Disable Kubelet read-only port 10255 #324

Merged
merged 1 commit into from
Oct 19, 2018

dghubble
Member

Closes: #322

* We can finally disable the Kubelet read-only port 10255!
* Journey: #322 (comment)

dghubble merged commit 99a6d54 into master Oct 19, 2018
dghubble deleted the disable-kubelet-read-only-port branch October 19, 2018 06:31

@sbv-trueenergy

As you've noticed in kubernetes-retired/bootkube#1025 the pod-checkpointer still depends on the insecurePort.

For now this makes a lot of noise:

```
E1122 09:28:41.566220       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:28:46.591077       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:28:51.623905       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:28:56.661652       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:29:01.691568       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:29:06.716961       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:29:11.749546       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:29:16.779674       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:29:21.848972       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
E1122 09:29:26.874059       1 kubelet.go:54] failed to list local parent pods, assuming none are running: Get http://127.0.0.1:10255/pods/: dial tcp 127.0.0.1:10255: connect: connection refused
```

Should I just filter this in my papertrail destination for now or should I be worried?

@dghubble
Member Author

Yep, those logs are in my clusters too. It's noisy, but shouldn't be concerning; recovery through power-cycles has been exercised a bunch and that's where pod-checkpointer is used. I've found no issues.

Going forward, this should be resolved whenever bootkube#1027 merges and a new checkpointer image gets released.

If you're wanting something in the short term, you could try 55f0b95cf1471d8179b083c031f43a3a3bcabd0a from here being tested via terraform-render-bootkube patch and typhoon patch or building it yourself. Although I'm planning to wait for the upstream image and not merge those linked patches, since a Typhoon cluster shouldn't require any trust in images I've built.

dghubble added a commit to poseidon/terraform-render-bootstrap that referenced this pull request Nov 27, 2018
* Updates pod-checkpointer to prefer the Kubelet secure
API (before falling back to the Kubelet read-only API that
is disabled on Typhoon clusters since
poseidon/typhoon#324)
* Previously, pod-checkpointer checkpointed an initial set
of pods during bootstrapping so recovery from power cycling
clusters was unaffected, but logs were noisy
* kubernetes-retired/bootkube#1027
* kubernetes-retired/bootkube#1025
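
The ordering this commit message describes (Kubelet secure API first, read-only API only as a fallback), as an added Go example that is not pod-checkpointer's or Typhoon's own code. `Endpoint`, `ListPods` and `Demo` are hypothetical names, bearer-token authentication is an assumption, and the TLS server in `Demo` is a constructed stand-in; a real caller would pass a client that trusts the cluster CA.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

type Endpoint struct{ URL, Token string } // one Kubelet pod-list URL and its bearer token

// ListPods tries endpoints in order (secure API first); the first 200 OK wins.
func ListPods(c *http.Client, eps []Endpoint) ([]byte, string, error) {
	last := fmt.Errorf("no endpoints given")
	for _, ep := range eps {
		req, err := http.NewRequest(http.MethodGet, ep.URL, nil)
		if err != nil {
			return nil, "", err
		}
		if ep.Token != "" && strings.HasPrefix(ep.URL, "https://") { // credential only over TLS
			req.Header.Set("Authorization", "Bearer "+ep.Token)
		}
		resp, err := c.Do(req)
		if err != nil {
			last = err // e.g. "connection refused" once the read-only port is disabled
			continue
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err == nil && resp.StatusCode == http.StatusOK {
			return body, ep.URL, nil
		}
		last = fmt.Errorf("%s: status %d (read error: %v)", ep.URL, resp.StatusCode, err)
	}
	return nil, "", fmt.Errorf("no Kubelet endpoint usable: %w", last)
}

// Demo uses a constructed TLS server as a stand-in for the secure API (assumption).
func Demo() (string, error) {
	secure := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		io.WriteString(w, `{"kind":"PodList","items":[]}`)
	}))
	defer secure.Close()
	eps := []Endpoint{{secure.URL + "/pods/", "sample-token"}, {"http://127.0.0.1:10255/pods/", ""}}
	body, _, err := ListPods(secure.Client(), eps)
	return string(body), err
}

func main() { fmt.Println(Demo()) }
```
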
dghubble added a commit that referenced this pull request Nov 27, 2018
dghubble-robot pushed a commit to poseidon/terraform-onprem-kubernetes that referenced this pull request Nov 27, 2018
dghubble-robot pushed a commit to poseidon/terraform-digitalocean-kubernetes that referenced this pull request Nov 27, 2018
dghubble-robot pushed a commit to poseidon/terraform-aws-kubernetes that referenced this pull request Nov 27, 2018
dghubble-robot pushed a commit to poseidon/terraform-google-kubernetes that referenced this pull request Nov 27, 2018
sphw pushed a commit to m10io/tokenx-typhoon that referenced this pull request Dec 17, 2018
dghubble-robot pushed a commit to poseidon/terraform-azure-kubernetes that referenced this pull request May 25, 2020
Snaipe pushed a commit to aristanetworks/monsoon that referenced this pull request Apr 13, 2023