diff --git a/cmd/cloud-controller-manager/app/config/BUILD b/cmd/cloud-controller-manager/app/config/BUILD
index 3b02ccdc05..e77beafaac 100644
--- a/cmd/cloud-controller-manager/app/config/BUILD
+++ b/cmd/cloud-controller-manager/app/config/BUILD
@@ -6,7 +6,6 @@ go_library(
 importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app/config",
 visibility = ["//visibility:public"],
 deps = [
- "//cmd/controller-manager/app:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
 "//pkg/controller:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
diff --git a/cmd/cloud-controller-manager/app/config/config.go b/cmd/cloud-controller-manager/app/config/config.go
index 9282cfd106..abd2df05ad 100644
--- a/cmd/cloud-controller-manager/app/config/config.go
+++ b/cmd/cloud-controller-manager/app/config/config.go
@@ -22,7 +22,6 @@ import (
 clientset "k8s.io/client-go/kubernetes"
 restclient "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/record"
- genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
 "k8s.io/kubernetes/pkg/apis/componentconfig"
 "k8s.io/kubernetes/pkg/controller"
 )
@@ -33,7 +32,7 @@ type Config struct {
 SecureServing *apiserver.SecureServingInfo
 // TODO: remove deprecated insecure serving
- InsecureServing *genericcontrollermanager.InsecureServingInfo
+ InsecureServing *apiserver.DeprecatedInsecureServingInfo
 Authentication apiserver.AuthenticationInfo
 Authorization apiserver.AuthorizationInfo
diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go
index 854a1450c9..21c1351644 100644
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
@@ -63,7 +63,7 @@ type CloudControllerManagerOptions struct {
 SecureServing *apiserveroptions.SecureServingOptions
 // TODO: remove insecure serving mode
- InsecureServing *cmoptions.InsecureServingOptions
+ InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
 Authentication *apiserveroptions.DelegatingAuthenticationOptions
 Authorization *apiserveroptions.DelegatingAuthorizationOptions
@@ -90,7 +90,7 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
 },
 SecureServing: apiserveroptions.NewSecureServingOptions(),
- InsecureServing: &cmoptions.InsecureServingOptions{
+ InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
 BindPort: int(componentConfig.KubeCloudShared.Port),
 BindNetwork: "tcp",
@@ -140,7 +140,7 @@ func (o *CloudControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 o.ServiceController.AddFlags(fs)
 o.SecureServing.AddFlags(fs)
- o.InsecureServing.AddFlags(fs)
+ o.InsecureServing.AddUnqualifiedFlags(fs)
 o.Authentication.AddFlags(fs)
 o.Authorization.AddFlags(fs)
diff --git a/cmd/cloud-controller-manager/app/options/options_test.go b/cmd/cloud-controller-manager/app/options/options_test.go
index 84ff245685..f7215ea658 100644
--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
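Review bot: `o.InsecureServing.AddUnqualifiedFlags(fs)` in the AddFlags hunk registers the deprecated unqualified flag names (the removed controller-manager options file on this page registered them as `--address` and `--port`) with no comment saying why the unqualified variant is used, while the equivalent kube-apiserver hunk on this page carries a `// TODO: remove it until kops stops using --address` rationale. Suggest the same marker here, e.g. `o.InsecureServing.AddUnqualifiedFlags(fs) // TODO: remove once nothing depends on the unqualified --address/--port flags`, so the call is not mistaken for the normal AddFlags. The kube-controller-manager AddFlags hunk later on this page has the same gap. AddFlags's body starts before the hunk and continues after it.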
@@ -57,8 +57,8 @@ func TestDefaultFlags(t *testing.T) {
 },
 },
 KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
- Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
- Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+ Port: 10253, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
+ Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 RouteReconciliationPeriod: metav1.Duration{Duration: 10 * time.Second},
 NodeMonitorPeriod: metav1.Duration{Duration: 5 * time.Second},
 ClusterName: "kubernetes",
@@ -79,7 +79,7 @@ func TestDefaultFlags(t *testing.T) {
 },
 HTTP2MaxStreamsPerConnection: 0,
 },
- InsecureServing: &cmoptions.InsecureServingOptions{
+ InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP("0.0.0.0"),
 BindPort: int(10253),
 BindNetwork: "tcp",
@@ -154,8 +154,8 @@ func TestAddFlags(t *testing.T) {
 },
 },
 KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
- Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
- Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+ Port: 10253, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
+ Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second},
 NodeMonitorPeriod: metav1.Duration{Duration: 5 * time.Second},
 ClusterName: "k8s",
@@ -176,7 +176,7 @@ func TestAddFlags(t *testing.T) {
 },
 HTTP2MaxStreamsPerConnection: 47,
 },
- InsecureServing: &cmoptions.InsecureServingOptions{
+ InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP("192.168.4.10"),
 BindPort: int(10000),
 BindNetwork: "tcp",
diff --git a/cmd/controller-manager/app/BUILD b/cmd/controller-manager/app/BUILD
index f01ddd19ea..1ba2af4425 100644
--- a/cmd/controller-manager/app/BUILD
+++ b/cmd/controller-manager/app/BUILD
@@ -4,7 +4,6 @@ go_library(
 name = "go_default_library",
 srcs = [
 "helper.go",
- "insecure_serving.go",
 "serve.go",
 ],
 importpath = "k8s.io/kubernetes/cmd/controller-manager/app",
diff --git a/cmd/controller-manager/app/options/BUILD b/cmd/controller-manager/app/options/BUILD
index 6879f60d08..009d8840c0 100644
--- a/cmd/controller-manager/app/options/BUILD
+++ b/cmd/controller-manager/app/options/BUILD
@@ -6,19 +6,16 @@ go_library(
 "cloudprovider.go",
 "debugging.go",
 "generic.go",
- "insecure_serving.go",
 "kubecloudshared.go",
 "servicecontroller.go",
 ],
 importpath = "k8s.io/kubernetes/cmd/controller-manager/app/options",
 visibility = ["//visibility:public"],
 deps = [
- "//cmd/controller-manager/app:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
 "//pkg/client/leaderelectionconfig:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
- "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
 "//vendor/github.com/spf13/pflag:go_default_library",
 ],
 )
diff --git a/cmd/controller-manager/app/options/insecure_serving.go b/cmd/controller-manager/app/options/insecure_serving.go
deleted file mode 100644
index 3f98437a6c..0000000000
--- a/cmd/controller-manager/app/options/insecure_serving.go
+++ /dev/null
@@ -1,105 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package options
-
-import (
- "fmt"
- "net"
-
- "github.com/spf13/pflag"
-
- "k8s.io/apiserver/pkg/server/options"
- genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
-)
-
-// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-type InsecureServingOptions struct {
- BindAddress net.IP
- BindPort int
- // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
- // "tcp4", and "tcp6".
- BindNetwork string
-
- // Listener is the secure server network listener.
- // either Listener or BindAddress/BindPort/BindNetwork is set,
- // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
- Listener net.Listener
-
- // ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
- // It defaults to options.CreateListener.
- ListenFunc func(network, addr string) (net.Listener, int, error)
-}
-
-// Validate ensures that the insecure port values within the range of the port.
-func (s *InsecureServingOptions) Validate() []error {
- if s == nil {
- return nil
- }
-
- errors := []error{}
-
- if s.BindPort < 0 || s.BindPort > 65335 {
- errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 
0 for turning off insecure (HTTP) port", s.BindPort))
- }
-
- return errors
-}
-
-// AddFlags adds flags related to insecure serving for controller manager to the specified FlagSet.
-func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
- if s == nil {
- return
- }
-
- fs.IPVar(&s.BindAddress, "address", s.BindAddress, "DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead.")
- // MarkDeprecated hides the flag from the help. We don't want that:
- // fs.MarkDeprecated("address", "see --bind-address instead.")
- fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead.")
- // MarkDeprecated hides the flag from the help. We don't want that:
- // fs.MarkDeprecated("port", "see --secure-port instead.")
-}
-
-// ApplyTo adds InsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
-// Note: the double pointer allows to set the *InsecureServingInfo to nil without referencing the struct hosting this pointer.
-func (s *InsecureServingOptions) ApplyTo(c **genericcontrollermanager.InsecureServingInfo) error {
- if s == nil {
- return nil
- }
- if s.BindPort <= 0 {
- return nil
- }
-
- if s.Listener == nil {
- var err error
- listen := options.CreateListener
- if s.ListenFunc != nil {
- listen = s.ListenFunc
- }
- addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
- s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
- if err != nil {
- return fmt.Errorf("failed to create listener: %v", err)
- }
- }
-
- *c = &genericcontrollermanager.InsecureServingInfo{
- Listener: s.Listener,
- }
-
- return nil
-}
diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go
index 0fc80d5c10..2e5276d4bc 100644
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@@ -41,7 +41,7 @@ type ServerRunOptions struct {
 GenericServerRunOptions *genericoptions.ServerRunOptions
 Etcd *genericoptions.EtcdOptions
 SecureServing *genericoptions.SecureServingOptionsWithLoopback
- InsecureServing *kubeoptions.InsecureServingOptions
+ InsecureServing *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
 Audit *genericoptions.AuditOptions
 Features *genericoptions.FeatureOptions
 Admission *kubeoptions.AdmissionOptions
@@ -128,7 +128,7 @@ func (s *ServerRunOptions) Flags() (fss apiserverflag.NamedFlagSets) {
 s.Etcd.AddFlags(fss.FlagSet("etcd"))
 s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
 s.InsecureServing.AddFlags(fss.FlagSet("insecure serving"))
- s.InsecureServing.AddDeprecatedFlags(fss.FlagSet("insecure serving"))
+ s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address`
 s.Audit.AddFlags(fss.FlagSet("auditing"))
 s.Features.AddFlags(fss.FlagSet("features"))
 s.Authentication.AddFlags(fss.FlagSet("authentication"))
diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go
index 234961d81e..38fbe90453 100644
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) {
 EnableWatchCache: true,
 DefaultWatchCacheSize: 100,
 },
- SecureServing: apiserveroptions.WithLoopback(&apiserveroptions.SecureServingOptions{
+ SecureServing: (&apiserveroptions.SecureServingOptions{
 BindAddress: net.ParseIP("192.168.10.20"),
 BindPort: 6443,
 ServerCert: apiserveroptions.GeneratableKeyCert{
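Review bot: The TODO appended to the `AddUnqualifiedFlags` line in the Flags hunk reads `remove it until kops stops using --address`, which says the opposite of what is meant; `// TODO: remove once kops stops using --address` reads correctly. Because `AddFlags` and `AddUnqualifiedFlags` are both registered on the same "insecure serving" flag set, this comment is the only hint to a reader which flag names the second call contributes, so naming them (the unqualified `--address`/`--port` aliases, if that is what the method registers) is worth the extra words. Flags() continues outside the hunk.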
@@ -168,11 +168,11 @@ func TestAddFlags(t *testing.T) {
 },
 HTTP2MaxStreamsPerConnection: 42,
 Required: true,
- }),
- InsecureServing: &kubeoptions.InsecureServingOptions{
+ }).WithLoopback(),
+ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP("127.0.0.1"),
 BindPort: 8080,
- },
+ }).WithLoopback(),
 EventTTL: 1 * time.Hour,
 KubeletConfig: kubeletclient.KubeletClientConfig{
 Port: 10250,
diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go
index e93320f200..27880351ab 100644
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -166,7 +166,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 return nil, err
 }
- kubeAPIServerConfig, insecureServingOptions, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
+ kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
 if err != nil {
 return nil, err
 }
@@ -204,9 +204,9 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 return nil, err
 }
- if insecureServingOptions != nil {
+ if insecureServingInfo != nil {
 insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
- if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
+ if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
 return nil, err
 }
 }
@@ -278,7 +278,7 @@ func CreateKubeAPIServerConfig(
 proxyTransport *http.Transport,
 ) (
 config *master.Config,
- insecureServingInfo *kubeserver.InsecureServingInfo,
+ insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
 serviceResolver aggregatorapiserver.ServiceResolver,
 pluginInitializers []admission.PluginInitializer,
 admissionPostStartHook genericapiserver.PostStartHookFunc,
@@ -421,7 +421,7 @@ func buildGenericConfig(
 genericConfig *genericapiserver.Config,
 sharedInformers informers.SharedInformerFactory,
 versionedInformers clientgoinformers.SharedInformerFactory,
- insecureServingInfo *kubeserver.InsecureServingInfo,
+ insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
 serviceResolver aggregatorapiserver.ServiceResolver,
 pluginInitializers []admission.PluginInitializer,
 admissionPostStartHook genericapiserver.PostStartHookFunc,
@@ -435,7 +435,7 @@ func buildGenericConfig(
 return
 }
- if insecureServingInfo, lastErr = s.InsecureServing.ApplyTo(genericConfig); lastErr != nil {
+ if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil {
 return
 }
 if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
@@ -652,7 +652,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
 if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
 return options, err
 }
- if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
+ if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil {
 return options, err
 }
 serviceIPRange, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)
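Review bot: In the buildGenericConfig hunk `s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig)` and the following `s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig)` now both receive the same loopback config pointer, so when both listeners are enabled the call that runs second presumably decides which endpoint the server's own loopback client targets, and nothing in the hunk records that this order is intended. A one-line comment above the first call, e.g. `// SecureServing.ApplyTo runs last so the loopback client prefers the authenticated endpoint when both listeners are configured`, adjusted to what the library actually does, would make the ordering a deliberate invariant rather than an accident of statement order. buildGenericConfig begins and ends outside the hunk.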
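Review bot: In the Complete hunk `s.InsecureServing.DeprecatedInsecureServingOptions` dereferences the wrapper before the call, so a nil `s.InsecureServing` now panics where the old code handed the pointer straight to `DefaultAdvertiseAddress`, whose own `if insecure == nil { return nil }` guard (visible in the serving.go hunk on this page) is thereby bypassed. Whether the field can be nil at this point is not visible here; if callers may disable insecure serving by leaving it nil, guard the call: `if s.InsecureServing != nil { if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil { return options, err } }`. The preceding `s.SecureServing.SecureServingOptions` context line has the same shape, so if nil is impossible for both, a comment saying so would settle it. Complete continues outside the hunk.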
diff --git a/cmd/kube-controller-manager/app/config/BUILD b/cmd/kube-controller-manager/app/config/BUILD
index df37bee412..22f56c8adf 100644
--- a/cmd/kube-controller-manager/app/config/BUILD
+++ b/cmd/kube-controller-manager/app/config/BUILD
@@ -6,7 +6,6 @@ go_library(
 importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/config",
 visibility = ["//visibility:public"],
 deps = [
- "//cmd/controller-manager/app:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
diff --git a/cmd/kube-controller-manager/app/config/config.go b/cmd/kube-controller-manager/app/config/config.go
index 4713e9dfe2..c565f23ab6 100644
--- a/cmd/kube-controller-manager/app/config/config.go
+++ b/cmd/kube-controller-manager/app/config/config.go
@@ -21,7 +21,6 @@ import (
 clientset "k8s.io/client-go/kubernetes"
 restclient "k8s.io/client-go/rest"
 "k8s.io/client-go/tools/record"
- genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
 "k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@@ -31,7 +30,7 @@ type Config struct {
 SecureServing *apiserver.SecureServingInfo
 // TODO: remove deprecated insecure serving
- InsecureServing *genericcontrollermanager.InsecureServingInfo
+ InsecureServing *apiserver.DeprecatedInsecureServingInfo
 Authentication apiserver.AuthenticationInfo
 Authorization apiserver.AuthorizationInfo
diff --git a/cmd/kube-controller-manager/app/options/options.go b/cmd/kube-controller-manager/app/options/options.go
index eb818c9e5b..96864ef126 100644
--- a/cmd/kube-controller-manager/app/options/options.go
+++ b/cmd/kube-controller-manager/app/options/options.go
@@ -85,7 +85,7 @@ type KubeControllerManagerOptions struct {
 SecureServing *apiserveroptions.SecureServingOptions
 // TODO: remove insecure serving mode
- InsecureServing *cmoptions.InsecureServingOptions
+ InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
 Authentication *apiserveroptions.DelegatingAuthenticationOptions
 Authorization *apiserveroptions.DelegatingAuthorizationOptions
@@ -178,7 +178,7 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 },
 Controllers: componentConfig.Controllers,
 SecureServing: apiserveroptions.NewSecureServingOptions(),
- InsecureServing: &cmoptions.InsecureServingOptions{
+ InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
 BindPort: int(componentConfig.KubeCloudShared.Port),
 BindNetwork: "tcp",
@@ -234,7 +234,7 @@ func (s *KubeControllerManagerOptions) AddFlags(fs *pflag.FlagSet, allController
 s.ServiceController.AddFlags(fs)
 s.SecureServing.AddFlags(fs)
- s.InsecureServing.AddFlags(fs)
+ s.InsecureServing.AddUnqualifiedFlags(fs)
 s.Authentication.AddFlags(fs)
 s.Authorization.AddFlags(fs)
@@ -341,10 +341,10 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
 if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
 return err
 }
- if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+ if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
 return err
 }
- if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
+ if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
 return err
 }
 if err := s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
diff --git a/cmd/kube-controller-manager/app/options/options_test.go b/cmd/kube-controller-manager/app/options/options_test.go
index c5c4b83a0b..f8e31d4fd1 100644
--- a/cmd/kube-controller-manager/app/options/options_test.go
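Review bot: The ApplyTo hunk reverses the order of `s.InsecureServing.ApplyTo(&c.InsecureServing)` and `s.SecureServing.ApplyTo(&c.SecureServing)` without a comment, and nothing on this page says why the swap is needed; the removed controller-manager ApplyTo on this page wrote the bound port back into `s.BindPort`, which hints at a side effect the secure side may now depend on, but that is inference. Order-sensitive initialization deserves a why-comment above the first call, e.g. `// InsecureServing.ApplyTo must run before SecureServing.ApplyTo because <reason>`, with the reason filled in. `Authentication.ApplyTo` still consuming `c.SecureServing` after both calls is unaffected. The method's body starts and ends outside the hunk.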
+++ b/cmd/kube-controller-manager/app/options/options_test.go
@@ -140,8 +140,8 @@ func TestAddFlags(t *testing.T) {
 },
 },
 KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
- Port: 10252, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
- Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+ Port: 10252, // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
+ Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 UseServiceAccountCredentials: true,
 RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second},
 NodeMonitorPeriod: metav1.Duration{Duration: 10 * time.Second},
@@ -253,7 +253,7 @@ func TestAddFlags(t *testing.T) {
 },
 HTTP2MaxStreamsPerConnection: 47,
 },
- InsecureServing: &cmoptions.InsecureServingOptions{
+ InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP("192.168.4.10"),
 BindPort: int(10000),
 BindNetwork: "tcp",
diff --git a/cmd/kube-scheduler/app/config/BUILD b/cmd/kube-scheduler/app/config/BUILD
index 98f245e23d..1b499919f7 100644
--- a/cmd/kube-scheduler/app/config/BUILD
+++ b/cmd/kube-scheduler/app/config/BUILD
@@ -6,7 +6,6 @@ go_library(
 importpath = "k8s.io/kubernetes/cmd/kube-scheduler/app/config",
 visibility = ["//visibility:public"],
 deps = [
- "//cmd/controller-manager/app:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
 "//staging/src/k8s.io/client-go/informers:go_default_library",
diff --git a/cmd/kube-scheduler/app/config/config.go b/cmd/kube-scheduler/app/config/config.go
index e57f9c224c..4f1e674dd3 100644
--- a/cmd/kube-scheduler/app/config/config.go
+++ b/cmd/kube-scheduler/app/config/config.go
@@ -24,7 +24,6 @@ import (
 v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 "k8s.io/client-go/tools/leaderelection"
 "k8s.io/client-go/tools/record"
- "k8s.io/kubernetes/cmd/controller-manager/app"
 "k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@@ -33,8 +32,8 @@ type Config struct {
 // config is the scheduler server's configuration object.
 ComponentConfig componentconfig.KubeSchedulerConfiguration
- InsecureServing *app.InsecureServingInfo // nil will disable serving on an insecure port
- InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently
+ InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
+ InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
 Authentication apiserver.AuthenticationInfo
 Authorization apiserver.AuthorizationInfo
 SecureServing *apiserver.SecureServingInfo
diff --git a/cmd/kube-scheduler/app/options/BUILD b/cmd/kube-scheduler/app/options/BUILD
index 99c64e14e4..1254568c1c 100644
--- a/cmd/kube-scheduler/app/options/BUILD
+++ b/cmd/kube-scheduler/app/options/BUILD
@@ -11,7 +11,6 @@ go_library(
 importpath = "k8s.io/kubernetes/cmd/kube-scheduler/app/options",
 visibility = ["//visibility:public"],
 deps = [
- "//cmd/controller-manager/app/options:go_default_library",
 "//cmd/kube-scheduler/app/config:go_default_library",
 "//pkg/api/legacyscheme:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
@@ -64,7 +63,6 @@ go_test(
 ],
 embed = [":go_default_library"],
 deps = [
- "//cmd/controller-manager/app/options:go_default_library",
 "//cmd/kube-scheduler/app/config:go_default_library",
 "//pkg/apis/componentconfig:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/apis/config:go_default_library",
@@ -72,5 +70,6 @@ go_test(
 "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
 "//staging/src/k8s.io/apimachinery/pkg/util/rand:go_default_library",
 "//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
+ "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
 ],
 )
diff --git a/cmd/kube-scheduler/app/options/insecure_serving.go b/cmd/kube-scheduler/app/options/insecure_serving.go
index 5abe57cbb8..b7353789fa 100644
--- a/cmd/kube-scheduler/app/options/insecure_serving.go
+++ b/cmd/kube-scheduler/app/options/insecure_serving.go
@@ -23,16 +23,16 @@ import (
 "github.com/spf13/pflag"
- controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
+ apiserveroptions "k8s.io/apiserver/pkg/server/options"
 schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 "k8s.io/kubernetes/pkg/apis/componentconfig"
 )
 // CombinedInsecureServingOptions sets up up to two insecure listeners for healthz and metrics. The flags
-// override the ComponentConfig and InsecureServingOptions values for both.
+// override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
 type CombinedInsecureServingOptions struct {
- Healthz *controlleroptions.InsecureServingOptions
- Metrics *controlleroptions.InsecureServingOptions
+ Healthz *apiserveroptions.DeprecatedInsecureServingOptions
+ Metrics *apiserveroptions.DeprecatedInsecureServingOptions
 BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
 BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
@@ -53,10 +53,10 @@ func (o *CombinedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 }
 func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, componentConfig *componentconfig.KubeSchedulerConfiguration) error {
- if err := updateAddressFromInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
+ if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
 return err
 }
- if err := updateAddressFromInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
+ if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
 return err
 }
@@ -98,17 +98,17 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp
 return nil
 }
- if err := updateInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
+ if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
 return fmt.Errorf("invalid healthz address: %v", err)
 }
- if err := updateInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
+ if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
 return fmt.Errorf("invalid metrics address: %v", err)
 }
 return o.applyTo(c, componentConfig)
 }
-func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions.InsecureServingOptions) error {
+func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error {
 if is == nil {
 *addr = ""
 } else {
@@ -124,7 +124,7 @@ func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions
 return nil
 }
-func updateInsecureServingOptionsFromAddress(is *controlleroptions.InsecureServingOptions, addr string) error {
+func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error {
 if is == nil {
 return nil
 }
diff --git a/cmd/kube-scheduler/app/options/insecure_serving_test.go b/cmd/kube-scheduler/app/options/insecure_serving_test.go
index f04dfd8d1f..78f45eecf1 100644
--- a/cmd/kube-scheduler/app/options/insecure_serving_test.go
+++ b/cmd/kube-scheduler/app/options/insecure_serving_test.go
@@ -23,7 +23,7 @@ import (
 "testing"
 "k8s.io/apimachinery/pkg/util/rand"
- "k8s.io/kubernetes/cmd/controller-manager/app/options"
+ apiserveroptions "k8s.io/apiserver/pkg/server/options"
 schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 "k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1234",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &options.InsecureServingOptions{},
- Metrics: &options.InsecureServingOptions{},
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindPort: 0,
 },
 },
@@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1234",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &options.InsecureServingOptions{},
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindPort: 0,
 },
 },
@@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1234",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Metrics: &options.InsecureServingOptions{},
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindPort: 0,
 },
 },
@@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1234",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &options.InsecureServingOptions{},
- Metrics: &options.InsecureServingOptions{},
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindPort: 0,
 },
 },
@@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1235",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &options.InsecureServingOptions{},
- Metrics: &options.InsecureServingOptions{},
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindPort: 0,
 },
 },
@@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1234",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &options.InsecureServingOptions{},
- Metrics: &options.InsecureServingOptions{},
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindPort: 1236,
 BindAddress: "1.2.3.4",
 },
@@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1234",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &options.InsecureServingOptions{},
- Metrics: &options.InsecureServingOptions{},
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindAddress: "2.3.4.5",
 BindPort: 1234,
 },
@@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 MetricsBindAddress: "1.2.3.4:1234",
 },
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &options.InsecureServingOptions{},
- Metrics: &options.InsecureServingOptions{},
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
 BindAddress: "2.3.4.5",
 BindPort: 0,
 },
diff --git a/cmd/kube-scheduler/app/options/options.go b/cmd/kube-scheduler/app/options/options.go
index 08990fda36..2150dea1aa 100644
--- a/cmd/kube-scheduler/app/options/options.go
+++ b/cmd/kube-scheduler/app/options/options.go
@@ -41,7 +41,6 @@ import (
 "k8s.io/client-go/tools/leaderelection"
 "k8s.io/client-go/tools/leaderelection/resourcelock"
 "k8s.io/client-go/tools/record"
- controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
 schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 "k8s.io/kubernetes/pkg/api/legacyscheme"
 "k8s.io/kubernetes/pkg/apis/componentconfig"
@@ -86,10 +85,10 @@ func NewOptions() (*Options, error) {
 ComponentConfig: *cfg,
 SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
 CombinedInsecureServing: &CombinedInsecureServingOptions{
- Healthz: &controlleroptions.InsecureServingOptions{
+ Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{
 BindNetwork: "tcp",
 },
- Metrics: &controlleroptions.InsecureServingOptions{
+ Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{
 BindNetwork: "tcp",
 },
 BindPort: hport,
diff --git a/pkg/kubeapiserver/options/BUILD b/pkg/kubeapiserver/options/BUILD
index df6c28129d..c4829201b5 100644
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@@ -27,7 +27,6 @@ go_library( "//pkg/kubeapiserver/authenticator:go_default_library", "//pkg/kubeapiserver/authorizer:go_default_library", "//pkg/kubeapiserver/authorizer/modes:go_default_library", - "//pkg/kubeapiserver/server:go_default_library", "//plugin/pkg/admission/admit:go_default_library", "//plugin/pkg/admission/alwayspullimages:go_default_library", "//plugin/pkg/admission/antiaffinity:go_default_library", diff --git a/pkg/kubeapiserver/options/serving.go b/pkg/kubeapiserver/options/serving.go index c2bad3e892..5d561807fd 100644 --- a/pkg/kubeapiserver/options/serving.go +++ b/pkg/kubeapiserver/options/serving.go @@ -20,20 +20,15 @@ package options import ( "fmt" "net" - "strconv" - - "github.com/spf13/pflag" utilnet "k8s.io/apimachinery/pkg/util/net" - "k8s.io/apiserver/pkg/server" genericoptions "k8s.io/apiserver/pkg/server/options" - kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server" ) // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by // "normal" API servers running on the platform func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback { - return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{ + o := genericoptions.SecureServingOptions{ BindAddress: net.ParseIP("0.0.0.0"), BindPort: 6443, Required: true, 
@@ -41,20 +36,31 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback PairName: "apiserver", CertDirectory: "/var/run/kubernetes", }, - }) + } + return o.WithLoopback() +} + +// NewInsecureServingOptions gives default values for the kube-apiserver. +// TODO: switch insecure serving off by default +func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback { + o := genericoptions.DeprecatedInsecureServingOptions{ + BindAddress: net.ParseIP("127.0.0.1"), + BindPort: 8080, + } + return o.WithLoopback() } // DefaultAdvertiseAddress sets the field AdvertiseAddress if // unset. The field will be set based on the SecureServingOptions. If // the SecureServingOptions is not present, DefaultExternalAddress // will fall back to the insecure ServingOptions. -func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error { +func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error { if insecure == nil { return nil } if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() { - hostIP, err := insecure.DefaultExternalAddress() + hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress) if err != nil { return fmt.Errorf("unable to find suitable network address.error='%v'. "+ "Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err) 
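Review bot: The doc comment kept above `DefaultAdvertiseAddress` still says that `DefaultExternalAddress` will fall back to the insecure serving options, but this commit deletes that method and the new line calls `utilnet.ChooseBindAddress(insecure.BindAddress)` directly, so the comment now names a function that no longer exists. I would reword the last two comment lines to `// the SecureServingOptions is not present, the address is derived from the insecure BindAddress via utilnet.ChooseBindAddress.` The new `NewInsecureServingOptions` also drops the "No one should be using these anymore" warning that the removed constructor carried and has no `// Deprecated:` line, although it still enables an unauthenticated HTTP listener on 127.0.0.1:8080 by default; adding `// Deprecated: the insecure port serves unauthenticated, unauthorized HTTP and will be removed in a future version.` would keep that warning visible in godoc. The body of `DefaultAdvertiseAddress` continues past the end of this hunk.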
@@ -64,75 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec return nil } - -// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port. -// No one should be using these anymore. -type InsecureServingOptions struct { - BindAddress net.IP - BindPort int -} - -// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port. -// No one should be using these anymore. -func NewInsecureServingOptions() *InsecureServingOptions { - return &InsecureServingOptions{ - BindAddress: net.ParseIP("127.0.0.1"), - BindPort: 8080, - } -} - -func (s InsecureServingOptions) Validate() []error { - errors := []error{} - - if s.BindPort < 0 || s.BindPort > 65535 { - errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort)) - } - - return errors -} - -func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) { - return utilnet.ChooseBindAddress(s.BindAddress) -} - -func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+ - "The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).") - fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.") - fs.Lookup("insecure-bind-address").Hidden = false - - fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+ - "The port on which to serve unsecured, unauthenticated access. It is assumed "+ - "that firewall rules are set up such that this port is not reachable from outside of "+ - "the cluster and that port 443 on the cluster's public address is proxied to this "+ - "port. This is performed by nginx in the default setup. 
Set to zero to disable.") - fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.") - fs.Lookup("insecure-port").Hidden = false -} - -// TODO: remove it until kops stop using `--address` -func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.BindAddress, "address", s.BindAddress, - "DEPRECATED: see --insecure-bind-address instead.") - fs.MarkDeprecated("address", "see --insecure-bind-address instead.") - - fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.") - fs.MarkDeprecated("port", "see --insecure-port instead.") -} - -func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) { - if s.BindPort <= 0 { - return nil, nil - } - - ret := &kubeserver.InsecureServingInfo{ - BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)), - } - - var err error - if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(); err != nil { - return nil, err - } - - return ret, nil -} diff --git a/pkg/kubeapiserver/server/BUILD b/pkg/kubeapiserver/server/BUILD index 382380740b..b1d2c47bdd 100644 --- a/pkg/kubeapiserver/server/BUILD +++ b/pkg/kubeapiserver/server/BUILD @@ -15,10 +15,7 @@ go_library( "//staging/src/k8s.io/apiserver/pkg/features:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server:go_default_library", "//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library", - "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library", "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library", - "//staging/src/k8s.io/client-go/rest:go_default_library", - "//vendor/github.com/golang/glog:go_default_library", ], ) diff --git a/pkg/kubeapiserver/server/insecure_handler.go b/pkg/kubeapiserver/server/insecure_handler.go index bc67014037..d3eb628a28 100644 --- a/pkg/kubeapiserver/server/insecure_handler.go +++ b/pkg/kubeapiserver/server/insecure_handler.go 
@@ -17,25 +17,19 @@ limitations under the License. package server import ( - "net" "net/http" - "time" - - "github.com/golang/glog" "k8s.io/apiserver/pkg/authentication/user" genericapifilters "k8s.io/apiserver/pkg/endpoints/filters" "k8s.io/apiserver/pkg/features" "k8s.io/apiserver/pkg/server" genericfilters "k8s.io/apiserver/pkg/server/filters" - "k8s.io/apiserver/pkg/server/options" utilfeature "k8s.io/apiserver/pkg/util/feature" - "k8s.io/client-go/rest" ) -// InsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization. +// DeprecatedInsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization. // You shouldn't be using this. It makes sig-auth sad. -// InsecureServingInfo *ServingInfo +// DeprecatedInsecureServingInfo *ServingInfo func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler { handler := apiHandler 
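Review bot: The comment immediately above `BuildInsecureHandlerChain` now describes `DeprecatedInsecureServingInfo`, a type this commit moves to `k8s.io/apiserver/pkg/server`, and the trailing `// DeprecatedInsecureServingInfo *ServingInfo` line is a leftover that documents nothing in this file; the rename only updated text that was already misplaced. Go doc convention expects the comment to start with the function's name, so I would replace the three comment lines with `// BuildInsecureHandlerChain wraps apiHandler in the filter chain used for the deprecated insecure (HTTP) port. Requests on this port are NOT authenticated or authorized; every caller is treated as a superuser (see insecureSuperuser below).` The function body continues past the end of this hunk.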
@@ -55,76 +49,6 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H return handler } -type InsecureServingInfo struct { - // BindAddress is the ip:port to serve on - BindAddress string - // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp", - // "tcp4", and "tcp6". - BindNetwork string -} - -func (s *InsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) { - if s == nil { - return nil, nil - } - - host, port, err := server.LoopbackHostPort(s.BindAddress) - if err != nil { - return nil, err - } - - return &rest.Config{ - Host: "http://" + net.JoinHostPort(host, port), - // Increase QPS limits. The client is currently passed to all admission plugins, - // and those can be throttled in case of higher load on apiserver - see #22340 and #22422 - // for more details. Once #22422 is fixed, we may want to remove it. - QPS: 50, - Burst: 100, - }, nil -} - -// NonBlockingRun spawns the insecure http server. An error is -// returned if the ports cannot be listened on. -func NonBlockingRun(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error { - // Use an internal stop channel to allow cleanup of the listeners on error. - internalStopCh := make(chan struct{}) - - if insecureServingInfo != nil && insecureHandler != nil { - if err := serveInsecurely(insecureServingInfo, insecureHandler, shutDownTimeout, internalStopCh); err != nil { - close(internalStopCh) - return err - } - } - - // Now that the listener has bound successfully, it is the - // responsibility of the caller to close the provided channel to - // ensure cleanup. - go func() { - <-stopCh - close(internalStopCh) - }() - - return nil -} - -// serveInsecurely run the insecure http server. It fails only if the initial listen -// call fails. The actual server loop (stoppable by closing stopCh) runs in a go -// routine, i.e. serveInsecurely does not block. 
-func serveInsecurely(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error { - insecureServer := &http.Server{ - Addr: insecureServingInfo.BindAddress, - Handler: insecureHandler, - MaxHeaderBytes: 1 << 20, - } - glog.Infof("Serving insecurely on %s", insecureServingInfo.BindAddress) - ln, _, err := options.CreateListener(insecureServingInfo.BindNetwork, insecureServingInfo.BindAddress) - if err != nil { - return err - } - err = server.RunServer(insecureServer, ln, shutDownTimeout, stopCh) - return err -} - // insecureSuperuser implements authenticator.Request to always return a superuser. // This is functionally equivalent to skipping authentication and authorization, // but allows apiserver code to stop special-casing a nil user to skip authorization checks. diff --git a/staging/src/k8s.io/apiserver/pkg/server/BUILD b/staging/src/k8s.io/apiserver/pkg/server/BUILD index 449a10c84f..c71377a41e 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/server/BUILD @@ -45,13 +45,14 @@ go_library( srcs = [ "config.go", "config_selfclient.go", + "deprecated_insecure_serving.go", "doc.go", "genericapiserver.go", "handler.go", "healthz.go", "hooks.go", "plugins.go", - "serve.go", + "secure_serving.go", "signal.go", "signal_posix.go", "signal_windows.go", diff --git a/cmd/controller-manager/app/insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go similarity index 55% rename from cmd/controller-manager/app/insecure_serving.go rename to staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go index 156fbadfc3..3e88dd49db 100644 --- a/cmd/controller-manager/app/insecure_serving.go +++ b/staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go 
@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ -package app +package server import ( "net" @@ -23,11 +23,11 @@ import ( "github.com/golang/glog" - "k8s.io/apiserver/pkg/server" + "k8s.io/client-go/rest" ) -// InsecureServingInfo is the main context object for the insecure http server. -type InsecureServingInfo struct { +// DeprecatedInsecureServingInfo is the main context object for the insecure http server. +type DeprecatedInsecureServingInfo struct { // Listener is the secure server network listener. Listener net.Listener // optional server name for log messages @@ -36,7 +36,7 @@ type InsecureServingInfo struct { // Serve starts an insecure http server with the given handler. It fails only if // the initial listen call fails. It does not block. -func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error { +func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error { insecureServer := &http.Server{ Addr: s.Listener.Addr().String(), Handler: handler, 
@@ -48,5 +48,25 @@ func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.D } else { glog.Infof("Serving insecurely on %s", s.Listener.Addr()) } - return server.RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh) + return RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh) +} + +func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) { + if s == nil { + return nil, nil + } + + host, port, err := LoopbackHostPort(s.Listener.Addr().String()) + if err != nil { + return nil, err + } + + return &rest.Config{ + Host: "http://" + net.JoinHostPort(host, port), + // Increase QPS limits. The client is currently passed to all admission plugins, + // and those can be throttled in case of higher load on apiserver - see #22340 and #22422 + // for more details. Once #22422 is fixed, we may want to remove it. + QPS: 50, + Burst: 100, + }, nil } diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/BUILD b/staging/src/k8s.io/apiserver/pkg/server/options/BUILD index 07c28712b3..273d132447 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/BUILD +++ b/staging/src/k8s.io/apiserver/pkg/server/options/BUILD @@ -9,6 +9,7 @@ go_library( "authentication.go", "authorization.go", "coreapi.go", + "deprecated_insecure_serving.go", "doc.go", "etcd.go", "feature.go", diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go new file mode 100644 index 0000000000..e8e3d7feb3 --- /dev/null +++ b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go 
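Review bot: The new exported method `NewLoopbackClientConfig` has no doc comment, and what it does is security-relevant: the returned `rest.Config` has `Host` set to `http://` plus the listener's loopback address and carries no TLS settings and no credentials, so anything the server does through this client goes over plaintext to a port that performs no authentication or authorization. I would add `// NewLoopbackClientConfig returns a rest.Config that reaches this insecure listener over plain HTTP. It sets no TLS configuration and no credentials, because the insecure port authenticates and authorizes nothing; it must never be handed to code that expects an authenticated client.` above the method. It also dereferences `s.Listener` without a nil check, which is fine as long as every `DeprecatedInsecureServingInfo` is built with a listener (the options ApplyTo added by this commit does so) but would panic for a hand-constructed value; extending the guard to `if s == nil || s.Listener == nil { return nil, nil }` would match the existing nil-receiver handling.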
@@ -0,0 +1,164 @@ +/* +Copyright 2017 The Kubernetes Authors. + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ + +package options + +import ( + "fmt" + "net" + + "github.com/spf13/pflag" + + "k8s.io/apiserver/pkg/server" + "k8s.io/client-go/rest" +) + +// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port. +// No one should be using these anymore. +// DEPRECATED: all insecure serving options are removed in a future version +type DeprecatedInsecureServingOptions struct { + BindAddress net.IP + BindPort int + // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp", + // "tcp4", and "tcp6". + BindNetwork string + + // Listener is the secure server network listener. + // either Listener or BindAddress/BindPort/BindNetwork is set, + // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork. + Listener net.Listener + + // ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests. + // It defaults to options.CreateListener. + ListenFunc func(network, addr string) (net.Listener, int, error) +} + +// Validate ensures that the insecure port values within the range of the port. +func (s *DeprecatedInsecureServingOptions) Validate() []error { + if s == nil { + return nil + } + + errors := []error{} + + if s.BindPort < 0 || s.BindPort > 65335 { + errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 
0 for turning off insecure (HTTP) port", s.BindPort)) + } + + return errors +} + +// AddFlags adds flags related to insecure serving to the specified FlagSet. +func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) { + if s == nil { + return + } + + fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+ + "The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).") + fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.") + fs.Lookup("insecure-bind-address").Hidden = false + + fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+ + "The port on which to serve unsecured, unauthenticated access.") + fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.") + fs.Lookup("insecure-port").Hidden = false +} + +// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet. +func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) { + if s == nil { + return + } + + fs.IPVar(&s.BindAddress, "address", s.BindAddress, + "DEPRECATED: see --bind-address instead.") + fs.MarkDeprecated("address", "see --bind-address instead.") + + fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --secure-port instead.") + fs.MarkDeprecated("port", "see --secure-port instead.") +} + +// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration. +// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer. 
+func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error { + if s == nil { + return nil + } + if s.BindPort <= 0 { + return nil + } + + if s.Listener == nil { + var err error + listen := CreateListener + if s.ListenFunc != nil { + listen = s.ListenFunc + } + addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort)) + s.Listener, s.BindPort, err = listen(s.BindNetwork, addr) + if err != nil { + return fmt.Errorf("failed to create listener: %v", err) + } + } + + *c = &server.DeprecatedInsecureServingInfo{ + Listener: s.Listener, + } + + return nil +} + +// WithLoopback adds loopback functionality to the serving options. +func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback { + return &DeprecatedInsecureServingOptionsWithLoopback{o} +} + +// DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions. +// DEPRECATED: all insecure serving options are removed in a future version +type DeprecatedInsecureServingOptionsWithLoopback struct { + *DeprecatedInsecureServingOptions +} + +// ApplyTo fills up serving information in the server configuration. 
+func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error { + if s == nil || s.DeprecatedInsecureServingOptions == nil || insecureServingInfo == nil { + return nil + } + + if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil { + return err + } + + if *insecureServingInfo == nil || loopbackClientConfig == nil { + return nil + } + + secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig() + switch { + // if we failed and there's no fallback loopback client config, we need to fail + case err != nil && secureLoopbackClientConfig == nil: + return err + + // if we failed, but we already have a fallback loopback client config (usually insecure), allow it + case err != nil && secureLoopbackClientConfig != nil: + + default: + *loopbackClientConfig = secureLoopbackClientConfig + } + + return nil +} diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go index d792d87515..5016145bd1 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/recommended.go @@ -54,7 +54,7 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio return &RecommendedOptions{ Etcd: NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)), - SecureServing: WithLoopback(sso), + SecureServing: sso.WithLoopback(), Authentication: NewDelegatingAuthenticationOptions(), Authorization: NewDelegatingAuthorizationOptions(), Audit: NewAuditOptions(), diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go index 939566a027..6d8899fd90 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go 
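Review bot: `Validate` rejects `BindPort` values above 65335 instead of 65535, both in the comparison and in the error text, so legitimate ports 65336–65535 fail validation; the removed `InsecureServingOptions.Validate` in pkg/kubeapiserver/options used the correct bound, so this is a regression introduced by the move. Change the check to `if s.BindPort < 0 || s.BindPort > 65535 {` and the message to `"insecure port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port"`. In `DeprecatedInsecureServingOptionsWithLoopback.ApplyTo` the result of `(*insecureServingInfo).NewLoopbackClientConfig()` is named `secureLoopbackClientConfig` and the fallback comment says "usually insecure", wording copied from the secure variant: here the config produced is the plaintext `http://` one, and the `default` branch overwrites whatever `*loopbackClientConfig` already held, so if a caller applies secure serving first and the insecure port is enabled, the server's own loopback client is silently downgraded to unauthenticated HTTP; I would rename the variable `insecureLoopbackClientConfig` and state that ordering hazard in the method's doc comment. The `case err != nil && secureLoopbackClientConfig != nil` branch is also unreachable, since `NewLoopbackClientConfig` returns a nil config on its only error path.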
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go @@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) { config.Version = &v config.EnableIndex = true - secureOptions := WithLoopback(&SecureServingOptions{ + secureOptions := (&SecureServingOptions{ BindAddress: net.ParseIP("127.0.0.1"), BindPort: 6443, ServerCert: GeneratableKeyCert{ @@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) { }, }, SNICertKeys: namedCertKeys, - }) + }).WithLoopback() // use a random free port ln, err := net.Listen("tcp", "127.0.0.1:0") if err != nil { diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go index df4750d9ac..ac9635d2dd 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go @@ -31,7 +31,7 @@ type SecureServingOptionsWithLoopback struct { *SecureServingOptions } -func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback { +func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback { return &SecureServingOptionsWithLoopback{o} } diff --git a/staging/src/k8s.io/apiserver/pkg/server/serve.go b/staging/src/k8s.io/apiserver/pkg/server/secure_serving.go similarity index 100% rename from staging/src/k8s.io/apiserver/pkg/server/serve.go rename to staging/src/k8s.io/apiserver/pkg/server/secure_serving.go