I am not currently running k8s with TLS on either the api servers or the kubelet. I w

API server is running on localhost:8080: <div class="snippet-clipboard-content not

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

When using --in-cluster=false then <code class="notra

<a class="user-mention notranslate" data-hovercard-type="user" data-hovercard-url="/us

Support non-ssl api server about kube-state-metrics HOT 12 CLOSED

kubernetes commented on August 27, 2024 4

Support non-ssl api server

from kube-state-metrics.

Comments (12)

matthughes commented on August 27, 2024

API server is running on localhost:8080:

core@master0 ~ $ curl localhost:8080 | head
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   533  100   533    0     0  71123      0 --:--:-- --:--:-- --:--:-- 88833
{
  "paths": [
    "/api",
    "/api/v1",
    "/apis",
    "/apis/apps",
    "/apis/apps/v1alpha1",
    "/apis/autoscaling",
    "/apis/autoscaling/v1",
    "/apis/batch",

But when you try to run with the flags given in the README, the app complains about invalid config:

core@master0 ~ $ docker run -i -t gcr.io/google_containers/kube-state-metrics:v0.3.0 --apiserver=localhost:8080 --in-cluster=false
F1025 20:35:46.021743       1 main.go:86] Failed to create client: invalid configuration: no configuration has been provided
goroutine 1 [running]:
k8s.io/kube-state-metrics/vendor/github.com/golang/glog.stacks(0x1cc5700, 0xc400000000, 0x7d, 0xa0)
  src/k8s.io/kube-state-metrics/vendor/github.com/golang/glog/glog.go:766 +0xa5
k8s.io/kube-state-metrics/vendor/github.com/golang/glog.(*loggingT).output(0x1ca5220, 0xc400000003, 0xc42006ac00, 0x1c402df, 0x7, 0x56, 0x0)
  src/k8s.io/kube-state-metrics/vendor/github.com/golang/glog/glog.go:717 +0x337
k8s.io/kube-state-metrics/vendor/github.com/golang/glog.(*loggingT).printf(0x1ca5220, 0x3, 0x1475343, 0x1b, 0xc42065fec8, 0x1, 0x1)
  src/k8s.io/kube-state-metrics/vendor/github.com/golang/glog/glog.go:655 +0x14c
k8s.io/kube-state-metrics/vendor/github.com/golang/glog.Fatalf(0x1475343, 0x1b, 0xc42065fec8, 0x1, 0x1)
  src/k8s.io/kube-state-metrics/vendor/github.com/golang/glog/glog.go:1145 +0x67
main.main()
  src/k8s.io/kube-state-metrics/main.go:86 +0x20b

from kube-state-metrics.

agsmith commented on August 27, 2024

@matthughes It looks like that you can't set the apiserver directly, if the --in-cluster flag is false.
https://github.com/kubernetes/kube-state-metrics/blob/master/main.go#L95

Can you try just setting the --apiserver, leaving the --in-cluster flag to default to true?

from kube-state-metrics.

aabed commented on August 27, 2024

kube-state-metrics --apiserver=http://127.0.0.1 --in-cluster=false --port=8080
F1107 18:28:01.456102 39302 main.go:86] Failed to create client: invalid configuration: no configuration has been provided goroutine 1 [running]: github.com/kube-state-metrics/vendor/github.com/golang/glog.stacks(0x2667300, 0x0, 0x0, 0x0) /home/mc/work/src/github.com/kube-state-metrics/vendor/github.com/golang/glog/glog.go:766 +0xb8 github.com/kube-state-metrics/vendor/github.com/golang/glog.(*loggingT).output(0x2646f40, 0xc800000003, 0xc8200d8d80, 0x25f7ece, 0x7, 0x56, 0x0) /home/mc/work/src/github.com/kube-state-metrics/vendor/github.com/golang/glog/glog.go:717 +0x259 github.com/kube-state-metrics/vendor/github.com/golang/glog.(*loggingT).printf(0x2646f40, 0x3, 0x1c0b2a0, 0x1b, 0xc82053bea0, 0x1, 0x1) /home/mc/work/src/github.com/kube-state-metrics/vendor/github.com/golang/glog/glog.go:655 +0x1d4 github.com/kube-state-metrics/vendor/github.com/golang/glog.Fatalf(0x1c0b2a0, 0x1b, 0xc82053bea0, 0x1, 0x1) /home/mc/work/src/github.com/kube-state-metrics/vendor/github.com/golang/glog/glog.go:1145 +0x5d main.main() /home/mc/work/src/github.com/kube-state-metrics/main.go:86 +0x3ad

from kube-state-metrics.

brancz commented on August 27, 2024

When using --in-cluster=false then kube-state-metrics tries to find configuration using the default config loading mechanisms which means it will try to load it from your ~/.kube/config. My guess is that that is the case. Otherwise I guess we can add allowing the apiserver to be set when using --in-cluster, however, that seems like an antipattern and using TLS is definitely recommended.

from kube-state-metrics.

Sudneo commented on August 27, 2024

@brancz I am currently running k8s without TLS anywhere , and I faced this issue also. I also had the error of failed serviceAccount token check. Are these elements really necessary or I can hack around (passing some dummy values, for example?). If they are necessary, will I be able to switch to TLS for the whole API server or just for this specific case?

from kube-state-metrics.

therc commented on August 27, 2024

I can confirm that --apiserver=http://... works, without setting --in-cluster=false.

Now the sad thing is that, if I pass an HTTPS endpoint with a certificate that the cluster does not know about, but which is valid, passing chain verification from public roots, i.e. not a self-signed one, the state-metrics pod complains with "certificate signed by unknown authority". This is because the Docker image has no /etc/ssl/certs/ca-certificates.crt file. :-(

from kube-state-metrics.

brancz commented on August 27, 2024

@therc I'm confused as to where you are trying to run kube-state-metrics, inside or outside of your kubernetes cluster? If outside, you can specify the ca file in your kubeconfig and if inside it should be properly set by the ServiceAccount.

@Sudneo you have the option of specifying your own kubeconfig even when running it inside your cluster by setting --in-cluster to false and specifying everything correctly in the kubeconfig. The token is just a secret provided through the ServiceAcccount. In other words it's a Secret like any other and you can use it for the for kube-state-metrics as well.

from kube-state-metrics.

therc commented on August 27, 2024

@brancz This is inside the cluster. But I have the masters in a high-availability setup, behind an AWS load balancer, which has a real certificate from AWS' Certificate Manager, i.e. not self-signed. Are admins expected to put Amazon's CA certificate in Kubeconfig?

from kube-state-metrics.

brancz commented on August 27, 2024

I'm not sure I understand why you don't run kube-state-metrics in cluster and let Kubernetes load balance the requests?

from kube-state-metrics.

fejta-bot commented on August 27, 2024

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

Prevent issues from auto-closing with an /lifecycle frozen comment.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle stale

from kube-state-metrics.

fejta-bot commented on August 27, 2024

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or @fejta.
/lifecycle rotten
/remove-lifecycle stale

from kube-state-metrics.

fejta-bot commented on August 27, 2024

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

from kube-state-metrics.

Support non-ssl api server about kube-state-metrics HOT 12 CLOSED

Comments (12)

Related Issues (20)

Recommend Projects

React

Vue.js

Typescript

TensorFlow

Django

Laravel

D3

Recommend Topics

javascript

web

server

Machine learning

Visualization

Game

Recommend Org

Facebook

Microsoft

Google

Alibaba

D3

Tencent