Configure secure serving for controller-manager & scheduler


Closed

luxas opened this issue Nov 28, 2018 · 8 comments


Comments

Member

luxas commented Nov 28, 2018

xref: #1285

insecure serving is deprecated. We should switch to secure serving.
controller-manager logs in v1.13.0-rc.1:

I1128 12:40:04.680584       1 serving.go:318] Generated self-signed cert in-memory
I1128 12:40:05.697603       1 controllermanager.go:151] Version: v1.13.0-rc.1
I1128 12:40:05.699084       1 secure_serving.go:116] Serving securely on [::]:10257
I1128 12:40:05.699649       1 deprecated_insecure_serving.go:51] Serving insecurely on 127.0.0.1:10252

scheduler logs in v1.13.0-rc.1:

I1128 12:40:04.787327       1 serving.go:318] Generated self-signed cert in-memory
W1128 12:40:05.278190       1 authentication.go:373] failed to read in-cluster kubeconfig for delegated authentication: failed to read token file "/var/run/secrets/kubernetes.io/serviceaccount/token": open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
W1128 12:40:05.278217       1 authentication.go:235] No authentication-kubeconfig provided in order to lookup client-ca-file in configmap/extension-apiserver-authentication in kube-system, so client certificate authentication won't work.
W1128 12:40:05.278227       1 authentication.go:238] No authentication-kubeconfig provided in order to lookup requestheader-client-ca-file in configmap/extension-apiserver-authentication in kube-system, so request-header client certificate authentication won't work.
W1128 12:40:05.278252       1 authorization.go:177] failed to read in-cluster kubeconfig for delegated authorization: failed to read token file "/var/run/secrets/kubernetes.io/serviceaccount/token": open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
W1128 12:40:05.278411       1 authorization.go:146] No authorization-kubeconfig provided, so SubjectAccessReview of authorization tokens won't work.
W1128 12:40:05.285538       1 authorization.go:47] Authorization is disabled
W1128 12:40:05.285562       1 authentication.go:55] Authentication is disabled
I1128 12:40:05.285579       1 deprecated_insecure_serving.go:49] Serving healthz insecurely on 127.0.0.1:10251
I1128 12:40:05.286312       1 secure_serving.go:116] Serving securely on [::]:10259

@sttts What do we need to do here?
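The log lines quoted above are exactly the signals an operator should be watching for. The following is an added example, not code from kubeadm or this thread: a small klog audit that flags the "Authentication is disabled", "Authorization is disabled" and "Serving ... insecurely" messages, run here over a constructed sample taken from the scheduler output quoted in the issue.

```python
import re

# Constructed sample: the kube-scheduler lines quoted in this issue,
# reduced to the ones the audit cares about.
SAMPLE_LOG = """\
I1128 12:40:04.787327       1 serving.go:318] Generated self-signed cert in-memory
W1128 12:40:05.285538       1 authorization.go:47] Authorization is disabled
W1128 12:40:05.285562       1 authentication.go:55] Authentication is disabled
I1128 12:40:05.285579       1 deprecated_insecure_serving.go:49] Serving healthz insecurely on 127.0.0.1:10251
I1128 12:40:05.286312       1 secure_serving.go:116] Serving securely on [::]:10259
"""

# klog line layout: severity letter, MMDD, time, pid, file:line] message
KLOG_RE = re.compile(r"^([IWEF])(\d{4}) (\S+)\s+\d+ (\S+?):\d+\] (.*)$")

# Message patterns that indicate a listener an attacker could reach without credentials.
FINDINGS = [
    (re.compile(r"^Authentication is disabled"), "secure port accepts unauthenticated requests"),
    (re.compile(r"^Authorization is disabled"), "secure port performs no SubjectAccessReview"),
    (re.compile(r"^Serving (?:\S+ )?insecurely on (\S+)"), "deprecated insecure listener still open"),
    (re.compile(r"^Generated self-signed cert in-memory"), "serving cert is self-signed, scrapers cannot verify it"),
]

def audit_log(text):
    """Return (source_file, listener_or_None, explanation) for every line
    that indicates an insecure or unauthenticated listener."""
    results = []
    for raw in text.splitlines():
        m = KLOG_RE.match(raw)
        if not m:
            continue
        src, msg = m.group(4), m.group(5)
        for pat, why in FINDINGS:
            fm = pat.match(msg)
            if fm:
                listener = fm.group(1) if fm.groups() else None
                results.append((src, listener, why))
    return results

def secure_listeners(text):
    """Addresses the component reports serving securely on."""
    return re.findall(r"Serving securely on (\S+)", text)

if __name__ == "__main__":
    for src, listener, why in audit_log(SAMPLE_LOG):
        print(f"{src}: {why}" + (f" ({listener})" if listener else ""))
```

Once the --authentication-kubeconfig and --authorization-kubeconfig flags are in place, the two "disabled" warnings disappear from the log and this audit returns only the remaining listener findings.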

luxas added area/security priority/important-longterm kind/feature labels Nov 28, 2018

luxas added this to the v1.14 milestone Nov 28, 2018

luxas changed the title Properly configure secure serving for the controller-manager Configure secure serving for controller-manager & scheduler Nov 28, 2018

Member Author

luxas commented Nov 28, 2018

cc @timothysc @liztio

neolit123 mentioned this issue Nov 28, 2018

Kubeadm use deprecated controller-manager and scheduller flags #1234

Closed

neolit123 mentioned this issue Nov 28, 2018

Use --bind-address for the controller-manager #1284

Closed

sttts commented Nov 29, 2018

You have to pass --authentication-kubeconfig and --authorization-kubeconfig and then configure RBAC to

luxas mentioned this issue Dec 20, 2018

Use secure port for scheduler and controller-manager liveness probe #1327

Closed

joshrosso mentioned this issue Jan 8, 2019

cmd/kubeadm: use secure port for liveness probe on controller-manager and scheduler kubernetes/kubernetes#72159

Closed

Member

alexbrand commented Jan 30, 2019

To be able to scrape metrics on the secure port of the scheduler, we need to set the --authentication-kubeconfig and --authorization-kubeconfig flags. We already do this on the controller manager.

In the case of the scheduler, where the flags are not set, any request to /metrics on the secure port is rejected, because it is not authenticated/authorized. By setting the flags, we tell the scheduler to perform tokenaccessreview and subjectaccessreview for requests coming in on the secure port.

timothysc assigned yagonobre Feb 13, 2019

lbogdan mentioned this issue Feb 26, 2019

Further exploration octetz/secure-port-k8s-cm-sched#1

Open

lbogdan commented Feb 27, 2019

All RBAC setup was already done in kubernetes/kubernetes#72491, so it looks like it's only a matter of adding --authentication-kubeconfig and --authorization-kubeconfig to kube-scheduler. If no one is working on this, I'd like to take a shot at it.

Member

neolit123 commented Mar 7, 2019

@lbogdan sorry for the delayed reply.

I'd like to take a shot at it.

that would be appreciated, but mind that we are in code freeze soon, so a PR for this can be merged after 1.14 is out.

neolit123 removed this from the v1.14 milestone Mar 7, 2019

neolit123 added this to the v1.15 milestone Mar 7, 2019

daili mentioned this issue Apr 9, 2019

install kubernetes 1.14.0 using kube-aws won't work kubernetes-retired/kube-aws#1578

Closed

fl-max commented Apr 23, 2019

For those that stumble upon this and are using Kubeadm, the Kubeconfig is already generated and is mounted into the scheduler pod at /etc/kubernetes/scheduler.conf. You simply need to add authentication-kubeconfig & authorization-kubeconfig to your configuration like so:

apiVersion: kubeadm.k8s.io/v1beta1
kind: ClusterConfiguration
...
scheduler:
  extraArgs:
    authentication-kubeconfig: "/etc/kubernetes/scheduler.conf"
    authorization-kubeconfig: "/etc/kubernetes/scheduler.conf"
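A way to verify that a node actually ended up with the configuration described in this comment, as an added example that is not part of the thread or of kubeadm: the script scans a kube-scheduler static pod manifest, checks that both kubeconfig flags are set, and confirms that the path they point at is covered by a volumeMount (a flag pointing at an unmounted path would leave the scheduler failing to read its kubeconfig). The manifest is a constructed sample in the shape kubeadm writes to /etc/kubernetes/manifests/kube-scheduler.yaml.

```python
import re

# Constructed sample of a kubeadm-style kube-scheduler manifest with the two
# flags from this thread added and scheduler.conf mounted from the host.
MANIFEST = """\
apiVersion: v1
kind: Pod
spec:
  containers:
  - command:
    - kube-scheduler
    - --kubeconfig=/etc/kubernetes/scheduler.conf
    - --authentication-kubeconfig=/etc/kubernetes/scheduler.conf
    - --authorization-kubeconfig=/etc/kubernetes/scheduler.conf
    volumeMounts:
    - mountPath: /etc/kubernetes/scheduler.conf
      name: kubeconfig
  volumes:
  - hostPath:
      path: /etc/kubernetes/scheduler.conf
    name: kubeconfig
"""

ARG_RE = re.compile(r"^\s*- --([a-z0-9-]+)=(.*)$")
MOUNT_RE = re.compile(r"^\s*- mountPath: (\S+)$")
REQUIRED = ("authentication-kubeconfig", "authorization-kubeconfig")

def parse_manifest(text):
    """Collect --flag=value args and mountPath entries by line scan (no YAML lib needed)."""
    args, mounts = {}, set()
    for line in text.splitlines():
        m = ARG_RE.match(line)
        if m:
            args[m.group(1)] = m.group(2)
        elif (m := MOUNT_RE.match(line)):
            mounts.add(m.group(1))
    return args, mounts

def audit_manifest(text):
    """Return a list of problems; an empty list means delegated authn/authz is wired up."""
    args, mounts = parse_manifest(text)
    problems = []
    for flag in REQUIRED:
        path = args.get(flag)
        if path is None:
            problems.append(f"missing --{flag}: secure port serves with auth disabled")
        elif not any(path == mp or path.startswith(mp.rstrip("/") + "/") for mp in mounts):
            problems.append(f"--{flag}={path} is not covered by any volumeMount")
    return problems
```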

Member

fabriziopandini commented Apr 26, 2019

/assign

k8s-ci-robot assigned fabriziopandini Apr 26, 2019

dannymk commented May 21, 2019

Hmmm...

I added those flags to: /etc/kubernetes/manifests/kube-scheduler.yaml
...
- --authentication-kubeconfig=/etc/kubernetes/scheduler.conf
- --authorization-kubeconfig=/etc/kubernetes/scheduler.conf
...

I also added the kubernetes generated ca to the system:
sudo cp /etc/kubernetes/pki/ca.crt /usr/local/share/ca-certificates/kubernetes-local-ca.crt
sudo update-ca-certificates

That did the trick for me.

neolit123 removed this from the v1.15 milestone Jun 3, 2019

neolit123 added this to the v1.16 milestone Jun 3, 2019

StanYago mentioned this issue Jul 4, 2019

Serviced accounts blocked in mirror pods brancz/kube-rbac-proxy#49

Closed

neolit123 unassigned yagonobre Jul 25, 2019

neolit123 mentioned this issue Aug 3, 2019

kubeadm: enable secure serving for the kube-scheduler kubernetes/kubernetes#80951

Merged

neolit123 self-assigned this Aug 3, 2019

neolit123 added the lifecycle/active label Aug 3, 2019

k8s-ci-robot closed this in #80951 Aug 5, 2019

Reposted from https://github.com/kubernetes/kubeadm/issues/1285
