Merge pull request #54653 from ihmccreery/metadata-proxy-prom-to-sd
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. Add prometheus-to-sd-exporter to metadata-proxy addon; bump to v0.1.4 **What this PR does / why we need it**: Add metrics exporters to the metadata-proxy addon for GCE. Work toward #8867. **Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes # **Special notes for your reviewer**: **Release note**: ```release-note NONE ```
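--- a/PATH_NOT_SHOWN_ON_PAGE-1
+++ /dev/null
@@ -1,88 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
-name: metadata-proxy-config
-namespace: kube-system
-labels:
-addonmanager.kubernetes.io/mode: EnsureExists
-data:
-nginx.conf: |-
-user www-data;
-worker_processes 4;
-pid /run/nginx.pid;
-error_log /dev/stdout;
-
-events {
-worker_connections 20;
-}
-
-http {
-access_log /dev/stdout;
-server {
-listen 127.0.0.1:988;
-# When serving 301s, don't redirect to port 988.
-port_in_redirect off;
-
-# By default, return 403. This protects us from new API versions.
-location / {
-return 403 "This metadata API is not allowed by the metadata proxy.";
-}
-
-# Allow for REST discovery.
-location = / {
-if ($args ~* "^(.+&)?recursive=") {
-return 403 "?recursive calls are not allowed by the metadata proxy.";
-}
-proxy_pass http://169.254.169.254;
-}
-location = /computeMetadata/ {
-if ($args ~* "^(.+&)?recursive=") {
-return 403 "?recursive calls are not allowed by the metadata proxy.";
-}
-proxy_pass http://169.254.169.254;
-}
-
-# By default, allow the v0.1, v1beta1, and v1 APIs.
-location /0.1/ {
-if ($args ~* "^(.+&)?recursive=") {
-return 403 "?recursive calls are not allowed by the metadata proxy.";
-}
-proxy_pass http://169.254.169.254;
-}
-location /computeMetadata/v1beta1/ {
-if ($args ~* "^(.+&)?recursive=") {
-return 403 "?recursive calls are not allowed by the metadata proxy.";
-}
-proxy_pass http://169.254.169.254;
-}
-location /computeMetadata/v1/ {
-if ($args ~* "^(.+&)?recursive=") {
-return 403 "?recursive calls are not allowed by the metadata proxy.";
-}
-proxy_pass http://169.254.169.254;
-}
-
-# Return a 403 for the kube-env attribute in all allowed API versions.
-location /0.1/meta-data/attributes/kube-env {
-return 403 "This metadata endpoint is concealed.";
-}
-location /computeMetadata/v1beta1/instance/attributes/kube-env {
-return 403 "This metadata endpoint is concealed.";
-}
-location /computeMetadata/v1/instance/attributes/kube-env {
-return 403 "This metadata endpoint is concealed.";
-}
-
-# Return a 403 for instance identity in all allowed API versions.
-location ~ /0.1/meta-data/service-accounts/.+/identity {
-return 403 "This metadata endpoint is concealed.";
-}
-location ~ /computeMetadata/v1beta1/instance/service-accounts/.+/identity {
-return 403 "This metadata endpoint is concealed.";
-}
-location ~ /computeMetadata/v1/instance/service-accounts/.+/identity {
-return 403 "This metadata endpoint is concealed.";
-}
-}
-}
-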
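--- a/PATH_NOT_SHOWN_ON_PAGE-2
+++ b/PATH_NOT_SHOWN_ON_PAGE-2
@@ -38,26 +38,32 @@ spec:
 dnsPolicy: Default
 containers:
 - name: metadata-proxy
-image: gcr.io/google-containers/metadata-proxy:0.1.3
-imagePullPolicy: Always
+image: gcr.io/google_containers/metadata-proxy:v0.1.4
 securityContext:
 privileged: true
-command:
-- '/start-proxy.sh'
 resources:
 requests:
-memory: "32Mi"
-cpu: "30m"
+memory: "16Mi"
+cpu: "15m"
 limits:
-memory: "32Mi"
-cpu: "30m"
+memory: "16Mi"
+cpu: "15m"
-volumeMounts:
-- name: config-volume
-mountPath: /etc/nginx/
+# BEGIN_PROMETHEUS_TO_SD
+- name: prometheus-to-sd-exporter
+image: gcr.io/google_containers/prometheus-to-sd:v0.2.2
+command:
+- /monitor
+- --stackdriver-prefix={{ prometheus_to_sd_prefix }}/addons
+- --api-override={{ prometheus_to_sd_endpoint }}
+- --source=metadata_proxy:http://127.0.0.1:989?whitelisted=request_count
+resources:
+requests:
+memory: "16Mi"
+cpu: "15m"
+limits:
+memory: "16Mi"
+cpu: "15m"
+# END_PROMETHEUS_TO_SD
 nodeSelector:
 beta.kubernetes.io/metadata-proxy-ready: "true"
 terminationGracePeriodSeconds: 30
-volumes:
-- name: config-volume
-configMap:
-name: metadata-proxy-config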
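Review bot: Dropping `imagePullPolicy: Always` while the metadata-proxy container is still referenced by a mutable tag (`image: gcr.io/google_containers/metadata-proxy:v0.1.4`) means a node keeps running whatever image it previously cached under that tag, and the new prometheus-to-sd-exporter container sets no pull policy at all. For a component whose whole purpose is to conceal `kube-env` and instance identity, the image that actually runs should be the one that was reviewed; either keep `imagePullPolicy: Always` or pin by digest, e.g. `image: gcr.io/google_containers/metadata-proxy@sha256:<digest-placeholder>`. The `{{ prometheus_to_sd_prefix }}` / `{{ prometheus_to_sd_endpoint }}` placeholders and the `# BEGIN_PROMETHEUS_TO_SD` / `# END_PROMETHEUS_TO_SD` markers are only resolved if `update-prometheus-to-sd-parameters` is run against this manifest (the shell hunks below add that call), so a comment such as `# Templated values below are substituted by update-prometheus-to-sd-parameters during node setup.` would make that dependency visible to anyone editing the manifest by hand. The enclosing spec block starts and ends outside this hunk.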
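--- a/PATH_NOT_SHOWN_ON_PAGE-3
+++ b/PATH_NOT_SHOWN_ON_PAGE-3
@@ -1348,6 +1348,11 @@ EOF
 if [[ "${ENABLE_DEFAULT_STORAGE_CLASS:-}" == "true" ]]; then
 setup-addon-manifests "addons" "storage-class/gce"
 fi
+if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
+setup-addon-manifests "addons" "metadata-proxy/gce"
+local -r metadata_proxy_yaml="${dst_dir}/metadata-proxy/gce/metadata-proxy.yaml"
+update-prometheus-to-sd-parameters ${metadata_proxy_yaml}
+fi
 
 # Place addon manager pod manifest.
 cp "${src_dir}/kube-addon-manager.yaml" /etc/kubernetes/manifests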
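Review bot: The new call `update-prometheus-to-sd-parameters ${metadata_proxy_yaml}` passes the path unquoted, unlike every other expansion in the hunk (`"${dst_dir}/..."`, `"${src_dir}/kube-addon-manager.yaml"`); it should read `update-prometheus-to-sd-parameters "${metadata_proxy_yaml}"` so a directory containing whitespace or glob characters cannot split or expand the argument. The identical unquoted call is added in the hunk at `@@ -1897,6 +1897,8 @@`. Both hunks now carry the same three-line sequence (setup-addon-manifests, `local -r metadata_proxy_yaml=...`, the update call), which could become a small helper so the two node-setup paths cannot drift apart. The enclosing function starts and ends outside this hunk.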
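--- a/PATH_NOT_SHOWN_ON_PAGE-4
+++ b/PATH_NOT_SHOWN_ON_PAGE-4
@@ -1897,6 +1897,8 @@ EOF
 fi
 if [[ "${ENABLE_METADATA_CONCEALMENT:-}" == "true" ]]; then
 setup-addon-manifests "addons" "metadata-proxy/gce"
+local -r metadata_proxy_yaml="${dst_dir}/metadata-proxy/gce/metadata-proxy.yaml"
+update-prometheus-to-sd-parameters ${metadata_proxy_yaml}
 fi
 
 # Place addon manager pod manifest.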
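--- a/PATH_NOT_SHOWN_ON_PAGE-5
+++ b/PATH_NOT_SHOWN_ON_PAGE-5
@@ -45,7 +45,7 @@ var _ = SIGDescribe("Metadata Concealment", func() {
 Containers: []v1.Container{
 {
 Name: "check-metadata-concealment",
-Image: "gcr.io/google_containers/check-metadata-concealment:v0.0.1",
+Image: "gcr.io/google_containers/check-metadata-concealment:v0.0.2",
 },
 },
 RestartPolicy: v1.RestartPolicyOnFailure,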