-
Notifications
You must be signed in to change notification settings - Fork 504
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Disable publicly available cAdvisor #356
Conversation
+1 for disabling this. cc @dashpole |
I'm definitely in favor of disabling this, but I'm a little unclear about what guarantees kubeadm makes about changes to enabled services. |
@luxas @liggitt - seen this change? kubernetes/kubernetes#47195 |
Yes, I still wouldn't expose unnecessary services by default. |
+1 turning this off. Are these really the only scripts that need to be edited? Also I've no idea what might break when we disable this, but if we do this as soon as 1.8 opens, it should have plenty of soak time. |
@mtaufen Actually I'm targeting this for v1.7... @dims Yes, but kubelet listens to I tried to test things out, but I saw nothing that broke. https://github.com/kubernetes/kubernetes/blob/master/test/e2e/cadvisor.go#L68 // cadvisor is not accessible directly unless its port (4194 by default) is exposed.
// Here, we access '/stats/' REST endpoint on the kubelet which polls cadvisor internally.
statsResource := fmt.Sprintf("api/v1/proxy/nodes/%s/stats/", node.Name)
By(fmt.Sprintf("Querying stats from node %s using url %s", node.Name, statsResource))
_, err = c.Core().RESTClient().Get().AbsPath(statsResource).Timeout(timeout).Do().Raw()
if err != nil {
errors = append(errors, err)
} https://github.com/kubernetes/kubernetes/blob/master/test/e2e/proxy.go#L62
So to me it seems like all consumers (like heapster) use |
@luxas @dchen1107 would need to make the call on this for 1.7. |
@luxas is there an associated issue open in kubernetes/kubernetes? |
@ixdy Not in k/k, but here: kubernetes/kubeadm#321 |
@luxas and I discussed at slack, and we agreed to proceed with this change. |
Attack plan is:
|
Both CI at head and CI for v1.7 have been green as before since kubernetes/kubernetes#48042 merged, so this is good to go. Documentation is here: kubernetes/website#4229 And I'll add a release note about this. Given the discussion with and approval by @dchen1107 and the other LGTM's here in this thread, I'm merging this to move forward. |
Add the additional 1.13 alpha.3 release to timeline
cc @kubernetes/sig-auth-pr-reviews @kubernetes/sig-node-pr-reviews @piosz @DirectXMan12 @mwielgus @kubernetes/sig-cluster-lifecycle-pr-reviews @mtaufen
After chatting with @DirectXMan12 about what the cAdvisor port actually is used for, I realized that we might be able to turn it off. I tested it locally and it worked just fine, heapster could fetch metrics normally.
Problem: Many kubeadm users spawn their clusters on public VMs from providers like DigitalOcean, Packet, GCE or their own solution where the master has a public IP to the internet. Currently, the
4194
cAdvisor port, is exposed publicly to anyone. If the machine has a public IP address; it is publicly exposed to the internet. Most users don't know about this nor that they should block4194
in their firewalls. However, that's unnecessarily complex when we can disable it on the kubelet side.Proposed solution: Disabling the publicly available port. Only running cAdvisor internally in the kubelet. cAdvisor metrics are available anyway from
{node-ip}:10250/stats
, but this time with proper authentication and authorization.