fix: allow opting-into upstream probes #2505

Open
wants to merge 2 commits into
base: main
16 changes: 12 additions & 4 deletions jsonnet/kube-prometheus/components/kube-rbac-proxy.libsonnet
Expand Up @@ -38,6 +38,13 @@ local defaults = {
'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305',
'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305',
],
// Corresponds to KRP's --ignore-paths flag.
// Some components (for e.g., KSM) may utilize the flag to allow for communication with external parties in scenarios
// where the originating request(s) cannot be modified to the proxy's expectations, and thus, are passed through, as
// is, to certain endpoints that they target, without the proxy's intervention. The kubelet, in KSM's case, can thus
// query health probe endpoints without being blocked by KRP, thus allowing for http-based probes over exec-based
// ones.
ignorePaths:: [],
};


Expand All @@ -50,10 +57,11 @@ function(params) {
name: krp._config.name,
image: krp._config.image,
args: [
'--secure-listen-address=' + krp._config.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp._config.tlsCipherSuites),
'--upstream=' + krp._config.upstream,
],
'--secure-listen-address=' + krp._config.secureListenAddress,
'--tls-cipher-suites=' + std.join(',', krp._config.tlsCipherSuites),
'--upstream=' + krp._config.upstream,
] // Optionals.
+ if std.length(krp._config.ignorePaths) > 0 then ['--ignore-paths=' + std.join(',', krp._config.ignorePaths)] else defaults.ignorePaths,
resources: krp._config.resources,
ports: krp._config.ports,
securityContext: {
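Review bot: The fallback `else defaults.ignorePaths` in the new args expression reads the package-level `defaults` table when the intent is simply "no extra argument"; `else []` states that directly and does not silently change meaning if the default is ever edited. The new comment above `ignorePaths::` describes the mechanism at length but never states the consequence an operator needs: requests to these paths are forwarded to the upstream as-is, without kube-rbac-proxy's authentication and authorization, so only paths that are safe to serve unauthenticated belong here. I would open that comment with a sentence to that effect, e.g. `// Paths listed here bypass kube-rbac-proxy's authn/authz entirely and are forwarded to the upstream as-is; add only endpoints that are safe to expose unauthenticated.`, and keep the KSM example as the illustration. Since this libsonnet is a shared component, that caveat applies to every consumer that sets the field, not just kube-state-metrics.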
61 changes: 42 additions & 19 deletions jsonnet/kube-prometheus/components/kube-state-metrics.libsonnet
Expand Up @@ -15,12 +15,18 @@ local defaults = {
},

kubeRbacProxyMain:: {
ports: [
{ name: 'http-metrics', containerPort: 8443 },
],
resources+: {
limits+: { cpu: '40m' },
requests+: { cpu: '20m' },
},
},
kubeRbacProxySelf:: {
ports: [
{ name: 'telemetry', containerPort: 9443 },
],
resources+: {
limits+: { cpu: '20m' },
requests+: { cpu: '10m' },
Expand All @@ -46,6 +52,8 @@ local defaults = {
runbookURLPattern: 'https://runbooks.prometheus-operator.dev/runbooks/kube-state-metrics/%s',
},
},
// `enableProbes` allows users to opt-into upstream definitions for health probes.
enableProbes:: false,
};

function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-state-metrics/kube-state-metrics.libsonnet') {
Expand Down Expand Up @@ -91,14 +99,14 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
spec+: {
ports: [
{
name: 'https-main',
port: 8443,
targetPort: 'https-main',
name: defaults.kubeRbacProxyMain.ports[0].name,
port: defaults.kubeRbacProxyMain.ports[0].containerPort,
targetPort: defaults.kubeRbacProxyMain.ports[0].name,
},
{
name: 'https-self',
port: 9443,
targetPort: 'https-self',
name: defaults.kubeRbacProxySelf.ports[0].name,
port: defaults.kubeRbacProxySelf.ports[0].containerPort,
targetPort: defaults.kubeRbacProxySelf.ports[0].name,
},
],
},
Expand All @@ -107,21 +115,19 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
local kubeRbacProxyMain = krp(ksm._config.kubeRbacProxyMain {
name: 'kube-rbac-proxy-main',
upstream: 'http://127.0.0.1:8081/',
secureListenAddress: ':8443',
ports: [
{ name: 'https-main', containerPort: 8443 },
],
secureListenAddress: ':' + std.toString(defaults.kubeRbacProxyMain.ports[0].containerPort),
image: ksm._config.kubeRbacProxyImage,
// When enabling probes, kube-rbac-proxy needs to always allow the /livez endpoint.
ignorePaths: if ksm._config.enableProbes then ['/livez'] else super.ignorePaths,
(nit) it's probably more idiomatic jsonnet.

Suggested change
ignorePaths: if ksm._config.enableProbes then ['/livez'] else super.ignorePaths,
ignorePaths+: if ksm._config.enableProbes then ['/livez'] else [],

}),

local kubeRbacProxySelf = krp(ksm._config.kubeRbacProxySelf {
name: 'kube-rbac-proxy-self',
upstream: 'http://127.0.0.1:8082/',
secureListenAddress: ':9443',
ports: [
{ name: 'https-self', containerPort: 9443 },
],
secureListenAddress: ':' + std.toString(defaults.kubeRbacProxySelf.ports[0].containerPort),
image: ksm._config.kubeRbacProxyImage,
// When enabling probes, kube-rbac-proxy needs to always allow the /readyz endpoint.
ignorePaths: if ksm._config.enableProbes then ['/readyz'] else super.ignorePaths,
}),

networkPolicy: {
Expand Down Expand Up @@ -161,14 +167,31 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
spec+: {
automountServiceAccountToken: true,
containers: std.map(function(c) c {
ports:: null,
livenessProbe:: null,
readinessProbe:: null,
securityContext+: {
runAsGroup: 65534,
},
args: ['--host=127.0.0.1', '--port=8081', '--telemetry-host=127.0.0.1', '--telemetry-port=8082'],
resources: ksm._config.resources,
} + if !ksm._config.enableProbes then {
ports:: null,
livenessProbe:: null,
readinessProbe:: null,
} else {
ports: defaults.kubeRbacProxyMain.ports + defaults.kubeRbacProxySelf.ports,
livenessProbe: {
httpGet: {
path: '/livez',
port: defaults.kubeRbacProxyMain.ports[0].name,
scheme: 'HTTPS',
},
},
readinessProbe: {
httpGet: {
path: '/readyz',
port: defaults.kubeRbacProxySelf.ports[0].name,
scheme: 'HTTPS',
},
},
}, super.containers) + [kubeRbacProxyMain, kubeRbacProxySelf],
},
},
Expand All @@ -186,7 +209,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
},
endpoints: [
{
port: 'https-main',
port: 'http-metrics',
scheme: 'https',
interval: ksm._config.scrapeInterval,
scrapeTimeout: ksm._config.scrapeTimeout,
Expand All @@ -211,7 +234,7 @@ function(params) (import 'github.com/kubernetes/kube-state-metrics/jsonnet/kube-
},
},
{
port: 'https-self',
port: 'telemetry',
scheme: 'https',
interval: ksm._config.scrapeInterval,
bearerTokenFile: '/var/run/secrets/kubernetes.io/serviceaccount/token',
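Review bot: The new port-derived values (`secureListenAddress` in both `krp(...)` calls, the Service `ports`, and the probe `port:` fields) read `defaults.kubeRbacProxyMain.ports[0]` / `defaults.kubeRbacProxySelf.ports[0]`, while the sidecar's own container ports come from `ksm._config.kubeRbacProxyMain` passed into `krp(...)`; assuming `ksm._config` layers `params` over `defaults` as that call suggests, a user who overrides the port list ends up with a container port and probe that no longer match the address the proxy actually listens on. Reading the merged config instead, e.g. `secureListenAddress: ':' + std.toString(ksm._config.kubeRbacProxyMain.ports[0].containerPort),` (and likewise for the Service and probe entries), keeps all three in step. The ServiceMonitor endpoints in the last two hunks hard-code `'http-metrics'` and `'telemetry'`, so a later rename in the defaults would silently desynchronise scrape config from the Service; referencing the same port objects there closes that gap. The rename from `https-main`/`https-self` is also user-visible — any user-maintained ServiceMonitor or NetworkPolicy that references those names stops matching, and calling a TLS-only listener `http-metrics` is easy to misread next to `scheme: 'https'` — so it deserves a line in the PR description. The enclosing `function(params)` body starts and ends outside these hunks.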
4 changes: 2 additions & 2 deletions manifests/kubeStateMetrics-deployment.yaml
Expand Up @@ -60,7 +60,7 @@ spec:
name: kube-rbac-proxy-main
ports:
- containerPort: 8443
name: https-main
name: http-metrics
resources:
limits:
cpu: 40m
Expand All @@ -87,7 +87,7 @@ spec:
name: kube-rbac-proxy-self
ports:
- containerPort: 9443
name: https-self
name: telemetry
resources:
limits:
cpu: 20m
8 changes: 4 additions & 4 deletions manifests/kubeStateMetrics-service.yaml
Expand Up @@ -11,12 +11,12 @@ metadata:
spec:
clusterIP: None
ports:
- name: https-main
- name: http-metrics
port: 8443
targetPort: https-main
- name: https-self
targetPort: http-metrics
- name: telemetry
port: 9443
targetPort: https-self
targetPort: telemetry
selector:
app.kubernetes.io/component: exporter
app.kubernetes.io/name: kube-state-metrics
4 changes: 2 additions & 2 deletions manifests/kubeStateMetrics-serviceMonitor.yaml
Expand Up @@ -18,7 +18,7 @@ spec:
regex: kube_endpoint_address_not_ready|kube_endpoint_address_available
sourceLabels:
- __name__
port: https-main
port: http-metrics
relabelings:
- action: labeldrop
regex: (pod|service|endpoint|namespace)
Expand All @@ -28,7 +28,7 @@ spec:
insecureSkipVerify: true
- bearerTokenFile: /var/run/secrets/kubernetes.io/serviceaccount/token
interval: 30s
port: https-self
port: telemetry
scheme: https
tlsConfig:
insecureSkipVerify: true