C12s/c12s-kubespray
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

[kubernetes] drop support for configuring insecure apiserver

Browse source
This commit is contained in:
Calin Cristian Andrei 2022-06-14 12:57:54 +03:00 committed by Kubernetes Prow Robot
parent c2700266b0
commit 24c8ba832a
7 changed files with 0 additions and 38 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
docs/ha-mode.md
View file

@ -36,12 +36,6 @@ The following diagram shows how traffic to the apiserver is directed.
![Image](figures/loadbalancer_localhost.png?raw=true) ![Image](figures/loadbalancer_localhost.png?raw=true)
Note: Kubernetes master nodes still use insecure localhost access because
there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
services. This makes backends receiving unencrypted traffic and may be a
security issue when interconnecting different nodes, or maybe not, if those
belong to the isolated management network without external access.
A user may opt to use an external loadbalancer (LB) instead. An external LB A user may opt to use an external loadbalancer (LB) instead. An external LB
provides access for external clients, while the internal LB accepts client provides access for external clients, while the internal LB accepts client
connections only to the localhost. connections only to the localhost.
@ -129,11 +123,6 @@ Kubespray has nothing to do with it, this is informational only.
As you can see, the masters' internal API endpoints are always As you can see, the masters' internal API endpoints are always
contacted via the local bind IP, which is `https://bip:sp`. contacted via the local bind IP, which is `https://bip:sp`.
**Note** that for some cases, like healthchecks of applications deployed by
Kubespray, the masters' APIs are accessed via the insecure endpoint, which
consists of the local `kube_apiserver_insecure_bind_address` and
`kube_apiserver_insecure_port`.
## Optional configurations ## Optional configurations
### ETCD with a LB ### ETCD with a LB

3
inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
View file

@ -116,9 +116,6 @@ kube_network_node_prefix_ipv6: 120
# The port the API Server will be listening on. # The port the API Server will be listening on.
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
kube_apiserver_port: 6443 # (https) kube_apiserver_port: 6443 # (https)
# kube_apiserver_insecure_port: 8080 # (http)
# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
kube_apiserver_insecure_port: 0 # (disabled)
# Kube-proxy proxyMode configuration. # Kube-proxy proxyMode configuration.
# Can be ipvs, iptables # Can be ipvs, iptables

3
roles/kubernetes/control-plane/defaults/main/main.yml
View file

@ -2,9 +2,6 @@
# disable upgrade cluster # disable upgrade cluster
upgrade_cluster_setup: false upgrade_cluster_setup: false
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
kube_apiserver_insecure_bind_address: 127.0.0.1
# By default the external API listens on all interfaces, this can be changed to # By default the external API listens on all interfaces, this can be changed to
# listen on a specific address/interface. # listen on a specific address/interface.
# NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost # NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost

6
roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
View file

@ -121,12 +121,6 @@ apiServer:
{% endif %} {% endif %}
authorization-mode: {{ authorization_modes | join(',') }} authorization-mode: {{ authorization_modes | join(',') }}
bind-address: {{ kube_apiserver_bind_address }} bind-address: {{ kube_apiserver_bind_address }}
{% if kube_apiserver_insecure_port|string != "0" %}
insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
{% endif %}
{% if kube_version is version('v1.24.0','<') %}
insecure-port: "{{ kube_apiserver_insecure_port }}"
{% endif %}
{% if kube_apiserver_enable_admission_plugins|length > 0 %} {% if kube_apiserver_enable_admission_plugins|length > 0 %}
enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }} enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
{% endif %} {% endif %}

3
roles/kubernetes/node/defaults/main.yml
View file

@ -1,7 +1,4 @@
--- ---
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
kube_apiserver_insecure_bind_address: 127.0.0.1
# advertised host IP for kubelet. This affects network plugin config. Take caution # advertised host IP for kubelet. This affects network plugin config. Take caution
kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}" kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}"

7
roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
View file

@ -121,13 +121,6 @@
- cloud_provider is defined and cloud_provider == "oci" - cloud_provider is defined and cloud_provider == "oci"
- not ignore_assert_errors - not ignore_assert_errors
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
assert:
that: rbac_enabled and kube_api_anonymous_auth
when:
- kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube_control_plane']
- not ignore_assert_errors
- name: Stop if kernel version is too low - name: Stop if kernel version is too low
assert: assert:
that: ansible_kernel.split('-')[0] is version('4.9.17', '>=') that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')

5
roles/kubespray-defaults/defaults/main.yaml
View file

@ -233,9 +233,6 @@ kube_apiserver_bind_address: 0.0.0.0
# https # https
kube_apiserver_port: 6443 kube_apiserver_port: 6443
# http
kube_apiserver_insecure_bind_address: 127.0.0.1
kube_apiserver_insecure_port: 0
# If non-empty, will use this string as identification instead of the actual hostname # If non-empty, will use this string as identification instead of the actual hostname
kube_override_hostname: >- kube_override_hostname: >-
@ -555,8 +552,6 @@ kube_apiserver_endpoint: |-
{%- else -%} {%- else -%}
https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }} https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
{%- endif %} {%- endif %}
kube_apiserver_insecure_endpoint: >-
http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }}
kube_apiserver_client_cert: "{{ kube_cert_dir }}/ca.crt" kube_apiserver_client_cert: "{{ kube_cert_dir }}/ca.crt"
kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key" kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key"