kubernetes-sigs / cloud-provider-equinix-metal

Kubernetes Cloud Provider for Equinix Metal (formerly Packet Cloud Controller Manager)
https://deploy.equinix.com/labs/cloud-provider-equinix-metal
Apache License 2.0

In eip_controlplane_reconciliation : GET `/healthz` check unauthenticated OR authenticated #519

Open hh opened 4 months ago

hh commented 4 months ago

Currently we only perform an unauthenticated check here: https://github.com/kubernetes-sigs/cloud-provider-equinix-metal/blob/3fb9b358ecaa037ed271b29246ef8f9b29bab77a/metal/eip_controlplane_reconciliation.go#L250

While the default for upstream Kubernetes allows anonymous requests.

See https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

--anonymous-auth     Default: true Enables anonymous requests to the secure port of the API server. Requests that are not rejected by another authentication method are treated as anonymous requests. Anonymous requests have a username of system:anonymous, and a group name of system:unauthenticated.

Talos and possibly other Kubernetes distributions disable unauthenticated access to the Kubernetes API.

I suggest trying an unauthenticated request first, and if that fails, try authenticated with the credentials available to the CCM pod.
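The probe order suggested above (anonymous first, then the CCM pod's own credential only if the server rejects anonymous), written out as an added example that is not code from this repository; `probe`, `healthzOK` and the httptest stand-in for kube-apiserver are assumed names, and the bearer token would come from the pod's service-account token file rather than a literal:

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// probe sends GET <apiURL>/healthz, adding a bearer token when given, and returns the HTTP status.
func probe(client *http.Client, apiURL, token string) (int, error) {
	req, err := http.NewRequest(http.MethodGet, apiURL+"/healthz", nil)
	if err != nil {
		return 0, err
	}
	if token != "" {
		req.Header.Set("Authorization", "Bearer "+token)
	}
	resp, err := client.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// healthzOK probes anonymously first and retries with the token only after a 401/403
// (the --anonymous-auth=false case, as on Talos), so permissive clusters never see the credential.
func healthzOK(client *http.Client, apiURL, token string) (bool, error) {
	status, err := probe(client, apiURL, "")
	if err != nil {
		return false, err
	}
	retry := (status == http.StatusUnauthorized || status == http.StatusForbidden) && token != ""
	if status == http.StatusOK || !retry {
		return status == http.StatusOK, nil
	}
	status, err = probe(client, apiURL, token)
	return err == nil && status == http.StatusOK, err
}

// newFakeAPIServer: constructed kube-apiserver stand-in; with anonymous=false, /healthz is 200 only for the expected bearer token, else 401.
func newFakeAPIServer(token string, anonymous bool) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !anonymous && r.Header.Get("Authorization") != "Bearer "+token {
			w.WriteHeader(http.StatusUnauthorized)
			return
		}
		fmt.Fprint(w, "ok")
	}))
}
```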

hh commented 2 months ago

We fixed this previously by adding the following:

https://github.com/sharingio/infra/blob/main/terraform/equinix-metal-talos-cluster/main.tf#L161-L164

```yaml
cluster:
    apiServer:
        extraArgs:
            anonymous-auth: true
```

hh commented 2 months ago

This should probably get documented somewhere in the Equinix + Talos deployment pages, I'll see what I can find.