
Support upstream via unix socket

Open alebedev87 opened this issue 3 years ago • 3 comments

Add support for proxying to the upstream via a Unix socket. This may help to reduce the number of ports occupied by the pod which uses kube-rbac-proxy (e.g. when the pod uses hostNetwork).

Test PR whose e2e targets a POD's container endpoint via kube-rbac-proxy: https://github.com/openshift/node-observability-operator/pull/113

Manual test:

# start upstream which listens on unix socket
$ ./bin/node-observability-agent -unixSocket /tmp/nobagent.sock -preferUnixSocket -crioPreferUnixSocket=false -caCertFile=kubelet.crt -tokenFile=token
INFO[0000] Starting node-observability-agent version: "v0.0.0-unknown", commit: "da7d110", build date: "2022-11-16T09:16:10Z", go version: "go1.19.2", GOOS: "linux", GOARCH: "amd64" at log level info 
INFO[0000] Start listening on unix:///tmp/nobagent.sock  module=server
INFO[0000] Targeting node 192.168.130.11                 module=server

$ sudo ss -lxp | grep node
u_str LISTEN 0      128                                                                /tmp/nobagent.sock 297621            * 0      users:(("node-observabil",pid=95712,fd=3)) 

# start kube-rbac-proxy
$ ./_output/kube-rbac-proxy --kubeconfig=/home/alebedev/.crc/machines/crc/kubeconfig --upstream-unix-socket=/tmp/nobagent.sock --secure-listen-address=0.0.0.0:8443 --tls-cert-file=tls.crt --tls-private-key-file=tls.key
I1116 10:52:57.726306   95991 main.go:209] Valid token audiences: 
I1116 10:52:57.726524   95991 main.go:355] Reading certificate files
I1116 10:52:57.726751   95991 main.go:389] Starting TCP socket on 0.0.0.0:8443
I1116 10:52:57.734420   95991 main.go:396] Listening securely on 0.0.0.0:8443

# send request via proxy
$ curl -k -H "Authorization: Bearer ${TOKEN}" https://localhost:8443/node-observability-status
Service is ready

# see the logs of the upstream to verify it got the request
$ ./bin/node-observability-agent -unixSocket /tmp/nobagent.sock -preferUnixSocket -crioPreferUnixSocket=false -caCertFile=kubelet.crt -tokenFile=token
INFO[0000] Starting node-observability-agent version: "v0.0.0-unknown", commit: "da7d110", build date: "2022-11-16T09:16:10Z", go version: "go1.19.2", GOOS: "linux", GOARCH: "amd64" at log level info 
INFO[0000] Start listening on unix:///tmp/nobagent.sock  module=server
INFO[0000] Targeting node 192.168.130.11                 module=server
INFO[0100] start handling status request                 module=handler
INFO[0100] agent is ready                                module=handler

alebedev87, Nov 16 '22 09:11
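The core of what this PR proposes, as an added example (not kube-rbac-proxy's own code, and not the code in the PR): an httputil.ReverseProxy whose http.Transport dials a Unix socket instead of the TCP host named in the target URL. The upstream here is a toy handler constructed for the example, standing in for node-observability-agent; the socket path, the placeholder host "unix" and the function names are all assumptions of this example. Two things the manual test above does not show are included: the socket file is chmod'ed to 0600 after listening, because with a Unix socket upstream anyone who can open the path reaches the service without passing through the proxy, so filesystem permissions become the access control on that side; and a request against a socket path that does not exist, which the reverse proxy answers with 502 Bad Gateway rather than hanging. Token authentication and the SubjectAccessReview that kube-rbac-proxy performs before forwarding are out of scope.

```go
package main

import (
	"context"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"os"
	"path/filepath"
	"time"
)

// startUnixUpstream starts a stand-in for the upstream (a toy handler constructed
// for this example, not node-observability-agent) listening on a Unix socket.
// The socket file is restricted to its owner: whoever can open the path talks to
// the upstream directly, bypassing the proxy, so the file mode is the access
// control on that side.
func startUnixUpstream(sockPath string) (*http.Server, error) {
	_ = os.Remove(sockPath) // stale socket file from a previous run
	ln, err := net.Listen("unix", sockPath)
	if err != nil {
		return nil, err
	}
	if err := os.Chmod(sockPath, 0o600); err != nil {
		ln.Close()
		return nil, err
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/node-observability-status", func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, "Service is ready")
	})
	srv := &http.Server{Handler: mux}
	go srv.Serve(ln) // returns http.ErrServerClosed once srv.Close() runs
	return srv, nil
}

// newUnixSocketProxy returns a reverse proxy whose transport dials sockPath
// instead of the TCP host in the target URL. The host "unix" is a placeholder
// (an assumption of this example) that only keys the transport's connection
// pool; the custom dialer ignores the network and address it is handed.
func newUnixSocketProxy(sockPath string) *httputil.ReverseProxy {
	target := &url.URL{Scheme: "http", Host: "unix"}
	proxy := httputil.NewSingleHostReverseProxy(target)
	proxy.Transport = &http.Transport{
		DialContext: func(ctx context.Context, _, _ string) (net.Conn, error) {
			var d net.Dialer
			return d.DialContext(ctx, "unix", sockPath)
		},
	}
	return proxy
}

// fetchViaProxy serves the proxy on an ephemeral loopback TCP port, requests
// path through it and returns the status code and body seen by the client.
// If the socket cannot be dialed, ReverseProxy's default error handler
// answers 502 Bad Gateway.
func fetchViaProxy(sockPath, path string) (int, string, error) {
	front := httptest.NewServer(newUnixSocketProxy(sockPath))
	defer front.Close()
	client := &http.Client{Timeout: 5 * time.Second}
	resp, err := client.Get(front.URL + path)
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return 0, "", err
	}
	return resp.StatusCode, string(body), nil
}

func main() {
	// Keep the path short: Unix socket paths are limited to roughly 100 bytes.
	sock := filepath.Join(os.TempDir(), "nobagent-example.sock")
	srv, err := startUnixUpstream(sock)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	defer srv.Close()
	code, body, err := fetchViaProxy(sock, "/node-observability-status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Println(code, body)
}
```

Closing the http.Server closes the Unix listener, and Go unlinks the socket file for listeners created with net.Listen, so the 0600 file does not outlive the process on a clean shutdown; on a crash the os.Remove at startup clears the stale path.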

Sorry, I was busy. I will try to take a look this week.

ibihim, Nov 28 '22 13:11

Fixed merge conflicts, there were quite some changes in main.go and transport.go.

alebedev87, Dec 05 '22 09:12

Firstly, I want to apologize for the delayed response on this.

We value your contribution and think that this feature could be beneficial. However, we're currently in the midst of the k8s sig-auth acceptance process, and adding any new features at this stage could increase the workload on our reviewers.

Once we complete the acceptance process, we would love to revisit your feature. If you're okay with this, we will reach back out to you at that time.

We appreciate your understanding and look forward to your continued contributions. Thank you for your efforts!

ibihim, May 31 '23 08:05