Add an advertise-address flag. This allows the address that the apiserver binds

to (possibly 0.0.0.0) to be different than the address on which members of the cluster can reach the apiserver (possibly not a local interface).
2025-09-09 05:01:46 +00:00 · 2015-05-20 14:05:23 -07:00
parent 16d3531e90
commit 085a48a70e
4 changed files with 22 additions and 8 deletions
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@@ -58,6 +58,7 @@ type APIServer struct {
 	InsecureBindAddress        util.IP
 	InsecurePort               int
 	BindAddress                util.IP
+	AdvertiseAddress           util.IP
 	ReadOnlyPort               int
 	SecurePort                 int
 	ExternalHost               string
@@ -145,8 +146,13 @@ func (s *APIServer) AddFlags(fs *pflag.FlagSet) {
 		"Defaults to localhost.")
 	fs.Var(&s.InsecureBindAddress, "address", "DEPRECATED: see --insecure-bind-address instead")
 	fs.Var(&s.BindAddress, "bind-address", ""+
-		"The IP address on which to serve the --read-only-port and --secure-port ports. This "+
-		"address must be reachable by the rest of the cluster. If blank, all interfaces will be used.")
+		"The IP address on which to serve the --read-only-port and --secure-port ports. The "+
+		"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
+		"clients. If blank, all interfaces will be used (0.0.0.0).")
+	fs.Var(&s.AdvertiseAddress, "advertise-address", ""+
+		"The IP address on which to advertise the apiserver to members of the cluster. This "+
+		"address must be reachable by the rest of the cluster. If blank, all interfaces will be "+
+		"used.")
 	fs.Var(&s.BindAddress, "public-address-override", "DEPRECATED: see --bind-address instead")
 	fs.IntVar(&s.ReadOnlyPort, "read-only-port", s.ReadOnlyPort, ""+
 		"The port on which to serve read-only resources. If 0, don't serve read-only "+
@@ -356,7 +362,7 @@ func (s *APIServer) Run(_ []string) error {
 		CorsAllowedOriginList:  s.CorsAllowedOriginList,
 		ReadOnlyPort:           s.ReadOnlyPort,
 		ReadWritePort:          s.SecurePort,
-		PublicAddress:          net.IP(s.BindAddress),
+		PublicAddress:          net.IP(s.AdvertiseAddress),
 		Authenticator:          authenticator,
 		SupportsBasicAuth:      len(s.BasicAuthFile) > 0,
 		Authorizer:             authorizer,
@@ -443,6 +449,7 @@ func (s *APIServer) Run(_ []string) error {
 				if s.TLSCertFile == "" && s.TLSPrivateKeyFile == "" {
 					s.TLSCertFile = path.Join(s.CertDirectory, "apiserver.crt")
 					s.TLSPrivateKeyFile = path.Join(s.CertDirectory, "apiserver.key")
+					// TODO (cjcullen): Is PublicAddress the right address to sign a cert with?
 					if err := util.GenerateSelfSignedCert(config.PublicAddress.String(), s.TLSCertFile, s.TLSPrivateKeyFile); err != nil {
 						glog.Errorf("Unable to generate self signed cert: %v", err)
 					} else {