From fb36579e1610c5ed74c4b8ea353657ce36d472c8 Mon Sep 17 00:00:00 2001
From: Phil Sphicas
Date: Sun, 27 Sep 2020 19:43:10 +0000
Subject: [PATCH] kube-apiserver: use HTTP probes instead of exec

The existing exec probes for apiserver rely on things that do not exist in the official kubernetes release images (bash, socat). This change modifies the apiserver to use HTTP probes of the recommended liveness and readiness endpoints.[0]

Also sets `--anonymous-auth=true` (the default setting), as kubelet is unable to provide a client certificate when performing the health check. RBAC rules apply, but unauthenticated users will be able to access the following endpoints:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: system:public-info-viewer
rules:
- nonResourceURLs:
  - /healthz
  - /livez
  - /readyz
  - /version
  - /version/
  verbs:
  - get

0: https://v1-18.docs.kubernetes.io/docs/reference/using-api/health-checks/

Change-Id: I06d739c844fe85ec6cbf47d3bb69a39cd008ddd8
---
 .../etc/_kubernetes-apiserver.yaml.tpl | 25 ++++++-------------
 charts/apiserver/values.yaml           |  2 +-
 2 files changed, 9 insertions(+), 18 deletions(-)

diff --git a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
index cc54a9b1..acd7f5e1 100644
--- a/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
+++ b/charts/apiserver/templates/etc/_kubernetes-apiserver.yaml.tpl
@@ -36,27 +36,18 @@
 {{- define "livenessProbeTemplate" -}}
-exec:
-  command:
-    - /bin/bash
-    - -c
-    - |-
-      kubectl get nodes ${NODENAME} | grep ${NODENAME}
-      exit $?
+httpGet:
+  path: /livez
+  port: {{ .Values.network.kubernetes_apiserver.port }}
+  scheme: HTTPS
 {{- end -}}
 {{- define "readinessProbeTemplate" -}}
-exec:
-  command:
-    - /bin/bash
-    - -c
-    - |-
-      if [ ! -f /etc/kubernetes/apiserver/pki/apiserver-both.pem ]; then
-        cat /etc/kubernetes/apiserver/pki/apiserver-key.pem <(echo) /etc/kubernetes/apiserver/pki/apiserver.pem > /etc/kubernetes/apiserver/pki/apiserver-both.pem
-      fi
-      echo -e 'GET /healthz HTTP/1.0\r\n' | socat - openssl:localhost:{{ .Values.network.kubernetes_apiserver.port }},cert=/etc/kubernetes/apiserver/pki/apiserver-both.pem,cafile=/etc/kubernetes/apiserver/pki/cluster-ca.pem | grep '200 OK'
-      exit $?
+httpGet:
+  path: /readyz
+  port: {{ .Values.network.kubernetes_apiserver.port }}
+  scheme: HTTPS
 {{- end -}}
diff --git a/charts/apiserver/values.yaml b/charts/apiserver/values.yaml
index 0dc94f21..0549111e 100644
--- a/charts/apiserver/values.yaml
+++ b/charts/apiserver/values.yaml
@@ -22,7 +22,7 @@ const:
   - kube-apiserver
   - --advertise-address=$(POD_IP)
   - --allow-privileged=true
-  - --anonymous-auth=false
+  - --anonymous-auth=true
   - --bind-address=0.0.0.0
   - --client-ca-file=/etc/kubernetes/apiserver/pki/cluster-ca.pem
   - --etcd-cafile=/etc/kubernetes/apiserver/pki/etcd-client-ca.pem
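Review bot: The new `httpGet` probes in `livenessProbeTemplate` and `readinessProbeTemplate` only work because the values.yaml hunk of this same commit flips `--anonymous-auth` to `true`; the kubelet sends no client certificate on an HTTPS probe, so with anonymous auth disabled the apiserver would answer 401, both probes would fail and the pod would restart in a loop. That coupling is recorded only in the commit message, so I would state it in the template above the first define, e.g. `{{/* httpGet probes carry no client cert: they depend on --anonymous-auth=true and on the system:public-info-viewer ClusterRole granting GET on /livez and /readyz */}}`. Note also that the kubelet does not verify the serving certificate on `scheme: HTTPS` probes, so the new readiness check no longer exercises the serving cert against `cluster-ca.pem` the way the removed socat command's `cafile` argument did; if that was a deliberate guard, it needs a different home. `/livez` and `/readyz` exist on API servers from 1.16 on; if the chart is expected to deploy older releases the liveness probe would 404, which is worth confirming against the supported version range.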
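Review bot: `--anonymous-auth=true` in values.yaml enables the `system:anonymous` / `system:unauthenticated` identity for every credential-less request, not only probe traffic, and what that identity may do is then decided purely by authorization; the change is only as safe as the `--authorization-mode` in effect (RBAC, not `AlwaysAllow`) and the presence of the `system:public-info-viewer` ClusterRole, neither of which this hunk shows. Since the justification lives only in the commit message, I would put it next to the flag: `# needed by the httpGet liveness/readiness probes: kubelet presents no client cert; RBAC limits anonymous access to /healthz, /livez, /readyz and /version`. Without that, anyone auditing the chart for `anonymous-auth=false` as a hardening setting sees a regression with no explanation and may revert it, silently breaking the probes. If audit logging is enabled, expect the probe requests to appear under `system:anonymous`, which detection rules keyed on that user will need to tolerate.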