Kubespray: Full TLS for cluster components

Created on 27 Dec 2016 · 5 Comments · Source: kubernetes-sigs/kubespray

Users want an option to deploy K8s clusters with Kargo where nothing uses insecure HTTP connections, even to localhost:port. Related: http://kubernetes.io/docs/admin/kube-apiserver/ and https://github.com/kubernetes/kubernetes/issues/10159

feature lifecycle/rotten security

All 5 comments

+1 - also, I believe that Kargo should set up secure by default for the control plane. The only situation where this may have a challenge is when an external etcd cluster is used: in which case --etcd-cafile=/var/lib/kubernetes/ca.pem and --etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379 can anyways be used.

Bugs to consider - https://github.com/kubernetes/kubernetes/issues/14977, https://github.com/kubernetes/kubernetes/issues/15056, https://github.com/kubernetes/kubernetes/issues/29330, https://github.com/kubernetes/kubernetes/issues/27343, https://github.com/juju-solutions/bundle-canonical-kubernetes/issues/153

there seems to be a hardcoding issue - https://github.com/kubernetes/kubernetes/issues/27343#issuecomment-226137088

Which pieces are missing? I think only the localhost:8080 nginx for HA masters?
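
Added example (not part of the thread and not Kubespray code): a small Python audit of a kube-apiserver command line for the plaintext paths discussed above, the localhost:8080 listener and non-HTTPS etcd endpoints. The function names and both sample command lines are constructed for illustration, and it assumes a kube-apiserver release that still accepts the --insecure-port and --insecure-bind-address flags.

```python
import shlex
from urllib.parse import urlsplit


def parse_flags(cmdline):
    """Turn '--k=v' and '--k v' tokens into a dict (last occurrence wins)."""
    tokens = shlex.split(cmdline)
    flags, i = {}, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("--"):
            key, sep, val = tok[2:].partition("=")
            # '--k v' form: take the next token as the value unless it is a flag.
            if not sep and i + 1 < len(tokens) and not tokens[i + 1].startswith("--"):
                val = tokens[i + 1]
                i += 1
            flags[key] = val
        i += 1
    return flags


def audit_apiserver(cmdline):
    """Return findings about plaintext listeners and plaintext etcd links."""
    flags = parse_flags(cmdline)
    findings = []
    if flags.get("insecure-port") != "0":
        findings.append("insecure-port is not explicitly 0")
    if "insecure-bind-address" in flags:
        findings.append("insecure-bind-address is set")
    servers = [s for s in flags.get("etcd-servers", "").split(",") if s]
    for url in servers:
        if urlsplit(url).scheme != "https":
            findings.append(f"etcd server without TLS: {url}")
    if servers and not flags.get("etcd-cafile"):
        findings.append("etcd-cafile is missing")
    return findings


# Constructed command lines; the etcd addresses and CA path are the ones quoted in the thread.
PLAINTEXT = ("kube-apiserver --insecure-bind-address=127.0.0.1 --insecure-port=8080 "
             "--etcd-servers=http://10.240.0.10:2379,https://10.240.0.11:2379")
HARDENED = ("kube-apiserver --insecure-port=0 --secure-port 6443 "
            "--etcd-cafile=/var/lib/kubernetes/ca.pem "
            "--etcd-servers=https://10.240.0.10:2379,https://10.240.0.11:2379,https://10.240.0.12:2379")

if __name__ == "__main__":
    for name, cmd in (("plaintext", PLAINTEXT), ("hardened", HARDENED)):
        print(name, audit_apiserver(cmd) or "no findings")
```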

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@fejta-bot: Closing this issue.
