From 1d9a896066b3e10e8c1a0d506e00bc354b7772f0 Mon Sep 17 00:00:00 2001 From: "Dr. Stefan Schimanski" Date: Thu, 16 Aug 2018 20:47:15 +0200 Subject: [PATCH] apiserver: move controller-manager's insecure config into apiserver --- .../app/config/config.go | 3 +- .../app/options/options.go | 6 +- .../app/options/options_test.go | 12 +- .../app/options/insecure_serving.go | 105 ----------- .../app/options/options_test.go | 4 +- .../app/config/config.go | 3 +- .../app/options/options.go | 10 +- .../app/options/options_test.go | 6 +- cmd/kube-scheduler/app/config/config.go | 5 +- .../app/options/insecure_serving.go | 20 +-- .../app/options/insecure_serving_test.go | 30 ++-- cmd/kube-scheduler/app/options/options.go | 5 +- pkg/kubeapiserver/options/serving.go | 5 +- .../pkg/server/deprecated_insecure_serving.go | 32 +++- .../options/deprecated_insecure_serving.go | 164 ++++++++++++++++++ .../pkg/server/options/recommended.go | 2 +- .../pkg/server/options/serving_test.go | 4 +- .../server/options/serving_with_loopback.go | 2 +- .../server/{serve.go => secure_serving.go} | 0 19 files changed, 247 insertions(+), 171 deletions(-) delete mode 100644 cmd/controller-manager/app/options/insecure_serving.go rename cmd/controller-manager/app/insecure_serving.go => staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go (55%) create mode 100644 staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go rename staging/src/k8s.io/apiserver/pkg/server/{serve.go => secure_serving.go} (100%) diff --git a/cmd/cloud-controller-manager/app/config/config.go b/cmd/cloud-controller-manager/app/config/config.go index 9282cfd106..abd2df05ad 100644 --- a/cmd/cloud-controller-manager/app/config/config.go +++ b/cmd/cloud-controller-manager/app/config/config.go 
@@ -22,7 +22,6 @@ import ( clientset "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" "k8s.io/client-go/tools/record" - genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app" "k8s.io/kubernetes/pkg/apis/componentconfig" "k8s.io/kubernetes/pkg/controller" ) @@ -33,7 +32,7 @@ type Config struct { SecureServing *apiserver.SecureServingInfo // TODO: remove deprecated insecure serving - InsecureServing *genericcontrollermanager.InsecureServingInfo + InsecureServing *apiserver.DeprecatedInsecureServingInfo Authentication apiserver.AuthenticationInfo Authorization apiserver.AuthorizationInfo diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go index 854a1450c9..21c1351644 100644 --- a/cmd/cloud-controller-manager/app/options/options.go +++ b/cmd/cloud-controller-manager/app/options/options.go @@ -63,7 +63,7 @@ type CloudControllerManagerOptions struct { SecureServing *apiserveroptions.SecureServingOptions // TODO: remove insecure serving mode - InsecureServing *cmoptions.InsecureServingOptions + InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions Authentication *apiserveroptions.DelegatingAuthenticationOptions Authorization *apiserveroptions.DelegatingAuthorizationOptions @@ -90,7 +90,7 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error) ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs, }, SecureServing: apiserveroptions.NewSecureServingOptions(), - InsecureServing: &cmoptions.InsecureServingOptions{ + InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address), BindPort: int(componentConfig.KubeCloudShared.Port), BindNetwork: "tcp", 
@@ -140,7 +140,7 @@ func (o *CloudControllerManagerOptions) AddFlags(fs *pflag.FlagSet) { o.ServiceController.AddFlags(fs) o.SecureServing.AddFlags(fs) - o.InsecureServing.AddFlags(fs) + o.InsecureServing.AddUnqualifiedFlags(fs) o.Authentication.AddFlags(fs) o.Authorization.AddFlags(fs) diff --git a/cmd/cloud-controller-manager/app/options/options_test.go b/cmd/cloud-controller-manager/app/options/options_test.go index 84ff245685..f7215ea658 100644 --- a/cmd/cloud-controller-manager/app/options/options_test.go +++ b/cmd/cloud-controller-manager/app/options/options_test.go @@ -57,8 +57,8 @@ func TestDefaultFlags(t *testing.T) { }, }, KubeCloudShared: &cmoptions.KubeCloudSharedOptions{ - Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config - Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config + Port: 10253, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config + Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config RouteReconciliationPeriod: metav1.Duration{Duration: 10 * time.Second}, NodeMonitorPeriod: metav1.Duration{Duration: 5 * time.Second}, ClusterName: "kubernetes", @@ -79,7 +79,7 @@ func TestDefaultFlags(t *testing.T) { }, HTTP2MaxStreamsPerConnection: 0, }, - InsecureServing: &cmoptions.InsecureServingOptions{ + InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ BindAddress: net.ParseIP("0.0.0.0"), BindPort: int(10253), BindNetwork: "tcp", 
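Review bot: Switching this call to AddUnqualifiedFlags changes how `--address` and `--port` appear in --help: the new AddUnqualifiedFlags in staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go calls fs.MarkDeprecated for both flags without resetting Hidden, whereas the deleted cmd/controller-manager/app/options/insecure_serving.go deliberately avoided MarkDeprecated because it hides the flag, and the sibling AddFlags in the new file restores visibility with `fs.Lookup(...).Hidden = false`. Unless hiding them is intended (the commit message does not say so), AddUnqualifiedFlags should mirror AddFlags by adding `fs.Lookup("address").Hidden = false` after the first MarkDeprecated and `fs.Lookup("port").Hidden = false` after the second. The identical call-site change in cmd/kube-controller-manager/app/options/options.go (the `s.InsecureServing.AddUnqualifiedFlags(fs)` hunk) is affected in the same way. The enclosing AddFlags method starts and ends outside this hunk.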
@@ -154,8 +154,8 @@ func TestAddFlags(t *testing.T) { }, }, KubeCloudShared: &cmoptions.KubeCloudSharedOptions{ - Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config - Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config + Port: 10253, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config + Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second}, NodeMonitorPeriod: metav1.Duration{Duration: 5 * time.Second}, ClusterName: "k8s", @@ -176,7 +176,7 @@ func TestAddFlags(t *testing.T) { }, HTTP2MaxStreamsPerConnection: 47, }, - InsecureServing: &cmoptions.InsecureServingOptions{ + InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ BindAddress: net.ParseIP("192.168.4.10"), BindPort: int(10000), BindNetwork: "tcp", diff --git a/cmd/controller-manager/app/options/insecure_serving.go b/cmd/controller-manager/app/options/insecure_serving.go deleted file mode 100644 index 3f98437a6c..0000000000 --- a/cmd/controller-manager/app/options/insecure_serving.go +++ /dev/null 
@@ -1,105 +0,0 @@ -/* -Copyright 2017 The Kubernetes Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ - -package options - -import ( - "fmt" - "net" - - "github.com/spf13/pflag" - - "k8s.io/apiserver/pkg/server/options" - genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app" -) - -// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port. -// No one should be using these anymore. -type InsecureServingOptions struct { - BindAddress net.IP - BindPort int - // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp", - // "tcp4", and "tcp6". - BindNetwork string - - // Listener is the secure server network listener. - // either Listener or BindAddress/BindPort/BindNetwork is set, - // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork. - Listener net.Listener - - // ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests. - // It defaults to options.CreateListener. - ListenFunc func(network, addr string) (net.Listener, int, error) -} - -// Validate ensures that the insecure port values within the range of the port. -func (s *InsecureServingOptions) Validate() []error { - if s == nil { - return nil - } - - errors := []error{} - - if s.BindPort < 0 || s.BindPort > 65335 { - errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 
0 for turning off insecure (HTTP) port", s.BindPort)) - } - - return errors -} - -// AddFlags adds flags related to insecure serving for controller manager to the specified FlagSet. -func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) { - if s == nil { - return - } - - fs.IPVar(&s.BindAddress, "address", s.BindAddress, "DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead.") - // MarkDeprecated hides the flag from the help. We don't want that: - // fs.MarkDeprecated("address", "see --bind-address instead.") - fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead.") - // MarkDeprecated hides the flag from the help. We don't want that: - // fs.MarkDeprecated("port", "see --secure-port instead.") -} - -// ApplyTo adds InsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration. -// Note: the double pointer allows to set the *InsecureServingInfo to nil without referencing the struct hosting this pointer. -func (s *InsecureServingOptions) ApplyTo(c **genericcontrollermanager.InsecureServingInfo) error { - if s == nil { - return nil - } - if s.BindPort <= 0 { - return nil - } - - if s.Listener == nil { - var err error - listen := options.CreateListener - if s.ListenFunc != nil { - listen = s.ListenFunc - } - addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort)) - s.Listener, s.BindPort, err = listen(s.BindNetwork, addr) - if err != nil { - return fmt.Errorf("failed to create listener: %v", err) - } - } - - *c = &genericcontrollermanager.InsecureServingInfo{ - Listener: s.Listener, - } - - return nil -} diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go index 234961d81e..dc712d18c8 100644 
--- a/cmd/kube-apiserver/app/options/options_test.go +++ b/cmd/kube-apiserver/app/options/options_test.go @@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) { EnableWatchCache: true, DefaultWatchCacheSize: 100, }, - SecureServing: apiserveroptions.WithLoopback(&apiserveroptions.SecureServingOptions{ + SecureServing: apiserveroptions.SecureServingOptions{ BindAddress: net.ParseIP("192.168.10.20"), BindPort: 6443, ServerCert: apiserveroptions.GeneratableKeyCert{ @@ -168,7 +168,7 @@ func TestAddFlags(t *testing.T) { }, HTTP2MaxStreamsPerConnection: 42, Required: true, - }), + }.WithLoopback(), InsecureServing: &kubeoptions.InsecureServingOptions{ BindAddress: net.ParseIP("127.0.0.1"), BindPort: 8080, diff --git a/cmd/kube-controller-manager/app/config/config.go b/cmd/kube-controller-manager/app/config/config.go index 4713e9dfe2..c565f23ab6 100644 --- a/cmd/kube-controller-manager/app/config/config.go +++ b/cmd/kube-controller-manager/app/config/config.go @@ -21,7 +21,6 @@ import ( clientset "k8s.io/client-go/kubernetes" restclient "k8s.io/client-go/rest" "k8s.io/client-go/tools/record" - genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app" "k8s.io/kubernetes/pkg/apis/componentconfig" ) @@ -31,7 +30,7 @@ type Config struct { SecureServing *apiserver.SecureServingInfo // TODO: remove deprecated insecure serving - InsecureServing *genericcontrollermanager.InsecureServingInfo + InsecureServing *apiserver.DeprecatedInsecureServingInfo Authentication apiserver.AuthenticationInfo Authorization apiserver.AuthorizationInfo diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go index eb818c9e5b..96864ef126 100644 --- a/cmd/kube-controller-manager/app/options/options.go +++ b/cmd/kube-controller-manager/app/options/options.go 
@@ -85,7 +85,7 @@ type KubeControllerManagerOptions struct { SecureServing *apiserveroptions.SecureServingOptions // TODO: remove insecure serving mode - InsecureServing *cmoptions.InsecureServingOptions + InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions Authentication *apiserveroptions.DelegatingAuthenticationOptions Authorization *apiserveroptions.DelegatingAuthorizationOptions @@ -178,7 +178,7 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) { }, Controllers: componentConfig.Controllers, SecureServing: apiserveroptions.NewSecureServingOptions(), - InsecureServing: &cmoptions.InsecureServingOptions{ + InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address), BindPort: int(componentConfig.KubeCloudShared.Port), BindNetwork: "tcp", @@ -234,7 +234,7 @@ func (s *KubeControllerManagerOptions) AddFlags(fs *pflag.FlagSet, allController s.ServiceController.AddFlags(fs) s.SecureServing.AddFlags(fs) - s.InsecureServing.AddFlags(fs) + s.InsecureServing.AddUnqualifiedFlags(fs) s.Authentication.AddFlags(fs) s.Authorization.AddFlags(fs) @@ -341,10 +341,10 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil { return err } - if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil { + if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil { return err } - if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil { + if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil { return err } if err := s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil { diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go index c5c4b83a0b..f8e31d4fd1 100644 --- a/cmd/kube-controller-manager/app/options/options_test.go 
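Review bot: The swap that now runs `s.InsecureServing.ApplyTo(&c.InsecureServing)` before `s.SecureServing.ApplyTo(&c.SecureServing)` in KubeControllerManagerOptions.ApplyTo is not explained by the commit message, and nothing visible in the hunk depends on it: the only consumer of either result inside the hunk is the following `s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil)`, which still runs after both. If there is an ordering requirement, state it in a one-line comment above the first call; otherwise keep the original order so this file's change stays a pure rename. The cloud-controller-manager's ApplyTo is not touched by this patch, so the two managers presumably now apply these two options in different orders. The enclosing ApplyTo method starts and ends outside this hunk.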
+++ b/cmd/kube-controller-manager/app/options/options_test.go @@ -140,8 +140,8 @@ func TestAddFlags(t *testing.T) { }, }, KubeCloudShared: &cmoptions.KubeCloudSharedOptions{ - Port: 10252, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config - Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config + Port: 10252, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config + Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config UseServiceAccountCredentials: true, RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second}, NodeMonitorPeriod: metav1.Duration{Duration: 10 * time.Second}, @@ -253,7 +253,7 @@ func TestAddFlags(t *testing.T) { }, HTTP2MaxStreamsPerConnection: 47, }, - InsecureServing: &cmoptions.InsecureServingOptions{ + InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ BindAddress: net.ParseIP("192.168.4.10"), BindPort: int(10000), BindNetwork: "tcp", diff --git a/cmd/kube-scheduler/app/config/config.go b/cmd/kube-scheduler/app/config/config.go index e57f9c224c..4f1e674dd3 100644 --- a/cmd/kube-scheduler/app/config/config.go +++ b/cmd/kube-scheduler/app/config/config.go @@ -24,7 +24,6 @@ import ( v1core "k8s.io/client-go/kubernetes/typed/core/v1" "k8s.io/client-go/tools/leaderelection" "k8s.io/client-go/tools/record" - "k8s.io/kubernetes/cmd/controller-manager/app" "k8s.io/kubernetes/pkg/apis/componentconfig" ) 
@@ -33,8 +32,8 @@ type Config struct { // config is the scheduler server's configuration object. ComponentConfig componentconfig.KubeSchedulerConfiguration - InsecureServing *app.InsecureServingInfo // nil will disable serving on an insecure port - InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently + InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port + InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently Authentication apiserver.AuthenticationInfo Authorization apiserver.AuthorizationInfo SecureServing *apiserver.SecureServingInfo diff --git a/cmd/kube-scheduler/app/options/insecure_serving.go b/cmd/kube-scheduler/app/options/insecure_serving.go index 5abe57cbb8..b7353789fa 100644 --- a/cmd/kube-scheduler/app/options/insecure_serving.go +++ b/cmd/kube-scheduler/app/options/insecure_serving.go 
@@ -23,16 +23,16 @@ import ( "github.com/spf13/pflag" - controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options" + apiserveroptions "k8s.io/apiserver/pkg/server/options" schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config" "k8s.io/kubernetes/pkg/apis/componentconfig" ) // CombinedInsecureServingOptions sets up up to two insecure listeners for healthz and metrics. The flags -// override the ComponentConfig and InsecureServingOptions values for both. +// override the ComponentConfig and DeprecatedInsecureServingOptions values for both. type CombinedInsecureServingOptions struct { - Healthz *controlleroptions.InsecureServingOptions - Metrics *controlleroptions.InsecureServingOptions + Healthz *apiserveroptions.DeprecatedInsecureServingOptions + Metrics *apiserveroptions.DeprecatedInsecureServingOptions BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig @@ -53,10 +53,10 @@ func (o *CombinedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) { } func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, componentConfig *componentconfig.KubeSchedulerConfiguration) error { - if err := updateAddressFromInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil { + if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil { return err } - if err := updateAddressFromInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil { + if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil { return err } 
@@ -98,17 +98,17 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp return nil } - if err := updateInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil { + if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil { return fmt.Errorf("invalid healthz address: %v", err) } - if err := updateInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil { + if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil { return fmt.Errorf("invalid metrics address: %v", err) } return o.applyTo(c, componentConfig) } -func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions.InsecureServingOptions) error { +func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error { if is == nil { *addr = "" } else { @@ -124,7 +124,7 @@ func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions return nil } -func updateInsecureServingOptionsFromAddress(is *controlleroptions.InsecureServingOptions, addr string) error { +func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error { if is == nil { return nil } diff --git a/cmd/kube-scheduler/app/options/insecure_serving_test.go b/cmd/kube-scheduler/app/options/insecure_serving_test.go index f04dfd8d1f..78f45eecf1 100644 --- a/cmd/kube-scheduler/app/options/insecure_serving_test.go +++ b/cmd/kube-scheduler/app/options/insecure_serving_test.go @@ -23,7 +23,7 @@ import ( "testing" "k8s.io/apimachinery/pkg/util/rand" - "k8s.io/kubernetes/cmd/controller-manager/app/options" + apiserveroptions "k8s.io/apiserver/pkg/server/options" schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config" "k8s.io/kubernetes/pkg/apis/componentconfig" ) 
@@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &options.InsecureServingOptions{}, - Metrics: &options.InsecureServingOptions{}, + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindPort: 0, }, }, @@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &options.InsecureServingOptions{}, + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindPort: 0, }, }, @@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Metrics: &options.InsecureServingOptions{}, + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindPort: 0, }, }, @@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &options.InsecureServingOptions{}, - Metrics: &options.InsecureServingOptions{}, + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindPort: 0, }, }, @@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1235", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &options.InsecureServingOptions{}, - Metrics: &options.InsecureServingOptions{}, + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindPort: 0, }, }, 
@@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &options.InsecureServingOptions{}, - Metrics: &options.InsecureServingOptions{}, + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindPort: 1236, BindAddress: "1.2.3.4", }, @@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &options.InsecureServingOptions{}, - Metrics: &options.InsecureServingOptions{}, + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindAddress: "2.3.4.5", BindPort: 1234, }, @@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &options.InsecureServingOptions{}, - Metrics: &options.InsecureServingOptions{}, + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, BindAddress: "2.3.4.5", BindPort: 0, }, diff --git a/cmd/kube-scheduler/app/options/options.go b/cmd/kube-scheduler/app/options/options.go index 08990fda36..2150dea1aa 100644 --- a/cmd/kube-scheduler/app/options/options.go +++ b/cmd/kube-scheduler/app/options/options.go @@ -41,7 +41,6 @@ import ( "k8s.io/client-go/tools/leaderelection" "k8s.io/client-go/tools/leaderelection/resourcelock" "k8s.io/client-go/tools/record" - controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options" schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config" "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/apis/componentconfig" 
@@ -86,10 +85,10 @@ func NewOptions() (*Options, error) { ComponentConfig: *cfg, SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions() CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &controlleroptions.InsecureServingOptions{ + Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{ BindNetwork: "tcp", }, - Metrics: &controlleroptions.InsecureServingOptions{ + Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{ BindNetwork: "tcp", }, BindPort: hport, diff --git a/pkg/kubeapiserver/options/serving.go b/pkg/kubeapiserver/options/serving.go index c2bad3e892..9091564507 100644 --- a/pkg/kubeapiserver/options/serving.go +++ b/pkg/kubeapiserver/options/serving.go @@ -33,7 +33,7 @@ import ( // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by // "normal" API servers running on the platform func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback { - return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{ + o := genericoptions.SecureServingOptions{ BindAddress: net.ParseIP("0.0.0.0"), BindPort: 6443, Required: true, @@ -41,7 +41,8 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback PairName: "apiserver", CertDirectory: "/var/run/kubernetes", }, - }) + } + return o.WithLoopback() } // DefaultAdvertiseAddress sets the field AdvertiseAddress if diff --git a/cmd/controller-manager/app/insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go similarity index 55% rename from cmd/controller-manager/app/insecure_serving.go rename to staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go index 156fbadfc3..3e88dd49db 100644 --- a/cmd/controller-manager/app/insecure_serving.go +++ b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go 
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package app +package server import ( "net" @@ -23,11 +23,11 @@ import ( "github.com/golang/glog" - "k8s.io/apiserver/pkg/server" + "k8s.io/client-go/rest" ) -// InsecureServingInfo is the main context object for the insecure http server. -type InsecureServingInfo struct { +// DeprecatedInsecureServingInfo is the main context object for the insecure http server. +type DeprecatedInsecureServingInfo struct { // Listener is the secure server network listener. Listener net.Listener // optional server name for log messages @@ -36,7 +36,7 @@ type InsecureServingInfo struct { // Serve starts an insecure http server with the given handler. It fails only if // the initial listen call fails. It does not block. -func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error { +func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error { insecureServer := &http.Server{ Addr: s.Listener.Addr().String(), Handler: handler, 
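Review bot: The field comment `// Listener is the secure server network listener.` on DeprecatedInsecureServingInfo is wrong for this type, and with the move into k8s.io/apiserver/pkg/server it now reads as library API documentation; the type comment directly above calls it the context object for the insecure http server. Change it to `// Listener is the insecure (plain HTTP) server network listener.`. The same copy-pasted sentence sits on the Listener field of DeprecatedInsecureServingOptions in the new staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go and should be fixed there too.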
@@ -48,5 +48,25 @@ func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.D
 } else {
 glog.Infof("Serving insecurely on %s", s.Listener.Addr())
 }
- return server.RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
+ return RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
+}
+
+func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
+ if s == nil {
+ return nil, nil
+ }
+
+ host, port, err := LoopbackHostPort(s.Listener.Addr().String())
+ if err != nil {
+ return nil, err
+ }
+
+ return &rest.Config{
+ Host: "http://" + net.JoinHostPort(host, port),
+ // Increase QPS limits. The client is currently passed to all admission plugins,
+ // and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+ // for more details. Once #22422 is fixed, we may want to remove it.
+ QPS: 50,
+ Burst: 100,
+ }, nil
 }
diff --git a/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go
new file mode 100644
index 0000000000..e8e3d7feb3
--- /dev/null
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go
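Review bot: NewLoopbackClientConfig is exported without a doc comment, and its contract has two traps worth writing down: it returns `nil, nil` for a nil receiver, so a caller that only checks err will dereference a nil *rest.Config, and the config it builds is plain `http://` with no credentials and no TLS, which is exactly the unauthenticated, unauthorized access the insecure port provides. Suggested comment: `// NewLoopbackClientConfig returns a rest.Config for reaching this server over its insecure HTTP listener; the config carries no credentials and no TLS, and it is nil (with a nil error) when s is nil.` The method also dereferences s.Listener unconditionally, as Serve does; if a non-nil info with a nil Listener can ever be constructed, returning an error there would be safer than a panic.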
@@ -0,0 +1,164 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/rest"
+)
+
+// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
+// No one should be using these anymore.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptions struct {
+	BindAddress net.IP
+	BindPort    int
+	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
+	// "tcp4", and "tcp6".
+	BindNetwork string
+
+	// Listener is the secure server network listener.
+	// either Listener or BindAddress/BindPort/BindNetwork is set,
+	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
+	Listener net.Listener
+
+	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
+	// It defaults to options.CreateListener.
+	ListenFunc func(network, addr string) (net.Listener, int, error)
+}
+
+// Validate ensures that the insecure port values within the range of the port.
+func (s *DeprecatedInsecureServingOptions) Validate() []error {
+	if s == nil {
+		return nil
+	}
+
+	errors := []error{}
+
+	if s.BindPort < 0 || s.BindPort > 65335 {
+		errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
+	}
+
+	return errors
+}
+
+// AddFlags adds flags related to insecure serving to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
+	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-bind-address").Hidden = false
+
+	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+		"The port on which to serve unsecured, unauthenticated access.")
+	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-port").Hidden = false
+}
+
+// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+		"DEPRECATED: see --bind-address instead.")
+	fs.MarkDeprecated("address", "see --bind-address instead.")
+
+	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --secure-port instead.")
+	fs.MarkDeprecated("port", "see --secure-port instead.")
+}
+
+// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
+// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
+func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
+	if s == nil {
+		return nil
+	}
+	if s.BindPort <= 0 {
+		return nil
+	}
+
+	if s.Listener == nil {
+		var err error
+		listen := CreateListener
+		if s.ListenFunc != nil {
+			listen = s.ListenFunc
+		}
+		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
+		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
+		if err != nil {
+			return fmt.Errorf("failed to create listener: %v", err)
+		}
+	}
+
+	*c = &server.DeprecatedInsecureServingInfo{
+		Listener: s.Listener,
+	}
+
+	return nil
+}
+
+// WithLoopback adds loopback functionality to the serving options.
+func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback {
+	return &DeprecatedInsecureServingOptionsWithLoopback{o}
+}
+
+// DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptionsWithLoopback struct {
+	*DeprecatedInsecureServingOptions
+}
+
+// ApplyTo fills up serving information in the server configuration.
+func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error {
+	if s == nil || s.DeprecatedInsecureServingOptions == nil || insecureServingInfo == nil {
+		return nil
+	}
+
+	if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil {
+		return err
+	}
+
+	if *insecureServingInfo == nil || loopbackClientConfig == nil {
+		return nil
+	}
+
+	secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
+	switch {
+	// if we failed and there's no fallback loopback client config, we need to fail
+	case err != nil && secureLoopbackClientConfig == nil:
+		return err
+
+	// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
+	case err != nil && secureLoopbackClientConfig != nil:
+
+	default:
+		*loopbackClientConfig = secureLoopbackClientConfig
+	}
+
+	return nil
+}
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
index d792d87515..5016145bd1 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
@@ -54,7 +54,7 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
 
 	return &RecommendedOptions{
 		Etcd:           NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
-		SecureServing:  WithLoopback(sso),
+		SecureServing:  sso.WithLoopback(),
 		Authentication: NewDelegatingAuthenticationOptions(),
 		Authorization:  NewDelegatingAuthorizationOptions(),
 		Audit:          NewAuditOptions(),
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
index 939566a027..0cc21d6a38 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
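Review bot: Validate's upper bound is 65335 instead of 65535, so the valid ports 65336–65535 are rejected and the error text repeats the typo; use `if s.BindPort < 0 || s.BindPort > 65535 {` and `"insecure port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port"`. The field comment `// Listener is the secure server network listener.` on DeprecatedInsecureServingOptions describes the wrong port and should read `// Listener is the insecure (plain HTTP) server network listener.`. In DeprecatedInsecureServingOptionsWithLoopback.ApplyTo the local `secureLoopbackClientConfig` holds the plain-HTTP config from NewLoopbackClientConfig, and since that method returns a nil config whenever err is non-nil (previous hunk), the `case err != nil && secureLoopbackClientConfig != nil:` branch is unreachable here; renaming the local to `insecureLoopbackClientConfig` and dropping the dead case would make the control flow match what this variant can actually produce. The ApplyTo doc comment on DeprecatedInsecureServingOptions also has `amd` for `and`.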
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
@@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) {
 			config.Version = &v
 
 			config.EnableIndex = true
-			secureOptions := WithLoopback(&SecureServingOptions{
+			secureOptions := SecureServingOptions{
 				BindAddress: net.ParseIP("127.0.0.1"),
 				BindPort:    6443,
 				ServerCert: GeneratableKeyCert{
@@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) {
 					},
 				},
 				SNICertKeys: namedCertKeys,
-			})
+			}.WithLoopback()
 			// use a random free port
 			ln, err := net.Listen("tcp", "127.0.0.1:0")
 			if err != nil {
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
index df4750d9ac..ac9635d2dd 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
@@ -31,7 +31,7 @@ type SecureServingOptionsWithLoopback struct {
 	*SecureServingOptions
 }
 
-func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
+func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback {
 	return &SecureServingOptionsWithLoopback{o}
 }
 
diff --git a/staging/src/k8s.io/apiserver/pkg/server/serve.go b/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go
similarity index 100%
rename from staging/src/k8s.io/apiserver/pkg/server/serve.go
rename to staging/src/k8s.io/apiserver/pkg/server/secure_serving.go
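Review bot: `secureOptions := SecureServingOptions{` together with the closing `}.WithLoopback()` in the second hunk of this file calls a pointer-receiver method on a composite literal, which is not addressable, so the test no longer compiles (the serving_with_loopback.go hunk below declares `func (o *SecureServingOptions) WithLoopback()`). Take the address of the literal instead: `secureOptions := (&SecureServingOptions{` and close with `}).WithLoopback()`. TestServerRunWithSNI starts and ends outside both hunks.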
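Review bot: The exported method WithLoopback on SecureServingOptions still has no doc comment, while its DeprecatedInsecureServingOptions counterpart added in this commit does; add `// WithLoopback adds loopback functionality to the serving options.` above the signature so the two read the same way.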