kubernetes/pkg/kubelet
Kubernetes Submit Queue 8d10a8f74f
Merge pull request #64006 from Random-Liu/streaming-auth
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions [here](https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md).

Add proxy for container streaming in kubelet for streaming auth.

For https://github.com/kubernetes/kubernetes/issues/36666, option 2 of https://github.com/kubernetes/kubernetes/issues/36666#issuecomment-378440458.

This PR:
1. Removed the `DirectStreamingRuntime`, and changed `IndirectStreamingRuntime` to `StreamingRuntime`. All `DirectStreamingRuntime`s, `dockertools` and `rkt`, were removed.
2. Proxy container streaming in kubelet instead of returning a redirect to the apiserver. This solves the container runtime authentication issue, which is what we agreed on in https://github.com/kubernetes/kubernetes/issues/36666.

Please note that this PR replaced the redirect with a proxy directly instead of adding a knob to switch between the two behaviors. Existing CRI runtimes like containerd and cri-o should change to serve container streaming on localhost, so as to make the whole container streaming connection secure.

If a general authentication mechanism proposed in https://github.com/kubernetes/kubernetes/issues/62747 is ready, we can switch back to redirect, and all code can be found in github history.

Please also note that this adds some overhead in kubelet when there are container streaming connections. However, the actual bottleneck is in the apiserver anyway, because it proxies all container streaming that happens in the cluster. So it seems fine to get security and simplicity with this overhead. @derekwaynecarr @mrunalp Are you ok with this? Or do you prefer a knob?

@yujuhong @timstclair @dchen1107 @mikebrow @feiskyer 
/cc @kubernetes/sig-node-pr-reviews 
**Release note**:

```release-note
Kubelet now proxies container streaming between apiserver and container runtime. The connection between kubelet and apiserver is authenticated. Container runtimes should change their streaming server to serve on localhost, to make the connection between kubelet and container runtime local.

In this way, the whole container streaming connection is secure. To switch back to the old behavior, set the `--redirect-container-streaming=true` flag.
```
2018-05-31 22:45:29 -07:00
apis Add probe based mechanism for kubelet plugin discovery 2018-05-29 12:00:37 -04:00
cadvisor Remove rktnetes code 2018-03-27 09:29:35 -07:00
certificate Extract connection rotating dialer into a package 2018-05-16 10:30:53 -07:00
checkpoint Make 'pod' package to use unified checkpointManager 2018-04-16 01:30:20 -04:00
checkpointmanager Make 'pod' package to use unified checkpointManager 2018-04-16 01:30:20 -04:00
client Use Dial with context 2018-05-19 08:14:37 +10:00
cm Add GetSELinuxSupport to mounter. 2018-05-17 13:36:37 +02:00
config Merge pull request #64006 from Random-Liu/streaming-auth 2018-05-31 22:45:29 -07:00
configmap Refactor ConfigMapManager 2018-05-17 11:37:35 +02:00
container Merge pull request #64006 from Random-Liu/streaming-auth 2018-05-31 22:45:29 -07:00
custommetrics Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
dockershim Proxy container streaming in kubelet. 2018-05-31 15:26:32 -07:00
envvars Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
events Improve messaging on resize 2018-01-29 15:07:51 -05:00
eviction add metadata to kubelet eviction event annotations 2018-05-23 16:12:54 -07:00
images Promote LocalStorageCapacityIsolation feature to beta 2018-03-02 15:10:08 -08:00
kubeletconfig remove unused status per TODO 2018-05-29 17:34:00 -07:00
kuberuntime Remove direct and indirect streaming runtime interface. 2018-05-29 15:08:15 -07:00
leaky
lifecycle Remove unused code 2018-04-30 14:57:26 -04:00
logs fix typo: peirodically->periodically 2018-05-11 14:39:07 +08:00
metrics Merge pull request #63434 from adfinis-forks/bug_typo_kubelet_volume_stats 2018-05-24 11:44:20 -07:00
mountpod Make 'pod' package to use unified checkpointManager 2018-04-16 01:30:20 -04:00
network Update bazel BUILD files 2018-04-11 09:26:02 -07:00
pleg Autogenerated: hack/update-bazel.sh 2018-02-16 13:43:01 -08:00
pod Make 'pod' package to use unified checkpointManager 2018-04-16 01:30:20 -04:00
preemption Delete in-tree support for NVIDIA GPUs. 2018-04-02 20:17:01 -07:00
prober reset resultRun to 0 on pod restart 2018-04-19 22:58:19 +08:00
qos Make a few code paths compile cleanly with 32-bit Go. 2018-02-27 13:53:32 -08:00
remote pkg: kubelet: remote: increase grpc client default size 2018-05-17 17:32:33 +02:00
secret Refactor ConfigMapManager 2018-05-17 11:37:35 +02:00
server Update bazel. 2018-05-31 15:26:32 -07:00
stats Use a []string for CgroupName, which is a more accurate internal representation 2018-05-01 08:29:06 -07:00
status change kubelet status manager to use patch instead of put to update pod status 2018-05-30 11:15:47 -07:00
sysctl Update generated files. 2018-04-11 18:35:24 +02:00
types Merge pull request #64364 from ravisantoshgudimetla/remove-rescheduler 2018-05-30 22:20:26 -07:00
util Add probe based mechanism for kubelet plugin discovery 2018-05-29 12:00:37 -04:00
volumemanager Rename online resizing feature gate 2018-05-31 17:28:12 -04:00
winstats fix "make test" 2018-02-24 17:39:21 +08:00
active_deadline_test.go
active_deadline.go
BUILD Merge pull request #64006 from Random-Liu/streaming-auth 2018-05-31 22:45:29 -07:00
doc.go
kubelet_getters_test.go
kubelet_getters.go Apply pod name and namespace labels for pod cgroup for cadvisor metrics 2018-05-07 14:51:12 -04:00
kubelet_network_test.go Move the kubelet network package down to dockershim 2018-04-11 09:25:56 -07:00
kubelet_network.go Move hairpin mode logic to dockershim 2018-04-11 09:21:17 -07:00
kubelet_node_status_test.go Merge pull request #64170 from mtaufen/cap-node-num-images 2018-05-30 17:34:18 -07:00
kubelet_node_status.go add a flag to control the cap on images reported in node status 2018-05-30 12:54:30 -07:00
kubelet_pods_test.go Merge pull request #64006 from Random-Liu/streaming-auth 2018-05-31 22:45:29 -07:00
kubelet_pods_windows_test.go Add dynamic environment variable substitution to subpaths 2018-05-29 17:01:09 +01:00
kubelet_pods.go Merge pull request #64006 from Random-Liu/streaming-auth 2018-05-31 22:45:29 -07:00
kubelet_resources_test.go
kubelet_resources.go
kubelet_test.go Make 'pod' package to use unified checkpointManager 2018-04-16 01:30:20 -04:00
kubelet_volumes_test.go boring 2018-04-18 09:55:57 -07:00
kubelet_volumes.go Fix issue with race condition during pod deletion 2018-03-15 15:35:37 -07:00
kubelet.go Merge pull request #64006 from Random-Liu/streaming-auth 2018-05-31 22:45:29 -07:00
oom_watcher_test.go
oom_watcher.go
OWNERS
pod_container_deletor_test.go
pod_container_deletor.go kubelet: force filterContainerID to empty string when removeAll is true 2018-04-30 16:29:17 -05:00
pod_workers_test.go Correct TestUpdatePod comment 2017-10-20 09:41:18 +08:00
pod_workers.go fixes document grammar 2018-02-20 10:38:41 -05:00
reason_cache_test.go
reason_cache.go
runonce_test.go Make 'pod' package to use unified checkpointManager 2018-04-16 01:30:20 -04:00
runonce.go fix todo:add function getFailContainer to report which containers failed the pod 2018-03-15 09:38:02 +08:00
runtime.go Remove setInitError. 2018-01-29 21:44:54 -08:00
util.go
volume_host.go Only count mounts that are from other pods 2018-04-19 15:40:51 -07:00