POC-2020-8559
Improvement idea
If you kill the kubelet process and then start it again right away, you can put in whatever command-line arguments you want. The way you're doing it was the first approach I took, but in the end it seems easier uploading a rogue kubelet binary.
I think you can have your proxy listening on localhost and forwarding traffic to the Kubernetes API server using the kubelet's cert/key, and listen for the kubelet's outbound traffic intended for the Kubernetes API as plain-text HTTP. Then kill the kubelet process and restart it with command-line flags telling the kubelet that the Kubernetes API server is listening on localhost without TLS.
I think you may need to have the proxy listen on, say, 127.0.0.2 and add an entry to /etc/hosts like 127.0.0.2 api-server.com
I was initially thinking of something like that, too. As far as I can tell, it can't be done that way because the kubelet re-registers its listening address and port when restarted, and there's no way to get kubelet to turn off TLS for its listening port.
Do you have workarounds in mind for those issues? It'd be cool to simplify the data path.