Kubernetes Control Plane Charm

basic auth is deprecated

Bug #1841226 reported by George Kraft
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Kubernetes Control Plane Charm
Fix Released
High
Kevin W Monroe
Kubernetes Control Plane Charm 1.19

Bug Description

Forked from https://bugs.launchpad.net/charm-kubernetes-master/+bug/1841199

kube-apiserver's --basic-auth-file option has been deprecated as of k8s 1.16: https://github.com/kubernetes/kubernetes/pull/81152

It is unclear when basic auth support will be removed entirely. We will need to use token auth where we currently use basic auth.

See original description
George Kraft (cynerva)
description: updated
Revision history for this message
Cory Johns (johnsca) wrote :

Basic auth support is removed entirely in 1.19.

Changed in charm-kubernetes-master:
milestone: none → 1.19
importance: Undecided → Critical
status: New → Triaged
Revision history for this message
Cory Johns (johnsca) wrote :

This is now preventing kube-apiserver from starting, with the following error:

kube-apiserver.daemon[117438]: Error: unknown flag: --basic-auth-file

Revision history for this message
George Kraft (cynerva) wrote :

Switching to token auth is the obvious answer, but CIS doesn't like it: https://github.com/aquasecurity/kube-bench/blob/7cd6b32ebb5f6c9503daf6069fe8480e41020505/cfg/cis-1.5/master.yaml#L336-L360

We also need to update kubernetes-dashboard authentication-mode config:
https://github.com/charmed-kubernetes/cdk-addons/blob/d7db3be73e96f1eb13db069c0e61f2f458e4e63a/cdk-addons/apply#L63
https://github.com/charmed-kubernetes/charm-kubernetes-master/blob/1e090ff6c9371a8be014f3f0774a4fcd1882cc89/config.yaml#L272-L278
https://github.com/charmed-kubernetes/charm-kubernetes-master/blob/1e090ff6c9371a8be014f3f0774a4fcd1882cc89/reactive/kubernetes_master.py#L1231-L1235
https://github.com/kubernetes/dashboard/blob/1f66b1c1fde5282f2b5146c6e94018a916610b28/docs/common/dashboard-arguments.md

kubernetes-dashboard appears to only support basic and token auth. If we move away from token auth for CIS then we might need to drop kubernetes-dashboard too.

Changed in cdk-addons:
importance: Undecided → Critical
milestone: none → 1.19
status: New → Triaged
Kevin W Monroe (kwmonroe)
Changed in charm-kubernetes-master:
assignee: nobody → Kevin W Monroe (kwmonroe)
status: Triaged → In Progress
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

Fixed with https://github.com/charmed-kubernetes/charm-kubernetes-master/pull/96

Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

Nothing to fix in cdk-addons for the basic-auth removal. We just force it to 'token' in k8s-master.py now.

We'll look at removing this option fully when token-auth goes away as well.

Changed in cdk-addons:
assignee: nobody → Kevin W Monroe (kwmonroe)
status: Triaged → Invalid
Kevin W Monroe (kwmonroe)
Changed in cdk-addons:
importance: Critical → Undecided
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

This fix works for upgrades, but not quite right for new deployments. We'll need to make basic_auth.csv optional for k8s-master followers.

Changed in charm-kubernetes-master:
status: Fix Committed → In Progress
George Kraft (cynerva)
Changed in charm-kubernetes-master:
importance: Critical → High
no longer affects: cdk-addons
Revision history for this message
Kevin W Monroe (kwmonroe) wrote :

The issue noted in comment #6 was resolved in bug 1879545. Basic auth removal PRs have all been committed.

Changed in charm-kubernetes-master:
status: In Progress → Fix Committed
Tim Van Steenburgh (tvansteenburgh)
Changed in charm-kubernetes-master:
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.