Skip to content

Commit

Permalink
Disable Kubelet read-only port 10255
Browse files Browse the repository at this point in the history 
* We can finally disable the Kubelet read-only port 10255!
* Journey: #322 (comment)
  • Loading branch information
@dghubble
dghubble committed Oct 19, 2018
1 parent bc750ae commit 99a6d54
Show file tree
Hide file tree
Showing 24 changed files with 19 additions and 144 deletions.
1 change: 1 addition & 0 deletions CHANGES.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,7 @@ Notable changes between versions.
## Latest

* Fix CoreDNS AntiAffinity spec to prefer spreading replicas
* Disable Kubelet read-only port ([#324](https://github.com/poseidon/typhoon/pull/324))

#### AWS

Expand Down
1 change: 1 addition & 0 deletions aws/container-linux/kubernetes/cl/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ systemd:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Expand Down
42 changes: 0 additions & 42 deletions aws/container-linux/kubernetes/security.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -104,27 +104,6 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
self = true
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "controller-kubelet-read" {
security_group_id = "${aws_security_group.controller.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
source_security_group_id = "${aws_security_group.worker.id}"
}

resource "aws_security_group_rule" "controller-kubelet-read-self" {
security_group_id = "${aws_security_group.controller.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
self = true
}

resource "aws_security_group_rule" "controller-bgp" {
security_group_id = "${aws_security_group.controller.id}"

Expand Down Expand Up @@ -300,27 +279,6 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
self = true
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "worker-kubelet-read" {
security_group_id = "${aws_security_group.worker.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
source_security_group_id = "${aws_security_group.controller.id}"
}

resource "aws_security_group_rule" "worker-kubelet-read-self" {
security_group_id = "${aws_security_group.worker.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
self = true
}

resource "aws_security_group_rule" "worker-bgp" {
security_group_id = "${aws_security_group.worker.id}"

Expand Down
1 change: 1 addition & 0 deletions aws/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ systemd:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Restart=always
Expand Down
1 change: 1 addition & 0 deletions aws/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ write_files:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/kubernetes/kubeconfig
Expand Down
42 changes: 0 additions & 42 deletions aws/fedora-atomic/kubernetes/security.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -104,27 +104,6 @@ resource "aws_security_group_rule" "controller-kubelet-self" {
self = true
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "controller-kubelet-read" {
security_group_id = "${aws_security_group.controller.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
source_security_group_id = "${aws_security_group.worker.id}"
}

resource "aws_security_group_rule" "controller-kubelet-read-self" {
security_group_id = "${aws_security_group.controller.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
self = true
}

resource "aws_security_group_rule" "controller-bgp" {
security_group_id = "${aws_security_group.controller.id}"

Expand Down Expand Up @@ -300,27 +279,6 @@ resource "aws_security_group_rule" "worker-kubelet-self" {
self = true
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "aws_security_group_rule" "worker-kubelet-read" {
security_group_id = "${aws_security_group.worker.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
source_security_group_id = "${aws_security_group.controller.id}"
}

resource "aws_security_group_rule" "worker-kubelet-read-self" {
security_group_id = "${aws_security_group.worker.id}"

type = "ingress"
protocol = "tcp"
from_port = 10255
to_port = 10255
self = true
}

resource "aws_security_group_rule" "worker-bgp" {
security_group_id = "${aws_security_group.worker.id}"

Expand Down
1 change: 1 addition & 0 deletions aws/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ write_files:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/kubernetes/kubeconfig
permissions: '0644'
Expand Down
1 change: 1 addition & 0 deletions azure/container-linux/kubernetes/cl/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ systemd:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Expand Down
32 changes: 0 additions & 32 deletions azure/container-linux/kubernetes/security.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -117,22 +117,6 @@ resource "azurerm_network_security_rule" "controller-kubelet" {
destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "azurerm_network_security_rule" "controller-kubelet-read" {
resource_group_name = "${azurerm_resource_group.cluster.name}"

name = "allow-kubelet-read"
network_security_group_name = "${azurerm_network_security_group.controller.name}"
priority = "2035"
access = "Allow"
direction = "Inbound"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "10255"
source_address_prefix = "${azurerm_subnet.worker.address_prefix}"
destination_address_prefix = "${azurerm_subnet.controller.address_prefix}"
}

# Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
# https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

Expand Down Expand Up @@ -269,22 +253,6 @@ resource "azurerm_network_security_rule" "worker-kubelet" {
destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "azurerm_network_security_rule" "worker-kubelet-read" {
resource_group_name = "${azurerm_resource_group.cluster.name}"

name = "allow-kubelet-read"
network_security_group_name = "${azurerm_network_security_group.worker.name}"
priority = "2030"
access = "Allow"
direction = "Inbound"
protocol = "Tcp"
source_port_range = "*"
destination_port_range = "10255"
source_address_prefix = "${azurerm_subnet.worker.address_prefix}"
destination_address_prefix = "${azurerm_subnet.worker.address_prefix}"
}

# Override Azure AllowVNetInBound and AllowAzureLoadBalancerInBound
# https://docs.microsoft.com/en-us/azure/virtual-network/security-overview#default-security-rules

Expand Down
1 change: 1 addition & 0 deletions azure/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -60,6 +60,7 @@ systemd:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Restart=always
Expand Down
1 change: 1 addition & 0 deletions bare-metal/container-linux/kubernetes/cl/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ systemd:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Expand Down
1 change: 1 addition & 0 deletions bare-metal/container-linux/kubernetes/cl/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,7 @@ systemd:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Restart=always
Expand Down
1 change: 1 addition & 0 deletions bare-metal/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,7 @@ write_files:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/systemd/system/kubelet.path
Expand Down
1 change: 1 addition & 0 deletions bare-metal/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -29,6 +29,7 @@ write_files:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/systemd/system/kubelet.path
content: |
Expand Down
1 change: 1 addition & 0 deletions digital-ocean/container-linux/kubernetes/cl/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -100,6 +100,7 @@ systemd:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Expand Down
1 change: 1 addition & 0 deletions digital-ocean/container-linux/kubernetes/cl/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -72,6 +72,7 @@ systemd:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Restart=always
Expand Down
1 change: 1 addition & 0 deletions digital-ocean/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -65,6 +65,7 @@ write_files:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/systemd/system/kubelet.path
Expand Down
1 change: 1 addition & 0 deletions digital-ocean/fedora-atomic/kubernetes/cloudinit/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -43,6 +43,7 @@ write_files:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/systemd/system/kubelet.path
content: |
Expand Down
1 change: 1 addition & 0 deletions google-cloud/container-linux/kubernetes/cl/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -90,6 +90,7 @@ systemd:
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Restart=always
Expand Down
14 changes: 0 additions & 14 deletions google-cloud/container-linux/kubernetes/network.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,20 +123,6 @@ resource "google_compute_firewall" "internal-kubelet" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "google_compute_firewall" "internal-kubelet-readonly" {
name = "${var.cluster_name}-internal-kubelet-readonly"
network = "${google_compute_network.network.name}"

allow {
protocol = "tcp"
ports = [10255]
}

source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
}

# Workers

resource "google_compute_firewall" "allow-ingress" {
Expand Down
1 change: 1 addition & 0 deletions google-cloud/container-linux/kubernetes/workers/cl/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -61,6 +61,7 @@ systemd:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins
ExecStop=-/usr/bin/rkt stop --uuid-file=/var/cache/kubelet-pod.uuid
Restart=always
Expand Down
1 change: 1 addition & 0 deletions google-cloud/fedora-atomic/kubernetes/cloudinit/controller.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -66,6 +66,7 @@ write_files:
--node-labels=node-role.kubernetes.io/master \
--node-labels=node-role.kubernetes.io/controller="true" \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--register-with-taints=node-role.kubernetes.io/master=:NoSchedule \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/kubernetes/kubeconfig
Expand Down
14 changes: 0 additions & 14 deletions google-cloud/fedora-atomic/kubernetes/network.tf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -123,20 +123,6 @@ resource "google_compute_firewall" "internal-kubelet" {
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
}

# Allow heapster / metrics-server to scrape kubelet read-only
resource "google_compute_firewall" "internal-kubelet-readonly" {
name = "${var.cluster_name}-internal-kubelet-readonly"
network = "${google_compute_network.network.name}"

allow {
protocol = "tcp"
ports = [10255]
}

source_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
target_tags = ["${var.cluster_name}-controller", "${var.cluster_name}-worker"]
}

# Workers

resource "google_compute_firewall" "allow-ingress" {
Expand Down
1 change: 1 addition & 0 deletions google-cloud/fedora-atomic/kubernetes/workers/cloudinit/worker.yaml.tmpl
View file
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ write_files:
--network-plugin=cni \
--node-labels=node-role.kubernetes.io/node \
--pod-manifest-path=/etc/kubernetes/manifests \
--read-only-port=0 \
--volume-plugin-dir=/var/lib/kubelet/volumeplugins"
- path: /etc/kubernetes/kubeconfig
permissions: '0644'
Expand Down

0 comments on commit 99a6d54

Please sign in to comment.