/* Copyright 2017 The Kubernetes Authors. Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */ package server import ( "net" "net/http" "time" "k8s.io/klog" "k8s.io/apiserver/pkg/authentication/authenticator" "k8s.io/apiserver/pkg/authentication/user" "k8s.io/client-go/rest" ) // DeprecatedInsecureServingInfo is the main context object for the insecure http server. type DeprecatedInsecureServingInfo struct { // Listener is the secure server network listener. Listener net.Listener // optional server name for log messages Name string } // Serve starts an insecure http server with the given handler. It fails only if // the initial listen call fails. It does not block. func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error { insecureServer := &http.Server{ Addr: s.Listener.Addr().String(), Handler: handler, MaxHeaderBytes: 1 << 20, } if len(s.Name) > 0 { klog.Infof("Serving %s insecurely on %s", s.Name, s.Listener.Addr()) } else { klog.Infof("Serving insecurely on %s", s.Listener.Addr()) } _, err := RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh) // NOTE: we do not handle stoppedCh returned by RunServer for graceful termination here return err } func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) { if s == nil { return nil, nil } host, port, err := LoopbackHostPort(s.Listener.Addr().String()) if err != nil { return nil, err } return &rest.Config{ Host: "http://" + net.JoinHostPort(host, port), // Increase QPS limits. The client is currently passed to all admission plugins, // and those can be throttled in case of higher load on apiserver - see #22340 and #22422 // for more details. Once #22422 is fixed, we may want to remove it. QPS: 50, Burst: 100, }, nil } // InsecureSuperuser implements authenticator.Request to always return a superuser. // This is functionally equivalent to skipping authentication and authorization, // but allows apiserver code to stop special-casing a nil user to skip authorization checks. type InsecureSuperuser struct{} func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) { auds, _ := authenticator.AudiencesFrom(req.Context()) return &authenticator.Response{ User: &user.DefaultInfo{ Name: "system:unsecured", Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated}, }, Audiences: auds, }, true, nil }