
Add ability to Disable the kubelet read-only port in GKE clusters and Node Pools #2748

Open
3 tasks done
PurseChicken opened this issue Sep 19, 2024 · 0 comments
Labels
enhancement New feature or request

Comments

@PurseChicken

PurseChicken commented Sep 19, 2024

Checklist

  • I did not find a related open enhancement request.
  • I understand that enhancement requests filed in the GitHub repository are by default low priority.
  • If this request is time-sensitive, I have submitted a corresponding issue with GCP support.

Describe the feature or resource

Google is sending out notifications to disable the insecure unauthenticated port in the kubelet server. This includes modifying both the Cluster and Node Pool configuration.

This is currently a manual process as there does not appear to be an ability to do this directly with the ContainerCluster or ContainerNodePool config connector resources.

Additional information

https://cloud.google.com/kubernetes-engine/docs/how-to/disable-kubelet-readonly-port

I imagine we will want to extend the nodePoolDefaults.nodeConfigDefaults section of ContainerCluster to include 'insecureKubeletReadonlyPortEnabled' (boolean), e.g.:

nodePoolDefaults:
  nodeConfigDefaults:
    gcfsConfig:
      enabled: boolean
    loggingVariant: string
    insecureKubeletReadonlyPortEnabled: boolean

Additionally, modify the nodeConfig.kubeletConfig section of ContainerNodePool to include 'insecureKubeletReadonlyPortEnabled' (boolean), e.g.:

nodeConfig:
  kubeletConfig:
    cpuCfsQuota: boolean
    cpuCfsQuotaPeriod: string
    cpuManagerPolicy: string
    podPidsLimit: integer
    insecureKubeletReadonlyPortEnabled: boolean

Finally, for Autopilot clusters, modify nodePoolAutoConfig to include / control nodeKubeletConfig and be able to set 'insecureKubeletReadonlyPortEnabled' (boolean) within ContainerCluster, e.g.:

nodePoolAutoConfig:
  networkTags:
    tags:
    - string
  nodeKubeletConfig:
    insecureKubeletReadonlyPortEnabled: boolean

Importance

I imagine that as more and more users get instruction to disable this insecure configuration, there will be more users that will want this capability using config-connector. In my opinion this should be considered a medium urgency.
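Until the resources gain the proposed fields, teams still need a way to tell which manifests would leave the read-only port enabled once the fields exist. The following check is an added example, not code from this issue or from the Config Connector project: it walks a set of parsed Config Connector manifests and looks for `insecureKubeletReadonlyPortEnabled` in the three locations proposed above (ContainerCluster `nodePoolDefaults.nodeConfigDefaults`, ContainerCluster `nodePoolAutoConfig.nodeKubeletConfig` for Autopilot, and ContainerNodePool `nodeConfig.kubeletConfig`). The field name and paths are taken from the issue text and are assumed, not the released API; the function names and sample manifests are constructed for the example, and the manifests are given as already-parsed dicts so no YAML library is required.

```python
"""Lint Config Connector manifests for the kubelet read-only port setting.

Added example; not code from the issue or the Config Connector project. The
field name `insecureKubeletReadonlyPortEnabled` and the three places the issue
proposes for it are assumptions taken from the issue text; the sample
manifests and function names are constructed here.
"""
from __future__ import annotations

from typing import Any

FIELD = "insecureKubeletReadonlyPortEnabled"

# Proposed locations of the field, walked from each manifest's `spec`.
PROPOSED_PATHS: dict[str, list[tuple[str, ...]]] = {
    "ContainerCluster": [
        ("nodePoolDefaults", "nodeConfigDefaults", FIELD),   # Standard clusters
        ("nodePoolAutoConfig", "nodeKubeletConfig", FIELD),  # Autopilot clusters
    ],
    "ContainerNodePool": [
        ("nodeConfig", "kubeletConfig", FIELD),
    ],
}


def _lookup(obj: Any, path: tuple[str, ...]) -> Any:
    """Walk nested dicts along `path`; return None if any key is missing."""
    for key in path:
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj


def check_manifest(manifest: dict) -> list[str]:
    """Return findings for one manifest. An empty list means the resource
    explicitly disables the read-only port somewhere and enables it nowhere."""
    kind = manifest.get("kind")
    paths = PROPOSED_PATHS.get(kind)
    if paths is None:
        return []  # not a kind this check covers
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    spec = manifest.get("spec", {})
    findings: list[str] = []
    explicitly_disabled = False
    for path in paths:
        value = _lookup(spec, path)
        dotted = "spec." + ".".join(path)
        if value is True:
            findings.append(f"{kind}/{name}: {dotted} is true (read-only port enabled)")
        elif value is False:
            explicitly_disabled = True
        elif value is not None:
            findings.append(f"{kind}/{name}: {dotted} is not a boolean: {value!r}")
    if not findings and not explicitly_disabled:
        # The field is absent, so whatever GKE applies by default is in effect.
        findings.append(f"{kind}/{name}: {FIELD} not set; GKE default applies, review required")
    return findings


def check_all(manifests: list[dict]) -> dict[str, list[str]]:
    """Map each resource (kind/name) that has findings to its findings."""
    report: dict[str, list[str]] = {}
    for m in manifests:
        findings = check_manifest(m)
        if findings:
            key = f"{m.get('kind')}/{m.get('metadata', {}).get('name', '<unnamed>')}"
            report[key] = findings
    return report


# Constructed sample manifests (parsed YAML as dicts); names are made up.
SAMPLE_MANIFESTS = [
    {   # Standard cluster that opts out at the cluster level: compliant
        "apiVersion": "container.cnrm.cloud.google.com/v1beta1",
        "kind": "ContainerCluster",
        "metadata": {"name": "prod-cluster"},
        "spec": {"nodePoolDefaults": {"nodeConfigDefaults": {FIELD: False}}},
    },
    {   # Node pool that turns the port back on: finding
        "apiVersion": "container.cnrm.cloud.google.com/v1beta1",
        "kind": "ContainerNodePool",
        "metadata": {"name": "legacy-pool"},
        "spec": {"nodeConfig": {"kubeletConfig": {FIELD: True}}},
    },
    {   # Node pool that says nothing: flagged for review
        "apiVersion": "container.cnrm.cloud.google.com/v1beta1",
        "kind": "ContainerNodePool",
        "metadata": {"name": "default-pool"},
        "spec": {"nodeConfig": {"kubeletConfig": {"podPidsLimit": 4096}}},
    },
    {   # Unrelated resource kind: ignored
        "kind": "ComputeNetwork",
        "metadata": {"name": "vpc"},
        "spec": {},
    },
]

if __name__ == "__main__":
    for findings in check_all(SAMPLE_MANIFESTS).values():
        for line in findings:
            print(line)
```

The check deliberately treats an absent field as a finding rather than as compliant: a manifest that is silent on the port inherits the GKE default, which is exactly the state the notifications mentioned above ask users to move away from, so it is worth a review even though nothing is wrong with the manifest as written. The linked Google documentation remains the source for confirming the live setting on a cluster; this script only covers what is declared in Config Connector manifests.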
