kops/cmd/kube-apiserver-healthcheck
Peter Rifel 4d9f0128a3
Upgrade to klog2
This splits up the kubernetes 1.19 PR to make it easier to keep up to date until we get it sorted out.
2020-08-16 20:56:48 -05:00
BUILD.bazel Upgrade to klog2 2020-08-16 20:56:48 -05:00
README.md Move kube-apiserver-healthcheck to port 3990 2020-06-12 22:00:14 -07:00
main.go Upgrade to klog2 2020-08-16 20:56:48 -05:00
proxy_test.go Move kube-apiserver-healthcheck to port 3990 2020-06-12 22:00:14 -07:00

README.md

kube-apiserver-healthcheck

This is a small sidecar container that allows for health-checking the kube-apiserver without enabling anonymous authentication and without enabling the unauthenticated port.

It listens on port 3990 (http), and proxies a few known-safe requests to the real apiserver listening on 443. It uses a client certificate to authenticate itself to the apiserver.

This lets us turn off the unauthenticated kube-apiserver endpoint, but it also lets us have better load-balancer health-checks.

Because it runs as a sidecar next to kube-apiserver, it is in the same network namespace, and thus it can reach apiserver on https://127.0.0.1. The kube-apiserver-healthcheck process listens on 3990, but the health checks for the apiserver container are configured for :8080 and actually go via the sidecar.
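
The proxy pattern described above, as an added Go sketch; it is not the kops implementation in main.go. The allowlisted paths, the certificate file names, and the stripping of caller-supplied headers and query strings are assumptions made for this example.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// Assumed allowlist: the README says only "a few known-safe requests".
var allowedPaths = map[string]bool{"/healthz": true, "/livez": true, "/readyz": true}

// newHealthProxy forwards GET requests for exact allowlisted paths and rejects the rest.
func newHealthProxy(upstream *url.URL, rt http.RoundTripper) http.Handler {
	proxy := &httputil.ReverseProxy{Transport: rt, Director: func(r *http.Request) {
		r.URL.Scheme, r.URL.Host, r.Host = upstream.Scheme, upstream.Host, upstream.Host
		r.URL.RawQuery = ""      // caller cannot add query parameters
		r.Header = http.Header{} // caller headers never ride on the proxy's identity
	}}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodGet {
			http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
			return
		}
		if !allowedPaths[r.URL.Path] { // exact match: no prefixes, no "..", no trailing slash
			http.Error(w, "forbidden", http.StatusForbidden)
			return
		}
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	cert, err := tls.LoadX509KeyPair("client.crt", "client.key") // constructed file names
	if err != nil {
		log.Fatal(err)
	}
	caPEM, err := os.ReadFile("ca.crt") // constructed file name for the cluster CA
	if err != nil {
		log.Fatal(err)
	}
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(caPEM)
	rt := &http.Transport{TLSClientConfig: &tls.Config{Certificates: []tls.Certificate{cert}, RootCAs: pool}}
	log.Fatal(http.ListenAndServe(":3990", newHealthProxy(&url.URL{Scheme: "https", Host: "127.0.0.1"}, rt)))
}
```

Because every request that passes the filter reaches the apiserver under the sidecar's client-certificate identity, the allowlist and the RBAC bound to that certificate together define what an unauthenticated caller on port 3990 can do.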