KEP-4939: Support TLS in gRPC probe #5029
Conversation
kkoch986
commented
Jan 8, 2025
kkoch986
commented
- One-line PR description: Initial KEP for TLS support in gRPC probes
- Issue link: Support TLS Credentials in gRPC Probe #4939
- Other comments: see also GRPC healthprobe cannot handle TLS kubernetes#128365
k8s-ci-robot
added
cncf-cla: yes
|
Welcome @kkoch986! |
|
Hi @kkoch986. Thanks for your PR. I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
k8s-ci-robot
added
the
needs-ok-to-test
k8s-ci-robot
added
the
size/XL
| either through providing a CA certificate from a secret | ||
| or disabling certificate verification. |
There was a problem hiding this comment.
we don't validate certificates with HTTPS probes, I don't feel we should add this complexity in this iteration and just make grpc probes the same as http probes
There was a problem hiding this comment.
👍 that makes sense to me, just pushed up some fixups to update the KEP 09308e9
| [Probe GRPCAction](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#Probe). | ||
|
|
||
| They can be used to indicate whether or not TLS should be used | ||
| as well as provide a reference to the certificate to use or the ability to disable verification. |
There was a problem hiding this comment.
+100 on supporting TLS without validation certiticates, skeptical about the ROI on adding certificate validation, I suggest moving only with one option
There was a problem hiding this comment.
updated that section to remove the part about providing certs 09308e9
| If configured to to no-verify TLS: | ||
|
|
||
| ```go | ||
| tlsConfig := &tls.Config{ | ||
| InsecureSkipVerify: true, | ||
| } | ||
| tlsCredentials := credentials.NewTLS(tlsConfig) | ||
|
|
||
| opts := []grpc.DialOption{ | ||
| // ... | ||
| grpc.WithTransportCredentials(tlsCredentials), | ||
| // ... | ||
| } | ||
| ``` |
There was a problem hiding this comment.
this seems simple to implement, the other need to deal with the input of passing certificates that will make probes more complex
| latest-milestone: "v1.19" | ||
|
|
||
| # The milestone at which this feature was, or is targeted to be, at each stage. | ||
| milestone: | ||
| alpha: "v1.19" | ||
| beta: "v1.20" | ||
| stable: "v1.22" |
There was a problem hiding this comment.
yea i wasnt 100% sure what to put in there, for now just updated this to 1.33 although since this is my first contribution may take me some more time to actually implement 😄
| - "@kkoch986" | ||
| owning-sig: sig-node | ||
| participating-sigs: | ||
| - sig-node |
There was a problem hiding this comment.
you can add sig-network as participating and enlist me as reviewer
There was a problem hiding this comment.
done, thanks! i pushed up some fixups so its easier to see the changes, i can rebase once everything is looking good
|
/ok-to-test |
k8s-ci-robot
added
ok-to-test
|
pushed up one more fixup to define the config option better. @aojea any other changes i should make to get this KEP merged? |
|
/lgtm I think that not having a TLS option reduce significantly the usability of this probes and is worth having parity with the http probes, also the changes requested seem to be very minimal, please @bowei take a look as you were involved with the original implementation so you may have some more historic context /assign @thockin @dchen1107 for approval |
k8s-ci-robot
added
the
lgtm
kkoch986
force-pushed
the
grpc-probe-auth
branch
from
093742b to
4855713
Compare
k8s-ci-robot
removed
the
lgtm
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: kkoch986 The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
oops @aojea looks like when i rebased it removed the |
|
/lgtm |
k8s-ci-robot
added
the
lgtm
|
|
||
| They can be used to indicate whether or not TLS should be used. | ||
|
|
||
| ### User Stories (Optional) |
There was a problem hiding this comment.
Either fill these optional section in or remove them :)
| [testing-guidelines]: https://git.k8s.io/community/contributors/devel/sig-testing/testing.md | ||
| --> | ||
|
|
||
| [ ] I/we understand the owners of the involved components may require updates to |
There was a problem hiding this comment.
you gotta check the box :) It's like your bank's EULA - what are you going to do, not sign it?
| implementing this enhancement to ensure the enhancements have also solid foundations. | ||
| --> | ||
|
|
||
| ##### Unit tests |
There was a problem hiding this comment.
please describe the tests you think will be needed. Take a look at nearby tests and see how you would extend them - unit seems obvious, maybe node_e2e is sufficient?
|
|
||
| - <test>: <link to test coverage> | ||
|
|
||
| ### Graduation Criteria |
There was a problem hiding this comment.
Please fill in the rest of the doc.
| reviewers: | ||
| - aojea | ||
| approvers: | ||
| - TBD |
There was a problem hiding this comment.
@SergeyKanzhelev @dchen1107 @mrunalp can you suggest an approver?
|
Antonio probably did the heavy lifting here. I didn't find much other than some prods filling out the testing and production related templates. Thanks! |
|
|
||
| ### Test Plan | ||
|
|
||
| <!-- |
There was a problem hiding this comment.
It would be good to spec out what tests you plan on adding -- probably mirror those already done for gRPC.
|
|
||
| We should add a boolean field to the | ||
| [GRPCAction](https://github.com/kubernetes/kubernetes/blob/f422a58398d457a88ac7b05afca85a0e6b805605/pkg/apis/core/types.go#L2665-L2676) | ||
| named `useTLS` which is optional and would default to `false`. |
There was a problem hiding this comment.
Proposal looks generally OK.
There are couple of things. Note: I don't think these will change the general design and KEP:
- In HTTP, we chose based on
scheme, but it looks like gRPC does not have such a notion exposed, so there is no need to push for consistency in naming there. - gRPC over QUIC only works with TLS. This means if/when we support gRPC over HTTP/3, this will require adding some validation that UseTLS is true.
|
|
||
| ### Graduation Criteria | ||
|
|
||
| <!-- |
There was a problem hiding this comment.
Please fill this out -- you can use the original gRPC probe KEP as a reference.
|
|
||
| ## Production Readiness Review Questionnaire | ||
|
|
||
| <!-- |
| --> | ||
|
|
||
| We should add a boolean field to the | ||
| [GRPCAction](https://github.com/kubernetes/kubernetes/blob/f422a58398d457a88ac7b05afca85a0e6b805605/pkg/apis/core/types.go#L2665-L2676) |
There was a problem hiding this comment.
Boolean flags are generally a bad idea. They almost always end up insufficient. For example, I can imagine a future where someone wants to do secure verification against a known CA or set of CAs. Perhaps they load a volume with their CA's pubkey or something.
In this particular case it doesn't seem terrible, it's just hard to know what we don't know.
For example, this could evolve to:
grpcAction:
port: 12345
useTLS: true
tlsConfig:
mode: Verify
certVolume: my-certs
But let's consider options. What if this was instead framed as:
grpcAction:
port: 12345
tls:
mode: NoVerify
The existence of the tls field implies a demand for TLS. The mode only has one value, so it's optional. People could write: tls: {}
It's not markedly better, so I'm not demanding it (yet?).
Are there ANY OTHER configuration knobs we want in the short term?
