Enable support for authenticating tokens (e.g. SAs) in the Kubelet API #650
Assignees
Labels
area/security
lifecycle/active
Indicates that an issue or PR is actively being worked on by a contributor.
priority/important-soon
Must be staffed and worked on either currently, or very soon, ideally in time for the next release.
Milestone
Comments
luxas
added
the
priority/important-soon
|
@luxas PR kubernetes/kubernetes#57997 sent. |
|
/assign @xiangpengzhao |
|
I don't know enough yet to comment about the safety of enabling this by default, but if we do move forward with this change, let's make sure to also update the rpm build so that the debs don't drift away in behavior. |
|
@luxas, can you elaborate on why this is a prerequisite for the 1.10 release? What exactly will break in 1.10 if we don't make these changes? Thanks! |
timothysc
added
help wanted
timothysc
added
help wanted
luxas
added
lifecycle/active
This was referenced May 21, 2018
k8s-github-robot
pushed a commit
to kubernetes/kubernetes
that referenced
this issue
May 24, 2018
Automatic merge from submit-queue (batch tested with PRs 64174, 64187, 64216, 63265, 64223). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kubeadm: Improve the kubelet default configuration security-wise **What this PR does / why we need it**: - Disables the readonly port for the kubelets in the cluster - Enables delegated SA token authentication for the secure kubelet port (GCE also did this ref: #58178) - Follows up #63912 to move the last flag from the system dropin to the ComponentConfig **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes kubernetes/kubeadm#732 Fixes kubernetes/kubeadm#650 Replaces #57997 **Special notes for your reviewer**: In order to make sure this actually works, or that clusters actually are secure, we're adding e2e tests for this: kubernetes/kubeadm#838 & #64140 Depends on #63912 **Release note**: ```release-note [action required] kubeadm: kubelets in kubeadm clusters now disable the readonly port (10255). If you're relying on unauthenticated access to the readonly port, please switch to using the secure port (10250). Instead, you can now use ServiceAccount tokens when talking to the secure port, which will make it easier to get access to e.g. the `/metrics` endpoint of the kubelet securely. ``` @kubernetes/sig-cluster-lifecycle-pr-reviews @kubernetes/sig-auth-pr-reviews FYI
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Ref: https://kubernetes.io/docs/admin/kubelet-authentication-authorization/#kubelet-authentication
Thanks to @liggitt and @brancz that brought to my attention that this wasn't enabled right now (which I to be completely honest had expected intutively, but without actually checking it up)
We basically just have to pass
--authentication-token-webhookto the kubelet as well.This is a prereq for v1.10
Files to update:
https://github.com/kubernetes/kubernetes/blob/master/build/debs/10-kubeadm.conf
https://github.com/kubernetes/kubernetes/blob/master/cmd/kubeadm/app/apis/kubeadm/v1alpha1/defaults.go#L181
The text was updated successfully, but these errors were encountered: