How to enable https and authentication for kubelet?


Qian Zhang

May 3, 2017, 10:38:41 AM
to Kubernetes user discussion and Q&A
Hi,

I have a Kubernetes cluster, and currently the kubelet listens on two ports: 10250 and 10255. If I understand correctly, 10250 serves https and 10255 serves http. Now I can always run the following command to access kubelet:
    curl http://<node-IP>:10255/spec/
And this command even works for the https port:
    curl --insecure https://<node-IP>:10250/spec/

This is not secure to me. I do not want to expose the http port, so I think I should start kubelet with the flag "--read-only-port=0" to disable 10255. For the https port (10250), I do not want anonymous users to access it, but in the meantime I still want kube-apiserver to be able to access kubelet (e.g., when I run "kubectl logs ...", kube-apiserver can still talk to kubelet to get logs), and I also want Heapster (running as a deployment in my Kubernetes cluster) to still be able to access kubelet to get metrics. Can anyone please let me know what other flags I should specify to start kubelet?


Thanks,
Qian

Brandon Philips

May 3, 2017, 4:36:12 PM
to Kubernetes user discussion and Q&A
Hello Qian-

10255 is the "read-only" port, to disable it remove --read-only-port from kubelet config.

To configure authentication on the kubelet port use --client-ca-file. The API server has flags to authenticate using these CAs: https://github.com/coreos/tectonic-installer/blob/master/modules/bootkube/resources/manifests/kube-apiserver.yaml#L45-L46

Hope that helps.

Brandon

--
You received this message because you are subscribed to the Google Groups "Kubernetes user discussion and Q&A" group.
To unsubscribe from this group and stop receiving emails from it, send an email to kubernetes-use...@googlegroups.com.
To post to this group, send email to kubernet...@googlegroups.com.
Visit this group at https://groups.google.com/group/kubernetes-users.
For more options, visit https://groups.google.com/d/optout.

Brandon Philips

May 3, 2017, 5:39:52 PM
to Kubernetes user discussion and Q&A

Qian Zhang

May 3, 2017, 10:41:41 PM
to kubernet...@googlegroups.com
Thanks Brandon!

10255 is the "read-only" port, to disable it remove --read-only-port from kubelet config.

Based on https://kubernetes.io/docs/admin/kubelet/, I think, to disable it, I should set "--read-only-port" to 0.

Now I have added these flags "--read-only-port=0 --client-ca-file=/var/lib/kubelet/ca.crt --authentication-token-webhook --anonymous-auth=false" to start kubelet. The command "curl --insecure https://<node-IP>:10250/spec/" does not work anymore (it shows an "Unauthorized" error), which is what I expect, and I also restarted Heapster with the flag "--source=kubernetes.summary_api:https://kubernetes.default?kubeletHttps=true&kubeletPort=10250&insecure=true" so that it can connect to kubelet's 10250 port.

The only issue is that kube-apiserver cannot connect to kubelet anymore:
$ kubectl logs <pod-name> <container-name> --namespace=kube-system            
error: You must be logged in to the server (the server has asked for the client to provide credentials)

I have specified "--kubelet-client-certificate=/etc/cfc/conf/server.cert --kubelet-client-key=/etc/cfc/conf/server.key" to start kube-apiserver, maybe the files I specified here are not correct?



Regards,
Qian Zhang


Qian Zhang

May 4, 2017, 5:01:12 AM
to kubernet...@googlegroups.com
I have figured it out: for kube-apiserver's flags "--kubelet-client-certificate" and "--kubelet-client-key", I should generate a client cert/key pair rather than use the server's.


Regards,
Qian Zhang

Brandon Philips

May 4, 2017, 5:10:13 PM
to kubernet...@googlegroups.com
Glad you got it sorted!


Jeremy Wang

Aug 23, 2018, 1:59:46 AM
to Kubernetes user discussion and Q&A
Do you know why the apiserver can't connect to the kubelet with the server's certificate and must use a newly generated certificate to make it work?

On Thursday, May 4, 2017 at 5:01:12 PM UTC+8, Qian Zhang wrote:
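Jeremy's question is left open in the thread; the example below is added here and is not code from the thread or from Kubernetes. It shows the most common cause, assuming the certificate otherwise chains to the CA in --client-ca-file: the kubelet verifies the presented certificate for client authentication, and Go's crypto/x509 (which the kubelet uses) rejects a leaf whose extended key usage lists only serverAuth. The helper names issue and acceptedAsClient and the CN values are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue signs a leaf for cn with the given extended key usages (EKU). A nil parent
// yields a self-signed CA, standing in for the CA behind kubelet's --client-ca-file.
func issue(parent *x509.Certificate, parentKey *ecdsa.PrivateKey, cn string,
	eku []x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: eku, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed CA
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// acceptedAsClient mirrors the kubelet-side check: the presented certificate must chain to
// the --client-ca-file CA and be valid for client authentication. Go rejects a leaf whose
// EKU list is non-empty but contains neither clientAuth nor anyExtendedKeyUsage.
func acceptedAsClient(ca, leaf *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

func main() {
	ca, caKey := issue(nil, nil, "kubelet-client-ca", nil)
	srv, _ := issue(ca, caKey, "kube-apiserver", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	cli, _ := issue(ca, caKey, "kube-apiserver", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("server cert as client:", acceptedAsClient(ca, srv)) // incompatible key usage
	fmt.Println("client cert as client:", acceptedAsClient(ca, cli)) // <nil>
}
```

A quick way to spot this on a real file is `openssl x509 -in server.cert -noout -ext extendedKeyUsage`: a value of only "TLS Web Server Authentication" will be refused by the kubelet regardless of which CA signed it.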