kubernetes/pkg
Kubernetes Submit Queue 8d10a8f74f
Merge pull request #64006 from Random-Liu/streaming-auth
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions at https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md.

Add proxy for container streaming in kubelet for streaming auth.

For https://github.com/kubernetes/kubernetes/issues/36666, option 2 of https://github.com/kubernetes/kubernetes/issues/36666#issuecomment-378440458.

This PR:
1. Removed the `DirectStreamingRuntime`, and changed `IndirectStreamingRuntime` to `StreamingRuntime`. All `DirectStreamingRuntime`s, `dockertools` and `rkt`, were removed.
2. Proxy container streaming in kubelet instead of returning redirect to apiserver. This solves the container runtime authentication issue, which is what we agreed on in https://github.com/kubernetes/kubernetes/issues/36666.

Please note that this PR replaced the redirect with a proxy directly instead of adding a knob to switch between the two behaviors. Existing CRI runtimes like containerd and cri-o should change to serve container streaming on localhost, so as to make the whole container streaming connection secure.

If a general authentication mechanism proposed in https://github.com/kubernetes/kubernetes/issues/62747 is ready, we can switch back to redirect, and all code can be found in github history.

Please also note that this adds some overhead in kubelet when there are container streaming connections. However, the actual bottleneck is in the apiserver anyway, because it proxies all container streaming that happens in the cluster. So it seems fine to get security and simplicity with this overhead. @derekwaynecarr @mrunalp Are you ok with this? Or do you prefer a knob?

@yujuhong @timstclair @dchen1107 @mikebrow @feiskyer 
/cc @kubernetes/sig-node-pr-reviews 
**Release note**:

```release-note
Kubelet now proxies container streaming between apiserver and container runtime. The connection between kubelet and apiserver is authenticated. Container runtimes should change their streaming server to serve on localhost, to make the connection between kubelet and container runtime local.

In this way, the whole container streaming connection is secure. To switch back to the old behavior, set the `--redirect-container-streaming=true` flag.
```
2018-05-31 22:45:29 -07:00
api remove API dependency on printers 2018-05-21 13:46:53 -04:00
apis Merge pull request #63999 from mikedanese/validatetr 2018-05-31 21:29:17 -07:00
auth add myself as an approver in various auth related directories 2018-05-17 11:32:37 -07:00
capabilities Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
client Autogenerated code 2018-05-15 21:38:54 +02:00
cloudprovider Merge pull request #64528 from MrHohn/gce-backend-service-beta 2018-05-30 22:54:15 -07:00
controller Merge pull request #64431 from wojtek-t/fix_taint_controller 2018-05-31 21:29:20 -07:00
credentialprovider Use new clients in Azure credential provider 2018-04-26 09:38:48 +08:00
features Rename online resizine feature gate 2018-05-31 17:28:12 -04:00
fieldpath Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
generated Generated 2018-05-12 02:01:09 -04:00
kubeapiserver Merge pull request #64326 from andrewsykim/default-disable-pvl 2018-05-28 03:19:17 -07:00
kubectl Merge pull request #62991 from tomoe/cronjob-prune 2018-05-30 13:24:09 -07:00
kubelet Merge pull request #64006 from Random-Liu/streaming-auth 2018-05-31 22:45:29 -07:00
kubemark Remove signal handler registration from pkg/kubelet 2018-05-24 20:44:12 +01:00
master Merge pull request #63774 from wgliang/master.test-master 2018-05-31 14:12:18 -07:00
printers kubectl: Use apps/v1 Deployment/ReplicaSet. 2018-05-22 13:43:06 -07:00
probe Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
proxy Merge pull request #61077 from islinwb/fix_ipvs_warninfo 2018-05-31 20:01:26 -07:00
quota Resources prefixed with *kubernetes.io/ should remain unscheduled if they are not exposed on the node. 2018-03-28 17:24:30 -07:00
registry svcacct: validate min and max expiration seconds on TokenRequest 2018-05-30 17:32:49 -07:00
routes Remove /ui/ redirect 2018-02-12 10:54:33 -05:00
scheduler Merge pull request #64339 from liztio/pronouns 2018-05-30 17:34:25 -07:00
security Replace UserIDRange/GroupIDRange by IDRange in internal type to reduce difference with external type. 2018-05-04 18:31:42 +02:00
securitycontext remove unused code in securitycontext 2018-03-29 23:32:48 -07:00
serviceaccount add myself as an approver in various auth related directories 2018-05-17 11:32:37 -07:00
ssh Use Dial with context 2018-05-19 08:14:37 +10:00
util add utils to patch pod status 2018-05-30 11:15:47 -07:00
version Require boilerplate on Bazel Skylark source files 2018-02-16 13:44:04 -08:00
volume implement kubelet side online file system resize for volume 2018-05-31 17:10:24 +08:00
watch/json
windows/service Add support for binaries to run as Windows services 2018-03-07 00:51:36 +01:00
.import-restrictions
BUILD pkg/api/unversioned related cleanup 2018-03-13 17:20:16 +08:00
OWNERS