apply public endpoint filter only for kubelet-readonly

Signed-off-by: Benedikt Bongartz <bongartz@klimlive.de>
2025-08-10 12:32:03 +00:00 · 2024-01-11 00:43:41 +01:00 · 2024-01-11 00:43:41 +01:00 · c823a21a7a
commit c823a21a7a
parent 099eba784b
2 changed files with 13 additions and 10 deletions
--- a/pkg/kubelet/server/server.go
+++ b/pkg/kubelet/server/server.go
@ -160,7 +160,12 @@ func ListenAndServeKubeletServer(
 	address := netutils.ParseIPSloppy(kubeCfg.Address)
 	port := uint(kubeCfg.Port)
 	klog.InfoS("Starting to listen", "address", address, "port", port)
-	handler := NewServer(host, resourceAnalyzer, auth, tp, kubeCfg)
+	handler := NewServer(host, resourceAnalyzer, auth, kubeCfg)
+
+	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletTracing) {
+		handler.InstallTracingFilter(tp)
+	}
+
 	s := &http.Server{
 		Addr:           net.JoinHostPort(address.String(), strconv.FormatUint(uint64(port), 10)),
 		Handler:        &handler,
@ -193,7 +198,11 @@ func ListenAndServeKubeletReadOnlyServer(
 	port uint,
 	tp oteltrace.TracerProvider) {
 	klog.InfoS("Starting to listen read-only", "address", address, "port", port)
-	s := NewServer(host, resourceAnalyzer, nil, tp, nil)
+	s := NewServer(host, resourceAnalyzer, nil, nil)
+
+	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletTracing) {
+		s.InstallTracingFilter(tp, otelrestful.WithPublicEndpoint())
+	}

 	server := &http.Server{
 		Addr:           net.JoinHostPort(address.String(), strconv.FormatUint(uint64(port), 10)),
@ -270,7 +279,6 @@ func NewServer(
 	host HostInterface,
 	resourceAnalyzer stats.ResourceAnalyzer,
 	auth AuthInterface,
-	tp oteltrace.TracerProvider,
 	kubeCfg *kubeletconfiginternal.KubeletConfiguration) Server {

 	server := Server{
@ -284,9 +292,6 @@ func NewServer(
 	if auth != nil {
 		server.InstallAuthFilter()
 	}
-	if utilfeature.DefaultFeatureGate.Enabled(features.KubeletTracing) {
-		server.InstallTracingFilter(tp)
-	}
 	server.InstallDefaultHandlers()
 	if kubeCfg != nil && kubeCfg.EnableDebuggingHandlers {
 		server.InstallDebuggingHandlers()
@ -340,8 +345,8 @@ func (s *Server) InstallAuthFilter() {
 }

 // InstallTracingFilter installs OpenTelemetry tracing filter with the restful Container.
-func (s *Server) InstallTracingFilter(tp oteltrace.TracerProvider) {
-	s.restfulCont.Filter(otelrestful.OTelFilter("kubelet", otelrestful.WithTracerProvider(tp), otelrestful.WithPublicEndpoint()))
+func (s *Server) InstallTracingFilter(tp oteltrace.TracerProvider, opts ...otelrestful.Option) {
+	s.restfulCont.Filter(otelrestful.OTelFilter("kubelet", append(opts, otelrestful.WithTracerProvider(tp))...))
 }

 // addMetricsBucketMatcher adds a regexp matcher and the relevant bucket to use when
--- a/pkg/kubelet/server/server_test.go
+++ b/pkg/kubelet/server/server_test.go
@ -37,7 +37,6 @@ import (
 	cadvisorapiv2 "github.com/google/cadvisor/info/v2"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
-	oteltrace "go.opentelemetry.io/otel/trace"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@ -371,7 +370,6 @@ func newServerTestWithDebuggingHandlers(kubeCfg *kubeletconfiginternal.KubeletCo
 		fw.fakeKubelet,
 		stats.NewResourceAnalyzer(fw.fakeKubelet, time.Minute, &record.FakeRecorder{}),
 		fw.fakeAuth,
-		oteltrace.NewNoopTracerProvider(),
 		kubeCfg,
 	)
 	fw.serverUnderTest = &server