Adding support for agent authenticate server by using kubeapi-server ca #47
Adding support for agent authenticate server by using kubeapi-server ca #47k8s-ci-robot merged 1 commit intokubernetes-sigs:masterfrom
Conversation
|
Thanks for your pull request. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA). 📝 Please follow instructions at https://git.k8s.io/community/CLA.md#the-contributor-license-agreement to sign the CLA. It may take a couple minutes for the CLA signature to be fully registered; after that, please reply here with a new comment and we'll verify. Thanks.
DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-ci-robot
added
the
cncf-cla: no
|
Welcome @dberkov! |
|
Hi @dberkov. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
the
size/L
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
CLA signature completed |
k8s-ci-robot
added
cncf-cla: yes
dberkov
force-pushed
the
auth
branch
2 times, most recently
from
080653c to
a669644
Compare
|
/assign |
caesarxuchao
left a comment
caesarxuchao
left a comment
There was a problem hiding this comment.
Dima, can you move the code refactor into another PR?
If I understand correctly, with this PR, only the proxy agent validates the identity of the proxy server, but not the other way. Will there be follow-up PRs that implement the other direction of verification?
I haven't reviewed the test changes.
[1] - renaming udsName has been undo |
| ${DOCKER_CMD} manifest push --purge $(SERVER_FULL_IMAGE):$(TAG) | ||
|
|
||
| .PHONY: docker-push-manifest/proxy-test-client | ||
| docker-push-manifest/proxy-test-client: ## Push the fat manifest docker image. |
There was a problem hiding this comment.
I know it's copied from somewhere, but what does "fat manifest" mean?
There was a problem hiding this comment.
https://developer.ibm.com/linuxonpower/2017/07/27/create-multi-architecture-docker-image/ suggest a "fat manifest" is a mutli-architecture manifest.
|
Thank you @dberkov. The refactor looks good. I have some comments on the details. |
| timeoutSeconds: 15 | ||
| resources: | ||
| limits: | ||
| cpu: 50m |
There was a problem hiding this comment.
I assume so, it's a copy and paste of what we have in k/k (https://github.com/kubernetes/kubernetes/blob/master/cluster/gce/addons/konnectivity-agent/daemonset.yaml#L53). cc: @cheftako
There was a problem hiding this comment.
A very good question. Its sufficient for the server to come up. It will be interesting to see if its sufficient to proxy something like a cluster with high admission webhook load.
k8s-ci-robot
added
the
lgtm
|
Can you squash the commits? At least the "Do not make unnecessary call to kubeapi-server to pull certificates" commit is redundant. |
k8s-ci-robot
removed
the
lgtm
dberkov
changed the title
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/lgtm |
| flags.IntVar(&o.requestPort, "request-port", o.requestPort, "The port the request server is listening on.") | ||
| flags.StringVar(&o.proxyHost, "proxy-host", o.proxyHost, "The host of the proxy server.") | ||
| flags.IntVar(&o.proxyPort, "proxy-port", o.proxyPort, "The port the proxy server is listening on.") | ||
| flags.StringVar(&o.proxyUdsName, "proxy-uds", o.proxyHost, "The UDS name to connect to.") |
k8s-ci-robot
removed
the
lgtm
k8s-ci-robot
added
the
lgtm
k8s-ci-robot
removed
the
lgtm
|
/assign @cheftako |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
/approve |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: cheftako, dberkov The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
k8s-ci-robot
added
the
approved
…odules/github.com/stretchr/testify-1.7.3 Build(deps): bump github.com/stretchr/testify from 1.7.2 to 1.7.3
…ncy-openshift-4.16-ose-apiserver-network-proxy OCPBUGS-27932: Updating ose-apiserver-network-proxy-container image to be consistent with ART for 4.16
6 participants
The PR allows to reuse certificate generated for kubelet by proxy/agent/test-client, instead of generating dedicated set of certificates for proxy / agent / test-agent.
Server
Proxy-server runs as a static pod on master and initializes a grpc server with /etc/srv/kubernetes/pki/apiserver.crt & /etc/srv/kubernetes/pki/apiserver.key (no CA certificate)
Agent
Agent runs on node as a regular pod. It uses existing /var/run/secrets/kubernetes.io/serviceaccount/ca.crt (ca.crt bounds in every pod by k8s) to validate proxy-server's certificate returns during tls handshake.
Test-Clinet
As part of the tests, test-client runs on master VM as a static pod and communicates with proxy-server via UDS.