diff --git a/CHANGES.md b/CHANGES.md
index a2eba4c4..481c633b 100644
--- a/CHANGES.md
+++ b/CHANGES.md
@@ -5,6 +5,7 @@ Notable changes between versions.
 ## Latest
 * Fix CoreDNS AntiAffinity spec to prefer spreading replicas
+* Disable Kubelet read-only port ([#324](https://github.com/poseidon/typhoon/pull/324))
 #### AWS
diff --git a/aws/container-linux/kubernetes/cl/controller.yaml.tmpl b/aws/container-linux/kubernetes/cl/controller.yaml.tmpl
index 8a8079b4..584adbc4 100644
--- a/aws/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/aws/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -88,6 +88,7 @@ systemd:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
diff --git a/aws/container-linux/kubernetes/security.tf b/aws/container-linux/kubernetes/security.tf
index 95ba1b0c..fc7b959a 100644
--- a/aws/container-linux/kubernetes/security.tf
+++ b/aws/container-linux/kubernetes/security.tf
@@ -104,27 +104,6 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
 self = true
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "aws_security_group_rule" "controller-kubelet-read" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- source_security_group_id = "${aws_security_group.worker.id}"
-}
-
-resource "aws_security_group_rule" "controller-kubelet-read-self" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- self = true
-}
-
 resource "aws_security_group_rule" "controller-bgp" {
 security_group_id = "${aws_security_group.controller.id}"
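Review bot: The added `--read-only-port=0` in the aws/container-linux controller hunk closes the unauthenticated kubelet listener on 10255, but the kubelet's authenticated port still serves the same pod and stats endpoints, so the hardening is only as strong as the `--anonymous-auth` / `--authorization-mode` settings that precede this hunk in the same ExecStart, which the hunk does not show; worth confirming they are already restrictive. The removed security.tf rules in this diff say the port existed so heapster / metrics-server could scrape it, yet no addon manifest or documentation change accompanies the removal, so a deployment that still points a metrics addon at 10255 will presumably lose node metrics after this change; a line in the changelog entry naming that migration would help operators. The same flag is added in the same way to every other controller and worker template in this diff (the remaining hunks), and this note applies to all of them. The kubelet ExecStart this hunk edits begins and ends outside the hunk.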
@@ -300,27 +279,6 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
 self = true
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "aws_security_group_rule" "worker-kubelet-read" {
- security_group_id = "${aws_security_group.worker.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- source_security_group_id = "${aws_security_group.controller.id}"
-}
-
-resource "aws_security_group_rule" "worker-kubelet-read-self" {
- security_group_id = "${aws_security_group.worker.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- self = true
-}
-
 resource "aws_security_group_rule" "worker-bgp" {
 security_group_id = "${aws_security_group.worker.id}"
diff --git a/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl b/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
index 6b30be62..ffff777c 100644
--- a/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
+++ b/aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
@@ -60,6 +60,7 @@ systemd:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
 Restart=always
diff --git a/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index 7f75d258..3d1ed6f7 100644
--- a/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -65,6 +65,7 @@ write_files:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/kubernetes/kubeconfig
diff --git a/aws/fedora-atomic/kubernetes/security.tf b/aws/fedora-atomic/kubernetes/security.tf
index 95ba1b0c..fc7b959a 100644
--- a/aws/fedora-atomic/kubernetes/security.tf
+++ b/aws/fedora-atomic/kubernetes/security.tf
@@ -104,27 +104,6 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
 self = true
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "aws_security_group_rule" "controller-kubelet-read" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- source_security_group_id = "${aws_security_group.worker.id}"
-}
-
-resource "aws_security_group_rule" "controller-kubelet-read-self" {
- security_group_id = "${aws_security_group.controller.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- self = true
-}
-
 resource "aws_security_group_rule" "controller-bgp" {
 security_group_id = "${aws_security_group.controller.id}"
@@ -300,27 +279,6 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
 self = true
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "aws_security_group_rule" "worker-kubelet-read" {
- security_group_id = "${aws_security_group.worker.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- source_security_group_id = "${aws_security_group.controller.id}"
-}
-
-resource "aws_security_group_rule" "worker-kubelet-read-self" {
- security_group_id = "${aws_security_group.worker.id}"
-
- type = "ingress"
- protocol = "tcp"
- from_port = 10255
- to_port = 10255
- self = true
-}
-
 resource "aws_security_group_rule" "worker-bgp" {
 security_group_id = "${aws_security_group.worker.id}"
diff --git a/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl b/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
index 2d845b31..47e93fbb 100644
--- a/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
+++ b/aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
@@ -43,6 +43,7 @@ write_files:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/kubernetes/kubeconfig
 permissions: '0644'
diff --git a/azure/container-linux/kubernetes/cl/controller.yaml.tmpl b/azure/container-linux/kubernetes/cl/controller.yaml.tmpl
index 8a8079b4..584adbc4 100644
--- a/azure/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/azure/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -88,6 +88,7 @@ systemd:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
diff --git a/azure/container-linux/kubernetes/security.tf b/azure/container-linux/kubernetes/security.tf
index 9967b9b7..9f1d3463 100644
--- a/azure/container-linux/kubernetes/security.tf
+++ b/azure/container-linux/kubernetes/security.tf
@@ -117,22 +117,6 @@ resource "azurerm_network_security_rule" "controller-kubelet" {
 destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "azurerm_network_security_rule" "controller-kubelet-read" {
- resource_group_name = "${azurerm_resource_group.cluster.name}"
-
- name = "allow-kubelet-read"
- network_security_group_name = "${azurerm_network_security_group.controller.name}"
- priority = "2035"
- access = "Allow"
- direction = "Inbound"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "10255"
- source_address_prefix = "${azurerm_subnet.worker.address_prefix}"
- destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
-}
-
 # Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
 # https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
@@ -269,22 +253,6 @@ resource "azurerm_network_security_rule" "worker-kubelet" {
 destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "azurerm_network_security_rule" "worker-kubelet-read" {
- resource_group_name = "${azurerm_resource_group.cluster.name}"
-
- name = "allow-kubelet-read"
- network_security_group_name = "${azurerm_network_security_group.worker.name}"
- priority = "2030"
- access = "Allow"
- direction = "Inbound"
- protocol = "Tcp"
- source_port_range = "*"
- destination_port_range = "10255"
- source_address_prefix = "${azurerm_subnet.worker.address_prefix}"
- destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
-}
-
 # Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
 # https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules
diff --git a/azure/container-linux/kubernetes/workers/cl/worker.yaml.tmpl b/azure/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
index a4d64047..3b45e87c 100644
--- a/azure/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
+++ b/azure/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
@@ -60,6 +60,7 @@ systemd:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
 Restart=always
diff --git a/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl b/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl
index 806cd409..38f07927 100644
--- a/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -97,6 +97,7 @@ systemd:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
diff --git a/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl b/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl
index 4cb85f00..9f4d1601 100644
--- a/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl
+++ b/bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl
@@ -69,6 +69,7 @@ systemd:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
 Restart=always
diff --git a/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index 90f0da80..637f2eb8 100644
--- a/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -51,6 +51,7 @@ write_files:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/systemd/system/kubelet.path
diff --git a/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl b/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
index cd77449a..4aaa12c7 100644
--- a/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
+++ b/bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
@@ -29,6 +29,7 @@ write_files:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/systemd/system/kubelet.path
 content: |
diff --git a/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl b/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl
index 88e0444d..d728063f 100644
--- a/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -100,6 +100,7 @@ systemd:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
diff --git a/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl b/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl
index e7fa0802..5c79be70 100644
--- a/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl
+++ b/digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl
@@ -72,6 +72,7 @@ systemd:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
 Restart=always
diff --git a/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index 1518dd42..836b97c0 100644
--- a/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -65,6 +65,7 @@ write_files:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/systemd/system/kubelet.path
diff --git a/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl b/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
index 8d0153f2..fbfe181d 100644
--- a/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
+++ b/digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
@@ -43,6 +43,7 @@ write_files:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/systemd/system/kubelet.path
 content: |
diff --git a/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl b/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
index 8bdedc57..b04a8740 100644
--- a/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
+++ b/google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
@@ -90,6 +90,7 @@ systemd:
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
 Restart=always
diff --git a/google-cloud/container-linux/kubernetes/network.tf b/google-cloud/container-linux/kubernetes/network.tf
index 5734200e..9477110b 100644
--- a/google-cloud/container-linux/kubernetes/network.tf
+++ b/google-cloud/container-linux/kubernetes/network.tf
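Review bot: In the google-cloud/container-linux controller hunk, `--read-only-port=0` is inserted after `--register-with-taints`, while every other controller template in this diff places it between `--pod-manifest-path` and `--register-with-taints`, keeping the flags alphabetical. Moving the added line up one position keeps the kubelet ExecStart identical across platforms and makes future cross-platform diffs cleaner; the kubelet itself does not care about flag order, so this is style only. Suggested order: `--pod-manifest-path=/etc/kubernetes/manifests \`, `--read-only-port=0 \`, `--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \`. The ExecStart this hunk edits begins and ends outside the hunk.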
@@ -123,20 +123,6 @@ resource "google_compute_firewall" "internal-kubelet" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "google_compute_firewall" "internal-kubelet-readonly" {
- name = "${var.cluster_name}-internal-kubelet-readonly"
- network = "${google_compute_network.network.name}"
-
- allow {
- protocol = "tcp"
- ports = [10255]
- }
-
- source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
- target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
-}
-
 # Workers
 resource "google_compute_firewall" "allow-ingress" {
diff --git a/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl b/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
index 534bdbe6..0408159f 100644
--- a/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
+++ b/google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
@@ -61,6 +61,7 @@ systemd:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins
 ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
 Restart=always
diff --git a/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl b/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
index a63131a7..76a501e7 100644
--- a/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
+++ b/google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
@@ -66,6 +66,7 @@ write_files:
 --node-labels=node-role.kubernetes.io/master \
 --node-labels=node-role.kubernetes.io/controller="true" \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/kubernetes/kubeconfig
diff --git a/google-cloud/fedora-atomic/kubernetes/network.tf b/google-cloud/fedora-atomic/kubernetes/network.tf
index 5734200e..9477110b 100644
--- a/google-cloud/fedora-atomic/kubernetes/network.tf
+++ b/google-cloud/fedora-atomic/kubernetes/network.tf
@@ -123,20 +123,6 @@ resource "google_compute_firewall" "internal-kubelet" {
 target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
 }
-# Allow heapster / metrics-server to scrape kubelet read-only
-resource "google_compute_firewall" "internal-kubelet-readonly" {
- name = "${var.cluster_name}-internal-kubelet-readonly"
- network = "${google_compute_network.network.name}"
-
- allow {
- protocol = "tcp"
- ports = [10255]
- }
-
- source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
- target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
-}
-
 # Workers
 resource "google_compute_firewall" "allow-ingress" {
diff --git a/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl b/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
index e4084aa4..297f6dfa 100644
--- a/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
+++ b/google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
@@ -44,6 +44,7 @@ write_files:
 --network-plugin=cni \
 --node-labels=node-role.kubernetes.io/node \
 --pod-manifest-path=/etc/kubernetes/manifests \
+ --read-only-port=0 \
 --volume-plugin-dir=/var/lib/kubelet/volumeplugins"
 - path: /etc/kubernetes/kubeconfig
 permissions: '0644'