Change health check from TCP to HTTPS #6487
Conversation
I kept seeing `TLS handshake error from 10.250.250.158:63770: EOF` from two IP addresses that correlate to my ELB. Changing the health check from TCP to HTTPS stopped the errors from being generated.
Welcome @medined!
Hi @medined. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
Isn't it strange that everything else targets TCP and works fine? (line 14 / 20 / 35 etc.)
/ok-to-test
My understanding is that the health check works, but generates extra logs.
Ok in that case, why not 🤷
@medined how is this working out in terms of CA? With a TCP health check there is no CA to verify, but an HTTPS health check might verify the CA (depends on the AWS implementation I suppose).
Indeed, TCP checks on an HTTPS endpoint will generate
/lgtm
Thank you for considering this request. I am not ignoring the comments here. I just don't feel qualified to comment on larger implications of this change.
If you disable anon auth, the health endpoint will not respond, which could cause the LB to mark the API as down.
kubespray defaults are using
It's configurable by
I'm not a big fan of changing settings behind users' backs. If a user changes a default setting, I assume they know what they're doing. Especially since there are other ways to build the infrastructure besides the contrib folder, and we will never catch that.
Should we consider a flag to switch between TCP and HTTPS mode? Considering the default value of
agree, we can approve it as it is and create another PR to add the flag "HTTPS or TCP" with HTTPS as default
/approve
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: medined, Miouge1. The full list of commands accepted by this bot can be found here. The pull request process is described here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
* 'master' of https://github.com/kubernetes-sigs/kubespray:
  - remove variable 'etcd_ionice', because ionice removed from container image etcd:v3.4.x (kubernetes-sigs#6735)
  - calico: default to using kdd datastore (kubernetes-sigs#6693)
  - Update docker packages to 19.03.13 + add docker f32 (kubernetes-sigs#6712)
  - Fix snapshot.storage apiVersion (kubernetes-sigs#6711)
  - properly generate extravolumes in kubeadmconfig for centos (kubernetes-sigs#6708)
  - Fix reserved memory unit in kubelet configuration (kubernetes-sigs#6725)
  - Fix unintended SIGPIPE (kubernetes-sigs#6721)
  - Expose offline install overrides in inventory (kubernetes-sigs#6728)
  - Added ability to set calico vxlan vni and port. defaults to calico's … (kubernetes-sigs#6678)
  - Change health check from TCP to HTTPS (kubernetes-sigs#6487)
  - Add multi architecture support to flannel (kubernetes-sigs#6166)
  - Remove pypi repo and pip extra flags (kubernetes-sigs#6729)
  - Fails if kubeadm_version does not match kubernetes version (kubernetes-sigs#6302)
  - Add external_openstack_lbaas_provider setting for occm (kubernetes-sigs#6566)
  - add new variable allowing additional audit webhook server options (kubernetes-sigs#6726)
  - Fix example value for etcd_quota_backend_bytes (kubernetes-sigs#6724)
  - Added support for setting tiller_service_account and tiller_replicas (kubernetes-sigs#6696)
What type of PR is this?
What this PR does / why we need it:
This PR changes the health check of the load balancer created by the terraform scripts for AWS to be HTTPS instead of TCP. This change resolves the "TLS handshake error" messages that appear twice every 30 seconds in the apiserver logs.
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?:
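The change this PR describes, as an added illustration that is not kubespray's own contrib/terraform/aws code: a Classic ELB in front of kube-apiserver with the noisy TCP probe beside the HTTPS probe, and the two caveats raised in the thread (anonymous access to the health endpoint, certificate verification) noted where they apply. The resource and variable names, port 6443 and the /healthz path are assumptions.

```hcl
# Added illustration, not the kubespray Terraform code.
# Assumed: a Classic ELB (aws_elb) doing TCP passthrough to kube-apiserver on 6443.

resource "aws_elb" "kube_api" {
  name            = "kube-api-example"          # assumed name
  subnets         = var.subnet_ids              # assumed variable
  security_groups = [aws_security_group.lb.id]  # assumed resource

  # TLS is terminated by the apiserver, not the ELB.
  listener {
    instance_port     = 6443
    instance_protocol = "tcp"
    lb_port           = 6443
    lb_protocol       = "tcp"
  }

  # Before: a TCP probe only opens and closes a socket, never sending a
  # ClientHello, so the apiserver's TLS listener logs
  # "TLS handshake error from <elb-ip>:<port>: EOF" on every probe
  # (once per ELB node, which is why the line shows up twice per interval).
  # health_check {
  #   target              = "TCP:6443"
  #   interval            = 30
  #   timeout             = 5
  #   healthy_threshold   = 2
  #   unhealthy_threshold = 2
  # }

  # After: an HTTPS probe completes the handshake and GETs /healthz, so the
  # apiserver answers 200 instead of logging a broken handshake.
  # Caveats from the review thread:
  #  - /healthz must answer unauthenticated requests (apiserver anonymous
  #    auth enabled); if it does not, the probe fails and the ELB marks the
  #    API down, which the TCP probe would not have done.
  #  - whether the ELB verifies the apiserver certificate is up to the AWS
  #    implementation; do not rely on the probe as a certificate check.
  health_check {
    target              = "HTTPS:6443/healthz"
    interval            = 30
    timeout             = 5
    healthy_threshold   = 2
    unhealthy_threshold = 2
  }
}
```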