kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
kops/cmd/kube-apiserver-healthcheck
History
Eng Zer Jun 425173ae9f
refactor: move from io/ioutil to io and os packages 
The io/ioutil package has been deprecated as of Go 1.16, see
https://golang.org/doc/go1.16#ioutil. This commit replaces the existing
io/ioutil functions with their new definitions in io and os packages.

Signed-off-by: Eng Zer Jun <engzerjun@gmail.com>
 		2021-11-12 15:37:18 +08:00
..
BUILD.bazel Upgrade Go v1.15.6 / Bazel v3.4.1 2021-01-10 18:13:12 +00:00
README.md
main.go refactor: move from io/ioutil to io and os packages 2021-11-12 15:37:18 +08:00
proxy_test.go

README.md

kube-apiserver-healthcheck

This is a small sidecar container that allows for health-checking the kube-apiserver without enabling anonymous authentication and without enabling the unauthenticated port.

It listens on port 3990 (http), and proxies a few known-safe requests to the real apiserver listening on 443. It uses a client certificate to authenticate itself to the apiserver.

This lets us turn off the unauthenticated kube-apiserver endpoint, but it also lets us have better load-balancer health-checks.

Because it runs as a sidecar next to kube-apiserver, it is in the same network namespace, and thus it can reach apiserver on https://127.0.0.1 . The kube-apiserver-healthcheck process listens on 3990, but the health checks for the apiserver container are configured for :8080 and actually go via the sidecar.