k3s-io
/
k3s
mirror of https://github.com/k3s-io/k3s.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Run cAdvisor on the same interface as kubelet 

cAdvisor currently binds to all interfaces. Currently the only
solution is to use iptables to block access to the port. We
are better off making cAdvisor to bind to the interface that
kubelet uses for better security.

Fixes #11710
pull/6/head
Davanum Srinivas 2017-06-08 15:56:59 -04:00
parent 038d194723
commit 7e5c43a042
5 changed files with 10 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/kubelet/app/server.go
View File

@ -522,7 +522,7 @@ func run(s *options.KubeletServer, kubeDeps *kubelet.KubeletDeps) (err error) {
}
if kubeDeps.CAdvisorInterface == nil {
kubeDeps.CAdvisorInterface, err = cadvisor.New(uint(s.CAdvisorPort), s.ContainerRuntime, s.RootDirectory)
kubeDeps.CAdvisorInterface, err = cadvisor.New(s.Address, uint(s.CAdvisorPort), s.ContainerRuntime, s.RootDirectory)
if err != nil {
return err
}

10
pkg/kubelet/cadvisor/cadvisor_linux.go
View File

@ -21,7 +21,9 @@ package cadvisor
import (
"flag"
"fmt"
"net"
"net/http"
"strconv"
"time"
"github.com/golang/glog"
@ -94,7 +96,7 @@ func containerLabels(c *cadvisorapi.ContainerInfo) map[string]string {
}
// New creates a cAdvisor and exports its API on the specified port if port > 0.
func New(port uint, runtime string, rootPath string) (Interface, error) {
func New(address string, port uint, runtime string, rootPath string) (Interface, error) {
sysFs := sysfs.NewRealSysFs()
// Create and start the cAdvisor container manager.
@ -109,7 +111,7 @@ func New(port uint, runtime string, rootPath string) (Interface, error) {
Manager: m,
}
err = cadvisorClient.exportHTTP(port)
err = cadvisorClient.exportHTTP(address, port)
if err != nil {
return nil, err
}
@ -120,7 +122,7 @@ func (cc *cadvisorClient) Start() error {
return cc.Manager.Start()
}
func (cc *cadvisorClient) exportHTTP(port uint) error {
func (cc *cadvisorClient) exportHTTP(address string, port uint) error {
// Register the handlers regardless as this registers the prometheus
// collector properly.
mux := http.NewServeMux()
@ -134,7 +136,7 @@ func (cc *cadvisorClient) exportHTTP(port uint) error {
// Only start the http server if port > 0
if port > 0 {
serv := &http.Server{
Addr: fmt.Sprintf(":%d", port),
Addr: net.JoinHostPort(address, strconv.Itoa(int(port))),
Handler: mux,
}

2
pkg/kubelet/cadvisor/cadvisor_unsupported.go
View File

@ -31,7 +31,7 @@ type cadvisorUnsupported struct {
var _ Interface = new(cadvisorUnsupported)
func New(port uint, runtime string, rootPath string) (Interface, error) {
func New(address string, port uint, runtime string, rootPath string) (Interface, error) {
return &cadvisorUnsupported{}, nil
}

2
pkg/kubelet/cadvisor/cadvisor_windows.go
View File

@ -30,7 +30,7 @@ type cadvisorClient struct {
var _ Interface = new(cadvisorClient)
// New creates a cAdvisor and exports its API on the specified port if port > 0.
func New(port uint, runtime string, rootPath string) (Interface, error) {
func New(address string, port uint, runtime string, rootPath string) (Interface, error) {
return &cadvisorClient{}, nil
}

2
test/e2e_node/environment/conformance.go
View File

@ -99,7 +99,7 @@ func containerRuntime() error {
}
// Setup cadvisor to check the container environment
c, err := cadvisor.New(0 /*don't start the http server*/, "docker", "/var/lib/kubelet")
c, err := cadvisor.New("", 0 /*don't start the http server*/, "docker", "/var/lib/kubelet")
if err != nil {
return printError("Container Runtime Check: %s Could not start cadvisor %v", failed, err)
}