apiserver: move controller-manager's insecure config into apiserver

cmd/cloud-controller-manager/app/config/config.go

@@ -22,7 +22,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
-	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	"k8s.io/kubernetes/pkg/controller"
 )
@@ -33,7 +32,7 @@ type Config struct {
 
 	SecureServing *apiserver.SecureServingInfo
 	// TODO: remove deprecated insecure serving
-	InsecureServing *genericcontrollermanager.InsecureServingInfo
+	InsecureServing *apiserver.DeprecatedInsecureServingInfo
 	Authentication  apiserver.AuthenticationInfo
 	Authorization   apiserver.AuthorizationInfo
 

cmd/cloud-controller-manager/app/options/options.go

@@ -63,7 +63,7 @@ type CloudControllerManagerOptions struct {
 
 	SecureServing *apiserveroptions.SecureServingOptions
 	// TODO: remove insecure serving mode
-	InsecureServing *cmoptions.InsecureServingOptions
+	InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
 	Authentication  *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization   *apiserveroptions.DelegatingAuthorizationOptions
 
@@ -90,7 +90,7 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 			ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
 		},
 		SecureServing: apiserveroptions.NewSecureServingOptions(),
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
 			BindPort:    int(componentConfig.KubeCloudShared.Port),
 			BindNetwork: "tcp",
@@ -140,7 +140,7 @@ func (o *CloudControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 	o.ServiceController.AddFlags(fs)
 
 	o.SecureServing.AddFlags(fs)
-	o.InsecureServing.AddFlags(fs)
+	o.InsecureServing.AddUnqualifiedFlags(fs)
 	o.Authentication.AddFlags(fs)
 	o.Authorization.AddFlags(fs)
 

cmd/cloud-controller-manager/app/options/options_test.go

@@ -57,8 +57,8 @@ func TestDefaultFlags(t *testing.T) {
 			},
 		},
 		KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
-			Port:                      10253,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:                      10253,     // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address:                   "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address:                   "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 			RouteReconciliationPeriod: metav1.Duration{Duration: 10 * time.Second},
 			NodeMonitorPeriod:         metav1.Duration{Duration: 5 * time.Second},
 			ClusterName:               "kubernetes",
@@ -79,7 +79,7 @@ func TestDefaultFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 0,
 		},
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("0.0.0.0"),
 			BindPort:    int(10253),
 			BindNetwork: "tcp",
@@ -154,8 +154,8 @@ func TestAddFlags(t *testing.T) {
 			},
 		},
 		KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
-			Port:                      10253,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:                      10253,     // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address:                   "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address:                   "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 			RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second},
 			NodeMonitorPeriod:         metav1.Duration{Duration: 5 * time.Second},
 			ClusterName:               "k8s",
@@ -176,7 +176,7 @@ func TestAddFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 47,
 		},
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("192.168.4.10"),
 			BindPort:    int(10000),
 			BindNetwork: "tcp",

cmd/controller-manager/app/options/insecure_serving.go

@@ -1,105 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package options
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/spf13/pflag"
-
-	"k8s.io/apiserver/pkg/server/options"
-	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
-)
-
-// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-type InsecureServingOptions struct {
-	BindAddress net.IP
-	BindPort    int
-	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
-	// "tcp4", and "tcp6".
-	BindNetwork string
-
-	// Listener is the secure server network listener.
-	// either Listener or BindAddress/BindPort/BindNetwork is set,
-	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
-	Listener net.Listener
-
-	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
-	// It defaults to options.CreateListener.
-	ListenFunc func(network, addr string) (net.Listener, int, error)
-}
-
-// Validate ensures that the insecure port values within the range of the port.
-func (s *InsecureServingOptions) Validate() []error {
-	if s == nil {
-		return nil
-	}
-
-	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65335 {
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
-	}
-
-	return errors
-}
-
-// AddFlags adds flags related to insecure serving for controller manager to the specified FlagSet.
-func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
-	if s == nil {
-		return
-	}
-
-	fs.IPVar(&s.BindAddress, "address", s.BindAddress, "DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead.")
-	// MarkDeprecated hides the flag from the help. We don't want that:
-	// fs.MarkDeprecated("address", "see --bind-address instead.")
-	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead.")
-	// MarkDeprecated hides the flag from the help. We don't want that:
-	// fs.MarkDeprecated("port", "see --secure-port instead.")
-}
-
-// ApplyTo adds InsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
-// Note: the double pointer allows to set the *InsecureServingInfo to nil without referencing the struct hosting this pointer.
-func (s *InsecureServingOptions) ApplyTo(c **genericcontrollermanager.InsecureServingInfo) error {
-	if s == nil {
-		return nil
-	}
-	if s.BindPort <= 0 {
-		return nil
-	}
-
-	if s.Listener == nil {
-		var err error
-		listen := options.CreateListener
-		if s.ListenFunc != nil {
-			listen = s.ListenFunc
-		}
-		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
-		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
-		if err != nil {
-			return fmt.Errorf("failed to create listener: %v", err)
-		}
-	}
-
-	*c = &genericcontrollermanager.InsecureServingInfo{
-		Listener: s.Listener,
-	}
-
-	return nil
-}

cmd/kube-apiserver/app/options/options_test.go

@@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) {
 			EnableWatchCache:        true,
 			DefaultWatchCacheSize:   100,
 		},
-		SecureServing: apiserveroptions.WithLoopback(&apiserveroptions.SecureServingOptions{
+		SecureServing: apiserveroptions.SecureServingOptions{
 			BindAddress: net.ParseIP("192.168.10.20"),
 			BindPort:    6443,
 			ServerCert: apiserveroptions.GeneratableKeyCert{
@@ -168,7 +168,7 @@ func TestAddFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 42,
 			Required:                     true,
-		}),
+		}.WithLoopback(),
 		InsecureServing: &kubeoptions.InsecureServingOptions{
 			BindAddress: net.ParseIP("127.0.0.1"),
 			BindPort:    8080,

cmd/kube-controller-manager/app/config/config.go

@@ -21,7 +21,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
-	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
 
@@ -31,7 +30,7 @@ type Config struct {
 
 	SecureServing *apiserver.SecureServingInfo
 	// TODO: remove deprecated insecure serving
-	InsecureServing *genericcontrollermanager.InsecureServingInfo
+	InsecureServing *apiserver.DeprecatedInsecureServingInfo
 	Authentication  apiserver.AuthenticationInfo
 	Authorization   apiserver.AuthorizationInfo
 

cmd/kube-controller-manager/app/options/options.go

@@ -85,7 +85,7 @@ type KubeControllerManagerOptions struct {
 
 	SecureServing *apiserveroptions.SecureServingOptions
 	// TODO: remove insecure serving mode
-	InsecureServing *cmoptions.InsecureServingOptions
+	InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
 	Authentication  *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization   *apiserveroptions.DelegatingAuthorizationOptions
 
@@ -178,7 +178,7 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 		},
 		Controllers:   componentConfig.Controllers,
 		SecureServing: apiserveroptions.NewSecureServingOptions(),
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
 			BindPort:    int(componentConfig.KubeCloudShared.Port),
 			BindNetwork: "tcp",
@@ -234,7 +234,7 @@ func (s *KubeControllerManagerOptions) AddFlags(fs *pflag.FlagSet, allController
 	s.ServiceController.AddFlags(fs)
 
 	s.SecureServing.AddFlags(fs)
-	s.InsecureServing.AddFlags(fs)
+	s.InsecureServing.AddUnqualifiedFlags(fs)
 	s.Authentication.AddFlags(fs)
 	s.Authorization.AddFlags(fs)
 
@@ -341,10 +341,10 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
 	if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
 		return err
 	}
-	if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+	if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
 		return err
 	}
-	if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
+	if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
 		return err
 	}
 	if err := s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {

cmd/kube-controller-manager/app/options/options_test.go

@@ -140,8 +140,8 @@ func TestAddFlags(t *testing.T) {
 			},
 		},
 		KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
-			Port:    10252,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:    10252,     // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 			UseServiceAccountCredentials: true,
 			RouteReconciliationPeriod:    metav1.Duration{Duration: 30 * time.Second},
 			NodeMonitorPeriod:            metav1.Duration{Duration: 10 * time.Second},
@@ -253,7 +253,7 @@ func TestAddFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 47,
 		},
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("192.168.4.10"),
 			BindPort:    int(10000),
 			BindNetwork: "tcp",

cmd/kube-scheduler/app/config/config.go

@@ -24,7 +24,6 @@ import (
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/kubernetes/cmd/controller-manager/app"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
 
@@ -33,8 +32,8 @@ type Config struct {
 	// config is the scheduler server's configuration object.
 	ComponentConfig componentconfig.KubeSchedulerConfiguration
 
-	InsecureServing        *app.InsecureServingInfo // nil will disable serving on an insecure port
+	InsecureServing        *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
-	InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently
+	InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
 	Authentication         apiserver.AuthenticationInfo
 	Authorization          apiserver.AuthorizationInfo
 	SecureServing          *apiserver.SecureServingInfo

cmd/kube-scheduler/app/options/insecure_serving.go

@@ -23,16 +23,16 @@ import (
 
 	"github.com/spf13/pflag"
 
-	controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
 
 // CombinedInsecureServingOptions sets up up to two insecure listeners for healthz and metrics. The flags
-// override the ComponentConfig and InsecureServingOptions values for both.
+// override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
 type CombinedInsecureServingOptions struct {
-	Healthz *controlleroptions.InsecureServingOptions
+	Healthz *apiserveroptions.DeprecatedInsecureServingOptions
-	Metrics *controlleroptions.InsecureServingOptions
+	Metrics *apiserveroptions.DeprecatedInsecureServingOptions
 
 	BindPort    int    // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
 	BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
@@ -53,10 +53,10 @@ func (o *CombinedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 }
 
 func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, componentConfig *componentconfig.KubeSchedulerConfiguration) error {
-	if err := updateAddressFromInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
+	if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
 		return err
 	}
-	if err := updateAddressFromInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
+	if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
 		return err
 	}
 
@@ -98,17 +98,17 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp
 		return nil
 	}
 
-	if err := updateInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
+	if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
 		return fmt.Errorf("invalid healthz address: %v", err)
 	}
-	if err := updateInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
+	if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
 		return fmt.Errorf("invalid metrics address: %v", err)
 	}
 
 	return o.applyTo(c, componentConfig)
 }
 
-func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions.InsecureServingOptions) error {
+func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error {
 	if is == nil {
 		*addr = ""
 	} else {
@@ -124,7 +124,7 @@ func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions
 	return nil
 }
 
-func updateInsecureServingOptionsFromAddress(is *controlleroptions.InsecureServingOptions, addr string) error {
+func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error {
 	if is == nil {
 		return nil
 	}

cmd/kube-scheduler/app/options/insecure_serving_test.go

@@ -23,7 +23,7 @@ import (
 	"testing"
 
 	"k8s.io/apimachinery/pkg/util/rand"
-	"k8s.io/kubernetes/cmd/controller-manager/app/options"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1235",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &options.InsecureServingOptions{},
+					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &options.InsecureServingOptions{},
+					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort:    1236,
 					BindAddress: "1.2.3.4",
 				},
@@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &options.InsecureServingOptions{},
+					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &options.InsecureServingOptions{},
+					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindAddress: "2.3.4.5",
 					BindPort:    1234,
 				},
@@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &options.InsecureServingOptions{},
+					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &options.InsecureServingOptions{},
+					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindAddress: "2.3.4.5",
 					BindPort:    0,
 				},

cmd/kube-scheduler/app/options/options.go

@@ -41,7 +41,6 @@ import (
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	"k8s.io/client-go/tools/record"
-	controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
@@ -86,10 +85,10 @@ func NewOptions() (*Options, error) {
 		ComponentConfig: *cfg,
 		SecureServing:   nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
 		CombinedInsecureServing: &CombinedInsecureServingOptions{
-			Healthz: &controlleroptions.InsecureServingOptions{
+			Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{
 				BindNetwork: "tcp",
 			},
-			Metrics: &controlleroptions.InsecureServingOptions{
+			Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{
 				BindNetwork: "tcp",
 			},
 			BindPort:    hport,

pkg/kubeapiserver/options/serving.go

@@ -33,7 +33,7 @@ import (
 // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
 // "normal" API servers running on the platform
 func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback {
-	return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
+	o := genericoptions.SecureServingOptions{
 		BindAddress: net.ParseIP("0.0.0.0"),
 		BindPort:    6443,
 		Required:    true,
@@ -41,7 +41,8 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
 			PairName:      "apiserver",
 			CertDirectory: "/var/run/kubernetes",
 		},
-	})
+	}
+	return o.WithLoopback()
 }
 
 // DefaultAdvertiseAddress sets the field AdvertiseAddress if

staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package app
+package server
 
 import (
 	"net"
@@ -23,11 +23,11 @@ import (
 
 	"github.com/golang/glog"
 
-	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/rest"
 )
 
-// InsecureServingInfo is the main context object for the insecure http server.
+// DeprecatedInsecureServingInfo is the main context object for the insecure http server.
-type InsecureServingInfo struct {
+type DeprecatedInsecureServingInfo struct {
 	// Listener is the secure server network listener.
 	Listener net.Listener
 	// optional server name for log messages
@@ -36,7 +36,7 @@ type InsecureServingInfo struct {
 
 // Serve starts an insecure http server with the given handler. It fails only if
 // the initial listen call fails. It does not block.
-func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
+func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
 	insecureServer := &http.Server{
 		Addr:           s.Listener.Addr().String(),
 		Handler:        handler,
@@ -48,5 +48,25 @@ func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.D
 	} else {
 		glog.Infof("Serving insecurely on %s", s.Listener.Addr())
 	}
-	return server.RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
+	return RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
+}
+
+func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
+	if s == nil {
+		return nil, nil
+	}
+
+	host, port, err := LoopbackHostPort(s.Listener.Addr().String())
+	if err != nil {
+		return nil, err
+	}
+
+	return &rest.Config{
+		Host: "http://" + net.JoinHostPort(host, port),
+		// Increase QPS limits. The client is currently passed to all admission plugins,
+		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+		// for more details. Once #22422 is fixed, we may want to remove it.
+		QPS:   50,
+		Burst: 100,
+	}, nil
 }

staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go

@@ -0,0 +1,164 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/rest"
+)
+
+// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
+// No one should be using these anymore.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptions struct {
+	BindAddress net.IP
+	BindPort    int
+	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
+	// "tcp4", and "tcp6".
+	BindNetwork string
+
+	// Listener is the secure server network listener.
+	// either Listener or BindAddress/BindPort/BindNetwork is set,
+	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
+	Listener net.Listener
+
+	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
+	// It defaults to options.CreateListener.
+	ListenFunc func(network, addr string) (net.Listener, int, error)
+}
+
+// Validate ensures that the insecure port values within the range of the port.
+func (s *DeprecatedInsecureServingOptions) Validate() []error {
+	if s == nil {
+		return nil
+	}
+
+	errors := []error{}
+
+	if s.BindPort < 0 || s.BindPort > 65335 {
+		errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
+	}
+
+	return errors
+}
+
+// AddFlags adds flags related to insecure serving to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
+	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-bind-address").Hidden = false
+
+	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+		"The port on which to serve unsecured, unauthenticated access.")
+	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-port").Hidden = false
+}
+
+// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+		"DEPRECATED: see --bind-address instead.")
+	fs.MarkDeprecated("address", "see --bind-address instead.")
+
+	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --secure-port instead.")
+	fs.MarkDeprecated("port", "see --secure-port instead.")
+}
+
+// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
+// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
+func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
+	if s == nil {
+		return nil
+	}
+	if s.BindPort <= 0 {
+		return nil
+	}
+
+	if s.Listener == nil {
+		var err error
+		listen := CreateListener
+		if s.ListenFunc != nil {
+			listen = s.ListenFunc
+		}
+		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
+		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
+		if err != nil {
+			return fmt.Errorf("failed to create listener: %v", err)
+		}
+	}
+
+	*c = &server.DeprecatedInsecureServingInfo{
+		Listener: s.Listener,
+	}
+
+	return nil
+}
+
+// WithLoopback adds loopback functionality to the serving options.
+func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback {
+	return &DeprecatedInsecureServingOptionsWithLoopback{o}
+}
+
+// DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptionsWithLoopback struct {
+	*DeprecatedInsecureServingOptions
+}
+
+// ApplyTo fills up serving information in the server configuration.
+func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error {
+	if s == nil || s.DeprecatedInsecureServingOptions == nil || insecureServingInfo == nil {
+		return nil
+	}
+
+	if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil {
+		return err
+	}
+
+	if *insecureServingInfo == nil || loopbackClientConfig == nil {
+		return nil
+	}
+
+	secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
+	switch {
+	// if we failed and there's no fallback loopback client config, we need to fail
+	case err != nil && secureLoopbackClientConfig == nil:
+		return err
+
+		// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
+	case err != nil && secureLoopbackClientConfig != nil:
+
+	default:
+		*loopbackClientConfig = secureLoopbackClientConfig
+	}
+
+	return nil
+}

staging/src/k8s.io/apiserver/pkg/server/options/recommended.go

@@ -54,7 +54,7 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
 
 	return &RecommendedOptions{
 		Etcd:                       NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
-		SecureServing:              WithLoopback(sso),
+		SecureServing:              sso.WithLoopback(),
 		Authentication:             NewDelegatingAuthenticationOptions(),
 		Authorization:              NewDelegatingAuthorizationOptions(),
 		Audit:                      NewAuditOptions(),

staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go

@@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) {
 			config.Version = &v
 
 			config.EnableIndex = true
-			secureOptions := WithLoopback(&SecureServingOptions{
+			secureOptions := SecureServingOptions{
 				BindAddress: net.ParseIP("127.0.0.1"),
 				BindPort:    6443,
 				ServerCert: GeneratableKeyCert{
@@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) {
 					},
 				},
 				SNICertKeys: namedCertKeys,
-			})
+			}.WithLoopback()
 			// use a random free port
 			ln, err := net.Listen("tcp", "127.0.0.1:0")
 			if err != nil {

staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go

@@ -31,7 +31,7 @@ type SecureServingOptionsWithLoopback struct {
 	*SecureServingOptions
 }
 
-func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
+func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback {
 	return &SecureServingOptionsWithLoopback{o}
 }