-
Notifications
You must be signed in to change notification settings - Fork 1.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add kubeadmConfigPatches and metrics-server references to docs #1456
Conversation
Welcome @rikatz! |
Hi @rikatz. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: rikatz The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
/cc @BenTheElder @aojea |
/ok-to-test |
- "kind-control-plane" | ||
containers: | ||
- args: | ||
- --kubelet-insecure-tls |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
this seems substantially less than ideal, why do we need to do this?
I haven't looked at metrics server recently.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hi @BenTheElder,
It seems the CA that signs kubelet is different from the CA used by the APIServer.
Metrics-server is able to connect without any problem to apiserver and fetch all the nodes (E0407 12:22:00.252207 1 reststorage.go:135] unable to fetch node metrics for node "kind118-control-plane": no metrics known for node
) but when it tries to connect to the kubelet it receiver the certificate signed by unknown authority error. It seems that the certificates from the endpoints are signed by different CA.
As an example, the following is the CA of the nodes from my cluster called kind118:
issuer=CN = kind118-control-plane-ca@1586194038
And from APIServer:
issuer=CN = kubernetes
I don't know really if this is the case with KinD. Fetching the certs with openssl I really can see they're different.
To be honest I couldn't find into KinD kubelet config where it's using a specific CA, so I'm guessing it auto generates a certificate for its secure port (10250) and that's why the metrics-server Pod doesn't know which CA is that and I'm skipping the tls validation.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
certificates are handled by kubeadm https://kubernetes.io/docs/tasks/administer-cluster/kubeadm/kubeadm-certs/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But also the certificates from the secure metrics endpoints (10250)? This is related to controller signing the certificates of each kubelet to communicate to api-server right?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no idea 😅 , @neolit123 may help us
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@BenTheElder ok, so last comment and to be practical:
-
I can split this PR into two, one dealing only with kubeadm config patching docs, and other dealing with metrics-server
-
About @neolit123 suggestions, I think at least to move forward we can put into the
security-goose
alert the referenced issue, OR we can wait until a better solution is achieved for the integration between metrics-server and kubelet, and disregard this by now.
WDYT?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the one thing is I'd very much like to actually enable this core API in kind and I'm not inclined to do that by making it even more insecure.
whatever we document will get used widely, I feel like if metrics are important (... seems so) we can actually solve the problem
I also don't actually want people relying on kubeadm patches too heavily, they're available for power users that know what they're doing but they're a bit brittle across versions and I think most users have no idea what kubeadm config looks like etc.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
every time I find a heavily patched target I'm trying to introduce a way for kind to actually be aware that you e.g. want to enable a feature gate, and handle it intelligently (like toggling it throughout kubeadm config for all the components, being able to default certain gates in kind so our system components work, etc...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So maybe disregarding the metrics server stuff, is it a better idea to implement a way that kind understands that kube-proxy should run with IPVS instead of iptables? I can try making this happen :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
About the heavy users, anyway wouldn't be good to have the patching method documented? Or is this some feature that KinD is targeting to remove later?
@BenTheElder do you want me to split this PR, so we got the kubeadmPatch part and can discuss a little bit more about metrics-server and kubelet certs? :) |
yes please, let's do that! |
A comment from my side, I was able to deploy the
In my case, Edit: while I completely get the parameters added to the metrics-server is not suitable for production, in this case (when using kind) is perfectly suitable for me, since this is not going to be anywhere near production :) |
The hostnames should resolve now, I think (in v0.8.0). |
I've opened PR #1595 so instead of patching the kubeadm config KinD will support this as an internal configuration :D If this is fine, I can close this PR and maybe open an issue so we can discuss about the metrics-server stuff before putting this into code or docs |
Closing, as KinD now supports ipvs mode without the need of patching. |
This PR adds the following documentations: