kubernetes · floreks · Mar 8, 2024 · Mar 8, 2024 · Mar 8, 2024 · Mar 8, 2024
diff --git a/docs/common/arguments.md b/docs/common/arguments.md
@@ -14,7 +14,6 @@ Dashboard containers accept multiple arguments that can be used to customize the
 | tls-key-file                 | -                                    | File containing the default x509 private key matching --tls-cert-file.                                                                                                                                                                              |
 | auto-generate-certificates   | false                                | When set to true, Dashboard will automatically generate certificates used to serve HTTPS.                                                                                                                                                           |
 | apiserver-host               | -                                    | The address of the Kubernetes Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8080. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and local discovery is attempted. |
-| heapster-host                | -                                    | The address of the Heapster Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8082. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used.     |
 | sidecar-host                 | -                                    | The address of the Sidecar Apiserver to connect to in the format of protocol://address:port, e.g., http://localhost:8000. If not specified, the assumption is that the binary runs inside a Kubernetes cluster and service proxy will be used.      |
 | metrics-provider             | sidecar                              | Select provider type for metrics. 'none' will not check metrics.                                                                                                                                                                                    |
 | metric-client-check-period   | 30                                   | Time in seconds that defines how often configured metric client health check should be run.                                                                                                                                                         |
@@ -23,6 +22,7 @@ Dashboard containers accept multiple arguments that can be used to customize the
 | metrics-scraper-service-name | kubernetes-dashboard-metrics-scraper | Name of the dashboard metrics scraper service.                                                                                                                                                                                                      |
 | disable-csrf-protection      | false                                | Allows disabling CSRF protection.                                                                                                                                                                                                                   |
 | csrf-key                     | -                                    | Base64 encoded random 256 bytes key. Can be loaded from 'CSRF_KEY' environment variable.                                                                                                                                                            |
+| act-as-proxy                 | false                                | Forces dashboard to work in full proxy mode, meaning that any in-cluster calls are disabled.                                                                                                                                                        |
 | v                            | 1                                    | Number for the log level verbosity (default 1)                                                                                                                                                                                                      |                                                                                                                                                                                                                                                                                                |
 
 ## Auth module arguments

diff --git a/hack/scripts/conf.sh b/hack/scripts/conf.sh
@@ -26,8 +26,6 @@ RELEASE_VERSION=2.5.0
 ARCH=$(uname | awk '{print tolower($0)}')
 
 # Local cluster configuration (check start-cluster.sh script for more details).
-HEAPSTER_VERSION="v1.5.4"
-HEAPSTER_PORT=8082
 KIND_VERSION="v0.19.0"
 K8S_VERSION="v1.29.2"
 KIND_BIN=${CACHE_DIR}/kind-${KIND_VERSION}

diff --git a/hack/scripts/start-cluster.sh b/hack/scripts/start-cluster.sh
@@ -17,30 +17,9 @@
 ROOT_DIR="$(cd $(dirname "${BASH_SOURCE}")/../.. && pwd -P)"
 . "${ROOT_DIR}/hack/scripts/conf.sh"
 
-function start-ci-heapster {
-  echo "\nRunning heapster in standalone mode"
-  docker run --net=host -d registry.k8s.io/heapster-amd64:${HEAPSTER_VERSION} \
-             --heapster-port ${HEAPSTER_PORT} \
-             --source=kubernetes:http://127.0.0.1:8080?inClusterConfig=false&auth=""
-
-  echo "\nWaiting for heapster to be started"
-  for i in {1..150}
-  do
-    HEAPSTER_STATUS=$(curl -sb -H "Accept: application/json" "127.0.0.1:${HEAPSTER_PORT}/healthz")
-    if [ "${HEAPSTER_STATUS}" == "ok" ]; then
-      break
-    fi
-    sleep 2
-  done
-  echo "\nHeapster is up and running"
-}
-
 function start-kind {
   ${KIND_BIN} create cluster --name="k8s-cluster-ci" --image="kindest/node:${K8S_VERSION}" --config="${ROOT_DIR}/hack/scripts/kind-config"
   ensure-kubeconfig
-  if [ "${CI}" = true ] ; then
-    start-ci-heapster
-  fi
   echo "\nKubernetes cluster is ready to use"
 }
 

diff --git a/hack/test-resources/kubernetes-dashboard-local.yaml b/hack/test-resources/kubernetes-dashboard-local.yaml
@@ -74,14 +74,13 @@ rules:
   resources: ["configmaps"]
   resourceNames: ["kubernetes-dashboard-settings"]
   verbs: ["get", "update"]
-  # Allow Dashboard to get metrics from heapster.
 - apiGroups: [""]
   resources: ["services"]
-  resourceNames: ["heapster", "dashboard-metrics-scraper"]
+  resourceNames: ["dashboard-metrics-scraper"]
   verbs: ["proxy"]
 - apiGroups: [""]
   resources: ["services/proxy"]
-  resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
+  resourceNames: ["dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
   verbs: ["get"]
 ---
 kind: ClusterRole

diff --git a/modules/api/main.go b/modules/api/main.go
@@ -43,27 +43,19 @@ func main() {
 		client.WithInsecureTLSSkipVerify(args.ApiServerSkipTLSVerify()),
 	)
 
-	versionInfo, err := client.InClusterClient().Discovery().ServerVersion()
-	if err != nil {
-		handleFatalInitError(err)
+	if !args.IsProxyEnabled() {
+		ensureAPIServerConnectionOrDie()
+	} else {
+		klog.Info("Running in proxy mode. InClusterClient connections will be disabled.")
 	}
 
-	klog.InfoS("Successful initial request to the apiserver", "version", versionInfo.String())
-
 	// Init integrations
 	integrationManager := integration.NewIntegrationManager()
 
-	switch metricsProvider := args.MetricsProvider(); metricsProvider {
-	case "sidecar":
-		integrationManager.Metric().ConfigureSidecar(args.SidecarHost()).
-			EnableWithRetry(integrationapi.SidecarIntegrationID, time.Duration(args.MetricClientHealthCheckPeriod()))
-	case "none":
-		klog.Info("Metrics provider disabled")
-	default:
-		klog.InfoS("Invalid metrics provider", "provider", metricsProvider)
-		klog.Info("Using default metrics provider", "provider", "sidecar")
-		integrationManager.Metric().ConfigureSidecar(args.SidecarHost()).
-			EnableWithRetry(integrationapi.SidecarIntegrationID, time.Duration(args.MetricClientHealthCheckPeriod()))
+	if !args.IsProxyEnabled() {
+		configureMetricsProvider(integrationManager)
+	} else {
+		klog.Info("Skipping metrics configuration. Metrics not available in proxy mode.")
 	}
 
 	apiHandler, err := handler.CreateHTTPAPIHandler(integrationManager)
@@ -109,6 +101,30 @@ func serveTLS(certificates []tls.Certificate) {
 	go func() { klog.Fatal(server.ListenAndServeTLS("", "")) }()
 }
 
+func ensureAPIServerConnectionOrDie() {
+	versionInfo, err := client.InClusterClient().Discovery().ServerVersion()
+	if err != nil {
+		handleFatalInitError(err)
+	}
+
+	klog.InfoS("Successful initial request to the apiserver", "version", versionInfo.String())
+}
+
+func configureMetricsProvider(integrationManager integration.Manager) {
+	switch metricsProvider := args.MetricsProvider(); metricsProvider {
+	case "sidecar":
+		integrationManager.Metric().ConfigureSidecar(args.SidecarHost()).
+			EnableWithRetry(integrationapi.SidecarIntegrationID, time.Duration(args.MetricClientHealthCheckPeriod()))
+	case "none":
+		klog.Info("Metrics provider disabled")
+	default:
+		klog.InfoS("Invalid metrics provider", "provider", metricsProvider)
+		klog.Info("Using default metrics provider", "provider", "sidecar")
+		integrationManager.Metric().ConfigureSidecar(args.SidecarHost()).
+			EnableWithRetry(integrationapi.SidecarIntegrationID, time.Duration(args.MetricClientHealthCheckPeriod()))
+	}
+}
+
 /**
  * Handles fatal init error that prevents server from doing any work. Prints verbose error
  * message and quits the server.

diff --git a/modules/api/pkg/args/args.go b/modules/api/pkg/args/args.go
@@ -55,6 +55,7 @@ var (
 	argNamespace                 = pflag.String("namespace", helpers.GetEnv("POD_NAMESPACE", "kubernetes-dashboard"), "Namespace to use when accessing Dashboard specific resources, i.e. metrics scraper service")
 	argMetricsScraperServiceName = pflag.String("metrics-scraper-service-name", "kubernetes-dashboard-metrics-scraper", "name of the dashboard metrics scraper service")
 	argDisableCSRFProtection     = pflag.Bool("disable-csrf-protection", false, "allows disabling CSRF protection")
+	argIsProxyEnabled            = pflag.Bool("act-as-proxy", false, "forces dashboard to work in full proxy mode, meaning that any in-cluster calls are disabled")
 )
 
 func init() {
@@ -147,3 +148,7 @@ func Namespace() string {
 func IsCSRFProtectionEnabled() bool {
 	return !*argDisableCSRFProtection
 }
+
+func IsProxyEnabled() bool {
+	return *argIsProxyEnabled
+}
diff --git a/modules/api/pkg/handler/apihandler.go b/modules/api/pkg/handler/apihandler.go
@@ -78,7 +78,7 @@ const (
 	ResponseLogString = "[%s] Outcoming response to %s with %d status code"
 )
 
-// APIHandler is a representation of API handler. Structure contains clientapi, Heapster clientapi and clientapi configuration.
+// APIHandler is a representation of API handler. Structure contains clientapi and clientapi configuration.
 type APIHandler struct {
 	iManager integration.Manager
 }