KEP for statusz page for Kubernetes Components #4830
richabanker commented Sep 6, 2024
- One-line PR description: Add a KEP for statusz page in Kubernetes components.
- Issue link: Statusz for Kubernetes Components #4827
/assign @logicalhan

Branch force-pushed from 70c5c71 to 88c67e5.
Branch force-pushed from 05e08ad to 69f0be3.
/approve

Branch force-pushed from b5c46f5 to ab4b0cf.
/assign @rexagod

Branch force-pushed from 0eb76a3 to 37aa937.
/approve

Branch force-pushed from e35b408 to 745deac.
Branch force-pushed from 4503a4b to 1c5aac3.
/lgtm
### Authz and authn

Access to the endpoint will be limited to members of the `system:monitoring group` ([ref](https://github.com/kubernetes/kubernetes/blob/release-1.31/staging/src/k8s.io/apiserver/pkg/authentication/user/user.go#L73)), which is how paths like /healthz, /livez, /readyz are restricted today.
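Review bot: the inline code span here wraps `system:monitoring group`, so the word "group" renders as part of the identifier; it should read the `system:monitoring` group. More importantly, the sentence only describes the apiserver case: membership in that group yields nonResourceURL grants for paths like /healthz, /livez, /readyz and /metrics, while the kubelet reports its denials in resource terms (`resource=nodes, subresource=metrics` in the test later in this thread), so the paragraph should name the node subresource and the ClusterRole rule that the kubelet's /statusz would need, or state explicitly that kubelet access is out of scope.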
For kubelet, can you please add details about what the RBAC permissions will be for accessing this endpoint?
system:monitoring does not have the ability to call the kubelet's endpoints AFAIK. What subresource will allow a user access to kubelet's statusz endpoint?
Does this endpoint expect to be programmatically queried? I was assuming no, which makes it feel different than the endpoints that are granted to system:monitoring.
@richabanker - I think it would help to clarify what you will be adding. Can you add a markdown code section of what changes you will make to the system:monitoring ClusterRole.
I don't think this will work. Here is how I tested this.

Create a serviceaccount:

```shell
kubectl create serviceaccount hello --namespace default
```

Create a binding to the system:monitoring ClusterRole:

```shell
kubectl create clusterrolebinding --clusterrole=system:monitoring --serviceaccount default:hello helloissystemmonitor
```

Call the kubelet metrics endpoint via apiserver proxy:

```shell
kubectl get --raw /api/v1/nodes/$(kubectl get nodes --no-headers | awk '{print $1}')/proxy/metrics --token $(kubectl create token hello)
```

```text
Error from server (Forbidden): nodes "gke-test-default-pool-93fcb923-nt6x" is forbidden: User "system:serviceaccount:default:hello" cannot get resource "nodes/proxy" in API group "" at the cluster scope
```

Now let's try directly accessing the kubelet API of the node.

Create a file called pod.yaml with these contents:

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: ubuntu-sleeper
spec:
  serviceAccount: hello
  containers:
  - name: ubuntu
    image: ubuntu:latest # Use the latest Ubuntu image
    command: ["/bin/bash", "-c", "apt-get update && apt-get install -y curl jq && sleep infinity"] # Start a bash shell
    env:
    - name: NODE_IP
      valueFrom:
        fieldRef:
          fieldPath: status.hostIP
```

Create a pod:

```shell
kubectl apply -f pod.yaml
```

Exec into the pod:

```shell
kubectl exec ubuntu-sleeper -it -- /bin/bash
```

Run the following command inside the pod:

```shell
root@ubuntu-sleeper:/# curl -k https://$NODE_IP:10250/metrics -H "Authorization: Bearer $(cat /var/run/secrets/kubernetes.io/serviceaccount/token)"
Forbidden (user=system:serviceaccount:default:hello, verb=get, resource=nodes, subresource=metrics)
```

Now let's check the permissions that hello has:

```shell
kubectl auth can-i --list --as system:serviceaccount:default:hello
```

```text
Warning: the list may be incomplete: webhook authorizer does not support user rule resolution
Resources                                       Non-Resource URLs                     Resource Names   Verbs
selfsubjectreviews.authentication.k8s.io        []                                    []               [create]
selfsubjectaccessreviews.authorization.k8s.io   []                                    []               [create]
selfsubjectrulesreviews.authorization.k8s.io    []                                    []               [create]
                                                [/.well-known/openid-configuration/]  []               [get]
                                                [/.well-known/openid-configuration]   []               [get]
                                                [/api/*]                              []               [get]
                                                [/api]                                []               [get]
                                                [/apis/*]                             []               [get]
                                                [/apis]                               []               [get]
                                                [/healthz/*]                          []               [get]
                                                [/healthz]                            []               [get]
                                                [/healthz]                            []               [get]
                                                [/healthz]                            []               [get]
                                                [/livez/*]                            []               [get]
                                                [/livez]                              []               [get]
                                                [/livez]                              []               [get]
                                                [/livez]                              []               [get]
                                                [/metrics/slis]                       []               [get]
                                                [/metrics]                            []               [get]
                                                [/openapi/*]                          []               [get]
                                                [/openapi]                            []               [get]
                                                [/openid/v1/jwks/]                    []               [get]
                                                [/openid/v1/jwks]                     []               [get]
                                                [/readyz/*]                           []               [get]
                                                [/readyz]                             []               [get]
                                                [/readyz]                             []               [get]
                                                [/readyz]                             []               [get]
                                                [/version/]                           []               [get]
                                                [/version/]                           []               [get]
                                                [/version]                            []               [get]
                                                [/version]                            []               [get]
```

Notice that it has /metrics permissions, but that won't give it permissions for kubelet. For kubelet you will have to extend the RBAC to something like nodes/statusz or something like that.
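As an added example (not code from the KEP, the kubelet, or anyone in this thread), the following Go program models the distinction the test above exposes: RBAC nonResourceURL grants such as `/metrics` apply to apiserver paths, while the kubelet authorizes every request as a `nodes/<subresource>` resource check, so a `/metrics` URL grant never covers `nodes/metrics` and a `/statusz` grant would not cover the kubelet either. The prefix-to-subresource table, the `/statusz` to `statusz` mapping and the `nodes/statusz` rule are assumptions modeled on the discussion, not existing kubelet behaviour or an existing subresource; the rule matcher is a deliberately reduced model of RBAC, not the apiserver's authorizer.

```go
package main

import (
	"fmt"
	"strings"
)

// Attributes is an authorization question: either a resource request
// (Resource/Subresource set) or a non-resource URL request (Path set).
// Simplified model written for this example, not client-go's type.
type Attributes struct {
	Verb        string
	Resource    string
	Subresource string
	Path        string
}

// Rule is a minimal RBAC PolicyRule: verbs plus either nonResourceURLs
// (apiserver paths such as /metrics or /healthz/*) or resources ("nodes/statusz").
type Rule struct {
	Verbs           []string
	NonResourceURLs []string
	Resources       []string
}

// kubeletSubresources models how the kubelet rewrites a request path into a
// nodes/<subresource> attribute; anything not listed is treated as nodes/proxy.
// The thread only shows the /metrics -> nodes/metrics case; "/statusz" -> "statusz"
// is a hypothetical addition, not an existing subresource.
var kubeletSubresources = []struct{ prefix, sub string }{
	{"/stats", "stats"},
	{"/metrics", "metrics"},
	{"/logs", "log"},
	{"/statusz", "statusz"}, // hypothetical, per the nodes/statusz suggestion above
}

// KubeletAttributes converts an HTTP method and path into the resource
// attributes a kubelet would check, e.g. GET /metrics -> get nodes/metrics.
func KubeletAttributes(method, path string) Attributes {
	verbs := map[string]string{"GET": "get", "HEAD": "get", "POST": "create", "PUT": "update", "PATCH": "patch", "DELETE": "delete"}
	attrs := Attributes{Verb: verbs[method], Resource: "nodes", Subresource: "proxy"}
	for _, m := range kubeletSubresources {
		if path == m.prefix || strings.HasPrefix(path, m.prefix+"/") {
			attrs.Subresource = m.sub
		}
	}
	return attrs
}

func hasVerb(r Rule, verb string) bool {
	for _, v := range r.Verbs {
		if v == "*" || v == verb {
			return true
		}
	}
	return false
}

// matchURL implements the nonResourceURLs wildcard: a trailing "*" matches any suffix.
func matchURL(pattern, path string) bool {
	if strings.HasSuffix(pattern, "*") {
		return strings.HasPrefix(path, strings.TrimSuffix(pattern, "*"))
	}
	return pattern == path
}

// Authorize reports whether any rule grants the request. Resource requests are
// matched only against resource rules and URL requests only against URL rules,
// which is why an apiserver "/metrics" grant says nothing about "nodes/metrics".
func Authorize(rules []Rule, a Attributes) bool {
	want := a.Resource
	if a.Subresource != "" {
		want += "/" + a.Subresource
	}
	for _, r := range rules {
		if !hasVerb(r, a.Verb) {
			continue
		}
		if a.Resource == "" {
			for _, u := range r.NonResourceURLs {
				if matchURL(u, a.Path) {
					return true
				}
			}
			continue
		}
		for _, res := range r.Resources {
			if res == "*" || res == want {
				return true
			}
		}
	}
	return false
}

// SystemMonitoringRules reproduces the relevant non-resource grants that
// `kubectl auth can-i --list` printed above for the test service account.
var SystemMonitoringRules = []Rule{{
	Verbs:           []string{"get"},
	NonResourceURLs: []string{"/healthz", "/healthz/*", "/livez", "/livez/*", "/readyz", "/readyz/*", "/metrics", "/metrics/slis", "/version", "/version/"},
}}

// WithStatusz returns a copy of the monitoring rules plus the two hypothetical
// grants a statusz rollout would need under this model: the apiserver path and
// the kubelet subresource. Neither exists in Kubernetes today.
func WithStatusz() []Rule {
	out := append([]Rule{}, SystemMonitoringRules...)
	return append(out,
		Rule{Verbs: []string{"get"}, NonResourceURLs: []string{"/statusz"}},
		Rule{Verbs: []string{"get"}, Resources: []string{"nodes/statusz"}},
	)
}

func main() {
	fmt.Println("apiserver /metrics:          ", Authorize(SystemMonitoringRules, Attributes{Verb: "get", Path: "/metrics"}))
	fmt.Println("kubelet /metrics:            ", Authorize(SystemMonitoringRules, KubeletAttributes("GET", "/metrics")))
	fmt.Println("kubelet /statusz after grant:", Authorize(WithStatusz(), KubeletAttributes("GET", "/statusz")))
	fmt.Println("kubelet /pods after grant:   ", Authorize(WithStatusz(), KubeletAttributes("GET", "/pods")))
}
```

The last line is the check a reviewer would want before accepting any such grant: adding `nodes/statusz` must not widen the group to `nodes/proxy`, which is what full kubelet API access would require.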
I have added a markdown for changes that we can do to system:monitoring role to allow access to kubelet's /statusz. Does this look ok now @vinayakankugoyal ?
Hmm... I am not sure about this.
It seems like system:monitoring did not previously have permissions to call the kubelet API; do we really want to grant this permission?
I added these changes to system:monitoring as placeholder for now. We can have a final decision on this once @tallclair (sig-node) is available for comments. Also filed kubernetes/kubernetes#127990 to track the discussion.

Branch force-pushed from 1c5aac3 to acd0c8a.
#### As a developer

- I want to quickly identify the exact version of a binary running in production so I can correlate it with known issues or recent code changes
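Review bot: this user story is already satisfied for the apiserver by `kubectl get --raw /version` and by the `kubernetes_build_info` metric, as the replies in this thread point out, so as written it reads as duplication rather than motivation. State concretely what statusz gives a developer beyond the version fields (the reply below mentions component status and links to other z-pages), or name the components for which no equivalent endpoint exists, so the story justifies the new surface on its own.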
You can already do this by calling `/version`; why not just use that?

```shell
kubectl get --raw /version
```

```json
{
  "major": "1",
  "minor": "31",
  "gitVersion": "v1.31.1-gke.1472000",
  "gitCommit": "e21141bf6951009a138dda22624a11674fb9be02",
  "gitTreeState": "clean",
  "buildDate": "2024-09-23T20:27:37Z",
  "goVersion": "go1.22.6 X:boringcrypto",
  "compiler": "gc",
  "platform": "linux/amd64"
}
```
This information is also exposed via a metric:

```shell
kubectl get --raw /metrics | grep "^kubernetes_build_info.*"
```

```text
kubernetes_build_info{build_date="2024-09-23T20:27:37Z",compiler="gc",git_commit="e21141bf6951009a138dda22624a11674fb9be02",git_tree_state="clean",git_version="v1.31.1-gke.500",go_version="go1.22.6 X:boringcrypto",major="1",minor="31",platform="linux/amd64"} 1
```
I understand that the proposed statusz endpoint might seem a bit redundant given the existing /version endpoint. However, statusz offers a dedicated space for comprehensive component information, going beyond just version details. It has the potential to serve as a central debugging hub, providing not only component status but also links to other relevant z-pages for deeper observability.
Co-authored-by: Pranshu Srivastava <[email protected]>

Branch force-pushed from acd0c8a to 81b7494.
Access to the endpoint will be limited to members of the `system:monitoring group` ([ref](https://github.com/kubernetes/kubernetes/blob/release-1.31/staging/src/k8s.io/apiserver/pkg/authentication/user/user.go#L73)), which is how paths like /healthz, /livez, /readyz are restricted today.

// NOTE: Placeholder suggestion for handling kubelet auth. Subject to change based on https://github.com/kubernetes/kubernetes/issues/127990
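Review bot: the `// NOTE:` line uses a source-code comment marker inside a Markdown design document, so it will render as literal body text rather than as an aside; write it as a plain "Note:" paragraph or a blockquote. Since the RBAC change it qualifies is explicitly a placeholder pending https://github.com/kubernetes/kubernetes/issues/127990, the Authz and authn section should also say that the kubelet authorization decision is unresolved, so that approvers and implementers do not read the current `system:monitoring` wording as final.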
I am fine with deciding on it during implementation
/lgtm
/lgtm
/lgtm
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: jpbetz, logicalhan, richabanker, SergeyKanzhelev The full list of commands accepted by this bot can be found here. The pull request process is described here