Merge pull request #95856 from knight42/refactor/disable-apiserver-insecure-port

refactor(apiserver): disable insecure port
2025-07-19 09:52:49 +00:00 · 2020-10-29 10:47:58 -07:00 · 2020-10-29 10:47:58 -07:00 · 1968e96165
commit 1968e96165
parent 917dcbabe1 cfc2b330a7
15 changed files with 118 additions and 71 deletions
--- a/cmd/kube-apiserver/app/BUILD
+++ b/cmd/kube-apiserver/app/BUILD
@ -23,8 +23,6 @@ go_library(
        "//pkg/kubeapiserver/admission:go_default_library",
        "//pkg/kubeapiserver/authenticator:go_default_library",
        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
-        "//pkg/kubeapiserver/options:go_default_library",
-        "//pkg/kubeapiserver/server:go_default_library",
        "//pkg/registry/rbac/rest:go_default_library",
        "//pkg/serviceaccount:go_default_library",
        "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:go_default_library",
@ -74,6 +72,7 @@ go_library(
        "//staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1:go_default_library",
        "//staging/src/k8s.io/kube-aggregator/pkg/controllers/autoregister:go_default_library",
        "//vendor/github.com/spf13/cobra:go_default_library",
+        "//vendor/github.com/spf13/pflag:go_default_library",
        "//vendor/k8s.io/klog/v2:go_default_library",
    ],
 )
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@ -22,12 +22,14 @@ import (
 	"strings"
 	"time"

+	"github.com/spf13/pflag"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	"k8s.io/apiserver/pkg/storage/storagebackend"
 	cliflag "k8s.io/component-base/cli/flag"
 	"k8s.io/component-base/logs"
 	"k8s.io/component-base/metrics"
+
 	api "k8s.io/kubernetes/pkg/apis/core"
 	"k8s.io/kubernetes/pkg/cluster/ports"
 	"k8s.io/kubernetes/pkg/controlplane/reconcilers"
@ -37,12 +39,15 @@ import (
 	"k8s.io/kubernetes/pkg/serviceaccount"
 )

+// InsecurePortFlags are dummy flags, they are kept only for compatibility and will be removed in v1.24.
+// TODO: remove these flags in v1.24.
+var InsecurePortFlags = []string{"insecure-port", "port"}
+
 // ServerRunOptions runs a kubernetes api server.
 type ServerRunOptions struct {
 	GenericServerRunOptions *genericoptions.ServerRunOptions
 	Etcd                    *genericoptions.EtcdOptions
 	SecureServing           *genericoptions.SecureServingOptionsWithLoopback
-	InsecureServing         *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
 	Audit                   *genericoptions.AuditOptions
 	Features                *genericoptions.FeatureOptions
 	Admission               *kubeoptions.AdmissionOptions
@ -62,7 +67,7 @@ type ServerRunOptions struct {
 	MaxConnectionBytesPerSec  int64
 	// ServiceClusterIPRange is mapped to input provided by user
 	ServiceClusterIPRanges string
-	//PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
+	// PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
 	// of parsing ServiceClusterIPRange into actual values
 	PrimaryServiceClusterIPRange   net.IPNet
 	SecondaryServiceClusterIPRange net.IPNet
@ -92,7 +97,6 @@ func NewServerRunOptions() *ServerRunOptions {
 		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
 		Etcd:                    genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, nil)),
 		SecureServing:           kubeoptions.NewSecureServingOptions(),
-		InsecureServing:         kubeoptions.NewInsecureServingOptions(),
 		Audit:                   genericoptions.NewAuditOptions(),
 		Features:                genericoptions.NewFeatureOptions(),
 		Admission:               kubeoptions.NewAdmissionOptions(),
@ -134,14 +138,33 @@ func NewServerRunOptions() *ServerRunOptions {
 	return &s
 }

+// TODO: remove these insecure flags in v1.24
+func addDummyInsecureFlags(fs *pflag.FlagSet) {
+	var (
+		bindAddr = net.IPv4(127, 0, 0, 1)
+		bindPort int
+	)
+
+	for _, name := range []string{"insecure-bind-address", "address"} {
+		fs.IPVar(&bindAddr, name, bindAddr, ""+
+			"The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
+		fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.")
+	}
+
+	for _, name := range InsecurePortFlags {
+		fs.IntVar(&bindPort, name, bindPort, ""+
+			"The port on which to serve unsecured, unauthenticated access.")
+		fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.")
+	}
+}
+
 // Flags returns flags for a specific APIServer by section name
 func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
 	// Add the generic flags.
 	s.GenericServerRunOptions.AddUniversalFlags(fss.FlagSet("generic"))
 	s.Etcd.AddFlags(fss.FlagSet("etcd"))
 	s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
-	s.InsecureServing.AddFlags(fss.FlagSet("insecure serving"))
-	s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address`
+	addDummyInsecureFlags(fss.FlagSet("insecure serving"))
 	s.Audit.AddFlags(fss.FlagSet("auditing"))
 	s.Features.AddFlags(fss.FlagSet("features"))
 	s.Authentication.AddFlags(fss.FlagSet("authentication"))
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@ -177,10 +177,6 @@ func TestAddFlags(t *testing.T) {
 			HTTP2MaxStreamsPerConnection: 42,
 			Required:                     true,
 		}).WithLoopback(),
-		InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
-			BindAddress: net.ParseIP("127.0.0.1"),
-			BindPort:    8080,
-		}).WithLoopback(),
 		EventTTL: 1 * time.Hour,
 		KubeletConfig: kubeletclient.KubeletClientConfig{
 			Port:         10250,
--- a/cmd/kube-apiserver/app/options/validation.go
+++ b/cmd/kube-apiserver/app/options/validation.go
@ -173,7 +173,6 @@ func (s *ServerRunOptions) Validate() []error {
 	errs = append(errs, s.Authorization.Validate()...)
 	errs = append(errs, s.Audit.Validate()...)
 	errs = append(errs, s.Admission.Validate()...)
-	errs = append(errs, s.InsecureServing.Validate()...)
 	errs = append(errs, s.APIEnablement.Validate(legacyscheme.Scheme, apiextensionsapiserver.Scheme, aggregatorscheme.Scheme)...)
 	errs = append(errs, validateTokenRequest(s)...)
 	errs = append(errs, s.Metrics.Validate()...)
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -31,6 +31,7 @@ import (
 	"time"

 	"github.com/spf13/cobra"
+	"github.com/spf13/pflag"

 	extensionsapiserver "k8s.io/apiextensions-apiserver/pkg/apiserver"
 	utilerrors "k8s.io/apimachinery/pkg/util/errors"
@ -65,6 +66,7 @@ import (
 	"k8s.io/klog/v2"
 	aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
 	aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme"
+
 	"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/capabilities"
@ -77,8 +79,6 @@ import (
 	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 	"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
-	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
-	kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
 	rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
 	"k8s.io/kubernetes/pkg/serviceaccount"
 )
@ -88,6 +88,20 @@ const (
 	etcdRetryInterval = 1 * time.Second
 )

+// TODO: delete this check after insecure flags removed in v1.24
+func checkNonZeroInsecurePort(fs *pflag.FlagSet) error {
+	for _, name := range options.InsecurePortFlags {
+		val, err := fs.GetInt(name)
+		if err != nil {
+			return err
+		}
+		if val != 0 {
+			return fmt.Errorf("invalid port value %d: only zero is allowed", val)
+		}
+	}
+	return nil
+}
+
 // NewAPIServerCommand creates a *cobra.Command object with default parameters
 func NewAPIServerCommand() *cobra.Command {
 	s := options.NewServerRunOptions()
@ -108,8 +122,13 @@ cluster's shared state through which all other components interact.`,
 		},
 		RunE: func(cmd *cobra.Command, args []string) error {
 			verflag.PrintAndExitIfRequested()
-			cliflag.PrintFlags(cmd.Flags())
+			fs := cmd.Flags()
+			cliflag.PrintFlags(fs)

+			err := checkNonZeroInsecurePort(fs)
+			if err != nil {
+				return err
+			}
 			// set default options
 			completedOptions, err := Complete(s)
 			if err != nil {
@ -182,7 +201,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 		return nil, err
 	}

-	kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
+	kubeAPIServerConfig, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
 	if err != nil {
 		return nil, err
 	}
@ -214,13 +233,6 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 		return nil, err
 	}

-	if insecureServingInfo != nil {
-		insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
-		if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
-			return nil, err
-		}
-	}
-
 	return aggregatorServer, nil
 }

@ -288,19 +300,18 @@ func CreateKubeAPIServerConfig(
 	proxyTransport *http.Transport,
 ) (
 	*controlplane.Config,
-	*genericapiserver.DeprecatedInsecureServingInfo,
 	aggregatorapiserver.ServiceResolver,
 	[]admission.PluginInitializer,
 	error,
 ) {
-	genericConfig, versionedInformers, insecureServingInfo, serviceResolver, pluginInitializers, admissionPostStartHook, storageFactory, err := buildGenericConfig(s.ServerRunOptions, proxyTransport)
+	genericConfig, versionedInformers, serviceResolver, pluginInitializers, admissionPostStartHook, storageFactory, err := buildGenericConfig(s.ServerRunOptions, proxyTransport)
 	if err != nil {
-		return nil, nil, nil, nil, err
+		return nil, nil, nil, err
 	}

 	if _, port, err := net.SplitHostPort(s.Etcd.StorageConfig.Transport.ServerList[0]); err == nil && port != "0" && len(port) != 0 {
 		if err := utilwait.PollImmediate(etcdRetryInterval, etcdRetryLimit*etcdRetryInterval, preflight.EtcdConnection{ServerList: s.Etcd.StorageConfig.Transport.ServerList}.CheckEtcdServers); err != nil {
-			return nil, nil, nil, nil, fmt.Errorf("error waiting for etcd connection: %v", err)
+			return nil, nil, nil, fmt.Errorf("error waiting for etcd connection: %v", err)
 		}
 	}

@ -322,7 +333,7 @@ func CreateKubeAPIServerConfig(

 	serviceIPRange, apiServerServiceIP, err := controlplane.ServiceIPRange(s.PrimaryServiceClusterIPRange)
 	if err != nil {
-		return nil, nil, nil, nil, err
+		return nil, nil, nil, err
 	}

 	// defaults to empty range and ip
@ -331,7 +342,7 @@ func CreateKubeAPIServerConfig(
 	if s.SecondaryServiceClusterIPRange.IP != nil {
 		secondaryServiceIPRange, _, err = controlplane.ServiceIPRange(s.SecondaryServiceClusterIPRange)
 		if err != nil {
-			return nil, nil, nil, nil, err
+			return nil, nil, nil, err
 		}
 	}

@ -369,13 +380,13 @@ func CreateKubeAPIServerConfig(

 	clientCAProvider, err := s.Authentication.ClientCert.GetClientCAContentProvider()
 	if err != nil {
-		return nil, nil, nil, nil, err
+		return nil, nil, nil, err
 	}
 	config.ExtraConfig.ClusterAuthenticationInfo.ClientCA = clientCAProvider

 	requestHeaderConfig, err := s.Authentication.RequestHeader.ToAuthenticationRequestHeaderConfig()
 	if err != nil {
-		return nil, nil, nil, nil, err
+		return nil, nil, nil, err
 	}
 	if requestHeaderConfig != nil {
 		config.ExtraConfig.ClusterAuthenticationInfo.RequestHeaderCA = requestHeaderConfig.CAContentProvider
@ -386,7 +397,7 @@ func CreateKubeAPIServerConfig(
 	}

 	if err := config.GenericConfig.AddPostStartHook("start-kube-apiserver-admission-initializer", admissionPostStartHook); err != nil {
-		return nil, nil, nil, nil, err
+		return nil, nil, nil, err
 	}

 	if nodeTunneler != nil {
@ -401,7 +412,7 @@ func CreateKubeAPIServerConfig(
 		networkContext := egressselector.Cluster.AsNetworkContext()
 		dialer, err := config.GenericConfig.EgressSelector.Lookup(networkContext)
 		if err != nil {
-			return nil, nil, nil, nil, err
+			return nil, nil, nil, err
 		}
 		c := proxyTransport.Clone()
 		c.DialContext = dialer
@ -414,7 +425,7 @@ func CreateKubeAPIServerConfig(
 		for _, f := range s.Authentication.ServiceAccounts.KeyFiles {
 			keys, err := keyutil.PublicKeysFromFile(f)
 			if err != nil {
-				return nil, nil, nil, nil, fmt.Errorf("failed to parse key file %q: %v", f, err)
+				return nil, nil, nil, fmt.Errorf("failed to parse key file %q: %v", f, err)
 			}
 			pubKeys = append(pubKeys, keys...)
 		}
@ -424,7 +435,7 @@ func CreateKubeAPIServerConfig(
 		config.ExtraConfig.ServiceAccountPublicKeys = pubKeys
 	}

-	return config, insecureServingInfo, serviceResolver, pluginInitializers, nil
+	return config, serviceResolver, pluginInitializers, nil
 }

 // BuildGenericConfig takes the master server options and produces the genericapiserver.Config associated with it
@ -434,7 +445,6 @@ func buildGenericConfig(
 ) (
 	genericConfig *genericapiserver.Config,
 	versionedInformers clientgoinformers.SharedInformerFactory,
-	insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
 	serviceResolver aggregatorapiserver.ServiceResolver,
 	pluginInitializers []admission.PluginInitializer,
 	admissionPostStartHook genericapiserver.PostStartHookFunc,
@ -448,9 +458,6 @@ func buildGenericConfig(
 		return
 	}

-	if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil {
-		return
-	}
 	if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
 		return
 	}
@ -595,9 +602,6 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
 	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
 		return options, err
 	}
-	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil {
-		return options, err
-	}

 	// process s.ServiceClusterIPRange from list to Primary and Secondary
 	// we process secondary only if provided by user
--- a/cmd/kube-apiserver/app/testing/testserver.go
+++ b/cmd/kube-apiserver/app/testing/testserver.go
@ -122,7 +122,6 @@ func StartTestServer(t Logger, instanceOptions *TestServerInstanceOptions, custo
 	for _, f := range s.Flags().FlagSets {
 		fs.AddFlagSet(f)
 	}
-	s.InsecureServing.BindPort = 0

 	s.SecureServing.Listener, s.SecureServing.BindPort, err = createLocalhostListenerOnFreePort()
 	if err != nil {
--- a/hack/lib/util.sh
+++ b/hack/lib/util.sh
@ -45,6 +45,7 @@ kube::util::wait_for_url() {
  local wait=${3:-1}
  local times=${4:-30}
  local maxtime=${5:-1}
+  local extra_args=${6:-}

  command -v curl >/dev/null || {
    kube::log::usage "curl must be installed"
@ -54,7 +55,9 @@ kube::util::wait_for_url() {
  local i
  for i in $(seq 1 "${times}"); do
    local out
-    if out=$(curl --max-time "${maxtime}" -gkfs "${url}" 2>/dev/null); then
+    # shellcheck disable=SC2086
+    # Disabling because "${extra_args}" needs to allow for expansion here
+    if out=$(curl --max-time "${maxtime}" -gkfs $extra_args "${url}" 2>/dev/null); then
      kube::log::status "On try ${i}, ${prefix}: ${out}"
      return 0
    fi
@ -64,6 +67,17 @@ kube::util::wait_for_url() {
  return 1
 }

+kube::util::wait_for_url_with_bearer_token() {
+  local url=$1
+  local token=$2
+  local prefix=${3:-}
+  local wait=${4:-1}
+  local times=${5:-30}
+  local maxtime=${6:-1}
+
+  kube::util::wait_for_url "${url}" "${prefix}" "${wait}" "${times}" "${maxtime}" "--oauth2-bearer ${token}"
+}
+
 # Example:  kube::util::wait_for_success 120 5 "kubectl get nodes|grep localhost"
 # arguments: wait time, sleep time, shell command
 # returns 0 if the shell command get output, 1 otherwise.
--- a/hack/make-rules/test-cmd.sh
+++ b/hack/make-rules/test-cmd.sh
@ -56,9 +56,7 @@ function run_kube_apiserver() {
  ENABLE_FEATURE_GATES="ServerSideApply=true"

  "${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \
-    --insecure-bind-address="127.0.0.1" \
    --bind-address="127.0.0.1" \
-    --insecure-port="${API_PORT}" \
    --authorization-mode="${AUTHORIZATION_MODE}" \
    --secure-port="${SECURE_API_PORT}" \
    --feature-gates="${ENABLE_FEATURE_GATES}" \
@ -73,7 +71,7 @@ function run_kube_apiserver() {
    --token-auth-file=hack/testdata/auth-tokens.csv 1>&2 &
  export APISERVER_PID=$!

-  kube::util::wait_for_url "http://127.0.0.1:${API_PORT}/healthz" "apiserver"
+  kube::util::wait_for_url_with_bearer_token "https://127.0.0.1:${SECURE_API_PORT}/healthz" "admin-token" "apiserver"
 }

 # Runs run_kube_controller_manager
@ -85,11 +83,33 @@ function run_kube_controller_manager() {
  make -C "${KUBE_ROOT}" WHAT="cmd/kube-controller-manager"

  # Start controller manager
+  kube::log::status 'Generate kubeconfig for controller-manager'
+  local config
+  config="$(mktemp controller-manager.kubeconfig.XXXXX)"
+  cat <<EOF > "$config"
+kind: Config
+users:
+- name: controller-manager
+  user:
+    token: admin-token
+clusters:
+- cluster:
+    server: https://127.0.0.1:${SECURE_API_PORT}
+    insecure-skip-tls-verify: true
+  name: local
+contexts:
+- context:
+    cluster: local
+    user: controller-manager
+  name: local-context
+current-context: local-context
+EOF
+
  kube::log::status "Starting controller-manager"
  "${KUBE_OUTPUT_HOSTBIN}/kube-controller-manager" \
    --port="${CTLRMGR_PORT}" \
    --kube-api-content-type="${KUBE_TEST_API_TYPE-}" \
-    --master="127.0.0.1:${API_PORT}" 1>&2 &
+    --kubeconfig="${config}" 1>&2 &
  export CTLRMGR_PID=$!

  kube::util::wait_for_url "http://127.0.0.1:${CTLRMGR_PORT}/healthz" "controller-manager"
@ -101,7 +121,7 @@ function run_kube_controller_manager() {
 # Exports:
 #   SUPPORTED_RESOURCES(Array of all resources supported by the apiserver).
 function create_node() {
-  kubectl create -f - -s "http://127.0.0.1:${API_PORT}" << __EOF__
+  kubectl create -f - << __EOF__
 {
  "kind": "Node",
  "apiVersion": "v1",
--- a/hack/update-openapi-spec.sh
+++ b/hack/update-openapi-spec.sh
@ -61,22 +61,22 @@ echo "dummy_token,admin,admin" > "${TMP_DIR}/tokenauth.csv"
 # Start kube-apiserver
 kube::log::status "Starting kube-apiserver"
 "${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \
-  --insecure-bind-address="${API_HOST}" \
  --bind-address="${API_HOST}" \
-  --insecure-port="${API_PORT}" \
+  --secure-port="${API_PORT}" \
  --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \
  --advertise-address="10.10.10.10" \
  --cert-dir="${TMP_DIR}/certs" \
  --runtime-config="api/all=true" \
  --token-auth-file="${TMP_DIR}/tokenauth.csv" \
-  --service-account-issuer="https://kubernetes.devault.svc/" \
+  --authorization-mode=RBAC \
+  --service-account-issuer="https://kubernetes.default.svc/" \
  --service-account-signing-key-file="${KUBE_ROOT}/staging/src/k8s.io/client-go/util/cert/testdata/dontUseThisKey.pem" \
  --logtostderr \
  --v=2 \
  --service-cluster-ip-range="10.0.0.0/24" >"${API_LOGFILE}" 2>&1 &
 APISERVER_PID=$!

-if ! kube::util::wait_for_url "${API_HOST}:${API_PORT}/healthz" "apiserver: "; then
+if ! kube::util::wait_for_url "https://${API_HOST}:${API_PORT}/healthz" "apiserver: "; then
  kube::log::error "Here are the last 10 lines from kube-apiserver (${API_LOGFILE})"
  kube::log::error "=== BEGIN OF LOG ==="
  tail -10 "${API_LOGFILE}" >&2 || :
@ -86,7 +86,7 @@ fi

 kube::log::status "Updating " "${OPENAPI_ROOT_DIR}"

-curl -w "\n" -fs "${API_HOST}:${API_PORT}/openapi/v2" | jq -S '.info.version="unversioned"' > "${OPENAPI_ROOT_DIR}/swagger.json"
+curl -w "\n" -kfs --oauth2-bearer dummy_token "https://${API_HOST}:${API_PORT}/openapi/v2" | jq -S '.info.version="unversioned"' > "${OPENAPI_ROOT_DIR}/swagger.json"

 kube::log::status "SUCCESS"

--- a/test/cmd/authorization.sh
+++ b/test/cmd/authorization.sh
@ -30,7 +30,7 @@ run_authorization_tests() {
  kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json --validate=false

  SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
-  curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}"
+  curl -kfsS -H "Content-Type:" --oauth2-bearer admin-token "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1beta1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}"
  if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
    kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
  else
@ -40,7 +40,7 @@ run_authorization_tests() {
  rm "${SAR_RESULT_FILE}"

  SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json"
-  curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}"
+  curl -kfsS -H "Content-Type:" --oauth2-bearer admin-token "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}"
  if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then
    kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")"
  else
--- a/test/cmd/discovery.sh
+++ b/test/cmd/discovery.sh
@ -120,7 +120,7 @@ run_swagger_tests() {

  # Verify schema
  file="${KUBE_TEMP}/schema.json"
-  curl -s "http://127.0.0.1:${API_PORT}/openapi/v2" > "${file}"
+  curl -kfs --oauth2-bearer admin-token "https://127.0.0.1:${SECURE_API_PORT}/openapi/v2" > "${file}"
  grep -q "list of returned" "${file}"
  grep -q "List of services" "${file}"
  grep -q "Watch for changes to the described resources" "${file}"
--- a/test/cmd/legacy-script.sh
+++ b/test/cmd/legacy-script.sh
@ -59,7 +59,6 @@ source "${KUBE_ROOT}/test/cmd/wait.sh"

 ETCD_HOST=${ETCD_HOST:-127.0.0.1}
 ETCD_PORT=${ETCD_PORT:-2379}
-API_PORT=${API_PORT:-8080}
 SECURE_API_PORT=${SECURE_API_PORT:-6443}
 API_HOST=${API_HOST:-127.0.0.1}
 KUBELET_HEALTHZ_PORT=${KUBELET_HEALTHZ_PORT:-10248}
@ -307,10 +306,12 @@ setup() {

  # TODO: we need to note down the current default namespace and set back to this
  # namespace after the tests are done.
-  kubectl config view
  CONTEXT="test"
-  kubectl config set-context "${CONTEXT}"
+  kubectl config set-credentials test-admin --token admin-token
+  kubectl config set-cluster local --insecure-skip-tls-verify --server "https://127.0.0.1:${SECURE_API_PORT}"
+  kubectl config set-context "${CONTEXT}" --user test-admin --cluster local
  kubectl config use-context "${CONTEXT}"
+  kubectl config view

  kube::log::status "Setup complete"
 }
@ -339,13 +340,9 @@ runTests() {
    kubectl config set-context "${CONTEXT}" --namespace="${ns_name}"
  }

-  kube_flags=(
-    '-s' "http://127.0.0.1:${API_PORT}"
-  )
+  kube_flags=( '-s' "https://127.0.0.1:${SECURE_API_PORT}" '--insecure-skip-tls-verify' )

-  kube_flags_without_token=(
-    '-s' "https://127.0.0.1:${SECURE_API_PORT}" '--insecure-skip-tls-verify=true'
-  )
+  kube_flags_without_token=( "${kube_flags[@]}" )

  # token defined in hack/testdata/auth-tokens.csv
  kube_flags_with_token=( "${kube_flags_without_token[@]}" '--token=admin-token' )
--- a/test/e2e_node/services/apiserver.go
+++ b/test/e2e_node/services/apiserver.go
@ -55,8 +55,6 @@ func (a *APIServer) Start() error {
 		return err
 	}
 	o.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
-	// Disable insecure serving
-	o.InsecureServing.BindPort = 0
 	o.ServiceClusterIPRanges = ipnet.String()
 	o.AllowPrivileged = true
 	if err := generateTokenFile(tokenFilePath); err != nil {
--- a/test/integration/etcd/server.go
+++ b/test/integration/etcd/server.go
@ -71,7 +71,6 @@ func StartRealMasterOrDie(t *testing.T, configFuncs ...func(*options.ServerRunOp
 	}

 	kubeAPIServerOptions := options.NewServerRunOptions()
-	kubeAPIServerOptions.InsecureServing.BindPort = 0
 	kubeAPIServerOptions.SecureServing.Listener = listener
 	kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir
 	kubeAPIServerOptions.Etcd.StorageConfig.Transport.ServerList = []string{framework.GetEtcdURL()}
--- a/test/integration/framework/test_server.go
+++ b/test/integration/framework/test_server.go
@ -90,7 +90,6 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup
 	kubeAPIServerOptions.SecureServing.Listener = listener
 	kubeAPIServerOptions.SecureServing.BindAddress = net.ParseIP("127.0.0.1")
 	kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir
-	kubeAPIServerOptions.InsecureServing.BindPort = 0
 	kubeAPIServerOptions.Etcd.StorageConfig.Prefix = path.Join("/", uuid.New().String(), "registry")
 	kubeAPIServerOptions.Etcd.StorageConfig.Transport.ServerList = []string{GetEtcdURL()}
 	kubeAPIServerOptions.ServiceClusterIPRanges = defaultServiceClusterIPRange.String()
@ -114,7 +113,7 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup
 	if err != nil {
 		t.Fatal(err)
 	}
-	kubeAPIServerConfig, _, _, _, err := app.CreateKubeAPIServerConfig(completedOptions, tunneler, proxyTransport)
+	kubeAPIServerConfig, _, _, err := app.CreateKubeAPIServerConfig(completedOptions, tunneler, proxyTransport)
 	if err != nil {
 		t.Fatal(err)
 	}