metrics-server icon indicating copy to clipboard operation
metrics-server copied to clipboard

Published 20 hours ago verified publisher icon kubernetes-sigs

feat(helm chart): Add metrics-server hardening options

Open mkilchhofer opened this issue 1 year ago • 19 comments

What this PR does / why we need it:

It adds options on howto secure the connection between metrics-server and the kube-apiserver.

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):

related to:

  • #545
  • #1230

Resolves #1230

Additional info: The accepted FR #1230 is implemented also as I need this to test the hardening feature.

/cc: @serathius

mkilchhofer avatar Jul 14 '23 13:07 mkilchhofer

CLA Signed

The committers listed above are authorized under a signed CLA.

  • :white_check_mark: login: mkilchhofer / name: Marco Kilchhofer (0f4d76f02c98b581e010c6f34dc0b7cdea459a18)

linux-foundation-easycla[bot] avatar Jul 14 '23 13:07 linux-foundation-easycla[bot]

Welcome @mkilchhofer!

It looks like this is your first PR to kubernetes-sigs/metrics-server 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes-sigs/metrics-server has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. :smiley:

k8s-ci-robot avatar Jul 14 '23 13:07 k8s-ci-robot

Hi @mkilchhofer. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Jul 14 '23 13:07 k8s-ci-robot

/assign @stevehipwell

serathius avatar Jul 14 '23 21:07 serathius

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: mkilchhofer Once this PR has been reviewed and has the lgtm label, please assign serathius for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

k8s-ci-robot avatar Jul 17 '23 06:07 k8s-ci-robot

  • There is no need to run functions for the APIService if it's not enabled

How do you mean that? The genSelfSignedCert function?

  • The helm mode would be a better default (see below)

Sure, will do

  • You don't need to recreate the cert on each Helm install, you can look up the existing secret

I think we should not rely on the lookup function. There are GitOps solutions in the wild which only use helm for rendering (helm template subcommand). The lookup function of helm returns nothing during template as it cannot talk to the kubeapi by design. Only upgrade or install talks to the apiserver.

  • I don't think the chart should support creating a secret, the secret option should only be existing

Hmm why not? It is pretty common that helm charts support this.

  • Please remove the extraObjects value, this isn't a "good" pattern

How can I test the existing secret method then? I think it is an approved feature request, so contributors can file PRs for this, ref:

  • #1230 -> See label triage/accepted

mkilchhofer avatar Jul 17 '23 11:07 mkilchhofer

How do you mean that? The genSelfSignedCert function?

You moved the test for if the APIService was enabled below the new code.

I think we should not rely on the lookup function. There are GitOps solutions in the wild which only use helm for rendering (helm template subcommand). The lookup function of helm returns nothing during template as it cannot talk to the kubeapi by design. Only upgrade or install talks to the apiserver.

In that case they can use one of the other patterns, GitOps shouldn't define architecture it should support best practice.

Hmm why not? It is pretty common that helm charts support this.

Because it's unnecessary and leaks data into the chart values.

How can I test the existing secret method then? I think it is an approved feature request, so contributors can file PRs for this, ref:

We could add a test secret as part or the CI initialisation or it could be generated through the chart as a testing resource.

stevehipwell avatar Jul 17 '23 11:07 stevehipwell

Because it's unnecessary and leaks data into the chart values.

Well, why is that an issue? This is how helm is designed for. These values are stored as a K8s secret.

mkilchhofer avatar Jul 17 '23 11:07 mkilchhofer

Well, why is that an issue? This is how helm is designed for. These values are stored as a K8s secret.

It's the unnecessary part which is the primary concern here; but the Helm implementation and increased surface area for secret information shouldn't be discounted as unimportant.

But as I've said in my other replies you can easily extend this chart by creating a wrapper chart which depends on it and at which point you can make your own architectural decisions.

stevehipwell avatar Jul 17 '23 12:07 stevehipwell

/triage accepted

dashpole avatar Jul 27 '23 16:07 dashpole

@mkilchhofer could you please rebase and then I'll review again?

stevehipwell avatar Jul 28 '23 14:07 stevehipwell

@stevehipwell rebase done

mkilchhofer avatar Jul 28 '23 18:07 mkilchhofer

PR needs rebase.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

k8s-ci-robot avatar Oct 28 '23 03:10 k8s-ci-robot

@mkilchhofer could you rebase this PR?

stevehipwell avatar Dec 01 '23 12:12 stevehipwell

The Kubernetes project currently lacks enough contributors to adequately respond to all PRs.

This bot triages PRs according to the following rules:

  • After 90d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, lifecycle/rotten is applied
  • After 30d of inactivity since lifecycle/rotten was applied, the PR is closed

You can:

  • Mark this PR as fresh with /remove-lifecycle stale
  • Close this PR with /close
  • Offer to help out with Issue Triage

Please send feedback to sig-contributor-experience at kubernetes/community.

/lifecycle stale

k8s-triage-robot avatar Feb 29 '24 12:02 k8s-triage-robot

Will try to rebase the PR as soon as I have time

mkilchhofer avatar Feb 29 '24 13:02 mkilchhofer

/remove-lifecycle stale

yangjunmyfm192085 avatar Feb 29 '24 13:02 yangjunmyfm192085