kube-scheduler authentication/authorisation not configured
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Kubernetes Control Plane Charm | New | Undecided | Unassigned | |
Bug Description
The kube-scheduler configuration does not permit authenticated HTTP access. Deploying kubernetes-
/snap/
As the --authenticatio
curl -k https:/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "forbidden: User \"system:
"reason": "Forbidden",
"details": {},
"code": 403
}
This should result in a 401 Unauthorized.
An example service which *is* configured to allow this is kube-controller
/snap/
An example API call (with an invalid service account token):
curl -k https:/
{
"kind": "Status",
"apiVersion": "v1",
"metadata": {},
"status": "Failure",
"message": "Unauthorized",
"reason": "Unauthorized",
"code": 401
}
I propose specifying the --authenticatio
(Could also go the whole hog and copy over most of the flags already in `kube-controlle
Note a 'mirror image' bug in kubeadm here: https://github.com/kubernetes/kubeadm/issues/1285. Resolved here: https://github.com/kubernetes/kubernetes/pull/80951.
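
The 401-versus-403 distinction described in this report can be turned into a check over probe replies. The following Python is an added example, not part of the original report or the charm's code; the component names used as keys, the constructed reply bodies (including the user name and path in the 403 message, which the report truncates) and the function names are assumptions.

```python
import json

# Constructed replies modelled on the two responses quoted in the report. The
# user name and path in the 403 message are assumptions: the report's own
# message is truncated.
CONSTRUCTED_REPLIES = {
    "kube-scheduler": (403, json.dumps({
        "kind": "Status", "apiVersion": "v1", "metadata": {},
        "status": "Failure",
        "message": 'forbidden: User "system:anonymous" cannot get path "/metrics"',
        "reason": "Forbidden", "details": {}, "code": 403})),
    "kube-controller-manager": (401, json.dumps({
        "kind": "Status", "apiVersion": "v1", "metadata": {},
        "status": "Failure", "message": "Unauthorized",
        "reason": "Unauthorized", "code": 401})),
}


def classify_reply(http_status, body):
    """Interpret the reply to a request sent with a deliberately invalid bearer token."""
    try:
        status = json.loads(body)
    except (TypeError, ValueError):
        return "unknown"
    if not isinstance(status, dict) or status.get("kind") != "Status":
        return "unknown"          # not a Kubernetes Status object: do not guess
    if status.get("code") != http_status:
        return "unknown"          # body and HTTP status disagree (proxy in the path?)
    if http_status == 401 and status.get("reason") == "Unauthorized":
        return "token-rejected"   # the token was evaluated and refused
    if http_status == 403 and status.get("reason") == "Forbidden":
        # The bad token was not refused; the request reached authorization
        # under some identity and was denied there.
        return "token-not-checked"
    return "unknown"


def components_not_rejecting_token(replies):
    """Return the components whose reply was anything other than a 401 rejection."""
    return sorted(name for name, (code, body) in replies.items()
                  if classify_reply(code, body) != "token-rejected")


if __name__ == "__main__":
    for name, (code, body) in CONSTRUCTED_REPLIES.items():
        print(name, classify_reply(code, body))
    print("needs review:", components_not_rejecting_token(CONSTRUCTED_REPLIES))
```

A reply classified as "unknown" should be inspected by hand rather than treated as a pass.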