Closed: jakolehm closed this issue 6 years ago
I figure `--redirect-container-streaming=false` is already the default in Kube 1.11. Testing with a `kubectl exec`, the only connection to the cri-o port 10010 is from the kubelet to the local host:
```
root@terom-bionic-test:~# ss -ntp | grep 10010
ESTAB 0 0 206.189.0.173:10010 206.189.0.173:64132 users:(("crio",pid=14100,fd=24))
ESTAB 0 0 206.189.0.173:64132 206.189.0.173:10010 users:(("kubelet",pid=15465,fd=18))
```
However, crio still unnecessarily listens on the public IP, not localhost... see https://github.com/kubernetes-incubator/cri-o/pull/1714 for the fix
I think we can fix listen here: https://github.com/kontena/pharos-cluster/blob/master/lib/pharos/host/ubuntu/scripts/configure-cri-o.sh#L85
This configuration seems to work on our version of crio:
```
root@terom-bionic-test:~# grep -E stream /etc/crio/crio.conf
# stream_address is the IP address on which the stream server will listen
stream_address = "127.0.0.1"
# stream_port is the port on which the stream server will listen
stream_port = "0"
```
Testing with `kubectl exec`:
```
root@terom-bionic-test:~# ss -antp | grep crio
LISTEN 0 32768 127.0.0.1:10239 0.0.0.0:* users:(("crio",pid=20115,fd=16))
ESTAB 0 0 127.0.0.1:10239 127.0.0.1:53864 users:(("crio",pid=20115,fd=12))
```
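The manual checks above (grep the `stream_address` key, then confirm with `ss -antp` that crio only listens on loopback) as one scripted verification. This is an added example, not code from pharos-cluster or cri-o; the crio.conf fragment and `ss` lines are constructed samples, and the live `check_crio_stream` invocation at the end is a hypothetical usage.

```shell
#!/bin/sh
# Added example (not from the pharos-cluster project): verify that the crio
# stream server is bound to loopback only, using (a) the stream_address key in
# crio.conf and (b) the listening sockets reported by `ss -antp`.

# Constructed crio.conf fragment, matching the configuration shown in the thread.
CRIO_CONF_SAMPLE='# stream_address is the IP address on which the stream server will listen
stream_address = "127.0.0.1"
# stream_port is the port on which the stream server will listen
stream_port = "0"'

# Constructed `ss -antp` lines: a loopback crio listener (good), a public-IP
# crio listener (bad), an established crio socket and an unrelated kubelet socket.
SS_SAMPLE='LISTEN 0 32768 127.0.0.1:10239 0.0.0.0:* users:(("crio",pid=20115,fd=16))
LISTEN 0 32768 206.189.0.173:10010 0.0.0.0:* users:(("crio",pid=14100,fd=24))
ESTAB 0 0 127.0.0.1:10239 127.0.0.1:53864 users:(("crio",pid=20115,fd=12))
LISTEN 0 128 0.0.0.0:10250 0.0.0.0:* users:(("kubelet",pid=15465,fd=18))'

# Print the configured stream_address from crio.conf text on stdin
# (quotes stripped; comment lines ignored).
crio_stream_address() {
  grep -E '^[[:space:]]*stream_address[[:space:]]*=' \
    | sed -E 's/.*=[[:space:]]*"?([^"]*)"?.*/\1/' | head -n1
}

# Print every crio LISTEN socket from `ss -antp` text on stdin whose local
# address is not loopback (127.0.0.0/8 or [::1]). Empty output means OK.
crio_public_listeners() {
  awk '$1 == "LISTEN" && index($0, "crio") {
         addr = $4; sub(/:[0-9]+$/, "", addr)
         if (addr !~ /^127\./ && addr != "[::1]") print $4
       }'
}

# Return 0 only if the config says loopback AND no crio socket listens on a
# non-loopback address; otherwise print the finding and return 1.
check_crio_stream() {
  conf_text="$1"; ss_text="$2"
  addr=$(printf '%s\n' "$conf_text" | crio_stream_address)
  [ "$addr" = "127.0.0.1" ] || { echo "stream_address is '$addr', expected 127.0.0.1"; return 1; }
  bad=$(printf '%s\n' "$ss_text" | crio_public_listeners)
  [ -z "$bad" ] || { echo "crio listening on non-loopback address: $bad"; return 1; }
  echo "crio stream server is loopback-only"
}

# Hypothetical live usage on a node:
#   check_crio_stream "$(cat /etc/crio/crio.conf)" "$(ss -antp)"
```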
For added security (similar to dockershim).
See https://github.com/kubernetes/kubernetes/pull/64006.