kube-scheduler authentication/authorisation not configured

Bug #1988303 reported by Alex Pearce
Affects: Kubernetes Control Plane Charm
Status: New
Importance: Undecided
Assigned to: Unassigned
Milestone: (not set)

Bug Description

The kube-scheduler configuration does not permit authenticated HTTP access. Deploying kubernetes-control-plane 1.24.4 I see this process:

    /snap/kube-scheduler/2582/kube-scheduler --v=2 --logtostderr=true --profiling=false --config=/root/cdk/kube-scheduler-config.yaml --feature-gates=

As the --authentication-kubeconfig and --authorization-kubeconfig arguments are missing one cannot make calls to the HTTP metrics API with any service token.

    curl -k https://localhost:10259/metrics --header 'Authorization: Bearer abc123'
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "forbidden: User \"system:anonymous\" cannot get path \"/metrics\"",
      "reason": "Forbidden",
      "details": {},
      "code": 403
    }

This should result in a 401 Unauthorized.

An example service which *is* configured to allow this is kube-controller-manager:

    /snap/kube-controller-manager/2657/kube-controller-manager --min-resync-period=3m --v=2 --root-ca-file=/root/cdk/ca.crt --logtostderr=true --kubeconfig=/root/cdk/kubecontrollermanagerconfig --authorization-kubeconfig=/root/cdk/kubecontrollermanagerconfig --authentication-kubeconfig=/root/cdk/kubecontrollermanagerconfig --use-service-account-credentials=true --service-account-private-key-file=/root/cdk/serviceaccount.key --tls-cert-file=/root/cdk/server.crt --tls-private-key-file=/root/cdk/server.key --cluster-name=kubernetes-f0xbikvswmnnjjamkboa5uvg05j2raqc --terminated-pod-gc-threshold=12500 --profiling=false --service-cluster-ip-range=10.152.183.0/24 --cluster-cidr=10.1.0.0/16 --feature-gates=RotateKubeletServerCertificate=true

An example API call (with an invalid service account token):

    curl -k https://localhost:10257/metrics --header 'Authorization: Bearer abc123'
    {
      "kind": "Status",
      "apiVersion": "v1",
      "metadata": {},
      "status": "Failure",
      "message": "Unauthorized",
      "reason": "Unauthorized",
      "code": 401
    }

I propose specifying the --authentication-kubeconfig and --authorization-kubeconfig flags by default on the kube-scheduler component. The kubeconfig already exists at /root/cdk/kubeschedulerconfig.

(Could also go the whole hog and copy over most of the flags already in `kube-controller-manager` related to HTTP access, e.g. the `--tls-*` flags.)
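As an added example (not part of the bug report or of the charm's own code), the following POSIX shell functions turn the report's two observations into a repeatable check: they audit a component's command line for the `--authentication-kubeconfig` and `--authorization-kubeconfig` flags, show what the proposed fix would look like using the `/root/cdk/kubeschedulerconfig` path the report names, and classify the HTTP status of a `/metrics` probe made with a bogus bearer token the way the report does (401 means the token was checked and rejected; 403 for `system:anonymous` means no authenticator was configured). The two command-line strings are constructed samples: the kube-scheduler one is copied from the report, the kube-controller-manager one is trimmed to the flags that matter here.

```shell
#!/bin/sh
# Added example, not the charm's own code: audit a control-plane component for
# the authentication/authorization kubeconfig flags and interpret a metrics probe.

# Constructed sample command lines (kube-scheduler copied from the report,
# kube-controller-manager trimmed to the relevant flags).
SCHED_CMDLINE='/snap/kube-scheduler/2582/kube-scheduler --v=2 --logtostderr=true --profiling=false --config=/root/cdk/kube-scheduler-config.yaml --feature-gates='
KCM_CMDLINE='/snap/kube-controller-manager/2657/kube-controller-manager --v=2 --authorization-kubeconfig=/root/cdk/kubecontrollermanagerconfig --authentication-kubeconfig=/root/cdk/kubecontrollermanagerconfig --profiling=false'

# has_flag CMDLINE FLAG -> returns 0 if "--FLAG=value" or "--FLAG value" is
# present as a whole argument, 1 otherwise.
has_flag() {
    case " $1 " in
        *" --$2="*|*" --$2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_auth_flags CMDLINE -> prints "configured" (exit 0) or
# "missing: <flags>" (exit 1) for the two flags the report asks for.
audit_auth_flags() {
    _missing=""
    for _f in authentication-kubeconfig authorization-kubeconfig; do
        has_flag "$1" "$_f" || _missing="$_missing $_f"
    done
    if [ -z "$_missing" ]; then
        echo configured
        return 0
    fi
    echo "missing:$_missing"
    return 1
}

# add_auth_flags CMDLINE KUBECONFIG -> the proposed fix: the same command line
# with both flags pointing at the existing kubeconfig.
add_auth_flags() {
    echo "$1 --authentication-kubeconfig=$2 --authorization-kubeconfig=$2"
}

# classify_probe STATUS -> interpret the HTTP status returned by a /metrics
# request carrying a bogus bearer token (exit 0 only for the expected 401).
classify_probe() {
    case "$1" in
        401) echo "authn configured: bearer token was checked and rejected"; return 0 ;;
        403) echo "authn NOT configured: request was treated as system:anonymous"; return 1 ;;
        200) echo "metrics served without valid credentials"; return 1 ;;
        *)   echo "unexpected status: $1"; return 2 ;;
    esac
}

# Run the audit on the constructed samples when executed directly.
audit_auth_flags "$SCHED_CMDLINE" || true
audit_auth_flags "$KCM_CMDLINE" || true
audit_auth_flags "$(add_auth_flags "$SCHED_CMDLINE" /root/cdk/kubeschedulerconfig)" || true
```

On a live control-plane node the same functions can be fed real input: `audit_auth_flags "$(ps -eo args= | grep '[k]ube-scheduler')"` for the command line, and `classify_probe "$(curl -sk -o /dev/null -w '%{http_code}' https://localhost:10259/metrics -H 'Authorization: Bearer bogus')"` for the probe, where the bearer value is deliberately invalid so that 401 versus 403 is the only thing being measured.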
