[kubernetes] drop support for configuring insecure apiserver
parent
c2700266b0
commit
24c8ba832a
|
@ -36,12 +36,6 @@ The following diagram shows how traffic to the apiserver is directed.
|
||||||
|
|
||||||
![Image](figures/loadbalancer_localhost.png?raw=true)
|
![Image](figures/loadbalancer_localhost.png?raw=true)
|
||||||
|
|
||||||
Note: Kubernetes master nodes still use insecure localhost access because
|
|
||||||
there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
|
|
||||||
services. This makes backends receiving unencrypted traffic and may be a
|
|
||||||
security issue when interconnecting different nodes, or maybe not, if those
|
|
||||||
belong to the isolated management network without external access.
|
|
||||||
|
|
||||||
A user may opt to use an external loadbalancer (LB) instead. An external LB
|
A user may opt to use an external loadbalancer (LB) instead. An external LB
|
||||||
provides access for external clients, while the internal LB accepts client
|
provides access for external clients, while the internal LB accepts client
|
||||||
connections only to the localhost.
|
connections only to the localhost.
|
||||||
|
@ -129,11 +123,6 @@ Kubespray has nothing to do with it, this is informational only.
|
||||||
As you can see, the masters' internal API endpoints are always
|
As you can see, the masters' internal API endpoints are always
|
||||||
contacted via the local bind IP, which is `https://bip:sp`.
|
contacted via the local bind IP, which is `https://bip:sp`.
|
||||||
|
|
||||||
**Note** that for some cases, like healthchecks of applications deployed by
|
|
||||||
Kubespray, the masters' APIs are accessed via the insecure endpoint, which
|
|
||||||
consists of the local `kube_apiserver_insecure_bind_address` and
|
|
||||||
`kube_apiserver_insecure_port`.
|
|
||||||
|
|
||||||
## Optional configurations
|
## Optional configurations
|
||||||
|
|
||||||
### ETCD with a LB
|
### ETCD with a LB
|
||||||
|
|
|
@ -116,9 +116,6 @@ kube_network_node_prefix_ipv6: 120
|
||||||
# The port the API Server will be listening on.
|
# The port the API Server will be listening on.
|
||||||
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
|
kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
|
||||||
kube_apiserver_port: 6443 # (https)
|
kube_apiserver_port: 6443 # (https)
|
||||||
# kube_apiserver_insecure_port: 8080 # (http)
|
|
||||||
# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
|
|
||||||
kube_apiserver_insecure_port: 0 # (disabled)
|
|
||||||
|
|
||||||
# Kube-proxy proxyMode configuration.
|
# Kube-proxy proxyMode configuration.
|
||||||
# Can be ipvs, iptables
|
# Can be ipvs, iptables
|
||||||
|
|
|
@ -2,9 +2,6 @@
|
||||||
# disable upgrade cluster
|
# disable upgrade cluster
|
||||||
upgrade_cluster_setup: false
|
upgrade_cluster_setup: false
|
||||||
|
|
||||||
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
|
|
||||||
kube_apiserver_insecure_bind_address: 127.0.0.1
|
|
||||||
|
|
||||||
# By default the external API listens on all interfaces, this can be changed to
|
# By default the external API listens on all interfaces, this can be changed to
|
||||||
# listen on a specific address/interface.
|
# listen on a specific address/interface.
|
||||||
# NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
|
# NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
|
||||||
|
|
|
@ -121,12 +121,6 @@ apiServer:
|
||||||
{% endif %}
|
{% endif %}
|
||||||
authorization-mode: {{ authorization_modes | join(',') }}
|
authorization-mode: {{ authorization_modes | join(',') }}
|
||||||
bind-address: {{ kube_apiserver_bind_address }}
|
bind-address: {{ kube_apiserver_bind_address }}
|
||||||
{% if kube_apiserver_insecure_port|string != "0" %}
|
|
||||||
insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
|
|
||||||
{% endif %}
|
|
||||||
{% if kube_version is version('v1.24.0','<') %}
|
|
||||||
insecure-port: "{{ kube_apiserver_insecure_port }}"
|
|
||||||
{% endif %}
|
|
||||||
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
|
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
|
||||||
enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
|
enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
|
||||||
{% endif %}
|
{% endif %}
|
||||||
|
|
|
@ -1,7 +1,4 @@
|
||||||
---
|
---
|
||||||
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
|
|
||||||
kube_apiserver_insecure_bind_address: 127.0.0.1
|
|
||||||
|
|
||||||
# advertised host IP for kubelet. This affects network plugin config. Take caution
|
# advertised host IP for kubelet. This affects network plugin config. Take caution
|
||||||
kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}"
|
kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}"
|
||||||
|
|
||||||
|
|
|
@ -121,13 +121,6 @@
|
||||||
- cloud_provider is defined and cloud_provider == "oci"
|
- cloud_provider is defined and cloud_provider == "oci"
|
||||||
- not ignore_assert_errors
|
- not ignore_assert_errors
|
||||||
|
|
||||||
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
|
|
||||||
assert:
|
|
||||||
that: rbac_enabled and kube_api_anonymous_auth
|
|
||||||
when:
|
|
||||||
- kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube_control_plane']
|
|
||||||
- not ignore_assert_errors
|
|
||||||
|
|
||||||
- name: Stop if kernel version is too low
|
- name: Stop if kernel version is too low
|
||||||
assert:
|
assert:
|
||||||
that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
|
that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
|
||||||
|
|
|
@ -233,9 +233,6 @@ kube_apiserver_bind_address: 0.0.0.0
|
||||||
|
|
||||||
# https
|
# https
|
||||||
kube_apiserver_port: 6443
|
kube_apiserver_port: 6443
|
||||||
# http
|
|
||||||
kube_apiserver_insecure_bind_address: 127.0.0.1
|
|
||||||
kube_apiserver_insecure_port: 0
|
|
||||||
|
|
||||||
# If non-empty, will use this string as identification instead of the actual hostname
|
# If non-empty, will use this string as identification instead of the actual hostname
|
||||||
kube_override_hostname: >-
|
kube_override_hostname: >-
|
||||||
|
@ -555,8 +552,6 @@ kube_apiserver_endpoint: |-
|
||||||
{%- else -%}
|
{%- else -%}
|
||||||
https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
|
https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
|
||||||
{%- endif %}
|
{%- endif %}
|
||||||
kube_apiserver_insecure_endpoint: >-
|
|
||||||
http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }}
|
|
||||||
kube_apiserver_client_cert: "{{ kube_cert_dir }}/ca.crt"
|
kube_apiserver_client_cert: "{{ kube_cert_dir }}/ca.crt"
|
||||||
kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key"
|
kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key"
|
||||||
|
|
||||||
|
|