kubernetes/pkg/kubelet/container
Kubernetes Submit Queue 8d10a8f74f
Merge pull request #64006 from Random-Liu/streaming-auth
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions here: https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md

Add proxy for container streaming in kubelet for streaming auth.

For https://github.com/kubernetes/kubernetes/issues/36666, option 2 of https://github.com/kubernetes/kubernetes/issues/36666#issuecomment-378440458.

This PR:
1. Removed the `DirectStreamingRuntime`, and changed `IndirectStreamingRuntime` to `StreamingRuntime`. All `DirectStreamingRuntime`s, `dockertools` and `rkt`, were removed.
2. Proxy container streaming in kubelet instead of returning redirect to apiserver. This solves the container runtime authentication issue, which is what we agreed on in https://github.com/kubernetes/kubernetes/issues/36666.

Please note that this PR replaced the redirect with proxy directly instead of adding a knob to switch between the 2 behaviors. Existing CRI runtimes like containerd and cri-o should change to serve container streaming on localhost, so as to make the whole container streaming connection secure.

If a general authentication mechanism proposed in https://github.com/kubernetes/kubernetes/issues/62747 is ready, we can switch back to redirect, and all code can be found in github history.

Please also note that this added some overhead in kubelet when there are container streaming connections. However, the actual bottleneck is in the apiserver anyway, because it proxies all container streaming that happens in the cluster. So it seems fine to get security and simplicity with this overhead. @derekwaynecarr @mrunalp Are you ok with this? Or do you prefer a knob?

@yujuhong @timstclair @dchen1107 @mikebrow @feiskyer 
/cc @kubernetes/sig-node-pr-reviews 
**Release note**:

```release-note
Kubelet now proxies container streaming between apiserver and container runtime. The connection between kubelet and apiserver is authenticated. Container runtimes should change their streaming server to serve on localhost, to make the connection between kubelet and container runtime local.

In this way, the whole container streaming connection is secure. To switch back to the old behavior, set `--redirect-container-streaming=true` flag.
```
2018-05-31 22:45:29 -07:00
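To make the redirect-versus-proxy distinction in the PR description concrete, here is an added example written for this page; it is not code from the Kubernetes PR. It stands in a constructed `httptest` server for the CRI runtime's streaming endpoint and contrasts two hypothetical kubelet handlers: `redirectHandler`, which sends the caller to the runtime's own address (the old behaviour, where the runtime endpoint must be reachable by, and authenticate, the caller), and `proxyHandler`, which uses `net/http/httputil` to relay the request itself (the new behaviour, where only the kubelet's authenticated endpoint needs to be exposed). The handler and helper names are assumptions for illustration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// newFakeStreamingServer is a constructed stand-in for a CRI runtime's
// streaming server. A real runtime serves exec/attach/port-forward here;
// this one just reports which path it handled.
func newFakeStreamingServer() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "runtime handled %s", r.URL.Path)
	}))
}

// redirectHandler models the old behaviour (hypothetical name): kubelet
// answers with 302 and the apiserver must connect to the runtime directly,
// so the runtime address has to be reachable and must authenticate callers.
func redirectHandler(runtimeURL *url.URL) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target := *runtimeURL
		target.Path = r.URL.Path
		http.Redirect(w, r, target.String(), http.StatusFound)
	})
}

// proxyHandler models the new behaviour (hypothetical name): kubelet relays
// the stream itself, so the runtime can listen on localhost only and the
// external side sees just kubelet's authenticated endpoint.
func proxyHandler(runtimeURL *url.URL) http.Handler {
	return httputil.NewSingleHostReverseProxy(runtimeURL)
}

// resultOf sends one request to a kubelet handler without following
// redirects, so the difference between the two modes stays visible.
// It returns the status code, the Location header and the body.
func resultOf(h http.Handler, path string) (int, string, string) {
	kubelet := httptest.NewServer(h)
	defer kubelet.Close()
	client := &http.Client{
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	resp, err := client.Get(kubelet.URL + path)
	if err != nil {
		return 0, "", err.Error()
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, resp.Header.Get("Location"), string(body)
}

func main() {
	runtime := newFakeStreamingServer()
	defer runtime.Close()
	runtimeURL, _ := url.Parse(runtime.URL)

	code, loc, _ := resultOf(redirectHandler(runtimeURL), "/exec/abc")
	fmt.Printf("redirect mode: status=%d location=%s\n", code, loc)

	code, _, body := resultOf(proxyHandler(runtimeURL), "/exec/abc")
	fmt.Printf("proxy mode:    status=%d body=%q\n", code, body)
}
```

In redirect mode the Location header leaks the runtime's listening address to whoever holds the kubelet connection; in proxy mode the client only ever sees kubelet, which is the property the PR trades a little kubelet overhead for.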
| Name | Last commit message | Last commit date |
| --- | --- | --- |
| testing | Remove direct and indirect streaming runtime interface. | 2018-05-29 15:08:15 -07:00 |
| BUILD | Update bazel. | 2018-05-31 15:26:32 -07:00 |
| cache_test.go | start the apimachinery repo | 2017-01-11 09:09:48 -05:00 |
| cache.go | start the apimachinery repo | 2017-01-11 09:09:48 -05:00 |
| container_gc.go | reevaluate eviction thresholds after reclaim functions | 2018-02-16 08:35:24 -08:00 |
| container_reference_manager.go | revert workaround in PR 46246 as APIs have been consistent | 2017-07-09 20:38:01 +08:00 |
| helpers_test.go | Add dynamic environment variable substitution to subpaths | 2018-05-29 17:01:09 +01:00 |
| helpers.go | Merge pull request #64006 from Random-Liu/streaming-auth | 2018-05-31 22:45:29 -07:00 |
| os.go | small nit in the annotations | 2017-12-12 14:30:24 +08:00 |
| ref_test.go | update tests to be specific about the versions they are testing instead of floating | 2018-05-01 13:18:41 -04:00 |
| ref.go | pkg/api/legacyscheme: fixup imports | 2017-10-18 17:23:55 +02:00 |
| resize.go | Use range in loops; misc fixes | 2018-03-29 22:55:25 +11:00 |
| runtime_cache_fake.go | fix go vet errors | 2016-08-10 16:45:41 -07:00 |
| runtime_cache_test.go | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |
| runtime_cache.go | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |
| runtime.go | Remove direct and indirect streaming runtime interface. | 2018-05-29 15:08:15 -07:00 |
| sync_result_test.go | Remove "All rights reserved" from all the headers. | 2016-06-29 17:47:36 -07:00 |
| sync_result.go | start the apimachinery repo | 2017-01-11 09:09:48 -05:00 |