split insecure serving options

cmd/kube-apiserver/app/BUILD

@@ -36,10 +36,12 @@ go_library(
         "//pkg/generated/openapi:go_default_library",
         "//pkg/genericapiserver:go_default_library",
         "//pkg/genericapiserver/authorizer:go_default_library",
+        "//pkg/genericapiserver/options:go_default_library",
         "//pkg/master:go_default_library",
         "//pkg/registry/cachesize:go_default_library",
         "//pkg/runtime/schema:go_default_library",
         "//pkg/serviceaccount:go_default_library",
+        "//pkg/util/errors:go_default_library",
         "//pkg/util/net:go_default_library",
         "//pkg/util/wait:go_default_library",
         "//pkg/version:go_default_library",

cmd/kube-apiserver/app/server.go

@@ -50,6 +50,7 @@ import (
 	generatedopenapi "k8s.io/kubernetes/pkg/generated/openapi"
 	"k8s.io/kubernetes/pkg/genericapiserver"
 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 	"k8s.io/kubernetes/pkg/master"
 	"k8s.io/kubernetes/pkg/registry/cachesize"
 	"k8s.io/kubernetes/pkg/runtime/schema"
@@ -202,9 +203,9 @@ func Run(s *options.ServerRunOptions) error {
 	}
 
 	// Default to the private server key for service account token signing
-	if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile != "" {
+	if len(s.ServiceAccountKeyFiles) == 0 && s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile != "" {
-		if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile) {
+		if authenticator.IsValidServiceAccountKeyFile(s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile) {
-			s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.SecureServingOptions.ServerCert.CertKey.KeyFile}
+			s.ServiceAccountKeyFiles = []string{s.GenericServerRunOptions.SecureServing.ServerCert.CertKey.KeyFile}
 		} else {
 			glog.Warning("No TLS key provided, service account token authentication disabled")
 		}
@@ -225,7 +226,7 @@ func Run(s *options.ServerRunOptions) error {
 		Anonymous:                   s.GenericServerRunOptions.AnonymousAuth,
 		AnyToken:                    s.GenericServerRunOptions.EnableAnyToken,
 		BasicAuthFile:               s.GenericServerRunOptions.BasicAuthFile,
-		ClientCAFile:                s.GenericServerRunOptions.SecureServingOptions.ClientCA,
+		ClientCAFile:                s.GenericServerRunOptions.SecureServing.ClientCA,
 		TokenAuthFile:               s.GenericServerRunOptions.TokenAuthFile,
 		OIDCIssuerURL:               s.GenericServerRunOptions.OIDCIssuerURL,
 		OIDCClientID:                s.GenericServerRunOptions.OIDCClientID,
@@ -247,7 +248,7 @@ func Run(s *options.ServerRunOptions) error {
 	}
 
 	privilegedLoopbackToken := uuid.NewRandom().String()
-	selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
+	selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServing, s.GenericServerRunOptions.InsecureServing, privilegedLoopbackToken)
 	if err != nil {
 		glog.Fatalf("Failed to create clientset: %v", err)
 	}

examples/apiserver/apiserver.go

@@ -56,8 +56,8 @@ func newStorageFactory() genericapiserver.StorageFactory {
 }
 
 func NewServerRunOptions() *genericoptions.ServerRunOptions {
-	serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions()
+	serverOptions := genericoptions.NewServerRunOptions().WithEtcdOptions().WithSecureServingOptions().WithInsecureServingOptions()
-	serverOptions.InsecurePort = InsecurePort
+	serverOptions.InsecureServing.BindPort = InsecurePort
 	return serverOptions
 }
 

federation/cmd/federation-apiserver/app/BUILD

@@ -43,6 +43,7 @@ go_library(
         "//pkg/generated/openapi:go_default_library",
         "//pkg/genericapiserver:go_default_library",
         "//pkg/genericapiserver/authorizer:go_default_library",
+        "//pkg/genericapiserver/options:go_default_library",
         "//pkg/registry/cachesize:go_default_library",
         "//pkg/registry/core/configmap/etcd:go_default_library",
         "//pkg/registry/core/event/etcd:go_default_library",

federation/cmd/federation-apiserver/app/server.go

@@ -38,6 +38,7 @@ import (
 	"k8s.io/kubernetes/pkg/generated/openapi"
 	"k8s.io/kubernetes/pkg/genericapiserver"
 	"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
+	genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
 	"k8s.io/kubernetes/pkg/registry/cachesize"
 	"k8s.io/kubernetes/pkg/registry/generic"
 	"k8s.io/kubernetes/pkg/registry/generic/registry"
@@ -121,7 +122,7 @@ func Run(s *options.ServerRunOptions) error {
 		Anonymous:           s.GenericServerRunOptions.AnonymousAuth,
 		AnyToken:            s.GenericServerRunOptions.EnableAnyToken,
 		BasicAuthFile:       s.GenericServerRunOptions.BasicAuthFile,
-		ClientCAFile:        s.GenericServerRunOptions.SecureServingOptions.ClientCA,
+		ClientCAFile:        s.GenericServerRunOptions.SecureServing.ClientCA,
 		TokenAuthFile:       s.GenericServerRunOptions.TokenAuthFile,
 		OIDCIssuerURL:       s.GenericServerRunOptions.OIDCIssuerURL,
 		OIDCClientID:        s.GenericServerRunOptions.OIDCClientID,
@@ -136,7 +137,7 @@ func Run(s *options.ServerRunOptions) error {
 	}
 
 	privilegedLoopbackToken := uuid.NewRandom().String()
-	selfClientConfig, err := s.GenericServerRunOptions.NewSelfClientConfig(privilegedLoopbackToken)
+	selfClientConfig, err := genericoptions.NewSelfClientConfig(s.GenericServerRunOptions.SecureServing, s.GenericServerRunOptions.InsecureServing, privilegedLoopbackToken)
 	if err != nil {
 		glog.Fatalf("Failed to create clientset: %v", err)
 	}

pkg/genericapiserver/config.go

@@ -226,7 +226,6 @@ func NewConfig() *Config {
 	defaultOptions := options.NewServerRunOptions()
 	// unset fields that can be overridden to avoid setting values so that we won't end up with lingering values.
 	// TODO we probably want to run the defaults the other way.  A default here drives it in the CLI flags
-	defaultOptions.InsecurePort = 0
 	defaultOptions.AuditLogPath = ""
 	return config.ApplyOptions(defaultOptions)
 }
@@ -242,28 +241,28 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
 		}
 	}
 
-	if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort > 0 {
+	if options.SecureServing != nil && options.SecureServing.ServingOptions.BindPort > 0 {
 		secureServingInfo := &SecureServingInfo{
 			ServingInfo: ServingInfo{
-				BindAddress: net.JoinHostPort(options.SecureServingOptions.ServingOptions.BindAddress.String(), strconv.Itoa(options.SecureServingOptions.ServingOptions.BindPort)),
+				BindAddress: net.JoinHostPort(options.SecureServing.ServingOptions.BindAddress.String(), strconv.Itoa(options.SecureServing.ServingOptions.BindPort)),
 			},
 			ServerCert: GeneratableKeyCert{
 				CertKey: CertKey{
-					CertFile: options.SecureServingOptions.ServerCert.CertKey.CertFile,
+					CertFile: options.SecureServing.ServerCert.CertKey.CertFile,
-					KeyFile:  options.SecureServingOptions.ServerCert.CertKey.KeyFile,
+					KeyFile:  options.SecureServing.ServerCert.CertKey.KeyFile,
 				},
 			},
 			SNICerts: []NamedCertKey{},
-			ClientCA: options.SecureServingOptions.ClientCA,
+			ClientCA: options.SecureServing.ClientCA,
 		}
-		if options.SecureServingOptions.ServerCert.CertKey.CertFile == "" && options.SecureServingOptions.ServerCert.CertKey.KeyFile == "" {
+		if options.SecureServing.ServerCert.CertKey.CertFile == "" && options.SecureServing.ServerCert.CertKey.KeyFile == "" {
 			secureServingInfo.ServerCert.Generate = true
-			secureServingInfo.ServerCert.CertFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".crt")
+			secureServingInfo.ServerCert.CertFile = path.Join(options.SecureServing.ServerCert.CertDirectory, options.SecureServing.ServerCert.PairName+".crt")
-			secureServingInfo.ServerCert.KeyFile = path.Join(options.SecureServingOptions.ServerCert.CertDirectory, options.SecureServingOptions.ServerCert.PairName+".key")
+			secureServingInfo.ServerCert.KeyFile = path.Join(options.SecureServing.ServerCert.CertDirectory, options.SecureServing.ServerCert.PairName+".key")
 		}
 
 		secureServingInfo.SNICerts = nil
-		for _, nkc := range options.SecureServingOptions.SNICertKeys {
+		for _, nkc := range options.SecureServing.SNICertKeys {
 			secureServingInfo.SNICerts = append(secureServingInfo.SNICerts, NamedCertKey{
 				CertKey: CertKey{
 					KeyFile:  nkc.KeyFile,
@@ -274,12 +273,12 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
 		}
 
 		c.SecureServingInfo = secureServingInfo
-		c.ReadWritePort = options.SecureServingOptions.ServingOptions.BindPort
+		c.ReadWritePort = options.SecureServing.ServingOptions.BindPort
 	}
 
-	if options.InsecurePort > 0 {
+	if options.InsecureServing != nil && options.InsecureServing.BindPort > 0 {
 		insecureServingInfo := &ServingInfo{
-			BindAddress: net.JoinHostPort(options.InsecureBindAddress.String(), strconv.Itoa(options.InsecurePort)),
+			BindAddress: net.JoinHostPort(options.InsecureServing.BindAddress.String(), strconv.Itoa(options.InsecureServing.BindPort)),
 		}
 		c.InsecureServingInfo = insecureServingInfo
 	}
@@ -487,8 +486,8 @@ func DefaultAndValidateRunOptions(options *options.ServerRunOptions) {
 	// If advertise-address is not specified, use bind-address. If bind-address
 	// is not usable (unset, 0.0.0.0, or loopback), we will use the host's default
 	// interface as valid public addr for master (see: util/net#ValidPublicAddrForMaster)
-	if options.SecureServingOptions != nil && (options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified()) {
+	if options.SecureServing != nil && (options.AdvertiseAddress == nil || options.AdvertiseAddress.IsUnspecified()) {
-		hostIP, err := utilnet.ChooseBindAddress(options.SecureServingOptions.ServingOptions.BindAddress)
+		hostIP, err := utilnet.ChooseBindAddress(options.SecureServing.ServingOptions.BindAddress)
 		if err != nil {
 			glog.Fatalf("Unable to find suitable network address.error='%v' . "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)

pkg/genericapiserver/options/BUILD

@@ -17,6 +17,7 @@ go_library(
         "doc.go",
         "etcd_options.go",
         "server_run_options.go",
+        "serving_options.go",
     ],
     tags = ["automanaged"],
     deps = [

pkg/genericapiserver/options/server_run_options.go

@@ -17,9 +17,7 @@ limitations under the License.
 package options
 
 import (
-	"errors"
 	"net"
-	"strconv"
 	"strings"
 	"time"
 
@@ -27,7 +25,6 @@ import (
 	"k8s.io/kubernetes/pkg/api"
 	"k8s.io/kubernetes/pkg/apimachinery/registered"
 	clientset "k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
-	"k8s.io/kubernetes/pkg/client/restclient"
 	"k8s.io/kubernetes/pkg/runtime/schema"
 	"k8s.io/kubernetes/pkg/util/config"
 	utilnet "k8s.io/kubernetes/pkg/util/net"
@@ -54,8 +51,9 @@ var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABA
 
 // ServerRunOptions contains the options while running a generic api server.
 type ServerRunOptions struct {
-	Etcd                 *EtcdOptions
+	Etcd            *EtcdOptions
-	SecureServingOptions *SecureServingOptions
+	SecureServing   *SecureServingOptions
+	InsecureServing *ServingOptions
 
 	AdmissionControl           string
 	AdmissionControlConfigFile string
@@ -86,8 +84,6 @@ type ServerRunOptions struct {
 	EnableSwaggerUI              bool
 	EnableWatchCache             bool
 	ExternalHost                 string
-	InsecureBindAddress          net.IP
-	InsecurePort                 int
 	KeystoneURL                  string
 	KeystoneCAFile               string
 	KubernetesServiceNodePort    int
@@ -133,8 +129,6 @@ func NewServerRunOptions() *ServerRunOptions {
 		EnableProfiling:                          true,
 		EnableContentionProfiling:                false,
 		EnableWatchCache:                         true,
-		InsecureBindAddress:                      net.ParseIP("127.0.0.1"),
-		InsecurePort:                             8080,
 		LongRunningRequestRE:                     DefaultLongRunningRequestRE,
 		MasterCount:                              1,
 		MasterServiceNamespace:                   api.NamespaceDefault,
@@ -150,8 +144,14 @@ func (o *ServerRunOptions) WithEtcdOptions() *ServerRunOptions {
 	o.Etcd = NewDefaultEtcdOptions()
 	return o
 }
+
 func (o *ServerRunOptions) WithSecureServingOptions() *ServerRunOptions {
-	o.SecureServingOptions = NewDefaultSecureServingOptions()
+	o.SecureServing = NewDefaultSecureServingOptions()
+	return o
+}
+
+func (o *ServerRunOptions) WithInsecureServingOptions() *ServerRunOptions {
+	o.InsecureServing = NewDefaultInsecureServingOptions()
 	return o
 }
 
@@ -203,42 +203,13 @@ func mergeGroupVersionIntoMap(gvList string, dest map[string]schema.GroupVersion
 
 // Returns a clientset which can be used to talk to this apiserver.
 func (s *ServerRunOptions) NewSelfClient(token string) (clientset.Interface, error) {
-	clientConfig, err := s.NewSelfClientConfig(token)
+	clientConfig, err := NewSelfClientConfig(s.SecureServing, s.InsecureServing, token)
 	if err != nil {
 		return nil, err
 	}
 	return clientset.NewForConfig(clientConfig)
 }
 
-// Returns a clientconfig which can be used to talk to this apiserver.
-func (s *ServerRunOptions) NewSelfClientConfig(token string) (*restclient.Config, error) {
-	clientConfig := &restclient.Config{
-		// Increase QPS limits. The client is currently passed to all admission plugins,
-		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
-		// for more details. Once #22422 is fixed, we may want to remove it.
-		QPS:   50,
-		Burst: 100,
-	}
-
-	// Use secure port if the ServerCA is specified
-	if s.SecureServingOptions != nil && s.SecureServingOptions.ServingOptions.BindPort > 0 && len(s.SecureServingOptions.ServerCA) > 0 {
-		host := s.SecureServingOptions.ServingOptions.BindAddress.String()
-		if host == "0.0.0.0" {
-			host = "localhost"
-		}
-		clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.SecureServingOptions.ServingOptions.BindPort))
-		clientConfig.CAFile = s.SecureServingOptions.ServerCA
-		clientConfig.BearerToken = token
-
-	} else if s.InsecurePort > 0 {
-		clientConfig.Host = net.JoinHostPort(s.InsecureBindAddress.String(), strconv.Itoa(s.InsecurePort))
-	} else {
-		return nil, errors.New("Unable to set url for apiserver local client")
-	}
-
-	return clientConfig, nil
-}
-
 // AddFlags adds flags for a specific APIServer to the specified FlagSet
 func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 	// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
@@ -337,22 +308,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
 	fs.StringVar(&s.ExternalHost, "external-hostname", s.ExternalHost,
 		"The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs).")
 
-	fs.IPVar(&s.InsecureBindAddress, "insecure-bind-address", s.InsecureBindAddress, ""+
-		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
-		"Defaults to localhost.")
-	fs.IPVar(&s.InsecureBindAddress, "address", s.InsecureBindAddress,
-		"DEPRECATED: see --insecure-bind-address instead.")
-	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
-
-	fs.IntVar(&s.InsecurePort, "insecure-port", s.InsecurePort, ""+
-		"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
-		"that firewall rules are set up such that this port is not reachable from outside of "+
-		"the cluster and that port 443 on the cluster's public address is proxied to this "+
-		"port. This is performed by nginx in the default setup.")
-
-	fs.IntVar(&s.InsecurePort, "port", s.InsecurePort, "DEPRECATED: see --insecure-port instead.")
-	fs.MarkDeprecated("port", "see --insecure-port instead.")
-
 	fs.StringVar(&s.KeystoneURL, "experimental-keystone-url", s.KeystoneURL,
 		"If passed, activates the keystone authentication plugin.")
 

pkg/genericapiserver/options/serving_options.go

@@ -17,11 +17,14 @@ limitations under the License.
 package options
 
 import (
+	"errors"
 	"fmt"
 	"net"
+	"strconv"
 
 	"github.com/spf13/pflag"
 
+	"k8s.io/kubernetes/pkg/client/restclient"
 	"k8s.io/kubernetes/pkg/util/config"
 )
 
@@ -76,6 +79,30 @@ func NewDefaultSecureServingOptions() *SecureServingOptions {
 	}
 }
 
+func (s *SecureServingOptions) NewSelfClientConfig(token string) *restclient.Config {
+	if s == nil || s.ServingOptions.BindPort <= 0 && len(s.ServerCA) == 0 {
+		return nil
+	}
+	clientConfig := &restclient.Config{
+		// Increase QPS limits. The client is currently passed to all admission plugins,
+		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+		// for more details. Once #22422 is fixed, we may want to remove it.
+		QPS:   50,
+		Burst: 100,
+	}
+
+	// Use secure port if the ServerCA is specified
+	host := s.ServingOptions.BindAddress.String()
+	if host == "0.0.0.0" {
+		host = "localhost"
+	}
+	clientConfig.Host = "https://" + net.JoinHostPort(host, strconv.Itoa(s.ServingOptions.BindPort))
+	clientConfig.CAFile = s.ServerCA
+	clientConfig.BearerToken = token
+
+	return clientConfig
+}
+
 func (s *SecureServingOptions) Validate() []error {
 	errors := []error{}
 	if s == nil {
@@ -86,16 +113,6 @@ func (s *SecureServingOptions) Validate() []error {
 	return errors
 }
 
-func (s ServingOptions) Validate(portArg string) []error {
-	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65535 {
-		errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
-	}
-
-	return errors
-}
-
 func (s *SecureServingOptions) AddSecureServingFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+
 		"The IP address on which to listen for the --secure-port port. The "+
@@ -145,3 +162,70 @@ func (s *SecureServingOptions) AddDeprecatedSecureServingFlags(fs *pflag.FlagSet
 	fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
 
 }
+
+func NewDefaultInsecureServingOptions() *ServingOptions {
+	return &ServingOptions{
+		BindAddress: net.ParseIP("127.0.0.1"),
+		BindPort:    8080,
+	}
+}
+
+func (s ServingOptions) Validate(portArg string) []error {
+	errors := []error{}
+
+	if s.BindPort < 0 || s.BindPort > 65535 {
+		errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
+	}
+
+	return errors
+}
+
+func (s *ServingOptions) NewSelfClientConfig(token string) *restclient.Config {
+	if s == nil || s.BindPort <= 0 {
+		return nil
+	}
+	clientConfig := &restclient.Config{
+		// Increase QPS limits. The client is currently passed to all admission plugins,
+		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+		// for more details. Once #22422 is fixed, we may want to remove it.
+		QPS:   50,
+		Burst: 100,
+	}
+
+	clientConfig.Host = net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort))
+
+	return clientConfig
+}
+
+func (s *ServingOptions) AddInsecureServingFlags(fs *pflag.FlagSet) {
+	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
+		"Defaults to localhost.")
+
+	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+		"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
+		"that firewall rules are set up such that this port is not reachable from outside of "+
+		"the cluster and that port 443 on the cluster's public address is proxied to this "+
+		"port. This is performed by nginx in the default setup.")
+}
+
+func (s *ServingOptions) AddDeprecatedInsecureServingFlags(fs *pflag.FlagSet) {
+	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+		"DEPRECATED: see --insecure-bind-address instead.")
+	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
+
+	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
+	fs.MarkDeprecated("port", "see --insecure-port instead.")
+}
+
+// Returns a clientconfig which can be used to talk to this apiserver.
+func NewSelfClientConfig(secureServingOptions *SecureServingOptions, insecureServingOptions *ServingOptions, token string) (*restclient.Config, error) {
+	if cfg := secureServingOptions.NewSelfClientConfig(token); cfg != nil {
+		return cfg, nil
+	}
+	if cfg := insecureServingOptions.NewSelfClientConfig(token); cfg != nil {
+		return cfg, nil
+	}
+
+	return nil, errors.New("Unable to set url for apiserver local client")
+}

pkg/genericapiserver/validation/universal_validation.go

@@ -51,17 +51,16 @@ func verifyServiceNodePort(options *options.ServerRunOptions) []error {
 
 func verifySecureAndInsecurePort(options *options.ServerRunOptions) []error {
 	errors := []error{}
-	errors = append(errors, options.SecureServingOptions.Validate()...)
+	errors = append(errors, options.SecureServing.Validate()...)
+	errors = append(errors, options.InsecureServing.Validate("insecure-port")...)
 
-	if options.InsecurePort < 0 || options.InsecurePort > 65535 {
+	if (options.SecureServing == nil || options.SecureServing.ServingOptions.BindPort == 0) &&
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure port.", options.InsecurePort))
+		(options.InsecureServing == nil || options.InsecureServing.BindPort == 0) {
-	}
-
-	if (options.SecureServingOptions == nil || options.SecureServingOptions.ServingOptions.BindPort == 0) && options.InsecurePort == 0 {
 		glog.Fatalf("--secure-port and --insecure-port cannot be turned off at the same time.")
 	}
 
-	if options.SecureServingOptions != nil && options.SecureServingOptions.ServingOptions.BindPort == options.InsecurePort {
+	if options.SecureServing != nil && options.InsecureServing != nil &&
+		options.SecureServing.ServingOptions.BindPort == options.InsecureServing.BindPort {
 		errors = append(errors, fmt.Errorf("--secure-port and --insecure-port cannot use the same port."))
 	}
 	return errors

test/integration/examples/apiserver_test.go

@@ -63,8 +63,8 @@ func TestRunSecureServer(t *testing.T) {
 	stopCh := make(chan struct{})
 	go func() {
 		options := apiserver.NewServerRunOptions()
-		options.InsecurePort = 0
+		options.InsecureServing.BindPort = 0
-		options.SecureServingOptions.ServingOptions.BindPort = apiserver.SecurePort
+		options.SecureServing.ServingOptions.BindPort = apiserver.SecurePort
 		if err := apiserver.Run(options, stopCh); err != nil {
 			t.Fatalf("Error in bringing up the server: %v", err)
 		}