Kubernetes Submit Queue 8d10a8f74f
Merge pull request #64006 from Random-Liu/streaming-auth
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Add proxy for container streaming in kubelet for streaming auth.

For https://github.com/kubernetes/kubernetes/issues/36666, option 2 of https://github.com/kubernetes/kubernetes/issues/36666#issuecomment-378440458.

This PR:
1. Removed the `DirectStreamingRuntime`, and changed `IndirectStreamingRuntime` to `StreamingRuntime`. All `DirectStreamingRuntime`s, `dockertools` and `rkt`, were removed.
2. Proxy container streaming in kubelet instead of returning redirect to apiserver. This solves the container runtime authentication issue, which is what we agreed on in https://github.com/kubernetes/kubernetes/issues/36666.

Please note that this PR replaced the redirect with proxy directly instead of adding a knob to switch between the 2 behaviors. Existing CRI runtimes like containerd and cri-o should change to serve container streaming on localhost, so as to make the whole container streaming connection secure.

If a general authentication mechanism proposed in https://github.com/kubernetes/kubernetes/issues/62747 is ready, we can switch back to redirect, and all code can be found in github history.

Please also note that this added some overhead in kubelet when there are container streaming connections. However, the actual bottleneck is in the apiserver anyway, because it proxies all container streaming that happens in the cluster. So it seems fine to get security and simplicity with this overhead. @derekwaynecarr @mrunalp Are you ok with this? Or do you prefer a knob?

@yujuhong @timstclair @dchen1107 @mikebrow @feiskyer 
/cc @kubernetes/sig-node-pr-reviews 
**Release note**:

```release-note
Kubelet now proxies container streaming between apiserver and container runtime. The connection between kubelet and apiserver is authenticated. Container runtime should change streaming server to serve on localhost, to make the connection between kubelet and container runtime local.

In this way, the whole container streaming connection is secure. To switch back to the old behavior, set `--redirect-container-streaming=true` flag.
```
2018-05-31 22:45:29 -07:00
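The two behaviours the commit message contrasts, as an added Go example that is not code from this PR or from kubelet: a stand-in runtime streaming server, a handler that answers the apiserver with a redirect to it, and a handler that reverse-proxies to it so the runtime endpoint is never handed to the apiserver. The function names and the use of `httputil.ReverseProxy` over plain HTTP are this example's own simplification; it is assumed that a real kubelet proxy must also carry the upgraded streaming connections, which this plain reverse proxy does not.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// Stand-in for a CRI runtime streaming server (constructed); it would listen on localhost only.
func newRuntimeStreamingServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "exec stream for %s", r.URL.Path)
	}))
}

// Old behaviour: reply with a redirect, so the apiserver must open a second connection to the runtime.
func redirectHandler(runtimeURL string) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		http.Redirect(w, r, runtimeURL+r.URL.Path, http.StatusFound)
	})
}

// New behaviour: kubelet proxies the stream; the runtime endpoint is never handed to the apiserver.
func proxyHandler(runtimeURL string) (http.Handler, error) {
	target, err := url.Parse(runtimeURL)
	if err != nil {
		return nil, err
	}
	return httputil.NewSingleHostReverseProxy(target), nil
}

// callKubelet returns the status, Location header and body the apiserver side would see.
func callKubelet(h http.Handler, path string) (int, string, string) {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, path, nil))
	body, _ := io.ReadAll(rec.Body)
	return rec.Code, rec.Header().Get("Location"), string(body)
}

func main() {
	rt := newRuntimeStreamingServer()
	defer rt.Close()
	p, _ := proxyHandler(rt.URL)
	code, _, body := callKubelet(p, "/exec/abc")
	fmt.Printf("proxy: %d body=%q\n", code, body)
}
```

With the redirect handler the apiserver receives a 302 whose Location names the runtime's address; with the proxy handler it receives the stream body directly and never learns where the runtime listens.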

Kubernetes



Kubernetes is an open source system for managing containerized applications across multiple hosts, providing basic mechanisms for deployment, maintenance, and scaling of applications.

Kubernetes builds upon a decade and a half of experience at Google running production workloads at scale using a system called Borg, combined with best-of-breed ideas and practices from the community.

Kubernetes is hosted by the Cloud Native Computing Foundation (CNCF). If you are a company that wants to help shape the evolution of technologies that are container-packaged, dynamically-scheduled and microservices-oriented, consider joining the CNCF. For details about who's involved and how Kubernetes plays a role, read the CNCF announcement.


To start using Kubernetes

See our documentation on kubernetes.io.

Try our interactive tutorial.

Take a free course on Scalable Microservices with Kubernetes.

To start developing Kubernetes

The community repository hosts all information about building Kubernetes from source, how to contribute code and documentation, who to contact about what, etc.

If you want to build Kubernetes right away there are two options:

You have a working Go environment.

```sh
$ go get -d k8s.io/kubernetes
$ cd $GOPATH/src/k8s.io/kubernetes
$ make
```

You have a working Docker environment.

```sh
$ git clone https://github.com/kubernetes/kubernetes
$ cd kubernetes
$ make quick-release
```

For the full story, head over to the developer's documentation.

Support

If you need support, start with the troubleshooting guide, and work your way through the process that we've outlined.

That said, if you have questions, reach out to us one way or another.
