From 8416c5cc51580c98bf4cc8c646514f688933c125 Mon Sep 17 00:00:00 2001
From: Ben Hu
Date: Tue, 20 Oct 2020 22:38:44 +0000
Subject: [PATCH] Use host IP instead of 127.0.0.1 for kube-apiserver healthcheck.

---
 cluster/gce/config-default.sh                 | 6 +++++-
 cluster/gce/config-test.sh                    | 6 +++++-
 cluster/gce/gci/configure-kubeapiserver.sh    | 6 ++++++
 cluster/gce/manifests/kube-apiserver.manifest | 4 ++--
 4 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/cluster/gce/config-default.sh b/cluster/gce/config-default.sh
index 444b34a8aa7..e7858c0e72a 100755
--- a/cluster/gce/config-default.sh
+++ b/cluster/gce/config-default.sh
@@ -539,7 +539,11 @@ export KONNECTIVITY_SERVICE_PROXY_PROTOCOL_MODE="${KUBE_KONNECTIVITY_SERVICE_PRO
 # Optional: Enable Windows CSI-Proxy
 export ENABLE_CSI_PROXY="${ENABLE_CSI_PROXY:-true}"
 
-# ETCD_LISTEN_ON_HOST_IP decides whether etcd servers should also listen on host IP,
+# KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP decides whether
+# kube-apiserver is healthchecked on host IP instead of 127.0.0.1.
+export KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP="${KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP:-false}"
+
+# ETCD_LISTEN_ON_HOST_IP decides whether etcd servers should also listen on host IP,
 # in addition to listening to 127.0.0.1, and whether kube-apiserver should connect to etcd servers
 # through host IP.
 export ETCD_LISTEN_ON_HOST_IP="${ETCD_LISTEN_ON_HOST_IP:-false}"
diff --git a/cluster/gce/config-test.sh b/cluster/gce/config-test.sh
index 37a97148ac3..6f810985fa9 100755
--- a/cluster/gce/config-test.sh
+++ b/cluster/gce/config-test.sh
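Review bot: The new comment on `KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP` only says the healthcheck moves to "host IP"; it does not say which probes are affected or how that address is obtained, and nothing else in this file tells an operator. The sibling hunk in configure-kubeapiserver.sh resolves the address with `hostname -i` on the master and feeds it to both the liveness and readiness probes, so the comment should carry that: `# KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP decides whether kube-apiserver's liveness and readiness probes target the master's host IP (as resolved by hostname -i on the master at configure time) instead of 127.0.0.1; kube-apiserver presumably has to be serving on that address for the probes to pass.` The ETCD_LISTEN_ON_HOST_IP comment directly below already documents its flag at that level of detail, so this would keep the two consistent.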
@@ -575,7 +575,11 @@ export GCE_UPLOAD_KUBCONFIG_TO_MASTER_METADATA=true
 # Optoinal: Enable Windows CSI-Proxy
 export ENABLE_CSI_PROXY="${ENABLE_CSI_PROXY:-true}"
 
-# ETCD_LISTEN_ON_HOST_IP decides whether etcd servers should also listen on host IP,
+# KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP decides whether
+# kube-apiserver is healthchecked on host IP instead of 127.0.0.1.
+export KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP="${KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP:-false}"
+
+# ETCD_LISTEN_ON_HOST_IP decides whether etcd servers should also listen on host IP,
 # in addition to listening to 127.0.0.1, and whether kube-apiserver should connect to etcd servers
 # through host IP.
 export ETCD_LISTEN_ON_HOST_IP="${ETCD_LISTEN_ON_HOST_IP:-false}"
diff --git a/cluster/gce/gci/configure-kubeapiserver.sh b/cluster/gce/gci/configure-kubeapiserver.sh
index f51e1e8caa1..5010e6cf3f4 100644
--- a/cluster/gce/gci/configure-kubeapiserver.sh
+++ b/cluster/gce/gci/configure-kubeapiserver.sh
@@ -374,6 +374,11 @@ function start-kube-apiserver {
   # params is passed by reference, so no "$"
   setup-etcd-encryption "${src_file}" params
 
+  local healthcheck_ip="127.0.0.1"
+  if [[ ${KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP:-} == "true" ]]; then
+    healthcheck_ip=$(hostname -i)
+  fi
+
   params="$(convert-manifest-params "${params}")"
   # Evaluate variables.
   local -r kube_apiserver_docker_tag="${KUBE_API_SERVER_DOCKER_TAG:-$(cat /home/kubernetes/kube-docker-files/kube-apiserver.docker_tag)}"
@@ -404,6 +409,7 @@ function start-kube-apiserver {
   sed -i -e "s@{{webhook_exec_auth_plugin_volume}}@${webhook_exec_auth_plugin_volume}@g" "${src_file}"
   sed -i -e "s@{{konnectivity_socket_mount}}@${default_konnectivity_socket_mnt}@g" "${src_file}"
   sed -i -e "s@{{konnectivity_socket_volume}}@${default_konnectivity_socket_vol}@g" "${src_file}"
+  sed -i -e "s@{{healthcheck_ip}}@${healthcheck_ip}@g" "${src_file}"
   cp "${src_file}" "${ETC_MANIFESTS:-/etc/kubernetes/manifests}"
 }
 
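Review bot: The new `KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP` comment here is the same two-line stub as in config-default.sh and has the same gap: it names neither the probes it affects nor where the address comes from. Use the same expanded wording in both files, e.g. `# KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP decides whether kube-apiserver's liveness and readiness probes target the master's host IP (as resolved by hostname -i on the master at configure time) instead of 127.0.0.1.`, so the test and default configs do not drift apart on what the flag means.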
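Review bot: `healthcheck_ip=$(hostname -i)` is written into the manifest's `host` field without any check on what came back, and `hostname -i` resolves the host's name rather than reading an interface, so it can print several space-separated addresses or nothing at all depending on /etc/hosts and DNS; a multi-address or empty string then lands in `"host": "…"` and both probes fail on every restart. Take the first address and fail loudly when there is none: `healthcheck_ip=$(hostname -i | awk '{print $1}')` followed by `[[ -n "${healthcheck_ip}" ]] || { echo "KUBE_APISERVER_HEALTHCHECK_ON_HOST_IP=true but hostname -i returned no address" >&2; exit 1; }`. Whether the script runs under `set -e`, and so whether a failing `hostname` already aborts here, is not visible in the hunk. start-kube-apiserver begins and ends outside this hunk.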
diff --git a/cluster/gce/manifests/kube-apiserver.manifest b/cluster/gce/manifests/kube-apiserver.manifest
index b79ffbe2650..092fda75740 100644
--- a/cluster/gce/manifests/kube-apiserver.manifest
+++ b/cluster/gce/manifests/kube-apiserver.manifest
@@ -37,7 +37,7 @@
     "livenessProbe": {
       "httpGet": {
         "scheme": "HTTPS",
-        "host": "127.0.0.1",
+        "host": "{{healthcheck_ip}}",
         "port": {{secure_port}},
         "path": "/livez?exclude=etcd&exclude=kms-provider-0&exclude=kms-provider-1"
       },
@@ -47,7 +47,7 @@
     "readinessProbe": {
       "httpGet": {
         "scheme": "HTTPS",
-        "host": "{{healthcheck_ip}}",
+        "host": "{{healthcheck_ip}}",
         "port": {{secure_port}},
         "path": "/readyz"
       },