Merge pull request #77447 from dekkagaijin/mip

disable the apiserver's insecure port by default
k3s-v1.15.3
Kubernetes Prow Robot 2019-05-07 22:14:32 -07:00 committed by GitHub
commit 0befec7fb6
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 16 additions and 2 deletions


@ -604,6 +604,9 @@ function create-master-auth {
if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
fi
if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BOOTSTRAP_TOKEN}," "system:cluster-bootstrap,uid:system:cluster-bootstrap,system:masters"
fi
if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
fi
@ -1562,7 +1565,7 @@ function start-kube-apiserver {
params+=" --etcd-keyfile=${ETCD_APISERVER_CLIENT_KEY_PATH}"
fi
params+=" --secure-port=443"
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
# Default is :8080
params+=" --insecure-port=0"
fi
@ -2866,6 +2869,14 @@ function wait-till-apiserver-ready() {
done
}
function ensure-bootstrap-kubectl-auth {
# Creating an authenticated kubeconfig is only necessary if the insecure port is disabled.
if [[ -n "${KUBE_BOOTSTRAP_TOKEN}" ]]; then
create-kubeconfig "cluster-bootstrap" ${KUBE_BOOTSTRAP_TOKEN}
export KUBECONFIG=/etc/srv/kubernetes/cluster-bootstrap/kubeconfig
fi
}
########### Main Function ###########
function main() {
echo "Start to configure instance for kubernetes"
@ -2913,10 +2924,12 @@ function main() {
fi
fi
# generate the controller manager, scheduler and cluster autoscaler tokens here since they are only used on the master.
KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)"
KUBE_SCHEDULER_TOKEN="$(secure_random 32)"
KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)"
if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
fi
if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then
GCE_GLBC_TOKEN="$(secure_random 32)"
fi
@ -2933,6 +2946,7 @@ function main() {
create-node-pki
create-master-pki
create-master-auth
ensure-bootstrap-kubectl-auth
create-master-kubelet-auth
create-master-etcd-auth
create-master-etcd-apiserver-auth
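Review bot: In the `ensure-bootstrap-kubectl-auth` hunk (@ -2866), `[[ -n "${KUBE_BOOTSTRAP_TOKEN}" ]]` reads the variable without a default, whereas the create-master-auth hunk uses `${KUBE_BOOTSTRAP_TOKEN:-}` and the main hunk only assigns the token when `ENABLE_APISERVER_INSECURE_PORT` is not `true`; if this script runs under `set -u` (not visible in the diff), the path with the insecure port enabled would abort on the unset variable. The token is also expanded unquoted in the `create-kubeconfig` call; change the two lines to `if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then` and `create-kubeconfig "cluster-bootstrap" "${KUBE_BOOTSTRAP_TOKEN}"`. Because the same token is registered with `system:masters` in the known tokens file, the kubeconfig written to /etc/srv/kubernetes/cluster-bootstrap/kubeconfig is a cluster-admin credential persisted on the master; `create-kubeconfig` is outside the diff, so confirm it creates the file with restrictive permissions and consider noting that in the function's comment.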