WIP: remove insecure-port and deprecated insecure serving #95522
Conversation
f284883 to
977a71d
Compare
aa6ac78 to
3f82c2b
Compare
|
@mfojtik: The following tests failed, say
Full PR test history. Your PR dashboard. Please help us cut down on flakes by linking to an open issue when you hit one in your PR. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
|
/triage accepted |
|
this is required to merge first: |
|
@mfojtik: PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
Hello 👋 ! Bug triage here, This PR has not been updated for a long time, so I'd like to check what's the status. The code freeze is starting 12.11.2020 (about 2 weeks from now) and while there is still plenty of time, we want to ensure that each PR has a chance to be merged on time. As the PR is tagged for 1.20, is it still planned for this release? |
|
1.20 seems doable.
|
Having the insecure-port wired to zero seems more vague than just removing it. Removing it sends a clear message its gone and you cannot rely on it anymore. If you have something like health checks or component status calls being sent to the insecure port they will stop working. Setting the value to 0 implies the same thing, but I think its better to be clear in this instance. |
The rationale was stated in #95522 (review), and focused on preventing accidents in deployers stopping setting the flag to 0 too early:
|
|
@cheftako @liggitt @neolit123 @mfojtik are there other bits/blockers to discuss to have this merged? @mfojtik is busy, I was asked to politely take over. We have one week left before the code freeze. |
|
#96216 is doing the same for kube-controller-manager. Might be better to do it per component than to open one huge PR so we don't have to rebase so often and divide the work between individuals. @ahg-g @alculquicondor for kube-scheduler. Are you aware of this effort? |
|
The insecure API server port was already removed in #95856 which was the priority for 1.20 I tend to agree that going component by component and neutering the insecure port is likely to be simpler |
|
+1 on a PR per component |
|
kube-scheduler bits: #96345 |
|
/milestone clear |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
|
Rotten issues close after 30d of inactivity. Send feedback to sig-contributor-experience at kubernetes/community. |
|
@fejta-bot: Closed this PR. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
What type of PR is this?
/kind cleanup
/kind deprecation
What this PR does / why we need it:
This removes the
insecure-portoption and the already deprecated insecure serving for kube apiserver, kube controller manager and scheduler.This means the health checks are possible only via secure port.
Does this PR introduce a user-facing change?:
YES
xref: #91506
/cc @deads2k @sttts