refactor(apiserver): remove the insecure flags #106859
/cc @liggitt
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
2ce7a0e to 9573b4a
Hi @knight42, I found that I issued a duplicate PR on that. Maybe you can check out my PR, which is barely the same as yours but removes some in kubeadm test files. I would be grateful if you add me as a co-author on this.
Change looks good, but is the e2e bringup failure legitimate? Is that invocation setting one of the deprecated flags?
Signed-off-by: haoyun <yun.hao@daocloud.io>
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
b488573 to fe44878
@liggitt Hi! All tests passed now.
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: knight42, liggitt
The full list of commands accepted by this bot can be found here.
The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing
/triage accepted
* Extend docs to support kubernetes v1.24 and allow client creation
* Adapt kubernetes feature gates

  ./hack/compare-k8s-feature-gates.sh 1.23 1.24 ✔

  Feature gates added in 1.24 compared to 1.23:
  CSIMigrationRBD
  CronJobTimeZone
  LegacyServiceAccountTokenNoAutoGeneration
  MaxUnavailableStatefulSet
  MinDomainsInPodTopologySpread
  NetworkPolicyStatus
  NodeOutOfServiceVolumeDetach
  ServiceIPStaticSubrange

  Feature gates removed in 1.24 compared to 1.23:
  HugePageStorageMediumSize
  ImmutableEphemeralVolumes
  MigrationRBD
  NamespaceDefaultLabelName
  RuntimeClass
  SetHostnameAsFQDN
  StreamingProxyRedirects
  ValidateProxyRedirects
  WarningHeaders

  Feature gates locked to default in 1.24 compared to 1.23:
  CSIMigrationOpenStack
  CSIStorageCapacity
  CSRDuration
  ControllerManagerLeaderMigration
  DefaultPodTopologySpread
  EfficientWatchResumption
  IndexedJob
  NonPreemptingPriority
  PodAffinityNamespaceSelector
  PodOverhead
  PreferNominatedNode
  RemoveSelfLink
  ServiceLBNodePortControl
  ServiceLoadBalancerClass
  SuspendJob
* Use 1.24 for local shoot
* Drop removed flag --insecure-port for v1.24
  ref kubernetes/kubernetes#106859
* Drop removed flag --port for v1.24
  ref kubernetes/kubernetes#106860
* Remove deprecated usages of metadata.Selflink
* Use 1.24 e2e test
* Bump kindest/node image to v1.24
* Adapt changes for with k/k v1.24
  Secret API objects containing service account tokens are no longer auto-generated for every ServiceAccount
  ref kubernetes/kubernetes#108309
* Add unit test
…secure-port flags GKE config script version of kubernetes#106859 Bug: 209962139 Change-Id: I551cfc12fd94a927383fcff89013a3a78fb61592
kube-apiserver: Change kube-apiserver liveness probe config setup
Prior OSS attempt: kubernetes#94076
Bug: b/164955956
Change-Id: Ia2f75ac5e97f4eb6aa4dc9b00fc2bb3112db9360

kube-apiserver: Set profiling false for kube-apiserver
Change-Id: I052a53d72acfc3c5aa8d03f695beb93cadc0be87

kube-apiserver: allow adding memory limit to kube-apiserver via the KUBE_APISERVER_MEMORY_LIMIT environment variable
bug: 181991030
Change-Id: I1a01766e6f2415eba31d6d865f7f39d7855f969e

kube-apiserver: Drop removed insecure --address and --insecure-port flags
GKE config script version of kubernetes#106859
Bug: 209962139
Change-Id: I551cfc12fd94a927383fcff89013a3a78fb61592

kube-apiserver: Readd KUBE_APISERVER_EVENT_TTL_SEC env for kube-apiserver --event-ttl
Bug: b/176806841
Change-Id: I5c651a555287af0e891e9592dfb7c172b6bb24a2

kube-apiserver: Re-enable the deprecated behavior of CommonName on X.509 as a diagnoser to detect the fleet level impact on the deprecation
Change-Id: If4962b6ecb3294878bfa37ab0ebcd4441fae7140

kube-apiserver: Update permissions of /etc/srv/kubernetes/abac-authz-policy.jsonl if kube-apiserver is running as non-root.
BUG=199669294
Change-Id: Ic9ae9add0a35b7df99781e470c917b2427bee289

kube-apiserver: Remove reference to deleted target-ram-mb flag
Change-Id: I57d0c80eb2285ec9d93b075b1845f1805e0fd748

kube-apiserver: Re-enable SHA1 signatures with GODEBUG=x509sha1=1
Bug: b/227456358
Bug: b/226424430
Change-Id: I5165e6c2fe73e8e1b2a617ced591133228b6d275

kube-apiserver: use --api-audiences as --service-account-api-audiences is deprecated
Copy of kubernetes#103078
Change-Id: I88c2f2eb8bde4378b115e01cbbe9700c27f03955

Expose UDS with profiling data for kube-apiserver.
Added in kubernetes#114191. See go/no-gke-tcp-pprof for policy.
Refs b/273485199
Change-Id: Ic772c9249468fdf7f516d62bd2a0bfbfe933c1bb

Allow specifying terminationGracePeriodSeconds for kube-apiserver.
Refs b/252987333
Change-Id: I20699501f429630fe74531cb086091eb9ed3611c

Run kube-apiserver with cloud-provider=external
Bug: 299159412
Change-Id: I8db8e72377f1c63a3874ee9f0567be264c40ba58
Signed-off-by: Jian Zeng <anonymousknight96@gmail.com>
What type of PR is this?
/kind cleanup
/kind deprecation
What this PR does / why we need it:
Which issue(s) this PR fixes:
Fixes #
Special notes for your reviewer:
Does this PR introduce a user-facing change?
Additional documentation e.g., KEPs (Kubernetes Enhancement Proposals), usage docs, etc.: