From d4591ea3245a57119620d4337ed551993a0a355d Mon Sep 17 00:00:00 2001
From: Jordan Liggitt
Date: Sat, 16 Mar 2019 16:22:48 -0400
Subject: [PATCH] Revert "Stop using API server's `--insecure-port`"

This reverts commit 5b64a9868931f294df242f88fbf3d20d352f3bdd.
---
 cmd/kubeadm/app/phases/controlplane/manifests.go | 1 +
 .../app/phases/controlplane/manifests_test.go | 12 ++++++++++--
 .../app/phases/selfhosting/selfhosting_test.go | 2 ++
 3 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/cmd/kubeadm/app/phases/controlplane/manifests.go b/cmd/kubeadm/app/phases/controlplane/manifests.go
index 63d3c14421..47c1e0355e 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests.go
@@ -137,6 +137,7 @@ func CreateStaticPodFiles(manifestDir string, cfg *kubeadmapi.ClusterConfigurati
 func getAPIServerCommand(cfg *kubeadmapi.ClusterConfiguration, localAPIEndpoint *kubeadmapi.APIEndpoint) []string {
 defaultArguments := map[string]string{
 "advertise-address": localAPIEndpoint.AdvertiseAddress,
+ "insecure-port": "0",
 "enable-admission-plugins": "NodeRestriction",
 "service-cluster-ip-range": cfg.Networking.ServiceSubnet,
 "service-account-key-file": filepath.Join(cfg.CertificatesDir, kubeadmconstants.ServiceAccountPublicKeyName),
diff --git a/cmd/kubeadm/app/phases/controlplane/manifests_test.go b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
index 2a16786b78..191450c9d4 100644
--- a/cmd/kubeadm/app/phases/controlplane/manifests_test.go
+++ b/cmd/kubeadm/app/phases/controlplane/manifests_test.go
@@ -148,6 +148,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=0",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
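Review bot: The restored `"insecure-port": "0"` entry in `defaultArguments` (the manifests.go hunk) carries no comment saying why it is pinned, and the entry has now been removed and put back once, so the intent is easy to lose again. The insecure port serves the API over plain HTTP without authentication or authorization and 0 is the value that turns it off; I would record that next to the entry, e.g. `// 0 disables the unauthenticated plaintext port; do not drop while kube-apiserver still accepts the flag.` The "insecure-port extra-args" test case later in this patch shows that a value supplied through `ExtraArgs` replaces this default, so it may also be worth logging a warning when an override is non-zero, presumably where the defaults and overrides are merged, which is outside this hunk. getAPIServerCommand's body continues past the hunk.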
@@ -184,6 +185,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=0",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
@@ -228,6 +230,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=0",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
@@ -269,6 +272,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "2001:db8::1"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=0",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
@@ -312,6 +316,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=0",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=baz",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
@@ -357,6 +362,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=0",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
@@ -385,14 +391,14 @@ func TestGetAPIServerCommand(t *testing.T) {
 },
 },
 {
- name: "secure-port extra-args",
+ name: "insecure-port extra-args",
 cfg: &kubeadmapi.ClusterConfiguration{
 Networking: kubeadmapi.Networking{ServiceSubnet: "bar"},
 CertificatesDir: testCertsDir,
 APIServer: kubeadmapi.APIServer{
 ControlPlaneComponent: kubeadmapi.ControlPlaneComponent{
 ExtraArgs: map[string]string{
- "secure-port": "123",
+ "insecure-port": "1234",
 },
 },
 },
@@ -400,6 +406,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=1234",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
@@ -443,6 +450,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 endpoint: &kubeadmapi.APIEndpoint{BindPort: 123, AdvertiseAddress: "1.2.3.4"},
 expected: []string{
 "kube-apiserver",
+ "--insecure-port=0",
 "--enable-admission-plugins=NodeRestriction",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + testCertsDir + "/sa.pub",
diff --git a/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go b/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
index 5b8a4d0e16..30c692c5ee 100644
--- a/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
+++ b/cmd/kubeadm/app/phases/selfhosting/selfhosting_test.go
@@ -52,6 +52,7 @@ spec:
 - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
 - --advertise-address=192.168.1.115
 - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
+ - --insecure-port=0
 - --experimental-bootstrap-token-auth=true
 - --requestheader-username-headers=X-Remote-User
 - --requestheader-extra-headers-prefix=X-Remote-Extra-
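Review bot: The table entry renamed to "insecure-port extra-args" in TestGetAPIServerCommand (hunk at -385) replaces the "secure-port extra-args" entry instead of sitting next to it, so nothing visible in this patch still exercises a `secure-port` override through `ExtraArgs`; keeping both entries would cover both flags. The restored entry, together with the expectation in the following hunk, asserts that `"insecure-port": "1234"` in `ExtraArgs` produces `--insecure-port=1234`, i.e. that a user setting switches the plaintext, unauthenticated port back on over the `0` default. If that pass-through is intended, a one-line comment above the entry such as `// ExtraArgs must be able to override the insecure-port=0 default.` would show the test pins a deliberate behaviour. The table and the test function start and end outside these hunks.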
@@ -134,6 +135,7 @@ spec:
 - --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt
 - --advertise-address=$(HOST_IP)
 - --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt
+ - --insecure-port=0
 - --experimental-bootstrap-token-auth=true
 - --requestheader-username-headers=X-Remote-User
 - --requestheader-extra-headers-prefix=X-Remote-Extra-