split insecure serving options
This commit is contained in:
parent
a08f3ba521
commit
18074d7606
@ -36,10 +36,12 @@ go_library(
|
||||
"//pkg/generated/openapi:go_default_library",
|
||||
"//pkg/genericapiserver:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//pkg/genericapiserver/options:go_default_library",
|
||||
"//pkg/master:go_default_library",
|
||||
"//pkg/registry/cachesize:go_default_library",
|
||||
"//pkg/runtime/schema:go_default_library",
|
||||
"//pkg/serviceaccount:go_default_library",
|
||||
"//pkg/util/errors:go_default_library",
|
||||
"//pkg/util/net:go_default_library",
|
||||
"//pkg/util/wait:go_default_library",
|
||||
"//pkg/version:go_default_library",
|
||||
|
@ -50,6 +50,7 @@ import (
|
||||
generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
|
||||
"k8s.io/kubernetes/pkg/master"
|
||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||
"k8s.io/kubernetes/pkg/runtime/schema"
|
||||
@ -202,9 +203,9 @@ func Run(s *options.ServerRunOptions) error {
|
||||
}
|
||||
|
||||
// Default to the private server key for service account token signing
|
||||
if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile != "" {
|
||||
if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile) {
|
||||
s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile}
|
||||
if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile != "" {
|
||||
if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile) {
|
||||
s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile}
|
||||
} else {
|
||||
glog.Warning("No TLS key provided, service account token authentication disabled")
|
||||
}
|
||||
@ -225,7 +226,7 @@ func Run(s *options.ServerRunOptions) error {
|
||||
Anonymous: s.GenericServerRunOptions.AnonymousAuth,
|
||||
AnyToken: s.GenericServerRunOptions.EnableAnyToken,
|
||||
BasicAuthFile: s.GenericServerRunOptions.BasicAuthFile,
|
||||
ClientCAFile: s.GenericServerRunOptions.SecureServingOptions.ClientCA,
|
||||
ClientCAFile: s.GenericServerRunOptions.SecureServing.ClientCA,
|
||||
TokenAuthFile: s.GenericServerRunOptions.TokenAuthFile,
|
||||
OIDCIssuerURL: s.GenericServerRunOptions.OIDCIssuerURL,
|
||||
OIDCClientID: s.GenericServerRunOptions.OIDCClientID,
|
||||
@ -247,7 +248,7 @@ func Run(s *options.ServerRunOptions) error {
|
||||
}
|
||||
|
||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||
selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
|
||||
selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServing, s.GenericServerRunOptions.InsecureServing, privilegedLoopbackToken)
|
||||
if err != nil {
|
||||
glog.Fatalf("Failed to create clientset: %v", err)
|
||||
}
|
||||
|
@ -56,8 +56,8 @@ func newStorageFactory() genericapiserver.StorageFactory {
|
||||
}
|
||||
|
||||
func NewServerRunOptions() *genericoptions.ServerRunOptions {
|
||||
serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions()
|
||||
serverOptions.InsecurePort = InsecurePort
|
||||
serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions().WithInsecureServingOptions()
|
||||
serverOptions.InsecureServing.BindPort = InsecurePort
|
||||
return serverOptions
|
||||
}
|
||||
|
||||
|
@ -43,6 +43,7 @@ go_library(
|
||||
"//pkg/generated/openapi:go_default_library",
|
||||
"//pkg/genericapiserver:go_default_library",
|
||||
"//pkg/genericapiserver/authorizer:go_default_library",
|
||||
"//pkg/genericapiserver/options:go_default_library",
|
||||
"//pkg/registry/cachesize:go_default_library",
|
||||
"//pkg/registry/core/configmap/etcd:go_default_library",
|
||||
"//pkg/registry/core/event/etcd:go_default_library",
|
||||
|
@ -38,6 +38,7 @@ import (
|
||||
"k8s.io/kubernetes/pkg/generated/openapi"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver"
|
||||
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
|
||||
genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
|
||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||
"k8s.io/kubernetes/pkg/registry/generic"
|
||||
"k8s.io/kubernetes/pkg/registry/generic/registry"
|
||||
@ -121,7 +122,7 @@ func Run(s *options.ServerRunOptions) error {
|
||||
Anonymous: s.GenericServerRunOptions.AnonymousAuth,
|
||||
AnyToken: s.GenericServerRunOptions.EnableAnyToken,
|
||||
BasicAuthFile: s.GenericServerRunOptions.BasicAuthFile,
|
||||
ClientCAFile: s.GenericServerRunOptions.SecureServingOptions.ClientCA,
|
||||
ClientCAFile: s.GenericServerRunOptions.SecureServing.ClientCA,
|
||||
TokenAuthFile: s.GenericServerRunOptions.TokenAuthFile,
|
||||
OIDCIssuerURL: s.GenericServerRunOptions.OIDCIssuerURL,
|
||||
OIDCClientID: s.GenericServerRunOptions.OIDCClientID,
|
||||
@ -136,7 +137,7 @@ func Run(s *options.ServerRunOptions) error {
|
||||
}
|
||||
|
||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||
selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
|
||||
selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServing, s.GenericServerRunOptions.InsecureServing, privilegedLoopbackToken)
|
||||
if err != nil {
|
||||
glog.Fatalf("Failed to create clientset: %v", err)
|
||||
}
|
||||
|
@ -226,7 +226,6 @@ func NewConfig() *Config {
|
||||
defaultOptions := options.NewServerRunOptions()
|
||||
// unset fields that can be overridden to avoid setting values so that we won't end up with lingering values.
|
||||
// TODO we probably want to run the defaults the other way. A default here drives it in the CLI flags
|
||||
defaultOptions.InsecurePort = 0
|
||||
defaultOptions.AuditLogPath = ""
|
||||
return config.ApplyOptions(defaultOptions)
|
||||
}
|
||||
@ -242,28 +241,28 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
|
||||
}
|
||||
}
|
||||
|
||||
if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort > 0 {
|
||||
if options.SecureServing != nil && options.SecureServing.ServingOptions.BindPort > 0 {
|
||||
secureServingInfo := &SecureServingInfo{
|
||||
ServingInfo: ServingInfo{
|
||||
BindAddress: net.JoinHostPort(options.SecureServingOptions.ServingOptions.BindAddress.String(), strconv.Itoa(options.SecureServingOptions.ServingOptions.BindPort)),
|
||||
BindAddress: net.JoinHostPort(options.SecureServing.ServingOptions.BindAddress.String(), strconv.Itoa(options.SecureServing.ServingOptions.BindPort)),
|
||||
},
|
||||
ServerCert: GeneratableKeyCert{
|
||||
CertKey: CertKey{
|
||||
CertFile: options.SecureServingOptions.ServerCert.CertKey.CertFile,
|
||||
KeyFile: options.SecureServingOptions.ServerCert.CertKey.KeyFile,
|
||||
CertFile: options.SecureServing.ServerCert.CertKey.CertFile,
|
||||
KeyFile: options.SecureServing.ServerCert.CertKey.KeyFile,
|
||||
},
|
||||
},
|
||||
SNICerts: []NamedCertKey{},
|
||||
ClientCA: options.SecureServingOptions.ClientCA,
|
||||
ClientCA: options.SecureServing.ClientCA,
|
||||
}
|
||||
if options.SecureServingOptions.ServerCert.CertKey.CertFile == "" && options.SecureServingOptions.ServerCert.CertKey.KeyFile == "" {
|
||||
if options.SecureServing.ServerCert.CertKey.CertFile == "" && options.SecureServing.ServerCert.CertKey.KeyFile == "" {
|
||||
secureServingInfo.ServerCert.Generate = true
|
||||
secureServingInfo.ServerCert.CertFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".crt")
|
||||
secureServingInfo.ServerCert.KeyFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".key")
|
||||
secureServingInfo.ServerCert.CertFile = path.Join(options.SecureServing.ServerCert.CertDirectory, options.SecureServing.ServerCert.PairName+".crt")
|
||||
secureServingInfo.ServerCert.KeyFile = path.Join(options.SecureServing.ServerCert.CertDirectory, options.SecureServing.ServerCert.PairName+".key")
|
||||
}
|
||||
|
||||
secureServingInfo.SNICerts = nil
|
||||
for _, nkc := range options.SecureServingOptions.SNICertKeys {
|
||||
for _, nkc := range options.SecureServing.SNICertKeys {
|
||||
secureServingInfo.SNICerts = append(secureServingInfo.SNICerts, NamedCertKey{
|
||||
CertKey: CertKey{
|
||||
KeyFile: nkc.KeyFile,
|
||||
@ -274,12 +273,12 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
|
||||
}
|
||||
|
||||
c.SecureServingInfo = secureServingInfo
|
||||
c.ReadWritePort = options.SecureServingOptions.ServingOptions.BindPort
|
||||
c.ReadWritePort = options.SecureServing.ServingOptions.BindPort
|
||||
}
|
||||
|
||||
if options.InsecurePort > 0 {
|
||||
if options.InsecureServing != nil && options.InsecureServing.BindPort > 0 {
|
||||
insecureServingInfo := &ServingInfo{
|
||||
BindAddress: net.JoinHostPort(options.InsecureBindAddress.String(), strconv.Itoa(options.InsecurePort)),
|
||||
BindAddress: net.JoinHostPort(options.InsecureServing.BindAddress.String(), strconv.Itoa(options.InsecureServing.BindPort)),
|
||||
}
|
||||
c.InsecureServingInfo = insecureServingInfo
|
||||
}
|
||||
@ -487,8 +486,8 @@ func DefaultAndValidateRunOptions(options *options.ServerRunOptions) {
|
||||
// If advertise-address is not specified, use bind-address. If bind-address
|
||||
// is not usable (unset, 0.0.0.0, or loopback), we will use the host's default
|
||||
// interface as valid public addr for master (see: util/net#ValidPublicAddrForMaster)
|
||||
if options.SecureServingOptions != nil && (options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified()) {
|
||||
hostIP, err := utilnet.ChooseBindAddress(options.SecureServingOptions.ServingOptions.BindAddress)
|
||||
if options.SecureServing != nil && (options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified()) {
|
||||
hostIP, err := utilnet.ChooseBindAddress(options.SecureServing.ServingOptions.BindAddress)
|
||||
if err != nil {
|
||||
glog.Fatalf("Unable to find suitable network address.error='%v' . "+
|
||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
||||
|
@ -17,6 +17,7 @@ go_library(
|
||||
"doc.go",
|
||||
"etcd_options.go",
|
||||
"server_run_options.go",
|
||||
"serving_options.go",
|
||||
],
|
||||
tags = ["automanaged"],
|
||||
deps = [
|
||||
|
@ -17,9 +17,7 @@ limitations under the License.
|
||||
package options
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"net"
|
||||
"strconv"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
@ -27,7 +25,6 @@ import (
|
||||
"k8s.io/kubernetes/pkg/api"
|
||||
"k8s.io/kubernetes/pkg/apimachinery/registered"
|
||||
clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
"k8s.io/kubernetes/pkg/runtime/schema"
|
||||
"k8s.io/kubernetes/pkg/util/config"
|
||||
utilnet "k8s.io/kubernetes/pkg/util/net"
|
||||
@ -54,8 +51,9 @@ var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABA
|
||||
|
||||
// ServerRunOptions contains the options while running a generic api server.
|
||||
type ServerRunOptions struct {
|
||||
Etcd *EtcdOptions
|
||||
SecureServingOptions *SecureServingOptions
|
||||
Etcd *EtcdOptions
|
||||
SecureServing *SecureServingOptions
|
||||
InsecureServing *ServingOptions
|
||||
|
||||
AdmissionControl string
|
||||
AdmissionControlConfigFile string
|
||||
@ -86,8 +84,6 @@ type ServerRunOptions struct {
|
||||
EnableSwaggerUI bool
|
||||
EnableWatchCache bool
|
||||
ExternalHost string
|
||||
InsecureBindAddress net.IP
|
||||
InsecurePort int
|
||||
KeystoneURL string
|
||||
KeystoneCAFile string
|
||||
KubernetesServiceNodePort int
|
||||
@ -133,8 +129,6 @@ func NewServerRunOptions() *ServerRunOptions {
|
||||
EnableProfiling: true,
|
||||
EnableContentionProfiling: false,
|
||||
EnableWatchCache: true,
|
||||
InsecureBindAddress: net.ParseIP("127.0.0.1"),
|
||||
InsecurePort: 8080,
|
||||
LongRunningRequestRE: DefaultLongRunningRequestRE,
|
||||
MasterCount: 1,
|
||||
MasterServiceNamespace: api.NamespaceDefault,
|
||||
@ -150,8 +144,14 @@ func (o *ServerRunOptions) WithEtcdOptions() *ServerRunOptions {
|
||||
o.Etcd = NewDefaultEtcdOptions()
|
||||
return o
|
||||
}
|
||||
|
||||
func (o *ServerRunOptions) WithSecureServingOptions() *ServerRunOptions {
|
||||
o.SecureServingOptions = NewDefaultSecureServingOptions()
|
||||
o.SecureServing = NewDefaultSecureServingOptions()
|
||||
return o
|
||||
}
|
||||
|
||||
func (o *ServerRunOptions) WithInsecureServingOptions() *ServerRunOptions {
|
||||
o.InsecureServing = NewDefaultInsecureServingOptions()
|
||||
return o
|
||||
}
|
||||
|
||||
@ -203,42 +203,13 @@ func mergeGroupVersionIntoMap(gvList string, dest map[string]schema.GroupVersion
|
||||
|
||||
// Returns a clientset which can be used to talk to this apiserver.
|
||||
func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, error) {
|
||||
clientConfig, err := s.NewSelfClientConfig(token)
|
||||
clientConfig, err := NewSelfClientConfig(s.SecureServing, s.InsecureServing, token)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return clientset.NewForConfig(clientConfig)
|
||||
}
|
||||
|
||||
// Returns a clientconfig which can be used to talk to this apiserver.
|
||||
func (s *ServerRunOptions) NewSelfClientConfig(token string) (*restclient.Config, error) {
|
||||
clientConfig := &restclient.Config{
|
||||
// Increase QPS limits. The client is currently passed to all admission plugins,
|
||||
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
|
||||
// for more details. Once #22422 is fixed, we may want to remove it.
|
||||
QPS: 50,
|
||||
Burst: 100,
|
||||
}
|
||||
|
||||
// Use secure port if the ServerCA is specified
|
||||
if s.SecureServingOptions != nil && s.SecureServingOptions.ServingOptions.BindPort > 0 && len(s.SecureServingOptions.ServerCA) > 0 {
|
||||
host := s.SecureServingOptions.ServingOptions.BindAddress.String()
|
||||
if host == "0.0.0.0" {
|
||||
host = "localhost"
|
||||
}
|
||||
clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.SecureServingOptions.ServingOptions.BindPort))
|
||||
clientConfig.CAFile = s.SecureServingOptions.ServerCA
|
||||
clientConfig.BearerToken = token
|
||||
|
||||
} else if s.InsecurePort > 0 {
|
||||
clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
|
||||
} else {
|
||||
return nil, errors.New("Unable to set url for apiserver local client")
|
||||
}
|
||||
|
||||
return clientConfig, nil
|
||||
}
|
||||
|
||||
// AddFlags adds flags for a specific APIServer to the specified FlagSet
|
||||
func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
|
||||
// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
|
||||
@ -337,22 +308,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
|
||||
fs.StringVar(&s.ExternalHost, "external-hostname", s.ExternalHost,
|
||||
"The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs).")
|
||||
|
||||
fs.IPVar(&s.InsecureBindAddress, "insecure-bind-address", s.InsecureBindAddress, ""+
|
||||
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
|
||||
"Defaults to localhost.")
|
||||
fs.IPVar(&s.InsecureBindAddress, "address", s.InsecureBindAddress,
|
||||
"DEPRECATED: see --insecure-bind-address instead.")
|
||||
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
||||
|
||||
fs.IntVar(&s.InsecurePort, "insecure-port", s.InsecurePort, ""+
|
||||
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
|
||||
"that firewall rules are set up such that this port is not reachable from outside of "+
|
||||
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
||||
"port. This is performed by nginx in the default setup.")
|
||||
|
||||
fs.IntVar(&s.InsecurePort, "port", s.InsecurePort, "DEPRECATED: see --insecure-port instead.")
|
||||
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
||||
|
||||
fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL,
|
||||
"If passed, activates the keystone authentication plugin.")
|
||||
|
||||
|
@ -17,11 +17,14 @@ limitations under the License.
|
||||
package options
|
||||
|
||||
import (
|
||||
"errors"
|
||||
"fmt"
|
||||
"net"
|
||||
"strconv"
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
"k8s.io/kubernetes/pkg/client/restclient"
|
||||
"k8s.io/kubernetes/pkg/util/config"
|
||||
)
|
||||
|
||||
@ -76,6 +79,30 @@ func NewDefaultSecureServingOptions() *SecureServingOptions {
|
||||
}
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) NewSelfClientConfig(token string) *restclient.Config {
|
||||
if s == nil || s.ServingOptions.BindPort <= 0 && len(s.ServerCA) == 0 {
|
||||
return nil
|
||||
}
|
||||
clientConfig := &restclient.Config{
|
||||
// Increase QPS limits. The client is currently passed to all admission plugins,
|
||||
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
|
||||
// for more details. Once #22422 is fixed, we may want to remove it.
|
||||
QPS: 50,
|
||||
Burst: 100,
|
||||
}
|
||||
|
||||
// Use secure port if the ServerCA is specified
|
||||
host := s.ServingOptions.BindAddress.String()
|
||||
if host == "0.0.0.0" {
|
||||
host = "localhost"
|
||||
}
|
||||
clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.ServingOptions.BindPort))
|
||||
clientConfig.CAFile = s.ServerCA
|
||||
clientConfig.BearerToken = token
|
||||
|
||||
return clientConfig
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) Validate() []error {
|
||||
errors := []error{}
|
||||
if s == nil {
|
||||
@ -86,16 +113,6 @@ func (s *SecureServingOptions) Validate() []error {
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s ServingOptions) Validate(portArg string) []error {
|
||||
errors := []error{}
|
||||
|
||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
|
||||
}
|
||||
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s *SecureServingOptions) AddSecureServingFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+
|
||||
"The IP address on which to listen for the --secure-port port. The "+
|
||||
@ -145,3 +162,70 @@ func (s *SecureServingOptions) AddDeprecatedSecureServingFlags(fs *pflag.FlagSet
|
||||
fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
|
||||
|
||||
}
|
||||
|
||||
func NewDefaultInsecureServingOptions() *ServingOptions {
|
||||
return &ServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}
|
||||
}
|
||||
|
||||
func (s ServingOptions) Validate(portArg string) []error {
|
||||
errors := []error{}
|
||||
|
||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
|
||||
}
|
||||
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s *ServingOptions) NewSelfClientConfig(token string) *restclient.Config {
|
||||
if s == nil || s.BindPort <= 0 {
|
||||
return nil
|
||||
}
|
||||
clientConfig := &restclient.Config{
|
||||
// Increase QPS limits. The client is currently passed to all admission plugins,
|
||||
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
|
||||
// for more details. Once #22422 is fixed, we may want to remove it.
|
||||
QPS: 50,
|
||||
Burst: 100,
|
||||
}
|
||||
|
||||
clientConfig.Host = net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort))
|
||||
|
||||
return clientConfig
|
||||
}
|
||||
|
||||
func (s *ServingOptions) AddInsecureServingFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
|
||||
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
|
||||
"Defaults to localhost.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
|
||||
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
|
||||
"that firewall rules are set up such that this port is not reachable from outside of "+
|
||||
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
||||
"port. This is performed by nginx in the default setup.")
|
||||
}
|
||||
|
||||
func (s *ServingOptions) AddDeprecatedInsecureServingFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
|
||||
"DEPRECATED: see --insecure-bind-address instead.")
|
||||
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
|
||||
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
||||
}
|
||||
|
||||
// Returns a clientconfig which can be used to talk to this apiserver.
|
||||
func NewSelfClientConfig(secureServingOptions *SecureServingOptions, insecureServingOptions *ServingOptions, token string) (*restclient.Config, error) {
|
||||
if cfg := secureServingOptions.NewSelfClientConfig(token); cfg != nil {
|
||||
return cfg, nil
|
||||
}
|
||||
if cfg := insecureServingOptions.NewSelfClientConfig(token); cfg != nil {
|
||||
return cfg, nil
|
||||
}
|
||||
|
||||
return nil, errors.New("Unable to set url for apiserver local client")
|
||||
}
|
||||
|
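Review bot: The guard at the top of the new SecureServingOptions.NewSelfClientConfig mixes `||` and `&&` without parentheses, so it reads `s == nil || (BindPort <= 0 && len(ServerCA) == 0)` and no longer matches the condition it replaces (`BindPort > 0 && len(ServerCA) > 0`): a secure port with no ServerCA now yields an https loopback config with an empty CAFile instead of letting the package-level NewSelfClientConfig fall through to the insecure port, and a ServerCA with BindPort 0 yields a config whose host ends in `:0`. It should be `if s == nil || s.ServingOptions.BindPort <= 0 || len(s.ServerCA) == 0 {`. The comment `// Use secure port if the ServerCA is specified` now sits above an unconditional block; moving it onto the guard keeps it accurate. In the relocated ServingOptions.Validate the message still ends with `0 for turning off secure port.` even when portArg is `insecure-port`; `0 for turning off the port.` fits both callers.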
@ -51,17 +51,16 @@ func verifyServiceNodePort(options *options.ServerRunOptions) []error {
|
||||
|
||||
func verifySecureAndInsecurePort(options *options.ServerRunOptions) []error {
|
||||
errors := []error{}
|
||||
errors = append(errors, options.SecureServingOptions.Validate()...)
|
||||
errors = append(errors, options.SecureServing.Validate()...)
|
||||
errors = append(errors, options.InsecureServing.Validate("insecure-port")...)
|
||||
|
||||
if options.InsecurePort < 0 || options.InsecurePort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure port.", options.InsecurePort))
|
||||
}
|
||||
|
||||
if (options.SecureServingOptions == nil || options.SecureServingOptions.ServingOptions.BindPort == 0) && options.InsecurePort == 0 {
|
||||
if (options.SecureServing == nil || options.SecureServing.ServingOptions.BindPort == 0) &&
|
||||
(options.InsecureServing == nil || options.InsecureServing.BindPort == 0) {
|
||||
glog.Fatalf("--secure-port and --insecure-port cannot be turned off at the same time.")
|
||||
}
|
||||
|
||||
if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort == options.InsecurePort {
|
||||
if options.SecureServing != nil && options.InsecureServing != nil &&
|
||||
options.SecureServing.ServingOptions.BindPort == options.InsecureServing.BindPort {
|
||||
errors = append(errors, fmt.Errorf("--secure-port and --insecure-port cannot use the same port."))
|
||||
}
|
||||
return errors
|
||||
|
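Review bot: `options.InsecureServing.Validate("insecure-port")` dereferences InsecureServing unconditionally, while the two conditions further down in the same function treat `options.InsecureServing == nil` as a reachable state; ServingOptions.Validate has a value receiver, so a nil pointer panics at the call instead of returning an empty slice the way SecureServingOptions.Validate does for a nil receiver. Either guard the call here, `if options.InsecureServing != nil { errors = append(errors, options.InsecureServing.Validate("insecure-port")...) }`, or give ServingOptions.Validate a pointer receiver with a nil check so both Validate methods behave alike. The closing brace of verifySecureAndInsecurePort is outside the hunk.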
@ -63,8 +63,8 @@ func TestRunSecureServer(t *testing.T) {
|
||||
stopCh := make(chan struct{})
|
||||
go func() {
|
||||
options := apiserver.NewServerRunOptions()
|
||||
options.InsecurePort = 0
|
||||
options.SecureServingOptions.ServingOptions.BindPort = apiserver.SecurePort
|
||||
options.InsecureServing.BindPort = 0
|
||||
options.SecureServing.ServingOptions.BindPort = apiserver.SecurePort
|
||||
if err := apiserver.Run(options, stopCh); err != nil {
|
||||
t.Fatalf("Error in bringing up the server: %v", err)
|
||||
}
|
||||
|