
No way to add authentication/ authorisation in kubelet endpoint 10255 in GKE private cluster (version: 1.13.6-gke.13) #79881

Closed
@amit-k-yadav

Description

What happened:
I have created a GKE private cluster (version: 1.13.6-gke.13). I can see that the port (10255) is open in both the nodes (or we can say GCP compute instances) created in the above cluster.

If I create a simple GCP compute instance and try to access the internal IP of the GKE node on port 10255 from this VM, I am able to access it without any authentication or authorization.

If I send a simple GET request to (xxx.xx.xx.xx:10255/pods, xxx.xx.xx.xx:10255/metrics or http://xxx.xx.xx.xx:10255/stats/summary) I get tons of information about the pods and other things. As I can see in the documentation of Kubernetes here, it is mentioned that:

--read-only-port int32
     The read-only port for the Kubelet to serve on with no authentication/authorization (set to 0 to disable) (default 10255)

However, if I create a VM in the same VPC but a different subnet, I am not able to access this open port until and unless I add the IP of this VM to the master authorized networks (refer to Setting Up a Private Cluster for more details). I find no way in GKE to secure the access to this port from the VMs in the same subnet as the cluster.

I see multiple ways in Kubernetes in general to add authentication/authorization, but not in GKE.
What you expected to happen:
There should be a way in which the access to this endpoint can be secured, and only authenticated/authorized VMs should be allowed to access this port.
How to reproduce it:
Create a private cluster (with any number of nodes) and a VM in the same VPC, same Subnet in GKE.
Command used to create the private cluster:

gcloud container clusters create a-cluster-with-user-pass \
 --network vpc-name \
 --subnetwork subnet-name \
 --enable-master-authorized-networks \
 --username random \
 --password averylongpassword \
 --enable-ip-alias \
 --enable-private-nodes \
 --enable-private-endpoint \
 --master-ipv4-cidr xxx.xx.xx.xx/28 \
 --cluster-version 1.13.6-gke.13 \
 --num-nodes 2 \
 --zone asia-south1-a

Command used to create the GCP compute instance (VM):

gcloud compute instances create vm-name \
 --network vpc-name \
 --subnetwork subnet-name \
 --zone asia-south1-a

SSH into the VM and send a GET request to the VM's IP address on port 10255; all of the following endpoints are accessible:

http://xxx.xx.xx.xx:10255/pods
http://xxx.xx.xx.xx:10255/stats/summary
http://xxx.xx.xx.xx:10255/metrics

xxx.xx.xx.xx above indicates the IP of any of the nodes of the cluster.
Environment:

  • Kubernetes version (use kubectl version): kubectl is not used
  • Cloud provider or hardware configuration: Google Cloud Platform
  • Cluster node: Container-Optimized OS
  • Node created to access the cluster: Debian GNU/Linux 9 (stretch)
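As an added example (not code from this issue, from GKE, or from the Kubernetes project), the script below audits the kubelet settings that decide whether the unauthenticated read-only port described above is exposed. It reads the two sources the kubelet honours, a KubeletConfiguration file and the command-line flags (flags take precedence over the file), reports the defaults that matter (`--read-only-port` defaults to 10255, `--anonymous-auth` to true, `--authorization-mode` to AlwaysAllow), and emits a hardened copy of the file with `readOnlyPort: 0`. The sample config and command line are constructed for the example; the path `/home/kubernetes/kubelet-config.yaml` is an assumption about where a GKE node keeps its kubelet config, and the YAML reader is a deliberately minimal line parser (assumption: the keys of interest are plain `key: value` lines at the usual indentation) so that no PyYAML dependency is needed.

```python
"""Audit a kubelet's effective settings for the unauthenticated read-only port.

Added example, not part of the issue or of Kubernetes. Inputs are constructed
samples; the GKE file path is an assumption.
"""
import re
import shlex

# Constructed sample of a KubeletConfiguration file (shape follows the
# kubelet.config.k8s.io/v1beta1 API; values are made up for this example).
SAMPLE_KUBELET_CONFIG = """\
apiVersion: kubelet.config.k8s.io/v1beta1
kind: KubeletConfiguration
readOnlyPort: 10255
authentication:
  anonymous:
    enabled: false
  webhook:
    enabled: true
authorization:
  mode: Webhook
"""

# Constructed sample kubelet command line as it would appear in `ps` output
# (assumed GKE path; the flag value here restates the file's setting).
SAMPLE_CMDLINE = ("/home/kubernetes/bin/kubelet "
                  "--config=/home/kubernetes/kubelet-config.yaml "
                  "--read-only-port=10255")


def parse_kubelet_config(text):
    """Pull readOnlyPort, authentication.anonymous.enabled and
    authorization.mode out of a KubeletConfiguration YAML document.
    Missing keys stay None so the caller can apply the kubelet defaults."""
    settings = {"readOnlyPort": None, "anonymousAuth": None, "authorizationMode": None}
    stack = []  # (indent, key) pairs describing the current nesting
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, _, value = raw.strip().partition(":")
        value = value.strip()
        while stack and stack[-1][0] >= indent:   # leave deeper/sibling scopes
            stack.pop()
        path = [k for _, k in stack] + [key]
        stack.append((indent, key))
        if path == ["readOnlyPort"]:
            settings["readOnlyPort"] = int(value)
        elif path == ["authentication", "anonymous", "enabled"]:
            settings["anonymousAuth"] = value.lower() == "true"
        elif path == ["authorization", "mode"]:
            settings["authorizationMode"] = value
    return settings


def apply_cmdline_flags(settings, cmdline):
    """Overlay kubelet command-line flags, which override the config file.
    Handles both `--flag=value` and `--flag value`; a bare boolean flag
    (`--anonymous-auth` with no value) means true, as in Go's flag package."""
    args = shlex.split(cmdline)
    for i, arg in enumerate(args):
        name, has_eq, value = arg.partition("=")
        if not has_eq and i + 1 < len(args) and not args[i + 1].startswith("--"):
            value = args[i + 1]
        if name == "--read-only-port":
            settings["readOnlyPort"] = int(value)
        elif name == "--anonymous-auth":
            settings["anonymousAuth"] = value == "" or value.lower() == "true"
        elif name == "--authorization-mode":
            settings["authorizationMode"] = value
    return settings


def audit(settings):
    """Return a list of findings; an empty list means the kubelet is hardened
    with respect to the three settings checked here."""
    findings = []
    port = settings["readOnlyPort"]
    if port is None:
        findings.append("readOnlyPort not set; kubelet default is 10255 (enabled)")
    elif port != 0:
        findings.append(f"read-only port {port} enabled: /pods, /metrics and "
                        "/stats/summary are served without authentication")
    if settings["anonymousAuth"] in (None, True):
        findings.append("anonymous authentication on the secure port is enabled (default true)")
    if settings["authorizationMode"] in (None, "AlwaysAllow"):
        findings.append("authorization mode is AlwaysAllow (default)")
    return findings


def harden_config(text):
    """Return the config text with the read-only port disabled (readOnlyPort: 0)."""
    if re.search(r"(?m)^readOnlyPort:", text):
        return re.sub(r"(?m)^readOnlyPort:.*$", "readOnlyPort: 0", text)
    return text.rstrip("\n") + "\nreadOnlyPort: 0\n"


if __name__ == "__main__":
    effective = apply_cmdline_flags(parse_kubelet_config(SAMPLE_KUBELET_CONFIG), SAMPLE_CMDLINE)
    for finding in audit(effective):
        print("FINDING:", finding)
    print("--- hardened config ---")
    print(harden_config(SAMPLE_KUBELET_CONFIG), end="")
```

Run as-is it reports the single finding for the sample (the read-only port is on while the secure port already has anonymous auth off and Webhook authorization), then prints the config with the port disabled. On a managed platform where the kubelet config is not under your control, the equivalent compensating control is at the network layer: a VPC firewall rule that denies tcp:10255 to the node VMs from everything except the sources that genuinely need it, which is also what this issue is asking GKE to make possible.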