Page MenuHomePhabricator
Create Task
Maniphest T383413

Remove the kubelet readOnlyPort
Closed, ResolvedPublic
Actions

Description

We're running our kubelet's with readOnlyPort (tcp/10255, plaintext HTTP) enabled and use that port to scrape kubelet and cadvisor metrics. With proper RBAC rules and client cert authentication in place for prometheus, we should be in a position to disable the readOnlyPort and use the default kubelet port (tcp/10250) instead.

Details

Related Changes in Gerrit:
SubjectRepoBranchLines +/-
kubelet: Disable the readOnlyPortoperations/puppetproduction+0 -6
prometheus::k8s: Move away from kubelet readOnlyPortoperations/puppetproduction+6 -8
kubelet: Use the chained certificate for TLSoperations/puppetproduction+1 -1
admin_ng RBAC: Fix prometheus clusterroleoperations/deployment-chartsmaster+11 -5
Customize query in gerrit

Related Objects
Search...

StatusSubtypeAssignedTask
 ResolvedJMeybohmT341984 Update Kubernetes clusters to 1.31
 ResolvedJMeybohmT383413 Remove the kubelet readOnlyPort

Event Timeline

JMeybohm created this task.Jan 10 2025, 3:28 PM
gerritbot added a comment.Jan 10 2025, 3:36 PM

Change #1109728 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/deployment-charts@master] admin_ng RBAC: Fix prometheus clusterrole

https://gerrit.wikimedia.org/r/1109728

gerritbot added a project: Patch-For-Review.Jan 10 2025, 3:36 PM
gerritbot added a comment.Jan 10 2025, 3:47 PM

Change #1109733 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] kubelet: Use the chained certificate for TLS

https://gerrit.wikimedia.org/r/1109733

gerritbot added a comment.Jan 10 2025, 3:47 PM

Change #1109734 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] prometheus::k8s: Move away from kubelet readOnlyPort

https://gerrit.wikimedia.org/r/1109734

gerritbot added a comment.Jan 10 2025, 3:47 PM

Change #1109735 had a related patch set uploaded (by JMeybohm; author: JMeybohm):

[operations/puppet@production] kubelet: Disable the readOnlyPort

https://gerrit.wikimedia.org/r/1109735

JMeybohm claimed this task.Jan 10 2025, 3:47 PM
gerritbot added a comment.Jan 13 2025, 11:41 AM

Change #1109728 merged by jenkins-bot:

[operations/deployment-charts@master] admin_ng RBAC: Fix prometheus clusterrole

https://gerrit.wikimedia.org/r/1109728

Stashbot added a comment.Jan 13 2025, 11:51 AM

Mentioned in SAL (#wikimedia-operations) [2025-01-13T11:51:19Z] <jayme> disabling puppet on all hosts running kubelet - T383413

gerritbot added a comment.Jan 13 2025, 11:52 AM

Change #1109733 merged by JMeybohm:

[operations/puppet@production] kubelet: Use the chained certificate for TLS

https://gerrit.wikimedia.org/r/1109733

Stashbot added a comment.Jan 13 2025, 11:57 AM

Mentioned in SAL (#wikimedia-operations) [2025-01-13T11:57:55Z] <jayme> re-enabling puppet on all hosts running kubelet - T383413

gerritbot added a comment.Jan 13 2025, 2:02 PM

Change #1109734 merged by JMeybohm:

[operations/puppet@production] prometheus::k8s: Move away from kubelet readOnlyPort

https://gerrit.wikimedia.org/r/1109734

Stashbot added a comment.Jan 13 2025, 2:41 PM

Mentioned in SAL (#wikimedia-operations) [2025-01-13T14:41:56Z] <jayme> disabling puppet on all hosts running kubelet - T383413

gerritbot added a comment.Jan 13 2025, 2:43 PM

Change #1109735 merged by JMeybohm:

[operations/puppet@production] kubelet: Disable the readOnlyPort

https://gerrit.wikimedia.org/r/1109735

Stashbot added a comment.Jan 13 2025, 2:48 PM

Mentioned in SAL (#wikimedia-operations) [2025-01-13T14:48:28Z] <jayme> re-enabling puppet on all hosts running kubelet - T383413

JMeybohm closed this task as Resolved.Jan 13 2025, 2:49 PM

This last unauthenticated access to k8s components should be gone in the next 30'

Maintenance_bot removed a project: Patch-For-Review.Jan 13 2025, 3:30 PM
Gehel edited projects, added Data-Platform-SRE (2025.01.11 - 2025.01.31); removed Data-Platform-SRE.Jan 17 2025, 9:06 AM
Gehel moved this task from Backlog - project to Done on the Data-Platform-SRE (2025.01.11 - 2025.01.31) board.Jan 17 2025, 9:10 AM
Gehel moved this task from Done to Reported on the Data-Platform-SRE (2025.01.11 - 2025.01.31) board.Jan 17 2025, 10:14 AM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits