Are kops clusters subject to Kubernetes known issue: etcd client balancer with secure endpoints #7816

Closed
Nuru opened this issue Oct 21, 2019 · 5 comments
Labels
lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed.

Comments

@Nuru

Nuru commented Oct 21, 2019

Kubernetes documentation lists a "known issue": etcd client balancer with secure endpoints

The etcd v3 client, released in etcd v3.3.13 or earlier, has a critical bug which affects the kube-apiserver and HA deployments. The etcd client balancer failover does not properly work against secure endpoints. As a result, etcd servers may fail or disconnect briefly from the kube-apiserver. This affects kube-apiserver HA deployments.

This issue is reported at kubernetes/kubernetes#83028 and kubernetes/kubernetes#72102 and a workaround (using wildcard SANs in etcd TLS certificates) is mentioned at kubernetes/kubernetes#72102 (comment). The comments suggest Kubernetes will not have a fix for this until Kubernetes v1.16.3, and that all versions of Kubernetes using etcd3 with TLS certificates (which is kops 1.12 and later, right?) are affected.

Are clusters deployed by kops affected by this issue, or has kops installed a workaround or later etcd3 version?

Please document what is and is not affected and any suggested mitigations.
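
The workaround referenced in the comment above relies on wildcard SANs in the etcd TLS certificates. The following is an added example, not code from kops, Kubernetes or anyone in this thread: it reports which endpoint hostnames each member's DNS SAN list fails to cover. The hostnames, port, member names and SAN lists are constructed, and it assumes the aim is for every member certificate to be valid for every endpoint name the client is given.

```python
"""Added example: which etcd endpoint hostnames does each SAN list cover?"""
from urllib.parse import urlsplit


def san_matches(host, san):
    """Match one DNS SAN against a hostname (IP SANs are out of scope).

    A wildcard counts only as the whole leftmost label and stands for exactly
    one label, so "*.example.test" covers neither "a.b.example.test" nor
    "example.test".
    """
    host_labels = host.lower().rstrip(".").split(".")
    san_labels = san.lower().rstrip(".").split(".")
    if len(host_labels) != len(san_labels):
        return False
    if san_labels[0] == "*":
        return len(san_labels) > 1 and host_labels[1:] == san_labels[1:]
    return host_labels == san_labels


def uncovered(endpoints, member_sans):
    """Return {member: [endpoint hosts its SANs miss]}, gaps only."""
    hosts = []
    for url in endpoints:
        host = urlsplit(url).hostname
        if host is None:
            raise ValueError(f"endpoint needs a scheme and host: {url!r}")
        hosts.append(host)
    gaps = {}
    for member, sans in member_sans.items():
        missing = [h for h in hosts if not any(san_matches(h, s) for s in sans)]
        if missing:
            gaps[member] = missing
    return gaps


# Constructed sample data: hostnames, port and member names are placeholders.
DOMAIN = "internal.example.test"
ENDPOINTS = [f"https://etcd-{m}.{DOMAIN}:2379" for m in "abc"]
PER_HOST = {m: [f"etcd-{m}.{DOMAIN}"] for m in "abc"}   # one name per cert
WILDCARD = {m: [f"*.{DOMAIN}"] for m in "abc"}          # workaround style

if __name__ == "__main__":
    print("per-host SANs:", uncovered(ENDPOINTS, PER_HOST))
    print("wildcard SANs:", uncovered(ENDPOINTS, WILDCARD))
```

In practice the SAN lists would be read from each member's server certificate rather than typed in by hand.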

@rainchei

Using kops Version 1.17.0-alpha.1 (git-501baf7e5) and the manifest below
(remember to export KOPS_FEATURE_FLAGS=SkipEtcdVersionCheck)

  etcdClusters:
  - name: main
    version: 3.4.3
    etcdMembers:
    - instanceGroup: master-us-east-2a
      name: a
    - instanceGroup: master-us-east-2b
      name: b
    - instanceGroup: master-us-east-2c
      name: c
  - name: events
    version: 3.4.3
    etcdMembers:
    - instanceGroup: master-us-east-2a
      name: a
    - instanceGroup: master-us-east-2b
      name: b
    - instanceGroup: master-us-east-2c
      name: c

we seem to be able to upgrade to etcd 3.4.3

./etcd-manager-ctl -backup-store=<xxx-yyy> get
Backup Store: <xxx-yyy>
member_count:3 etcd_version:"3.4.3"

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Mar 19, 2020
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Apr 18, 2020
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
