Cri-o should use --redirect-container-streaming=false

[jakolehm]

For added security (similar to dockershim).

See https://github.com/kubernetes/kubernetes/pull/64006 .

[SpComb]

I figure --redirect-container-streaming=false is already the default in Kube 1.11. Testing with a kubectl exec, the only connection to the cri-o port 10010 is from the kubelet to the local host:

root@terom-bionic-test:~# ss -ntp | grep 10010
ESTAB0      0                206.189.0.173:10010            206.189.0.173:64132  users:(("crio",pid=14100,fd=24))                                               
ESTAB0      0                206.189.0.173:64132            206.189.0.173:10010  users:(("kubelet",pid=15465,fd=18))                                            

However, crio still unnecessarily listens on the public IP, not localhost... see https://github.com/kubernetes-incubator/cri-o/pull/1714 for the fix

[jakolehm]

However, crio still unnecessarily listens on the public IP, not localhost

I think we can fix listen here: https://github.com/kontena/pharos-cluster/blob/master/lib/pharos/host/ubuntu/scripts/configure-cri-o.sh#L85

[SpComb]

This configuration seems to work on our version of crio:

root@terom-bionic-test:~# grep -E stream /etc/crio/crio.conf 
# stream_address is the IP address on which the stream server will listen
stream_address = "127.0.0.1"
# stream_port is the port on which the stream server will listen
stream_port = "0"

Testing with kubectl exec:

root@terom-bionic-test:~# ss -antp | grep crio
LISTEN   0      32768                  127.0.0.1:10239                  0.0.0.0:*            users:(("crio",pid=20115,fd=16))                                   
ESTAB    0      0                      127.0.0.1:10239                127.0.0.1:53864        users:(("crio",pid=20115,fd=12))