kube-apiserver: use HTTP probes instead of exec
The existing exec probes for apiserver rely on things that do not exist in the official kubernetes release images (bash, socat). This change modifies the apiserver to use HTTP probes of the recommended liveness and readiness endpoints.[0] Also sets `--anonymous-auth=true` (the default setting), as kubelet is unable to provide a client certificate when performing the health check. RBAC rules apply, but unauthenticated users will be able to access the following endpoints: apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: name: system:public-info-viewer rules: - nonResourceURLs: - /healthz - /livez - /readyz - /version - /version/ verbs: - get 0: https://v1-18.docs.kubernetes.io/docs/reference/using-api/health-checks/ Change-Id: I06d739c844fe85ec6cbf47d3bb69a39cd008ddd8
This commit is contained in:
parent
be7b82e1a1
commit
fb36579e16
@ -36,27 +36,18 @@
|
|||
|
||||
|
||||
{{- define "livenessProbeTemplate" -}}
|
||||
exec:
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |-
|
||||
kubectl get nodes ${NODENAME} | grep ${NODENAME}
|
||||
exit $?
|
||||
httpGet:
|
||||
path: /livez
|
||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
||||
scheme: HTTPS
|
||||
{{- end -}}
|
||||
|
||||
|
||||
{{- define "readinessProbeTemplate" -}}
|
||||
exec:
|
||||
command:
|
||||
- /bin/bash
|
||||
- -c
|
||||
- |-
|
||||
if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
|
||||
cat /etc/kubernetes/apiserver/pki/apiserver-key.pem <(echo) /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
|
||||
fi
|
||||
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
|
||||
exit $?
|
||||
httpGet:
|
||||
path: /readyz
|
||||
port: {{ .Values.network.kubernetes_apiserver.port }}
|
||||
scheme: HTTPS
|
||||
{{- end -}}
|
||||
|
||||
|
||||
|
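Review bot: The new `httpGet` handlers (the `httpGet:` through `scheme: HTTPS` lines in both `livenessProbeTemplate` and `readinessProbeTemplate`) give no hint that they only succeed because the API server now accepts anonymous requests, a flag that is changed in the other hunk of this commit; a reader of this template alone cannot tell why no credentials are configured. I would put a template comment above each handler, e.g. `{{/* kubelet probes this without client credentials: relies on --anonymous-auth=true and the system:public-info-viewer ClusterRole */}}`. Note also that, as far as I know, kubelet does not verify the serving certificate on `scheme: HTTPS` probes, so this check is unauthenticated in both directions — fine for a health check, but worth stating next to the handler so nobody later assumes it validates the apiserver cert. Timing fields such as `timeoutSeconds` and `failureThreshold` are presumably set where these templates are included, which is outside the hunk.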
@ -22,7 +22,7 @@ const:
|
|||
- kube-apiserver
|
||||
- --advertise-address=$(POD_IP)
|
||||
- --allow-privileged=true
|
||||
- --anonymous-auth=false
|
||||
- --anonymous-auth=true
|
||||
- --bind-address=0.0.0.0
|
||||
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
|
||||
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
|
||||
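Review bot: `- --anonymous-auth=true` now carries an undocumented dependency: the liveness and readiness probes added in the other hunk reach `/livez` and `/readyz` without credentials, so a later hardening pass that flips this back to `false` (a common benchmark recommendation) would make both probes fail and restart the apiserver, with nothing on this line to warn about it. I would add directly above it `# Must stay true: kubelet probes /livez and /readyz without client credentials (authorized via the system:public-info-viewer ClusterRole).` The `--authorization-mode` flag is not in this hunk; it is worth confirming it includes RBAC so that anonymous requests are actually bounded by that ClusterRole rather than allowed outright. If I recall correctly, the `?verbose` form of `/livez` and `/readyz` also reports per-check status, so unauthenticated callers will now see that detail as well, which the commit message does not mention.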