mirror of https://github.com/k3s-io/k3s
288 lines
13 KiB
Go
288 lines
13 KiB
Go
/*
|
|
Copyright 2014 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
// Package options contains flags and options for initializing an apiserver
|
|
package options
|
|
|
|
import (
|
|
"net"
|
|
"strings"
|
|
"time"
|
|
|
|
"github.com/spf13/pflag"
|
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
|
genericoptions "k8s.io/apiserver/pkg/server/options"
|
|
"k8s.io/apiserver/pkg/storage/storagebackend"
|
|
cliflag "k8s.io/component-base/cli/flag"
|
|
"k8s.io/component-base/logs"
|
|
"k8s.io/component-base/metrics"
|
|
|
|
api "k8s.io/kubernetes/pkg/apis/core"
|
|
"k8s.io/kubernetes/pkg/cluster/ports"
|
|
"k8s.io/kubernetes/pkg/controlplane/reconcilers"
|
|
_ "k8s.io/kubernetes/pkg/features" // add the kubernetes feature gates
|
|
kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
|
|
kubeletclient "k8s.io/kubernetes/pkg/kubelet/client"
|
|
"k8s.io/kubernetes/pkg/serviceaccount"
|
|
)
|
|
|
|
// InsecurePortFlags are dummy flags, they are kept only for compatibility and will be removed in v1.24.
|
|
// TODO: remove these flags in v1.24.
|
|
var InsecurePortFlags = []string{"insecure-port", "port"}
|
|
|
|
// ServerRunOptions runs a kubernetes api server.
|
|
type ServerRunOptions struct {
|
|
GenericServerRunOptions *genericoptions.ServerRunOptions
|
|
Etcd *genericoptions.EtcdOptions
|
|
SecureServing *genericoptions.SecureServingOptionsWithLoopback
|
|
Audit *genericoptions.AuditOptions
|
|
Features *genericoptions.FeatureOptions
|
|
Admission *kubeoptions.AdmissionOptions
|
|
Authentication *kubeoptions.BuiltInAuthenticationOptions
|
|
Authorization *kubeoptions.BuiltInAuthorizationOptions
|
|
CloudProvider *kubeoptions.CloudProviderOptions
|
|
APIEnablement *genericoptions.APIEnablementOptions
|
|
EgressSelector *genericoptions.EgressSelectorOptions
|
|
Metrics *metrics.Options
|
|
Logs *logs.Options
|
|
|
|
AllowPrivileged bool
|
|
EnableLogsHandler bool
|
|
EventTTL time.Duration
|
|
KubeletConfig kubeletclient.KubeletClientConfig
|
|
KubernetesServiceNodePort int
|
|
MaxConnectionBytesPerSec int64
|
|
// ServiceClusterIPRange is mapped to input provided by user
|
|
ServiceClusterIPRanges string
|
|
// PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
|
|
// of parsing ServiceClusterIPRange into actual values
|
|
PrimaryServiceClusterIPRange net.IPNet
|
|
SecondaryServiceClusterIPRange net.IPNet
|
|
|
|
ServiceNodePortRange utilnet.PortRange
|
|
SSHKeyfile string
|
|
SSHUser string
|
|
|
|
ProxyClientCertFile string
|
|
ProxyClientKeyFile string
|
|
|
|
EnableAggregatorRouting bool
|
|
|
|
MasterCount int
|
|
EndpointReconcilerType string
|
|
|
|
IdentityLeaseDurationSeconds int
|
|
IdentityLeaseRenewIntervalSeconds int
|
|
|
|
ServiceAccountSigningKeyFile string
|
|
ServiceAccountIssuer serviceaccount.TokenGenerator
|
|
ServiceAccountTokenMaxExpiration time.Duration
|
|
|
|
ShowHiddenMetricsForVersion string
|
|
}
|
|
|
|
// NewServerRunOptions creates a new ServerRunOptions object with default parameters
|
|
func NewServerRunOptions() *ServerRunOptions {
|
|
s := ServerRunOptions{
|
|
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
|
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, nil)),
|
|
SecureServing: kubeoptions.NewSecureServingOptions(),
|
|
Audit: genericoptions.NewAuditOptions(),
|
|
Features: genericoptions.NewFeatureOptions(),
|
|
Admission: kubeoptions.NewAdmissionOptions(),
|
|
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
|
|
Authorization: kubeoptions.NewBuiltInAuthorizationOptions(),
|
|
CloudProvider: kubeoptions.NewCloudProviderOptions(),
|
|
APIEnablement: genericoptions.NewAPIEnablementOptions(),
|
|
EgressSelector: genericoptions.NewEgressSelectorOptions(),
|
|
Metrics: metrics.NewOptions(),
|
|
Logs: logs.NewOptions(),
|
|
|
|
EnableLogsHandler: true,
|
|
EventTTL: 1 * time.Hour,
|
|
MasterCount: 1,
|
|
EndpointReconcilerType: string(reconcilers.LeaseEndpointReconcilerType),
|
|
IdentityLeaseDurationSeconds: 3600,
|
|
IdentityLeaseRenewIntervalSeconds: 10,
|
|
KubeletConfig: kubeletclient.KubeletClientConfig{
|
|
Port: ports.KubeletPort,
|
|
ReadOnlyPort: ports.KubeletReadOnlyPort,
|
|
PreferredAddressTypes: []string{
|
|
// --override-hostname
|
|
string(api.NodeHostName),
|
|
|
|
// internal, preferring DNS if reported
|
|
string(api.NodeInternalDNS),
|
|
string(api.NodeInternalIP),
|
|
|
|
// external, preferring DNS if reported
|
|
string(api.NodeExternalDNS),
|
|
string(api.NodeExternalIP),
|
|
},
|
|
HTTPTimeout: time.Duration(5) * time.Second,
|
|
},
|
|
ServiceNodePortRange: kubeoptions.DefaultServiceNodePortRange,
|
|
}
|
|
|
|
// Overwrite the default for storage data format.
|
|
s.Etcd.DefaultStorageMediaType = "application/vnd.kubernetes.protobuf"
|
|
|
|
return &s
|
|
}
|
|
|
|
// TODO: remove these insecure flags in v1.24
|
|
func addDummyInsecureFlags(fs *pflag.FlagSet) {
|
|
var (
|
|
bindAddr = net.IPv4(127, 0, 0, 1)
|
|
bindPort int
|
|
)
|
|
|
|
for _, name := range []string{"insecure-bind-address", "address"} {
|
|
fs.IPVar(&bindAddr, name, bindAddr, ""+
|
|
"The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
|
|
fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.")
|
|
}
|
|
|
|
for _, name := range InsecurePortFlags {
|
|
fs.IntVar(&bindPort, name, bindPort, ""+
|
|
"The port on which to serve unsecured, unauthenticated access.")
|
|
fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.")
|
|
}
|
|
}
|
|
|
|
// Flags returns flags for a specific APIServer by section name
|
|
func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
|
|
// Add the generic flags.
|
|
s.GenericServerRunOptions.AddUniversalFlags(fss.FlagSet("generic"))
|
|
s.Etcd.AddFlags(fss.FlagSet("etcd"))
|
|
s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
|
|
addDummyInsecureFlags(fss.FlagSet("insecure serving"))
|
|
s.Audit.AddFlags(fss.FlagSet("auditing"))
|
|
s.Features.AddFlags(fss.FlagSet("features"))
|
|
s.Authentication.AddFlags(fss.FlagSet("authentication"))
|
|
s.Authorization.AddFlags(fss.FlagSet("authorization"))
|
|
s.CloudProvider.AddFlags(fss.FlagSet("cloud provider"))
|
|
s.APIEnablement.AddFlags(fss.FlagSet("API enablement"))
|
|
s.EgressSelector.AddFlags(fss.FlagSet("egress selector"))
|
|
s.Admission.AddFlags(fss.FlagSet("admission"))
|
|
s.Metrics.AddFlags(fss.FlagSet("metrics"))
|
|
s.Logs.AddFlags(fss.FlagSet("logs"))
|
|
|
|
// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
|
|
// arrange these text blocks sensibly. Grrr.
|
|
fs := fss.FlagSet("misc")
|
|
fs.DurationVar(&s.EventTTL, "event-ttl", s.EventTTL,
|
|
"Amount of time to retain events.")
|
|
|
|
fs.BoolVar(&s.AllowPrivileged, "allow-privileged", s.AllowPrivileged,
|
|
"If true, allow privileged containers. [default=false]")
|
|
|
|
fs.BoolVar(&s.EnableLogsHandler, "enable-logs-handler", s.EnableLogsHandler,
|
|
"If true, install a /logs handler for the apiserver logs.")
|
|
fs.MarkDeprecated("enable-logs-handler", "This flag will be removed in v1.19")
|
|
|
|
// Deprecated in release 1.9
|
|
fs.StringVar(&s.SSHUser, "ssh-user", s.SSHUser,
|
|
"If non-empty, use secure SSH proxy to the nodes, using this user name")
|
|
fs.MarkDeprecated("ssh-user", "This flag will be removed in a future version.")
|
|
|
|
// Deprecated in release 1.9
|
|
fs.StringVar(&s.SSHKeyfile, "ssh-keyfile", s.SSHKeyfile,
|
|
"If non-empty, use secure SSH proxy to the nodes, using this user keyfile")
|
|
fs.MarkDeprecated("ssh-keyfile", "This flag will be removed in a future version.")
|
|
|
|
fs.Int64Var(&s.MaxConnectionBytesPerSec, "max-connection-bytes-per-sec", s.MaxConnectionBytesPerSec, ""+
|
|
"If non-zero, throttle each user connection to this number of bytes/sec. "+
|
|
"Currently only applies to long-running requests.")
|
|
|
|
fs.IntVar(&s.MasterCount, "apiserver-count", s.MasterCount,
|
|
"The number of apiservers running in the cluster, must be a positive number. (In use when --endpoint-reconciler-type=master-count is enabled.)")
|
|
|
|
fs.StringVar(&s.EndpointReconcilerType, "endpoint-reconciler-type", string(s.EndpointReconcilerType),
|
|
"Use an endpoint reconciler ("+strings.Join(reconcilers.AllTypes.Names(), ", ")+")")
|
|
|
|
fs.IntVar(&s.IdentityLeaseDurationSeconds, "identity-lease-duration-seconds", s.IdentityLeaseDurationSeconds,
|
|
"The duration of kube-apiserver lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)")
|
|
|
|
fs.IntVar(&s.IdentityLeaseRenewIntervalSeconds, "identity-lease-renew-interval-seconds", s.IdentityLeaseRenewIntervalSeconds,
|
|
"The interval of kube-apiserver renewing its lease in seconds, must be a positive number. (In use when the APIServerIdentity feature gate is enabled.)")
|
|
|
|
// See #14282 for details on how to test/try this option out.
|
|
// TODO: remove this comment once this option is tested in CI.
|
|
fs.IntVar(&s.KubernetesServiceNodePort, "kubernetes-service-node-port", s.KubernetesServiceNodePort, ""+
|
|
"If non-zero, the Kubernetes master service (which apiserver creates/maintains) will be "+
|
|
"of type NodePort, using this as the value of the port. If zero, the Kubernetes master "+
|
|
"service will be of type ClusterIP.")
|
|
|
|
// TODO (khenidak) change documentation as we move IPv6DualStack feature from ALPHA to BETA
|
|
fs.StringVar(&s.ServiceClusterIPRanges, "service-cluster-ip-range", s.ServiceClusterIPRanges, ""+
|
|
"A CIDR notation IP range from which to assign service cluster IPs. This must not "+
|
|
"overlap with any IP ranges assigned to nodes or pods.")
|
|
|
|
fs.Var(&s.ServiceNodePortRange, "service-node-port-range", ""+
|
|
"A port range to reserve for services with NodePort visibility. "+
|
|
"Example: '30000-32767'. Inclusive at both ends of the range.")
|
|
|
|
// Kubelet related flags:
|
|
kubeletHTTPS := true
|
|
fs.BoolVar(&kubeletHTTPS, "kubelet-https", kubeletHTTPS, "Use https for kubelet connections.")
|
|
fs.MarkDeprecated("kubelet-https", "API Server connections to kubelets always use https. This flag will be removed in 1.22.")
|
|
|
|
fs.StringSliceVar(&s.KubeletConfig.PreferredAddressTypes, "kubelet-preferred-address-types", s.KubeletConfig.PreferredAddressTypes,
|
|
"List of the preferred NodeAddressTypes to use for kubelet connections.")
|
|
|
|
fs.UintVar(&s.KubeletConfig.Port, "kubelet-port", s.KubeletConfig.Port,
|
|
"DEPRECATED: kubelet port.")
|
|
fs.MarkDeprecated("kubelet-port", "kubelet-port is deprecated and will be removed.")
|
|
|
|
fs.UintVar(&s.KubeletConfig.ReadOnlyPort, "kubelet-read-only-port", s.KubeletConfig.ReadOnlyPort,
|
|
"DEPRECATED: kubelet read only port.")
|
|
fs.MarkDeprecated("kubelet-read-only-port", "kubelet-read-only-port is deprecated and will be removed.")
|
|
|
|
fs.DurationVar(&s.KubeletConfig.HTTPTimeout, "kubelet-timeout", s.KubeletConfig.HTTPTimeout,
|
|
"Timeout for kubelet operations.")
|
|
|
|
fs.StringVar(&s.KubeletConfig.CertFile, "kubelet-client-certificate", s.KubeletConfig.CertFile,
|
|
"Path to a client cert file for TLS.")
|
|
|
|
fs.StringVar(&s.KubeletConfig.KeyFile, "kubelet-client-key", s.KubeletConfig.KeyFile,
|
|
"Path to a client key file for TLS.")
|
|
|
|
fs.StringVar(&s.KubeletConfig.CAFile, "kubelet-certificate-authority", s.KubeletConfig.CAFile,
|
|
"Path to a cert file for the certificate authority.")
|
|
|
|
fs.StringVar(&s.ProxyClientCertFile, "proxy-client-cert-file", s.ProxyClientCertFile, ""+
|
|
"Client certificate used to prove the identity of the aggregator or kube-apiserver "+
|
|
"when it must call out during a request. This includes proxying requests to a user "+
|
|
"api-server and calling out to webhook admission plugins. It is expected that this "+
|
|
"cert includes a signature from the CA in the --requestheader-client-ca-file flag. "+
|
|
"That CA is published in the 'extension-apiserver-authentication' configmap in "+
|
|
"the kube-system namespace. Components receiving calls from kube-aggregator should "+
|
|
"use that CA to perform their half of the mutual TLS verification.")
|
|
fs.StringVar(&s.ProxyClientKeyFile, "proxy-client-key-file", s.ProxyClientKeyFile, ""+
|
|
"Private key for the client certificate used to prove the identity of the aggregator or kube-apiserver "+
|
|
"when it must call out during a request. This includes proxying requests to a user "+
|
|
"api-server and calling out to webhook admission plugins.")
|
|
|
|
fs.BoolVar(&s.EnableAggregatorRouting, "enable-aggregator-routing", s.EnableAggregatorRouting,
|
|
"Turns on aggregator routing requests to endpoints IP rather than cluster IP.")
|
|
|
|
fs.StringVar(&s.ServiceAccountSigningKeyFile, "service-account-signing-key-file", s.ServiceAccountSigningKeyFile, ""+
|
|
"Path to the file that contains the current private key of the service account token issuer. The issuer will sign issued ID tokens with this private key.")
|
|
|
|
return fss
|
|
}
|