kube-apiserver: use HTTP probes instead of exec

The existing exec probes for the apiserver rely on tools (bash, socat) that
are not present in the official kubernetes release images.

This change modifies the apiserver to use HTTP probes of the recommended
liveness and readiness endpoints.[0]

Also sets `--anonymous-auth=true` (the default setting), as kubelet is
unable to provide a client certificate when performing the health check.
RBAC rules apply, but unauthenticated users will be able to access the
following endpoints:

    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRole
    metadata:
      name: system:public-info-viewer
    rules:
    - nonResourceURLs:
      - /healthz
      - /livez
      - /readyz
      - /version
      - /version/
      verbs:
      - get

0: https://v1-18.docs.kubernetes.io/docs/reference/using-api/health-checks/

Change-Id: I06d739c844fe85ec6cbf47d3bb69a39cd008ddd8
Phil Sphicas 2020-09-27 19:43:10 +00:00
parent be7b82e1a1
commit fb36579e16
2 changed files with 9 additions and 18 deletions


@ -36,27 +36,18 @@
{{- define "livenessProbeTemplate" -}}
exec:
command:
- /bin/bash
- -c
- |-
kubectl get nodes ${NODENAME} | grep ${NODENAME}
exit $?
httpGet:
path: /livez
port: {{ .Values.network.kubernetes_apiserver.port }}
scheme: HTTPS
{{- end -}}
{{- define "readinessProbeTemplate" -}}
exec:
command:
- /bin/bash
- -c
- |-
if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
cat /etc/kubernetes/apiserver/pki/apiserver-key.pem <(echo) /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
fi
echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
exit $?
httpGet:
path: /readyz
port: {{ .Values.network.kubernetes_apiserver.port }}
scheme: HTTPS
{{- end -}}
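Review bot: The new httpGet handlers in both templates only work because kubelet can reach /livez and /readyz without credentials, which depends on the `--anonymous-auth=true` change in the other file and on the built-in `system:public-info-viewer` ClusterRole binding, and nothing in the template records that coupling. Since kubelet's httpGet probe sends no client certificate and does not verify the server certificate for `scheme: HTTPS`, the readiness check also loses the CA validation the old socat command did with `cafile=cluster-ca.pem`; that is acceptable for a probe but worth stating so nobody reads it as an authenticated check. Add a template comment above the handlers, e.g. `{{- /* kubelet probes /livez and /readyz anonymously: requires --anonymous-auth=true and the system:public-info-viewer ClusterRole; kubelet does not verify the server cert */ -}}`. The /livez and /readyz endpoints are only served by newer apiserver releases (the linked docs are for v1.18), so if the chart still claims support for older Kubernetes versions the minimum version should be raised or documented.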


@ -22,7 +22,7 @@ const:
- kube-apiserver
- --advertise-address=$(POD_IP)
- --allow-privileged=true
- --anonymous-auth=false
- --anonymous-auth=true
- --bind-address=0.0.0.0
- --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
- --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
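Review bot: Flipping `--anonymous-auth` to `true` on L77 is a deliberate widening of the unauthenticated surface, but the argument list gives no hint of why, and the safety of the change rests on RBAC being an active authorization mode, which this hunk does not show (the `--authorization-mode` flag, if set, lies outside it); with a permissive mode such as AlwaysAllow, anonymous requests would not be limited to the public-info-viewer paths. Add a comment above the flag, e.g. `# anonymous-auth is required for kubelet HTTP probes (no client cert); RBAC limits system:anonymous to /healthz, /livez, /readyz, /version`. Probe requests will now appear in audit logs as `system:anonymous`, which audit policies or alerting on anonymous access should account for. The `const:` list this hunk belongs to starts and continues outside the hunk.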