mirror of
https://github.com/coreos/prometheus-operator.git
synced 2026-02-05 06:45:27 +01:00
Merge pull request #8350 from Arpit529Srivastava/kubelet-cmd-flag
feat: add flag to disable insecure kubelet metrics port
This commit is contained in:
Arpit Srivastava
@@ -75,6 +75,8 @@ Arguments:
|
||||
Create Endpoints objects for kubelet targets. (default true)
|
||||
-kubelet-endpointslice
|
||||
Create EndpointSlice objects for kubelet targets.
|
||||
-kubelet-http-metrics
|
||||
Include HTTP metrics port (10255) in kubelet service. Set to false if your cluster has disabled the insecure kubelet read-only port (e.g., GKE 1.32+). (default true)
|
||||
-kubelet-node-address-priority value
|
||||
Node address priority used by kubelet. Either 'internal' or 'external'. Default: 'internal'.
|
||||
-kubelet-selector value
|
||||
|
||||
@@ -128,6 +128,7 @@ var (
|
||||
kubeletEndpoints bool
|
||||
kubeletEndpointSlice bool
|
||||
kubeletSyncPeriod time.Duration
|
||||
kubeletHTTPMetrics bool
|
||||
|
||||
featureGates = k8sflag.NewMapStringBool(ptr.To(map[string]bool{}))
|
||||
)
|
||||
@@ -150,6 +151,7 @@ func parseFlags(fs *flag.FlagSet) {
|
||||
fs.BoolVar(&kubeletEndpointSlice, "kubelet-endpointslice", false, "Create EndpointSlice objects for kubelet targets.")
|
||||
fs.BoolVar(&kubeletEndpoints, "kubelet-endpoints", true, "Create Endpoints objects for kubelet targets.")
|
||||
fs.DurationVar(&kubeletSyncPeriod, "kubelet-sync-period", 3*time.Minute, "How often the operator reconciles the kubelet Endpoints and EndpointSlice objects (e.g., 10s, 2m, 1h30m).")
|
||||
fs.BoolVar(&kubeletHTTPMetrics, "kubelet-http-metrics", true, "Include HTTP metrics port (10255) in kubelet service. Set to false if your cluster has disabled the insecure kubelet read-only port (e.g., GKE 1.32+).")
|
||||
|
||||
// The Prometheus config reloader image is released along with the
|
||||
// Prometheus Operator image, tagged with the same semver version. Default to
|
||||
@@ -661,6 +663,7 @@ func start() int {
|
||||
opts := []kubelet.ControllerOption{
|
||||
kubelet.WithNodeAddressPriority(nodeAddressPriority.String()),
|
||||
kubelet.WithSyncPeriod(kubeletSyncPeriod),
|
||||
kubelet.WithHTTPMetrics(kubeletHTTPMetrics),
|
||||
}
|
||||
|
||||
kubeletService := strings.Split(kubeletObject, "/")
|
||||
|
||||
@@ -74,6 +74,11 @@ type Controller struct {
|
||||
manageEndpointSlice bool
|
||||
manageEndpoints bool
|
||||
syncPeriod time.Duration
|
||||
|
||||
// httpMetricsEnabled controls whether to include the insecure HTTP metrics
|
||||
// port (10255) in the kubelet Service. Set to false when the cluster has
|
||||
// disabled the insecure kubelet read-only port (e.g., GKE 1.32+).
|
||||
httpMetricsEnabled bool
|
||||
}
|
||||
|
||||
type ControllerOption func(*Controller)
|
||||
@@ -108,6 +113,16 @@ func WithSyncPeriod(d time.Duration) ControllerOption {
|
||||
}
|
||||
}
|
||||
|
||||
// WithHTTPMetrics controls whether to include the insecure HTTP metrics port
|
||||
// (10255) in the kubelet Service. When disabled, only the secure HTTPS port
|
||||
// (10250) and cAdvisor port (4194) are included. This is useful when the
|
||||
// cluster has disabled the insecure kubelet read-only port (e.g., GKE 1.32+).
|
||||
func WithHTTPMetrics(enabled bool) ControllerOption {
|
||||
return func(c *Controller) {
|
||||
c.httpMetricsEnabled = enabled
|
||||
}
|
||||
}
|
||||
|
||||
func New(
|
||||
logger *slog.Logger,
|
||||
kclient kubernetes.Interface,
|
||||
@@ -433,20 +448,7 @@ func (c *Controller) syncEndpoints(ctx context.Context, addresses []nodeAddress)
|
||||
Subsets: []v1.EndpointSubset{
|
||||
{
|
||||
Addresses: make([]v1.EndpointAddress, len(addresses)),
|
||||
Ports: []v1.EndpointPort{
|
||||
{
|
||||
Name: httpsPortName,
|
||||
Port: httpsPort,
|
||||
},
|
||||
{
|
||||
Name: httpPortName,
|
||||
Port: httpPort,
|
||||
},
|
||||
{
|
||||
Name: cAdvisorPortName,
|
||||
Port: cAdvisorPort,
|
||||
},
|
||||
},
|
||||
Ports: c.endpointPorts(),
|
||||
},
|
||||
},
|
||||
}
|
||||
@@ -486,20 +488,7 @@ func (c *Controller) syncService(ctx context.Context) (*v1.Service, error) {
|
||||
Spec: v1.ServiceSpec{
|
||||
Type: v1.ServiceTypeClusterIP,
|
||||
ClusterIP: v1.ClusterIPNone,
|
||||
Ports: []v1.ServicePort{
|
||||
{
|
||||
Name: httpsPortName,
|
||||
Port: httpsPort,
|
||||
},
|
||||
{
|
||||
Name: httpPortName,
|
||||
Port: httpPort,
|
||||
},
|
||||
{
|
||||
Name: cAdvisorPortName,
|
||||
Port: cAdvisorPort,
|
||||
},
|
||||
},
|
||||
Ports: c.servicePorts(),
|
||||
},
|
||||
}
|
||||
|
||||
@@ -626,20 +615,7 @@ func (c *Controller) syncEndpointSlice(ctx context.Context, svc *v1.Service, add
|
||||
},
|
||||
},
|
||||
},
|
||||
Ports: []discoveryv1.EndpointPort{
|
||||
{
|
||||
Name: ptr.To(httpsPortName),
|
||||
Port: ptr.To(httpsPort),
|
||||
},
|
||||
{
|
||||
Name: ptr.To(httpPortName),
|
||||
Port: ptr.To(httpPort),
|
||||
},
|
||||
{
|
||||
Name: ptr.To(cAdvisorPortName),
|
||||
Port: ptr.To(cAdvisorPort),
|
||||
},
|
||||
},
|
||||
Ports: c.endpointSlicePorts(),
|
||||
}
|
||||
|
||||
if a.ipv4 {
|
||||
@@ -688,3 +664,75 @@ func (c *Controller) syncEndpointSlice(ctx context.Context, svc *v1.Service, add
|
||||
func (c *Controller) fullCapacity(eps []discoveryv1.Endpoint) bool {
|
||||
return len(eps) >= c.maxEndpointsPerSlice
|
||||
}
|
||||
|
||||
// servicePorts returns the list of ServicePort for the kubelet Service.
|
||||
// If httpMetricsEnabled is false, the insecure HTTP port (10255) is excluded.
|
||||
func (c *Controller) servicePorts() []v1.ServicePort {
|
||||
ports := []v1.ServicePort{
|
||||
{
|
||||
Name: httpsPortName,
|
||||
Port: httpsPort,
|
||||
},
|
||||
{
|
||||
Name: cAdvisorPortName,
|
||||
Port: cAdvisorPort,
|
||||
},
|
||||
}
|
||||
|
||||
if c.httpMetricsEnabled {
|
||||
ports = append(ports, v1.ServicePort{
|
||||
Name: httpPortName,
|
||||
Port: httpPort,
|
||||
})
|
||||
}
|
||||
|
||||
return ports
|
||||
}
|
||||
|
||||
// endpointPorts returns the list of EndpointPort for the kubelet Endpoints.
|
||||
// If httpMetricsEnabled is false, the insecure HTTP port (10255) is excluded.
|
||||
func (c *Controller) endpointPorts() []v1.EndpointPort {
|
||||
ports := []v1.EndpointPort{
|
||||
{
|
||||
Name: httpsPortName,
|
||||
Port: httpsPort,
|
||||
},
|
||||
{
|
||||
Name: cAdvisorPortName,
|
||||
Port: cAdvisorPort,
|
||||
},
|
||||
}
|
||||
|
||||
if c.httpMetricsEnabled {
|
||||
ports = append(ports, v1.EndpointPort{
|
||||
Name: httpPortName,
|
||||
Port: httpPort,
|
||||
})
|
||||
}
|
||||
|
||||
return ports
|
||||
}
|
||||
|
||||
// endpointSlicePorts returns the list of EndpointPort for the kubelet EndpointSlice.
|
||||
// If httpMetricsEnabled is false, the insecure HTTP port (10255) is excluded.
|
||||
func (c *Controller) endpointSlicePorts() []discoveryv1.EndpointPort {
|
||||
ports := []discoveryv1.EndpointPort{
|
||||
{
|
||||
Name: ptr.To(httpsPortName),
|
||||
Port: ptr.To(httpsPort),
|
||||
},
|
||||
{
|
||||
Name: ptr.To(cAdvisorPortName),
|
||||
Port: ptr.To(cAdvisorPort),
|
||||
},
|
||||
}
|
||||
|
||||
if c.httpMetricsEnabled {
|
||||
ports = append(ports, discoveryv1.EndpointPort{
|
||||
Name: ptr.To(httpPortName),
|
||||
Port: ptr.To(httpPort),
|
||||
})
|
||||
}
|
||||
|
||||
return ports
|
||||
}
|
||||
|
||||
@@ -584,3 +584,73 @@ func newLogger() *slog.Logger {
|
||||
|
||||
return l
|
||||
}
|
||||
|
||||
func TestHTTPMetricsPorts(t *testing.T) {
|
||||
for _, tc := range []struct {
|
||||
name string
|
||||
httpMetricsEnabled bool
|
||||
expectedServicePorts int
|
||||
expectedEndpointPorts int
|
||||
expectHTTPMetricsPort bool
|
||||
}{
|
||||
{
|
||||
name: "HTTP metrics enabled (default)",
|
||||
httpMetricsEnabled: true,
|
||||
expectedServicePorts: 3, // https-metrics, http-metrics, cadvisor
|
||||
expectedEndpointPorts: 3,
|
||||
expectHTTPMetricsPort: true,
|
||||
},
|
||||
{
|
||||
name: "HTTP metrics disabled",
|
||||
httpMetricsEnabled: false,
|
||||
expectedServicePorts: 2, // https-metrics, cadvisor (no http-metrics)
|
||||
expectedEndpointPorts: 2,
|
||||
expectHTTPMetricsPort: false,
|
||||
},
|
||||
} {
|
||||
t.Run(tc.name, func(t *testing.T) {
|
||||
c := &Controller{
|
||||
httpMetricsEnabled: tc.httpMetricsEnabled,
|
||||
}
|
||||
|
||||
// Test servicePorts
|
||||
svcPorts := c.servicePorts()
|
||||
require.Len(t, svcPorts, tc.expectedServicePorts, "unexpected number of service ports")
|
||||
|
||||
hasHTTPPort := false
|
||||
for _, p := range svcPorts {
|
||||
if p.Name == httpPortName && p.Port == httpPort {
|
||||
hasHTTPPort = true
|
||||
break
|
||||
}
|
||||
}
|
||||
require.Equal(t, tc.expectHTTPMetricsPort, hasHTTPPort, "http-metrics port presence mismatch in service ports")
|
||||
|
||||
// Test endpointPorts
|
||||
epPorts := c.endpointPorts()
|
||||
require.Len(t, epPorts, tc.expectedEndpointPorts, "unexpected number of endpoint ports")
|
||||
|
||||
hasHTTPPort = false
|
||||
for _, p := range epPorts {
|
||||
if p.Name == httpPortName && p.Port == httpPort {
|
||||
hasHTTPPort = true
|
||||
break
|
||||
}
|
||||
}
|
||||
require.Equal(t, tc.expectHTTPMetricsPort, hasHTTPPort, "http-metrics port presence mismatch in endpoint ports")
|
||||
|
||||
// Test endpointSlicePorts
|
||||
epsPorts := c.endpointSlicePorts()
|
||||
require.Len(t, epsPorts, tc.expectedEndpointPorts, "unexpected number of endpointslice ports")
|
||||
|
||||
hasHTTPPort = false
|
||||
for _, p := range epsPorts {
|
||||
if p.Name != nil && *p.Name == httpPortName && p.Port != nil && *p.Port == httpPort {
|
||||
hasHTTPPort = true
|
||||
break
|
||||
}
|
||||
}
|
||||
require.Equal(t, tc.expectHTTPMetricsPort, hasHTTPPort, "http-metrics port presence mismatch in endpointslice ports")
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user