kube-ctrl-mgr: enable secure port 10257 #64149
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
the
needs-rebase
sttts
force-pushed
the
sttts-ctrl-mgr-secure-ports
branch
from
e717dfa
to
e0ed50a
Compare
k8s-ci-robot
added
size/M
sttts
changed the title
k8s-ci-robot
removed
the
do-not-merge/work-in-progress
k8s-ci-robot
added
the
needs-rebase
andrewsykim
reviewed
Jul 25, 2018
pkg/master/ports/ports.go
Outdated
| @@ -41,4 +41,10 @@ const ( | |||
| // ProxyHealthzPort is the default port for the proxy healthz server. | |||
| // May be overridden by a flag at startup. | |||
| ProxyHealthzPort = 10256 | |||
| // InsecureKubeControllerManagerPort is the default port for the controller manager status server. | |||
There was a problem hiding this comment.
s/InsecureKubeControllerManagerPort/KubeControllerManagerPort/
andrewsykim
reviewed
Jul 25, 2018
pkg/master/ports/ports.go
Outdated
| // InsecureKubeControllerManagerPort is the default port for the controller manager status server. | ||
| // May be overridden by a flag at startup. | ||
| KubeControllerManagerPort = 10257 | ||
| // InsecureCloudControllerManagerPort is the default port for the cloud controller manager server. |
There was a problem hiding this comment.
s/InsecureCloudControllerManagerPort/CloudControllerManagerPort
sttts
force-pushed
the
sttts-ctrl-mgr-secure-ports
branch
from
e0ed50a
to
c19c9a2
Compare
k8s-ci-robot
added
size/XXL
sttts
force-pushed
the
sttts-ctrl-mgr-secure-ports
branch
from
c19c9a2
to
be106d2
Compare
sttts
changed the title
|
Split out the cloud-ctrl-mgr changes into #67069 |
sttts
force-pushed
the
sttts-ctrl-mgr-secure-ports
branch
from
be106d2
to
82d4512
Compare
k8s-ci-robot
added
the
release-note
This is the old behaviour and we did not intent to change it due to enabled authn/z in general. As the kube-apiserver this sets the "system:unsecured" user info.
sttts
force-pushed
the
sttts-ctrl-mgr-secure-ports
branch
from
0075df3
to
8aa0eef
Compare
|
Rebased, advanced auditing GA merged. |
k8s-ci-robot
removed
the
needs-rebase
|
/retest |
|
@liggitt lgty and ready to unhold? |
|
/lgtm |
k8s-ci-robot
added
lgtm
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: deads2k, liggitt, sttts The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
/test all [submit-queue is verifying that this PR is safe to merge] |
|
Automatic merge from submit-queue (batch tested with PRs 67756, 64149, 68076, 68131, 68120). If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. |
|
@sttts: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
k8s-github-robot
pushed a commit
that referenced
this pull request
Sep 1, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md. cloud-ctrl-mgr: enable secure port 10258 This PR enables authn+authz (delegated to the kube-apiserver) and the secure port 10258 for the cloud-controller-manager. In addition, the insecure port is disabled. This is the counterpart PR to #64149. Moreover, it adds integration test coverage for the `--port` and `--secure-port` flags, plus the testserver infrastructure to tests flags in general inside integration tests. ```release-note Enable secure serving on port 10258 to cloud-controller-manager (configurable via `--secure-port`). Delegated authentication and authorization have to be configured like for aggregated API servers. ```
sttts
pushed a commit
to sttts/apiserver
that referenced
this pull request
Sep 5, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
sttts
pushed a commit
to sttts/apiserver
that referenced
this pull request
Sep 5, 2018
Automatic merge from submit-queue (batch tested with PRs 66960, 67545). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authn/z: optionally opt-out of mandatory authn/authz kubeconfig This adds `RemoteKubeConfigFileOptional` field to the delegated authn/z option structs. If set to true, the authn/z kubeconfig file flags are optional. If no kubeconfig is given, all token requests are considered to be anonymous and no client CA is looked up in the cluster. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. Kubernetes-commit: 1b3a2dd0830ca0e02d5b95d2ecc0161d0c93a0c7
sttts
pushed a commit
to sttts/kube-aggregator
that referenced
this pull request
Sep 5, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
sttts
pushed a commit
to sttts/sample-apiserver
that referenced
this pull request
Sep 5, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
sttts
pushed a commit
to sttts/apiextensions-apiserver
that referenced
this pull request
Sep 5, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
k8s-publishing-bot
added a commit
to kubernetes/apiserver
that referenced
this pull request
Sep 6, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
k8s-publishing-bot
added a commit
to kubernetes/apiserver
that referenced
this pull request
Sep 6, 2018
Automatic merge from submit-queue (batch tested with PRs 66960, 67545). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authn/z: optionally opt-out of mandatory authn/authz kubeconfig This adds `RemoteKubeConfigFileOptional` field to the delegated authn/z option structs. If set to true, the authn/z kubeconfig file flags are optional. If no kubeconfig is given, all token requests are considered to be anonymous and no client CA is looked up in the cluster. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. Kubernetes-commit: 1b3a2dd0830ca0e02d5b95d2ecc0161d0c93a0c7
k8s-publishing-bot
added a commit
to kubernetes/kube-aggregator
that referenced
this pull request
Sep 6, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
k8s-publishing-bot
added a commit
to kubernetes/sample-apiserver
that referenced
this pull request
Sep 6, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
k8s-publishing-bot
added a commit
to kubernetes/apiextensions-apiserver
that referenced
this pull request
Sep 6, 2018
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. delegated authz: add AlwaysAllowPaths to option struct (defaulting to /healthz) Add `AlwaysAllowPaths` field to delegated authz. These http paths are excluded from the authz chain. Prerequisite for kubernetes/kubernetes#64149 and kubernetes/kubernetes#67069. ```release-note Added --authorization-always-allow-paths to components doing delegated authorization to exclude certain HTTP paths like /healthz from authorization. ``` Kubernetes-commit: 5ed26a348b017c3ece8ac468d15770ddf8b922ae
This was referenced Sep 10, 2018
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR enables authn+authz (delegated to the kube-apiserver) and the secure port 10257 for the kube-controller-manager. In addition, the insecure port is disabled.
Moreover, it adds integration test coverage for the
--portand--secure-portflags, plus the testserver infrastructure to tests flags in general inside integration tests.