Kubelet secure port over https instead of the insecure port.
Why is it important?
Insecure port of Kubelet (10255/TCP) is now less common and discouraged and also in most cases it is not enabled by default (requiring to restart
kubelet
with--read-only-port
flag)Related to elastic/beats#16063