KEP-4939: Support TLS in gRPC probe

[kkoch986]

• One-line PR description: Initial KEP for TLS support in gRPC probes

• Issue link: Support TLS Credentials in gRPC Probe #4939

• Other comments: see also GRPC healthprobe cannot handle TLS kubernetes#128365

[k8s-ci-robot]

Welcome @kkoch986!

It looks like this is your first PR to kubernetes/enhancements 🎉. Please refer to our pull request process documentation to help your PR have a smooth ride to approval.

You will be prompted by a bot to use commands during the review process. Do not be afraid to follow the prompts! It is okay to experiment. Here is the bot commands documentation.

You can also check if kubernetes/enhancements has its own contribution guidelines.

You may want to refer to our testing guide if you run into trouble with your tests not passing.

If you are having difficulty getting your pull request seen, please follow the recommended escalation practices. Also, for tips and tricks in the contribution process you may want to read the Kubernetes contributor cheat sheet. We want to make sure your contribution gets all the attention it needs!

Thank you, and welcome to Kubernetes. 😃

[k8s-ci-robot]

Hi @kkoch986. Thanks for your PR.

I'm waiting for a kubernetes member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[aojea]

/ok-to-test

[kkoch986]

pushed up one more fixup to define the config option better. @aojea any other changes i should make to get this KEP merged?

[aojea]

/lgtm

I think that not having a TLS option reduce significantly the usability of this probes and is worth having parity with the http probes, also the changes requested seem to be very minimal, please @bowei take a look as you were involved with the original implementation so you may have some more historic context

/assign @thockin @dchen1107

for approval

[kkoch986]

oops @aojea looks like when i rebased it removed the lgtm tag sorry about that, didnt change anything just squashed the fixups down

[aojea]

/lgtm

[thockin]

Ugh, I missed that this did not have PRR - you need to create a file in the prod-readiness directory to trigger PRR review.

[thockin]

I am LGTM, but we need a sig-node approver

/lgtm

[mrunalp]

I can make a pass at this one. Add me as node approver. Thanks!

[kkoch986]

I can make a pass at this one. Add me as node approver. Thanks!

thanks @mrunalp! added

also added the PRR yaml

[mrunalp]

Can you add more detail here? What happens when a pod is created with the new field and deployed against

1. Older k8s release without this feature.
2. New API server with this feature enabled and older kubelet without this feature.
3. Feature gate turned on in API server but not in the kubelet.

[kkoch986]

sure i can try to update this tonight

[tallclair]

until all kubelet version skew supports the new tls configuration.

Need to clarify what the Kubelet does if it receives a pod that has a probe with the TLS configuration, but the feature gate is turned off. If the Kubelet ignores the field when the feature gate is disabled, then it will "never" be within the version skew range.

[kkoch986]

tried to reword this section a bit, let me know if that clears it up!

@tallclair @mrunalp

[thockin]

mrunalp approved these changes 26 minutes ago

/approve
/lgtm

Still needs PRR, and given the last-minute addition, this KEP is at risk of missing.

[aojea]

/lgtm

Thanks

[kkoch986]

/assign @deads2k

[thockin]

Is this going for an exception? Or just aiming for next release?

[kkoch986]

Is this going for an exception? Or just aiming for next release?

not sure if i'm the one who's able to answer that, but just wanted to confirm waiting on @deads2k is the last hurdle. more so that i'm not blocking anything at this point

[thockin]

I think the window for exceptions is closed or closing

[k8s-ci-robot]

New changes are detected. LGTM label has been removed.

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: kkoch986, mrunalp, thockin
Once this PR has been reviewed and has the lgtm label, please ask for approval from deads2k. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• keps/prod-readiness/OWNERS
• keps/sig-node/OWNERS [mrunalp]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment