docker / for-win

Bug reports for Docker Desktop for Windows
https://www.docker.com/products/docker#/windows

Kubernetes local cluster should be configured for secure access #3253

Open aparamon opened 5 years ago

aparamon commented 5 years ago

Expected behavior

The Kubernetes local cluster should be configured for secure access with TLS cert validation, so clients like the Python library do not issue unnecessary warnings. The generated cluster in .kube/config should look like

- cluster:
    certificate-authority: C:\ProgramData\DockerDesktop\pki\apiserver.crt
    server: https://localhost:6445
  name: docker-for-desktop-cluster

or

- cluster:
    certificate-authority-data: LS0tLS1CRUdJ<skip>tCg==
    server: https://localhost:6445
  name: docker-for-desktop-cluster

For comparison, Minikube creates

- cluster:
    certificate-authority: /home/username/.minikube/ca.crt
    server: https://127.0.0.1:8443
  name: minikube

Actual behavior

Docker for Desktop specifies insecure-skip-tls-verify:

- cluster:
    insecure-skip-tls-verify: true
    server: https://localhost:6445
  name: docker-for-desktop-cluster

Information

Steps to reproduce the behavior

  1. Start Kubernetes local cluster.
  2. Run minimal Kubernetes Python client script:
    >python example1.py
    Listing pods with their IPs:
    C:\ProgramData\Anaconda3\lib\site-packages\urllib3\connectionpool.py:847: InsecureRequestWarning: Unverified HTTPS request is being made. Adding certificate verification is strongly advised. See: https://urllib3.r
    eadthedocs.io/en/latest/advanced-usage.html#ssl-warnings
    InsecureRequestWarning)
    10.1.0.202      docker  compose-74649b4db6-tqwwc
    192.168.65.3    docker  compose-api-569784c5b6-8jd87
    192.168.65.3    kube-system     etcd-docker-for-desktop
    192.168.65.3    kube-system     kube-apiserver-docker-for-desktop
    192.168.65.3    kube-system     kube-controller-manager-docker-for-desktop
    10.1.0.203      kube-system     kube-dns-86f4d74b45-2c7pk
    192.168.65.3    kube-system     kube-proxy-2lq7j
    192.168.65.3    kube-system     kube-scheduler-docker-for-desktop
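
Added example, not part of the original issue and not Docker's or the Kubernetes client's code: a standard-library Python check that reads a kubeconfig and reports, per cluster entry, whether TLS verification is disabled, pinned to a CA, or left to the system trust store. It assumes the two-space block layout shown in the snippets above; the function name, verdict labels and the sample file (including the `no-ca-configured` entry) are constructed for illustration.

```python
import re

# Constructed sample: the "actual behavior" entry and the Minikube entry from
# the issue, plus one entry with no CA setting at all.
SAMPLE = """\
apiVersion: v1
clusters:
- cluster:
    insecure-skip-tls-verify: true
    server: https://localhost:6445
  name: docker-for-desktop-cluster
- cluster:
    certificate-authority: /home/username/.minikube/ca.crt
    server: https://127.0.0.1:8443
  name: minikube
- cluster:
    server: https://localhost:6445
  name: no-ca-configured
contexts: []
"""

KEY_VALUE = re.compile(r"^\s*(?:- )?([\w-]+):\s*(.*?)\s*$")

def audit_clusters(text):
    """Map each cluster name to 'unverified', 'pinned-ca' or 'system-trust-store'."""
    entries, in_clusters = [], False
    for line in text.splitlines():
        indent = len(line) - len(line.lstrip(" "))
        if not line.strip() or indent > 4:   # skip blanks and nested blocks (e.g. extensions)
            continue
        if line[0] not in " -":              # a new top-level key starts here
            in_clusters = line.startswith("clusters:")
            continue
        if not in_clusters:
            continue
        if line.startswith("- "):            # each column-0 list item is one cluster entry
            entries.append({})
        match = KEY_VALUE.match(line)
        if match and entries:
            entries[-1][match.group(1)] = match.group(2).strip("'\"")
    findings = {}
    for entry in entries:
        if entry.get("insecure-skip-tls-verify", "").lower() == "true":
            verdict = "unverified"           # server certificate is never checked
        elif entry.get("certificate-authority") or entry.get("certificate-authority-data"):
            verdict = "pinned-ca"
        else:
            verdict = "system-trust-store"
        findings[entry.get("name", "<unnamed>")] = verdict
    return findings

if __name__ == "__main__":
    for name, verdict in audit_clusters(SAMPLE).items():
        print(f"{name}: {verdict}")
```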

docker-robott commented 5 years ago

Issues go stale after 90d of inactivity. Mark the issue as fresh with /remove-lifecycle stale comment. Stale issues will be closed after an additional 30d of inactivity.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so.

Send feedback to Docker Community Slack channels #docker-for-mac or #docker-for-windows. /lifecycle stale

aparamon commented 5 years ago

/lifecycle frozen