Merge pull request #116 from DirectXMan12/feature/restore-super-insec…

…ure-option

Add deprecated completely insecure Kubelet option

cmd/metrics-server/app/start.go

@@ -56,11 +56,14 @@ func NewCommandStartMetricsServer(out, errOut io.Writer, stopCh <-chan struct{})
 	flags := cmd.Flags()
 	flags.DurationVar(&o.MetricResolution, "metric-resolution", o.MetricResolution, "The resolution at which metrics-server will retain metrics.")
 
-	flags.BoolVar(&o.InsecureKubeletTLS, "kubelet-insecure-tls", o.InsecureKubeletTLS, "Do not verify CA of serving certificates presented by Kubelets")
+	flags.BoolVar(&o.InsecureKubeletTLS, "kubelet-insecure-tls", o.InsecureKubeletTLS, "Do not verify CA of serving certificates presented by Kubelets.  For testing purposes only.")
+	flags.BoolVar(&o.DeprecatedCompletelyInsecureKubelet, "deprecated-kubelet-completely-insecure", o.DeprecatedCompletelyInsecureKubelet, "Do not use any encryption, authorization, or authentication when communicating with the Kubelet.")
 	flags.IntVar(&o.KubeletPort, "kubelet-port", o.KubeletPort, "The port to use to connect to Kubelets (defaults to 10250)")
 	flags.StringVar(&o.Kubeconfig, "kubeconfig", o.Kubeconfig, "The path to the kubeconfig used to connect to the Kubernetes API server and the Kubelets (defaults to in-cluster config)")
 	flags.StringSliceVar(&o.KubeletPreferredAddressTypes, "kubelet-preferred-address-types", o.KubeletPreferredAddressTypes, "The priority of node address types to use when determining which address to use to connect to a particular node")
 
+	flags.MarkDeprecated("deprecated-kubelet-completely-insecure", "This is rarely the right option, since it leaves kubelet communication completely insecure.  If you encounter auth errors, make sure you've enabled token webhook auth on the Kubelet, and if you're in a test cluster with self-signed Kubelet certificates, consider using kubelet-insecure-tls instead.")
+
 	o.SecureServing.AddFlags(flags)
 	o.Authentication.AddFlags(flags)
 	o.Authorization.AddFlags(flags)
@@ -86,6 +89,8 @@ type MetricsServerOptions struct {
 	KubeletPort                  int
 	InsecureKubeletTLS           bool
 	KubeletPreferredAddressTypes []string
+
+	DeprecatedCompletelyInsecureKubelet bool
 }
 
 // NewMetricsServerOptions constructs a new set of default options for metrics-server.
@@ -166,7 +171,7 @@ func (o MetricsServerOptions) Run(stopCh <-chan struct{}) error {
 	informerFactory := informers.NewSharedInformerFactory(kubeClient, 0)
 
 	// set up the source manager
-	kubeletConfig := summary.GetKubeletConfig(clientConfig, o.KubeletPort, o.InsecureKubeletTLS)
+	kubeletConfig := summary.GetKubeletConfig(clientConfig, o.KubeletPort, o.InsecureKubeletTLS, o.DeprecatedCompletelyInsecureKubelet)
 	kubeletClient, err := summary.KubeletClientFor(kubeletConfig)
 	if err != nil {
 		return fmt.Errorf("unable to construct a client to connect to the kubelets: %v", err)

pkg/sources/summary/client.go

@@ -35,8 +35,9 @@ type KubeletInterface interface {
 }
 
 type kubeletClient struct {
-	port   int
-	client *http.Client
+	port            int
+	deprecatedNoTLS bool
+	client          *http.Client
 }
 
 type ErrNotFound struct {
@@ -83,8 +84,12 @@ func (kc *kubeletClient) makeRequestAndGetValue(client *http.Client, req *http.R
 }
 
 func (kc *kubeletClient) GetSummary(ctx context.Context, host string) (*stats.Summary, error) {
+	scheme := "https"
+	if kc.deprecatedNoTLS {
+		scheme = "http"
+	}
 	url := url.URL{
-		Scheme: "https",
+		Scheme: scheme,
 		Host:   net.JoinHostPort(host, strconv.Itoa(kc.port)),
 		Path:   "/stats/summary/",
 	}
@@ -102,12 +107,13 @@ func (kc *kubeletClient) GetSummary(ctx context.Context, host string) (*stats.Su
 	return summary, err
 }
 
-func NewKubeletClient(transport http.RoundTripper, port int) (KubeletInterface, error) {
+func NewKubeletClient(transport http.RoundTripper, port int, deprecatedNoTLS bool) (KubeletInterface, error) {
 	c := &http.Client{
 		Transport: transport,
 	}
 	return &kubeletClient{
-		port:   port,
-		client: c,
+		port:            port,
+		client:          c,
+		deprecatedNoTLS: deprecatedNoTLS,
 	}, nil
 }

pkg/sources/summary/configs.go

@@ -21,25 +21,30 @@ import (
 )
 
 // GetKubeletConfig fetches connection config for connecting to the Kubelet.
-func GetKubeletConfig(baseKubeConfig *rest.Config, port int, insecureTLS bool) *KubeletClientConfig {
+func GetKubeletConfig(baseKubeConfig *rest.Config, port int, insecureTLS bool, completelyInsecure bool) *KubeletClientConfig {
 	cfg := rest.CopyConfig(baseKubeConfig)
-	if insecureTLS {
+	if completelyInsecure {
+		cfg = rest.AnonymousClientConfig(cfg)        // don't use auth to avoid leaking auth details to insecure endpoints
+		cfg.TLSClientConfig = rest.TLSClientConfig{} // empty TLS config --> no TLS
+	} else if insecureTLS {
 		cfg.TLSClientConfig.Insecure = true
 		cfg.TLSClientConfig.CAData = nil
 		cfg.TLSClientConfig.CAFile = ""
 	}
 	kubeletConfig := &KubeletClientConfig{
-		Port:       port,
-		RESTConfig: cfg,
+		Port:                         port,
+		RESTConfig:                   cfg,
+		DeprecatedCompletelyInsecure: completelyInsecure,
 	}
 
 	return kubeletConfig
 }
 
 // KubeletClientConfig represents configuration for connecting to Kubelets.
 type KubeletClientConfig struct {
-	Port       int
-	RESTConfig *rest.Config
+	Port                         int
+	RESTConfig                   *rest.Config
+	DeprecatedCompletelyInsecure bool
 }
 
 // KubeletClientFor constructs a new KubeletInterface for the given configuration.
@@ -49,5 +54,5 @@ func KubeletClientFor(config *KubeletClientConfig) (KubeletInterface, error) {
 		return nil, fmt.Errorf("unable to construct transport: %v", err)
 	}
 
-	return NewKubeletClient(transport, config.Port)
+	return NewKubeletClient(transport, config.Port, config.DeprecatedCompletelyInsecure)
 }