Automatic merge from submit-queue
Implement TLS bootstrap for kubelet using `--experimental-bootstrap-kubeconfig` (2nd take)
Ref kubernetes/features#43 (comment)
cc @gtank @philips @mikedanese @aaronlevy @liggitt @deads2k @errordeveloper @justinsb
Continue on the older PR https://github.com/kubernetes/kubernetes/pull/30094 as there are too many comments on that one and it's not loadable now.
Automatic merge from submit-queue
Correct the url in comment and optimise the code style
The PR modified two aspects:
1) Correct the url in comment, the original url can't be accessed;
2) Optimise the code style according to the go style guide.
Automatic merge from submit-queue
Verify if Secure and InsecurePort are equal for apiserver
If we specify the kube-apiserver flags `--secure-port` and `--insecure-port` with the same port, the server will print the below error info repeatedly. In fact, it's meaningless to do this. It should verify if the two flags are equal. If so, the server should give error info and exit directly.
```
root@vm:~# [restful] 2016/08/01 13:11:52 log.go:30: [restful/swagger] listing is available at https://172.16.1.11:8888/swaggerapi/
[restful] 2016/08/01 13:11:52 log.go:30: [restful/swagger] https://172.16.1.11:8888/swaggerui/ is mapped to folder /swagger-ui/
E0801 13:11:53.102232 2481 genericapiserver.go:733] Unable to listen for secure (listen tcp 0.0.0.0:8888: bind: address already in use); will try again.
E0801 13:12:08.116463 2481 genericapiserver.go:733] Unable to listen for secure (listen tcp 0.0.0.0:8888: bind: address already in use); will try again.
```
After fixing, the print is like this:
```
root@vm:~# F0801 11:51:44.308180 1921 genericapiserver.go:599] --secure-port and --insecure-port cannot use the same port.
goroutine 1 [running]:
k8s.io/kubernetes/vendor/github.com/golang/glog.stacks(0x4871d00, 0x0, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:766 +0xb8
k8s.io/kubernetes/vendor/github.com/golang/glog.(*loggingT).output(0x48517c0, 0xc800000003, 0xc820368000, 0x470aeab, 0x13, 0x257, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:717 +0x259
k8s.io/kubernetes/vendor/github.com/golang/glog.(*loggingT).printf(0x48517c0, 0xc800000003, 0x3518280, 0x3b, 0x0, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:655 +0x1d4
k8s.io/kubernetes/vendor/github.com/golang/glog.Fatalf(0x3518280, 0x3b, 0x0, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:1145 +0x5d
k8s.io/kubernetes/pkg/genericapiserver.verifySecureAndInsecurePort(0xc820132800)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:599 +0xad
k8s.io/kubernetes/pkg/genericapiserver.ValidateRunOptions(0xc820132800)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:607 +0x4b
k8s.io/kubernetes/pkg/genericapiserver.DefaultAndValidateRunOptions(0xc820132800)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:611 +0x4e
k8s.io/kubernetes/cmd/kube-apiserver/app.Run(0xc8202c9560, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:84 +0x8e
main.main()
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/cmd/kube-apiserver/apiserver.go:48 +0x111
[2]+ Exit 255
```
This will fix the same issue of federation-apiserver.
cc @lavalamp @quinton-hoole
Automatic merge from submit-queue
add DefaultServiceNodePortRange const
The PR add DefaultServiceNodePortRange const in server_run_options.go, and use it in genericapiserver.go and server_run_options.go.
Automatic merge from submit-queue
Refactoring runner resource container linedelimiter to it's own pkg
Continuing my work ref #15634
Anyone is ok to review this fix.
Automatic merge from submit-queue
Modify wrong description about "InsecurePort" in genericapiserver.go
Modify wrong description about "InsecurePort" in genericapiserver.go, avoid misleading.
Automatic merge from submit-queue
Improve fatal error description for init in genericapiserver.go
When api.NewRequestContextFilter return error in the "init" function of genericapiserver.go, there are no handler info, add more information to indicate s.Handler or s.InsecureHandler, I suggest.
Automatic merge from submit-queue
Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable
TLS1.0 is known as vulnerable since it can be downgraded to SSL
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
TLS1.1 can be vulnerable if cipher RC4-SHA is used, and in Kubernetes it is, you can check it with
`
openssl s_client -cipher RC4-SHA -connect apiserver.k8s.example.com:443
`
https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/
Test suites like Qualys are reporting this Kubernetes issue as a level 3 vulnerability, they recommend to upgrade to TLS1.2 that is not affected, quoting Qualys:
`
RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in
SSL and
TLS. However, TLSv 1.2 or later address these issues.
`
A few months ago we refactored options to keep it independent of the
implementations, so that it could be used in CLI tools to validate
config or to generate config, without pulling in the full dependency
tree of the master. This change restores that by separating
server_run_options.go back to its own package.
Also, options structs should never contain non-serializable types, which
storagebackend.Config was doing with runtime.Codec. Split the codec out.
Fix a typo on the name of the etcd2.go storage backend.
Finally, move DefaultStorageMediaType to server_run_options.
Automatic merge from submit-queue
enable resource name and service account cases for impersonation
Adds the resource name check since that attribute was added for authorization. Also adds a check against a separate resource for service accounts. Allowing impersonation of service accounts to use a different resource check places control of impersonation with the same users to have the power to get the SA tokens directly.
@kubernetes/kube-iam
@sgallagher FYI
Add tests to watch behavior in both protocols (http and websocket)
against all 3 media types. Adopt the
`application/vnd.kubernetes.protobuf;stream=watch` media type for the
content that comes back from a watch call so that it can be
distinguished from a Status result.
Automatic merge from submit-queue
Make etcd cache size configurable
Instead of the prior 50K limit, allow users to specify a more sensible size for their cluster.
I'm not sure what a sensible default is here. I'm still experimenting on my own clusters. 50 gives me a 270MB max footprint. 50K caused my apiserver to run out of memory as it exceeded >2GB. I believe that number is far too large for most people's use cases.
There are some other fundamental issues that I'm not addressing here:
- Old etcd items are cached and potentially never removed (it stores using modifiedIndex, and doesn't remove the old object when it gets updated)
- Cache isn't LRU, so there's no guarantee the cache remains hot. This makes its performance difficult to predict. More of an issue with a smaller cache size.
- 1.2 etcd entries seem to have a larger memory footprint (I never had an issue in 1.1, even though this cache existed there). I suspect that's due to image lists on the node status.
This is provided as a fix for #23323
Automatic merge from submit-queue
genericapiserver: Moving InstallSwaggerAPI to Run
Ref https://github.com/kubernetes/kubernetes/pull/21190#discussion_r57494673
Moving InstallSwaggerAPI() from InstallAPIGroups() to Run(). This allows the use of InstallAPIGroups() multiple times or using InstallAPIGroup() directly.
cc @jianhuiz @kubernetes/sig-api-machinery
deads2k
