diff --git a/staging/src/k8s.io/apiserver/pkg/server/config_selfclient.go b/staging/src/k8s.io/apiserver/pkg/server/config_selfclient.go
index d53cc2f24c..ba79760175 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/config_selfclient.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/config_selfclient.go
@@ -33,14 +33,9 @@ func (s *SecureServingInfo) NewLoopbackClientConfig(token string, loopbackCert [
 return nil, nil
 }
 
- host, port, err := net.SplitHostPort(s.ServingInfo.BindAddress)
+ host, port, err := s.ServingInfo.loopbackHostPort()
 if err != nil {
- // should never happen
- return nil, fmt.Errorf("invalid secure bind address: %q", s.ServingInfo.BindAddress)
- }
- if host == "0.0.0.0" {
- // compare MaybeDefaultWithSelfSignedCerts which adds "localhost" to the cert as alternateDNS
- host = "localhost"
+ return nil, err
 }
 
 return &restclient.Config{
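Review bot: The call to `s.ServingInfo.loopbackHostPort()` drops the call-site reminder that, on the TLS path, the rewritten host has to be a name present on the serving certificate. The removed comment tied `localhost` to MaybeDefaultWithSelfSignedCerts, and that coupling now lives only in a helper shared with the plaintext listener. A later edit to the helper made for the insecure case (for example returning an IP literal) would presumably break hostname verification here without touching this function. I would add a comment above the call, such as `// host must match a name on the serving cert (see MaybeDefaultWithSelfSignedCerts); loopbackHostPort maps 0.0.0.0 to "localhost" for that reason`. The function body starts and continues outside the hunk, so how the host is used in the returned config is not visible here.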
@@ -95,12 +90,35 @@ func findCA(chain []*x509.Certificate) (*x509.Certificate, error) {
 return nil, fmt.Errorf("no certificate with CA:TRUE found in chain")
 }
 
+// loopbackHostPort returns the host and port loopback REST clients should use
+// to contact the server.
+func (s *ServingInfo) loopbackHostPort() (string, string, error) {
+ host, port, err := net.SplitHostPort(s.BindAddress)
+ if err != nil {
+ // should never happen
+ return "", "", fmt.Errorf("invalid server bind address: %q", s.BindAddress)
+ }
+
+ // Value is expected to be an IP or DNS name, not "0.0.0.0".
+ if host == "0.0.0.0" {
+ // compare MaybeDefaultWithSelfSignedCerts which adds "localhost" to the cert as alternateDNS
+ host = "localhost"
+ }
+ return host, port, nil
+}
+
 func (s *ServingInfo) NewLoopbackClientConfig(token string) (*restclient.Config, error) {
 if s == nil {
 return nil, nil
 }
+
+ host, port, err := s.loopbackHostPort()
+ if err != nil {
+ return nil, err
+ }
+
 return &restclient.Config{
- Host: s.BindAddress,
+ Host: "http://" + net.JoinHostPort(host, port),
 // Increase QPS limits. The client is currently passed to all admission plugins,
 // and those can be throttled in case of higher load on apiserver - see #22340 and #22422
 // for more details. Once #22422 is fixed, we may want to remove it.
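Review bot: The unspecified-address check in loopbackHostPort matches only the literal `0.0.0.0`, so if a bind address like `[::]:8080` or `:8080` can reach it, the loopback client is handed `::` or an empty host instead of a loopback name. A broader test would be `if ip := net.ParseIP(host); host == "" || (ip != nil && ip.IsUnspecified()) { host = "localhost" }`, provided the certificate defaults that the existing comment refers to also cover the IPv6 case. The SplitHostPort error is discarded as well; appending `: %v` with `err` to the message would keep the parse reason. Separately, this config is now explicitly `http://` while the function still accepts `token`. The rest of the struct literal is outside the hunk, so it is worth confirming the token is not attached as a bearer credential on the plaintext connection.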