Merge pull request #68982 from aruneli/master

Fixes #65869 Do not listen insecurely if secure port is specified
2018-10-03 17:32:28 -07:00 · 2018-10-03 17:32:28 -07:00 · 5dd78df7da
parent 16256296d2 1761031f5f
commit 5dd78df7da
3 changed files with 12 additions and 6 deletions
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
@ -51,6 +51,8 @@ import (
 const (
 	// CloudControllerManagerUserAgent is the userAgent name when starting cloud-controller managers.
 	CloudControllerManagerUserAgent = "cloud-controller-manager"
+	// DefaultInsecureCloudControllerManagerPort is the default insecure cloud-controller manager port.
+	DefaultInsecureCloudControllerManagerPort = 0
 )

 // CloudControllerManagerOptions is the main context object for the controller manager.
@ -74,7 +76,7 @@ type CloudControllerManagerOptions struct {

 // NewCloudControllerManagerOptions creates a new ExternalCMServer with a default config.
 func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error) {
-	componentConfig, err := NewDefaultComponentConfig(ports.InsecureCloudControllerManagerPort)
+	componentConfig, err := NewDefaultComponentConfig(DefaultInsecureCloudControllerManagerPort)
 	if err != nil {
 		return nil, err
 	}
--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
@ -37,8 +37,8 @@ func TestDefaultFlags(t *testing.T) {

 	expected := &CloudControllerManagerOptions{
 		Generic: &cmoptions.GenericControllerManagerConfigurationOptions{
-			Port:            10253,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address:         "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:            DefaultInsecureCloudControllerManagerPort, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address:         "0.0.0.0",                                 // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
 			MinResyncPeriod: metav1.Duration{Duration: 12 * time.Hour},
 			ClientConnection: apimachineryconfig.ClientConnectionConfiguration{
 				ContentType: "application/vnd.kubernetes.protobuf",
@ -85,7 +85,7 @@ func TestDefaultFlags(t *testing.T) {
 		}).WithLoopback(),
 		InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("0.0.0.0"),
-			BindPort:    int(10253),
+			BindPort:    int(0),
 			BindNetwork: "tcp",
 		}).WithLoopback(),
 		Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
@ -155,8 +155,8 @@ func TestAddFlags(t *testing.T) {

 	expected := &CloudControllerManagerOptions{
 		Generic: &cmoptions.GenericControllerManagerConfigurationOptions{
-			Port:            10253,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address:         "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:            DefaultInsecureCloudControllerManagerPort, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address:         "0.0.0.0",                                 // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
 			MinResyncPeriod: metav1.Duration{Duration: 100 * time.Minute},
 			ClientConnection: apimachineryconfig.ClientConnectionConfiguration{
 				ContentType: "application/vnd.kubernetes.protobuf",
--- a/test/integration/controllermanager/serving_test.go
+++ b/test/integration/controllermanager/serving_test.go
@ -213,11 +213,13 @@ func testControllerManager(t *testing.T, tester controllerManagerTester, kubecon
 		{"no-flags", nil, "/healthz", false, true, nil, nil},
 		{"insecurely /healthz", []string{
 			"--secure-port=0",
+			"--port=10253",
 			"--kubeconfig", kubeconfig,
 			"--leader-elect=false",
 		}, "/healthz", true, false, nil, intPtr(http.StatusOK)},
 		{"insecurely /metrics", []string{
 			"--secure-port=0",
+			"--port=10253",
 			"--kubeconfig", kubeconfig,
 			"--leader-elect=false",
 		}, "/metrics", true, false, nil, intPtr(http.StatusOK)},
@ -230,6 +232,7 @@ func testControllerManager(t *testing.T, tester controllerManagerTester, kubecon
 			"--kubeconfig", kubeconfig,
 			"--kubeconfig", kubeconfig,
 			"--leader-elect=false",
+			"--port=10253",
 		}, "/metrics", true, false, intPtr(http.StatusForbidden), intPtr(http.StatusOK)},
 		{"authorization skipped for /healthz with authn/authz", []string{
 			"--port=0",
@ -254,6 +257,7 @@ func testControllerManager(t *testing.T, tester controllerManagerTester, kubecon
 			"--leader-elect=false",
 		}, "/metrics", false, false, intPtr(http.StatusForbidden), nil},
 		{"not authorized /metrics with BROKEN authn/authz", []string{
+			"--port=10253",
 			"--authentication-kubeconfig", kubeconfig,
 			"--authorization-kubeconfig", brokenKubeconfig,
 			"--kubeconfig", kubeconfig,