github
/
k3s
mirror of https://github.com/k3s-io/k3s
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Merge pull request #67060 from sttts/sttts-unify-insecure-serving 

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kube-{apiserver,ctrl-mgr}: unify into DeprecatedInsecureServingOptions

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note

```
pull/8/head
Kubernetes Submit Queue 2018-08-17 08:50:36 -07:00 committed by GitHub
parent de1656abbb c2724793e8
commit b9544382ba
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
32 changed files with 276 additions and 353 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/cloud-controller-manager/app/config/BUILD
View File

@ -6,7 +6,6 @@ go_library(
importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app/config",
visibility = ["//visibility:public"],
deps = [
"//cmd/controller-manager/app:go_default_library",
"//pkg/apis/componentconfig:go_default_library",
"//pkg/controller:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",

3
cmd/cloud-controller-manager/app/config/config.go
View File

@ -22,7 +22,6 @@ import (
clientset "k8s.io/client-go/kubernetes"
restclient "k8s.io/client-go/rest"
"k8s.io/client-go/tools/record"
genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
"k8s.io/kubernetes/pkg/apis/componentconfig"
"k8s.io/kubernetes/pkg/controller"
)
@ -33,7 +32,7 @@ type Config struct {
SecureServing *apiserver.SecureServingInfo
// TODO: remove deprecated insecure serving
InsecureServing *genericcontrollermanager.InsecureServingInfo
InsecureServing *apiserver.DeprecatedInsecureServingInfo
Authentication apiserver.AuthenticationInfo
Authorization apiserver.AuthorizationInfo

6
cmd/cloud-controller-manager/app/options/options.go
View File

@ -63,7 +63,7 @@ type CloudControllerManagerOptions struct {
SecureServing *apiserveroptions.SecureServingOptions
// TODO: remove insecure serving mode
InsecureServing *cmoptions.InsecureServingOptions
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
Authentication *apiserveroptions.DelegatingAuthenticationOptions
Authorization *apiserveroptions.DelegatingAuthorizationOptions
@ -90,7 +90,7 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
},
SecureServing: apiserveroptions.NewSecureServingOptions(),
InsecureServing: &cmoptions.InsecureServingOptions{
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
BindPort: int(componentConfig.KubeCloudShared.Port),
BindNetwork: "tcp",
@ -140,7 +140,7 @@ func (o *CloudControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
o.ServiceController.AddFlags(fs)
o.SecureServing.AddFlags(fs)
o.InsecureServing.AddFlags(fs)
o.InsecureServing.AddUnqualifiedFlags(fs)
o.Authentication.AddFlags(fs)
o.Authorization.AddFlags(fs)

12
cmd/cloud-controller-manager/app/options/options_test.go
View File

@ -57,8 +57,8 @@ func TestDefaultFlags(t *testing.T) {
},
},
KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Port: 10253, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
RouteReconciliationPeriod: metav1.Duration{Duration: 10 * time.Second},
NodeMonitorPeriod: metav1.Duration{Duration: 5 * time.Second},
ClusterName: "kubernetes",
@ -79,7 +79,7 @@ func TestDefaultFlags(t *testing.T) {
},
HTTP2MaxStreamsPerConnection: 0,
},
InsecureServing: &cmoptions.InsecureServingOptions{
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("0.0.0.0"),
BindPort: int(10253),
BindNetwork: "tcp",
@ -154,8 +154,8 @@ func TestAddFlags(t *testing.T) {
},
},
KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Port: 10253, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second},
NodeMonitorPeriod: metav1.Duration{Duration: 5 * time.Second},
ClusterName: "k8s",
@ -176,7 +176,7 @@ func TestAddFlags(t *testing.T) {
},
HTTP2MaxStreamsPerConnection: 47,
},
InsecureServing: &cmoptions.InsecureServingOptions{
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("192.168.4.10"),
BindPort: int(10000),
BindNetwork: "tcp",

1
cmd/controller-manager/app/BUILD
View File

@ -4,7 +4,6 @@ go_library(
name = "go_default_library",
srcs = [
"helper.go",
"insecure_serving.go",
"serve.go",
],
importpath = "k8s.io/kubernetes/cmd/controller-manager/app",

3
cmd/controller-manager/app/options/BUILD
View File

@ -6,19 +6,16 @@ go_library(
"cloudprovider.go",
"debugging.go",
"generic.go",
"insecure_serving.go",
"kubecloudshared.go",
"servicecontroller.go",
],
importpath = "k8s.io/kubernetes/cmd/controller-manager/app/options",
visibility = ["//visibility:public"],
deps = [
"//cmd/controller-manager/app:go_default_library",
"//pkg/apis/componentconfig:go_default_library",
"//pkg/client/leaderelectionconfig:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
"//vendor/github.com/spf13/pflag:go_default_library",
],
)

105
cmd/controller-manager/app/options/insecure_serving.go
View File

@ -1,105 +0,0 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package options
import (
"fmt"
"net"
"github.com/spf13/pflag"
"k8s.io/apiserver/pkg/server/options"
genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
)
// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
// No one should be using these anymore.
type InsecureServingOptions struct {
BindAddress net.IP
BindPort int
// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
// "tcp4", and "tcp6".
BindNetwork string
// Listener is the secure server network listener.
// either Listener or BindAddress/BindPort/BindNetwork is set,
// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
Listener net.Listener
// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
// It defaults to options.CreateListener.
ListenFunc func(network, addr string) (net.Listener, int, error)
}
// Validate ensures that the insecure port values within the range of the port.
func (s *InsecureServingOptions) Validate() []error {
if s == nil {
return nil
}
errors := []error{}
if s.BindPort < 0 || s.BindPort > 65335 {
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
}
return errors
}
// AddFlags adds flags related to insecure serving for controller manager to the specified FlagSet.
func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
if s == nil {
return
}
fs.IPVar(&s.BindAddress, "address", s.BindAddress, "DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead.")
// MarkDeprecated hides the flag from the help. We don't want that:
// fs.MarkDeprecated("address", "see --bind-address instead.")
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead.")
// MarkDeprecated hides the flag from the help. We don't want that:
// fs.MarkDeprecated("port", "see --secure-port instead.")
}
// ApplyTo adds InsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
// Note: the double pointer allows to set the *InsecureServingInfo to nil without referencing the struct hosting this pointer.
func (s *InsecureServingOptions) ApplyTo(c **genericcontrollermanager.InsecureServingInfo) error {
if s == nil {
return nil
}
if s.BindPort <= 0 {
return nil
}
if s.Listener == nil {
var err error
listen := options.CreateListener
if s.ListenFunc != nil {
listen = s.ListenFunc
}
addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
if err != nil {
return fmt.Errorf("failed to create listener: %v", err)
}
}
*c = &genericcontrollermanager.InsecureServingInfo{
Listener: s.Listener,
}
return nil
}

4
cmd/kube-apiserver/app/options/options.go
View File

@ -41,7 +41,7 @@ type ServerRunOptions struct {
GenericServerRunOptions *genericoptions.ServerRunOptions
Etcd *genericoptions.EtcdOptions
SecureServing *genericoptions.SecureServingOptionsWithLoopback
InsecureServing *kubeoptions.InsecureServingOptions
InsecureServing *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
Audit *genericoptions.AuditOptions
Features *genericoptions.FeatureOptions
Admission *kubeoptions.AdmissionOptions
@ -128,7 +128,7 @@ func (s *ServerRunOptions) Flags() (fss apiserverflag.NamedFlagSets) {
s.Etcd.AddFlags(fss.FlagSet("etcd"))
s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
s.InsecureServing.AddFlags(fss.FlagSet("insecure serving"))
s.InsecureServing.AddDeprecatedFlags(fss.FlagSet("insecure serving"))
s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address`
s.Audit.AddFlags(fss.FlagSet("auditing"))
s.Features.AddFlags(fss.FlagSet("features"))
s.Authentication.AddFlags(fss.FlagSet("authentication"))

8
cmd/kube-apiserver/app/options/options_test.go
View File

@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) {
EnableWatchCache: true,
DefaultWatchCacheSize: 100,
},
SecureServing: apiserveroptions.WithLoopback(&apiserveroptions.SecureServingOptions{
SecureServing: (&apiserveroptions.SecureServingOptions{
BindAddress: net.ParseIP("192.168.10.20"),
BindPort: 6443,
ServerCert: apiserveroptions.GeneratableKeyCert{
@ -168,11 +168,11 @@ func TestAddFlags(t *testing.T) {
},
HTTP2MaxStreamsPerConnection: 42,
Required: true,
}),
InsecureServing: &kubeoptions.InsecureServingOptions{
}).WithLoopback(),
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 8080,
},
}).WithLoopback(),
EventTTL: 1 * time.Hour,
KubeletConfig: kubeletclient.KubeletClientConfig{
Port: 10250,

14
cmd/kube-apiserver/app/server.go
View File

@ -166,7 +166,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
return nil, err
}
kubeAPIServerConfig, insecureServingOptions, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
if err != nil {
return nil, err
}
@ -204,9 +204,9 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
return nil, err
}
if insecureServingOptions != nil {
if insecureServingInfo != nil {
insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
return nil, err
}
}
@ -278,7 +278,7 @@ func CreateKubeAPIServerConfig(
proxyTransport *http.Transport,
) (
config *master.Config,
insecureServingInfo *kubeserver.InsecureServingInfo,
insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
serviceResolver aggregatorapiserver.ServiceResolver,
pluginInitializers []admission.PluginInitializer,
admissionPostStartHook genericapiserver.PostStartHookFunc,
@ -421,7 +421,7 @@ func buildGenericConfig(
genericConfig *genericapiserver.Config,
sharedInformers informers.SharedInformerFactory,
versionedInformers clientgoinformers.SharedInformerFactory,
insecureServingInfo *kubeserver.InsecureServingInfo,
insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
serviceResolver aggregatorapiserver.ServiceResolver,
pluginInitializers []admission.PluginInitializer,
admissionPostStartHook genericapiserver.PostStartHookFunc,
@ -435,7 +435,7 @@ func buildGenericConfig(
return
}
if insecureServingInfo, lastErr = s.InsecureServing.ApplyTo(genericConfig); lastErr != nil {
if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil {
return
}
if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
@ -652,7 +652,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
return options, err
}
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil {
return options, err
}
serviceIPRange, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)

1
cmd/kube-controller-manager/app/config/BUILD
View File

@ -6,7 +6,6 @@ go_library(
importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/config",
visibility = ["//visibility:public"],
deps = [
"//cmd/controller-manager/app:go_default_library",
"//pkg/apis/componentconfig:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",

3
cmd/kube-controller-manager/app/config/config.go
View File

@ -21,7 +21,6 @@ import (
clientset "k8s.io/client-go/kubernetes"
restclient "k8s.io/client-go/rest"
"k8s.io/client-go/tools/record"
genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
"k8s.io/kubernetes/pkg/apis/componentconfig"
)
@ -31,7 +30,7 @@ type Config struct {
SecureServing *apiserver.SecureServingInfo
// TODO: remove deprecated insecure serving
InsecureServing *genericcontrollermanager.InsecureServingInfo
InsecureServing *apiserver.DeprecatedInsecureServingInfo
Authentication apiserver.AuthenticationInfo
Authorization apiserver.AuthorizationInfo

10
cmd/kube-controller-manager/app/options/options.go
View File

@ -85,7 +85,7 @@ type KubeControllerManagerOptions struct {
SecureServing *apiserveroptions.SecureServingOptions
// TODO: remove insecure serving mode
InsecureServing *cmoptions.InsecureServingOptions
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
Authentication *apiserveroptions.DelegatingAuthenticationOptions
Authorization *apiserveroptions.DelegatingAuthorizationOptions
@ -178,7 +178,7 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
},
Controllers: componentConfig.Controllers,
SecureServing: apiserveroptions.NewSecureServingOptions(),
InsecureServing: &cmoptions.InsecureServingOptions{
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
BindPort: int(componentConfig.KubeCloudShared.Port),
BindNetwork: "tcp",
@ -234,7 +234,7 @@ func (s *KubeControllerManagerOptions) AddFlags(fs *pflag.FlagSet, allController
s.ServiceController.AddFlags(fs)
s.SecureServing.AddFlags(fs)
s.InsecureServing.AddFlags(fs)
s.InsecureServing.AddUnqualifiedFlags(fs)
s.Authentication.AddFlags(fs)
s.Authorization.AddFlags(fs)
@ -341,10 +341,10 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
return err
}
if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
return err
}
if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
return err
}
if err := s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {

6
cmd/kube-controller-manager/app/options/options_test.go
View File

@ -140,8 +140,8 @@ func TestAddFlags(t *testing.T) {
},
},
KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
Port: 10252, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
Port: 10252, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
UseServiceAccountCredentials: true,
RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second},
NodeMonitorPeriod: metav1.Duration{Duration: 10 * time.Second},
@ -253,7 +253,7 @@ func TestAddFlags(t *testing.T) {
},
HTTP2MaxStreamsPerConnection: 47,
},
InsecureServing: &cmoptions.InsecureServingOptions{
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("192.168.4.10"),
BindPort: int(10000),
BindNetwork: "tcp",

1
cmd/kube-scheduler/app/config/BUILD
View File

@ -6,7 +6,6 @@ go_library(
importpath = "k8s.io/kubernetes/cmd/kube-scheduler/app/config",
visibility = ["//visibility:public"],
deps = [
"//cmd/controller-manager/app:go_default_library",
"//pkg/apis/componentconfig:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
"//staging/src/k8s.io/client-go/informers:go_default_library",

5
cmd/kube-scheduler/app/config/config.go
View File

@ -24,7 +24,6 @@ import (
v1core "k8s.io/client-go/kubernetes/typed/core/v1"
"k8s.io/client-go/tools/leaderelection"
"k8s.io/client-go/tools/record"
"k8s.io/kubernetes/cmd/controller-manager/app"
"k8s.io/kubernetes/pkg/apis/componentconfig"
)
@ -33,8 +32,8 @@ type Config struct {
// config is the scheduler server's configuration object.
ComponentConfig componentconfig.KubeSchedulerConfiguration
InsecureServing *app.InsecureServingInfo // nil will disable serving on an insecure port
InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently
InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
Authentication apiserver.AuthenticationInfo
Authorization apiserver.AuthorizationInfo
SecureServing *apiserver.SecureServingInfo

3
cmd/kube-scheduler/app/options/BUILD
View File

@ -11,7 +11,6 @@ go_library(
importpath = "k8s.io/kubernetes/cmd/kube-scheduler/app/options",
visibility = ["//visibility:public"],
deps = [
"//cmd/controller-manager/app/options:go_default_library",
"//cmd/kube-scheduler/app/config:go_default_library",
"//pkg/api/legacyscheme:go_default_library",
"//pkg/apis/componentconfig:go_default_library",
@ -64,7 +63,6 @@ go_test(
],
embed = [":go_default_library"],
deps = [
"//cmd/controller-manager/app/options:go_default_library",
"//cmd/kube-scheduler/app/config:go_default_library",
"//pkg/apis/componentconfig:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/apis/config:go_default_library",
@ -72,5 +70,6 @@ go_test(
"//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//staging/src/k8s.io/apimachinery/pkg/util/rand:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
],
)

20
cmd/kube-scheduler/app/options/insecure_serving.go
View File

@ -23,16 +23,16 @@ import (
"github.com/spf13/pflag"
controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
apiserveroptions "k8s.io/apiserver/pkg/server/options"
schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
"k8s.io/kubernetes/pkg/apis/componentconfig"
)
// CombinedInsecureServingOptions sets up up to two insecure listeners for healthz and metrics. The flags
// override the ComponentConfig and InsecureServingOptions values for both.
// override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
type CombinedInsecureServingOptions struct {
Healthz *controlleroptions.InsecureServingOptions
Metrics *controlleroptions.InsecureServingOptions
Healthz *apiserveroptions.DeprecatedInsecureServingOptions
Metrics *apiserveroptions.DeprecatedInsecureServingOptions
BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
@ -53,10 +53,10 @@ func (o *CombinedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
}
func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, componentConfig *componentconfig.KubeSchedulerConfiguration) error {
if err := updateAddressFromInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
return err
}
if err := updateAddressFromInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
return err
}
@ -98,17 +98,17 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp
return nil
}
if err := updateInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
return fmt.Errorf("invalid healthz address: %v", err)
}
if err := updateInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
return fmt.Errorf("invalid metrics address: %v", err)
}
return o.applyTo(c, componentConfig)
}
func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions.InsecureServingOptions) error {
func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error {
if is == nil {
*addr = ""
} else {
@ -124,7 +124,7 @@ func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions
return nil
}
func updateInsecureServingOptionsFromAddress(is *controlleroptions.InsecureServingOptions, addr string) error {
func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error {
if is == nil {
return nil
}

30
cmd/kube-scheduler/app/options/insecure_serving_test.go
View File

@ -23,7 +23,7 @@ import (
"testing"
"k8s.io/apimachinery/pkg/util/rand"
"k8s.io/kubernetes/cmd/controller-manager/app/options"
apiserveroptions "k8s.io/apiserver/pkg/server/options"
schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
"k8s.io/kubernetes/pkg/apis/componentconfig"
)
@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &options.InsecureServingOptions{},
Metrics: &options.InsecureServingOptions{},
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindPort: 0,
},
},
@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &options.InsecureServingOptions{},
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindPort: 0,
},
},
@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Metrics: &options.InsecureServingOptions{},
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindPort: 0,
},
},
@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &options.InsecureServingOptions{},
Metrics: &options.InsecureServingOptions{},
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindPort: 0,
},
},
@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1235",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &options.InsecureServingOptions{},
Metrics: &options.InsecureServingOptions{},
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindPort: 0,
},
},
@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &options.InsecureServingOptions{},
Metrics: &options.InsecureServingOptions{},
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindPort: 1236,
BindAddress: "1.2.3.4",
},
@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &options.InsecureServingOptions{},
Metrics: &options.InsecureServingOptions{},
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindAddress: "2.3.4.5",
BindPort: 1234,
},
@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234",
},
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &options.InsecureServingOptions{},
Metrics: &options.InsecureServingOptions{},
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
BindAddress: "2.3.4.5",
BindPort: 0,
},

5
cmd/kube-scheduler/app/options/options.go
View File

@ -41,7 +41,6 @@ import (
"k8s.io/client-go/tools/leaderelection"
"k8s.io/client-go/tools/leaderelection/resourcelock"
"k8s.io/client-go/tools/record"
controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
"k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/apis/componentconfig"
@ -86,10 +85,10 @@ func NewOptions() (*Options, error) {
ComponentConfig: *cfg,
SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &controlleroptions.InsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{
BindNetwork: "tcp",
},
Metrics: &controlleroptions.InsecureServingOptions{
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{
BindNetwork: "tcp",
},
BindPort: hport,

1
pkg/kubeapiserver/options/BUILD
View File

@ -27,7 +27,6 @@ go_library(
"//pkg/kubeapiserver/authenticator:go_default_library",
"//pkg/kubeapiserver/authorizer:go_default_library",
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
"//pkg/kubeapiserver/server:go_default_library",
"//plugin/pkg/admission/admit:go_default_library",
"//plugin/pkg/admission/alwayspullimages:go_default_library",
"//plugin/pkg/admission/antiaffinity:go_default_library",

96
pkg/kubeapiserver/options/serving.go
View File

@ -20,20 +20,15 @@ package options
import (
"fmt"
"net"
"strconv"
"github.com/spf13/pflag"
utilnet "k8s.io/apimachinery/pkg/util/net"
"k8s.io/apiserver/pkg/server"
genericoptions "k8s.io/apiserver/pkg/server/options"
kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
)
// NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
// "normal" API servers running on the platform
func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback {
return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
o := genericoptions.SecureServingOptions{
BindAddress: net.ParseIP("0.0.0.0"),
BindPort: 6443,
Required: true,
@ -41,20 +36,31 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
PairName: "apiserver",
CertDirectory: "/var/run/kubernetes",
},
})
}
return o.WithLoopback()
}
// NewInsecureServingOptions gives default values for the kube-apiserver.
// TODO: switch insecure serving off by default
func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback {
o := genericoptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 8080,
}
return o.WithLoopback()
}
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
// unset. The field will be set based on the SecureServingOptions. If
// the SecureServingOptions is not present, DefaultExternalAddress
// will fall back to the insecure ServingOptions.
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error {
if insecure == nil {
return nil
}
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
hostIP, err := insecure.DefaultExternalAddress()
hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress)
if err != nil {
return fmt.Errorf("unable to find suitable network address.error='%v'. "+
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err)
@ -64,75 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec
return nil
}
// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
// No one should be using these anymore.
type InsecureServingOptions struct {
BindAddress net.IP
BindPort int
}
// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
// No one should be using these anymore.
func NewInsecureServingOptions() *InsecureServingOptions {
return &InsecureServingOptions{
BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 8080,
}
}
func (s InsecureServingOptions) Validate() []error {
errors := []error{}
if s.BindPort < 0 || s.BindPort > 65535 {
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
}
return errors
}
func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
return utilnet.ChooseBindAddress(s.BindAddress)
}
func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
fs.Lookup("insecure-bind-address").Hidden = false
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
"The port on which to serve unsecured, unauthenticated access. It is assumed "+
"that firewall rules are set up such that this port is not reachable from outside of "+
"the cluster and that port 443 on the cluster's public address is proxied to this "+
"port. This is performed by nginx in the default setup. Set to zero to disable.")
fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
fs.Lookup("insecure-port").Hidden = false
}
// TODO: remove it until kops stop using `--address`
func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
"DEPRECATED: see --insecure-bind-address instead.")
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
fs.MarkDeprecated("port", "see --insecure-port instead.")
}
func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
if s.BindPort <= 0 {
return nil, nil
}
ret := &kubeserver.InsecureServingInfo{
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
}
var err error
if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(); err != nil {
return nil, err
}
return ret, nil
}

3
pkg/kubeapiserver/server/BUILD
View File

@ -15,10 +15,7 @@ go_library(
"//staging/src/k8s.io/apiserver/pkg/features:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
"//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
"//staging/src/k8s.io/client-go/rest:go_default_library",
"//vendor/github.com/golang/glog:go_default_library",
],
)

80
pkg/kubeapiserver/server/insecure_handler.go
View File

@ -17,25 +17,19 @@ limitations under the License.
package server
import (
"net"
"net/http"
"time"
"github.com/golang/glog"
"k8s.io/apiserver/pkg/authentication/user"
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
"k8s.io/apiserver/pkg/features"
"k8s.io/apiserver/pkg/server"
genericfilters "k8s.io/apiserver/pkg/server/filters"
"k8s.io/apiserver/pkg/server/options"
utilfeature "k8s.io/apiserver/pkg/util/feature"
"k8s.io/client-go/rest"
)
// InsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization.
// DeprecatedInsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization.
// You shouldn't be using this. It makes sig-auth sad.
// InsecureServingInfo *ServingInfo
// DeprecatedInsecureServingInfo *ServingInfo
func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
handler := apiHandler
@ -55,76 +49,6 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
return handler
}
type InsecureServingInfo struct {
// BindAddress is the ip:port to serve on
BindAddress string
// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
// "tcp4", and "tcp6".
BindNetwork string
}
func (s *InsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
if s == nil {
return nil, nil
}
host, port, err := server.LoopbackHostPort(s.BindAddress)
if err != nil {
return nil, err
}
return &rest.Config{
Host: "http://" + net.JoinHostPort(host, port),
// Increase QPS limits. The client is currently passed to all admission plugins,
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
// for more details. Once #22422 is fixed, we may want to remove it.
QPS: 50,
Burst: 100,
}, nil
}
// NonBlockingRun spawns the insecure http server. An error is
// returned if the ports cannot be listened on.
func NonBlockingRun(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
// Use an internal stop channel to allow cleanup of the listeners on error.
internalStopCh := make(chan struct{})
if insecureServingInfo != nil && insecureHandler != nil {
if err := serveInsecurely(insecureServingInfo, insecureHandler, shutDownTimeout, internalStopCh); err != nil {
close(internalStopCh)
return err
}
}
// Now that the listener has bound successfully, it is the
// responsibility of the caller to close the provided channel to
// ensure cleanup.
go func() {
<-stopCh
close(internalStopCh)
}()
return nil
}
// serveInsecurely run the insecure http server. It fails only if the initial listen
// call fails. The actual server loop (stoppable by closing stopCh) runs in a go
// routine, i.e. serveInsecurely does not block.
func serveInsecurely(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
insecureServer := &http.Server{
Addr: insecureServingInfo.BindAddress,
Handler: insecureHandler,
MaxHeaderBytes: 1 << 20,
}
glog.Infof("Serving insecurely on %s", insecureServingInfo.BindAddress)
ln, _, err := options.CreateListener(insecureServingInfo.BindNetwork, insecureServingInfo.BindAddress)
if err != nil {
return err
}
err = server.RunServer(insecureServer, ln, shutDownTimeout, stopCh)
return err
}
// insecureSuperuser implements authenticator.Request to always return a superuser.
// This is functionally equivalent to skipping authentication and authorization,
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.

3
staging/src/k8s.io/apiserver/pkg/server/BUILD
View File

@ -45,13 +45,14 @@ go_library(
srcs = [
"config.go",
"config_selfclient.go",
"deprecated_insecure_serving.go",
"doc.go",
"genericapiserver.go",
"handler.go",
"healthz.go",
"hooks.go",
"plugins.go",
"serve.go",
"secure_serving.go",
"signal.go",
"signal_posix.go",
"signal_windows.go",

32
cmd/controller-manager/app/insecure_serving.go → staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go
View File

@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
limitations under the License.
*/
package app
package server
import (
"net"
@ -23,11 +23,11 @@ import (
"github.com/golang/glog"
"k8s.io/apiserver/pkg/server"
"k8s.io/client-go/rest"
)
// InsecureServingInfo is the main context object for the insecure http server.
type InsecureServingInfo struct {
// DeprecatedInsecureServingInfo is the main context object for the insecure http server.
type DeprecatedInsecureServingInfo struct {
// Listener is the secure server network listener.
Listener net.Listener
// optional server name for log messages
@ -36,7 +36,7 @@ type InsecureServingInfo struct {
// Serve starts an insecure http server with the given handler. It fails only if
// the initial listen call fails. It does not block.
func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
insecureServer := &http.Server{
Addr: s.Listener.Addr().String(),
Handler: handler,
@ -48,5 +48,25 @@ func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.D
} else {
glog.Infof("Serving insecurely on %s", s.Listener.Addr())
}
return server.RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
return RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
}
func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
if s == nil {
return nil, nil
}
host, port, err := LoopbackHostPort(s.Listener.Addr().String())
if err != nil {
return nil, err
}
return &rest.Config{
Host: "http://" + net.JoinHostPort(host, port),
// Increase QPS limits. The client is currently passed to all admission plugins,
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
// for more details. Once #22422 is fixed, we may want to remove it.
QPS: 50,
Burst: 100,
}, nil
}

1
staging/src/k8s.io/apiserver/pkg/server/options/BUILD
View File

@ -9,6 +9,7 @@ go_library(
"authentication.go",
"authorization.go",
"coreapi.go",
"deprecated_insecure_serving.go",
"doc.go",
"etcd.go",
"feature.go",

164
staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go Normal file
View File

@ -0,0 +1,164 @@
/*
Copyright 2017 The Kubernetes Authors.
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/
package options
import (
"fmt"
"net"
"github.com/spf13/pflag"
"k8s.io/apiserver/pkg/server"
"k8s.io/client-go/rest"
)
// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
// No one should be using these anymore.
// DEPRECATED: all insecure serving options are removed in a future version
type DeprecatedInsecureServingOptions struct {
BindAddress net.IP
BindPort int
// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
// "tcp4", and "tcp6".
BindNetwork string
// Listener is the secure server network listener.
// either Listener or BindAddress/BindPort/BindNetwork is set,
// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
Listener net.Listener
// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
// It defaults to options.CreateListener.
ListenFunc func(network, addr string) (net.Listener, int, error)
}
// Validate ensures that the insecure port values within the range of the port.
func (s *DeprecatedInsecureServingOptions) Validate() []error {
if s == nil {
return nil
}
errors := []error{}
if s.BindPort < 0 || s.BindPort > 65335 {
errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
}
return errors
}
// AddFlags adds flags related to insecure serving to the specified FlagSet.
func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
if s == nil {
return
}
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
fs.Lookup("insecure-bind-address").Hidden = false
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
"The port on which to serve unsecured, unauthenticated access.")
fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
fs.Lookup("insecure-port").Hidden = false
}
// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
if s == nil {
return
}
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
"DEPRECATED: see --bind-address instead.")
fs.MarkDeprecated("address", "see --bind-address instead.")
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --secure-port instead.")
fs.MarkDeprecated("port", "see --secure-port instead.")
}
// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
if s == nil {
return nil
}
if s.BindPort <= 0 {
return nil
}
if s.Listener == nil {
var err error
listen := CreateListener
if s.ListenFunc != nil {
listen = s.ListenFunc
}
addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
if err != nil {
return fmt.Errorf("failed to create listener: %v", err)
}
}
*c = &server.DeprecatedInsecureServingInfo{
Listener: s.Listener,
}
return nil
}
// WithLoopback adds loopback functionality to the serving options.
func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback {
return &DeprecatedInsecureServingOptionsWithLoopback{o}
}
// DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions.
// DEPRECATED: all insecure serving options are removed in a future version
type DeprecatedInsecureServingOptionsWithLoopback struct {
*DeprecatedInsecureServingOptions
}
// ApplyTo fills up serving information in the server configuration.
func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error {
if s == nil || s.DeprecatedInsecureServingOptions == nil || insecureServingInfo == nil {
return nil
}
if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil {
return err
}
if *insecureServingInfo == nil || loopbackClientConfig == nil {
return nil
}
secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
switch {
// if we failed and there's no fallback loopback client config, we need to fail
case err != nil && secureLoopbackClientConfig == nil:
return err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case err != nil && secureLoopbackClientConfig != nil:
default:
*loopbackClientConfig = secureLoopbackClientConfig
}
return nil
}

2
staging/src/k8s.io/apiserver/pkg/server/options/recommended.go
View File

@ -54,7 +54,7 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
return &RecommendedOptions{
Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
SecureServing: WithLoopback(sso),
SecureServing: sso.WithLoopback(),
Authentication: NewDelegatingAuthenticationOptions(),
Authorization: NewDelegatingAuthorizationOptions(),
Audit: NewAuditOptions(),

4
staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
View File

@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) {
config.Version = &v
config.EnableIndex = true
secureOptions := WithLoopback(&SecureServingOptions{
secureOptions := (&SecureServingOptions{
BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 6443,
ServerCert: GeneratableKeyCert{
@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) {
},
},
SNICertKeys: namedCertKeys,
})
}).WithLoopback()
// use a random free port
ln, err := net.Listen("tcp", "127.0.0.1:0")
if err != nil {

2
staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
View File

@ -31,7 +31,7 @@ type SecureServingOptionsWithLoopback struct {
*SecureServingOptions
}
func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback {
return &SecureServingOptionsWithLoopback{o}
}

0
staging/src/k8s.io/apiserver/pkg/server/serve.go → staging/src/k8s.io/apiserver/pkg/server/secure_serving.go
View File