Merge pull request #95856 from knight42/refactor/disable-apiserver-insecure-port
refactor(apiserver): disable insecure port
@@ -23,8 +23,6 @@ go_library(
|
||||
"//pkg/kubeapiserver/admission:go_default_library",
|
||||
"//pkg/kubeapiserver/authenticator:go_default_library",
|
||||
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
||||
"//pkg/kubeapiserver/options:go_default_library",
|
||||
"//pkg/kubeapiserver/server:go_default_library",
|
||||
"//pkg/registry/rbac/rest:go_default_library",
|
||||
"//pkg/serviceaccount:go_default_library",
|
||||
"//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:go_default_library",
|
||||
@@ -74,6 +72,7 @@ go_library(
|
||||
"//staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1:go_default_library",
|
||||
"//staging/src/k8s.io/kube-aggregator/pkg/controllers/autoregister:go_default_library",
|
||||
"//vendor/github.com/spf13/cobra:go_default_library",
|
||||
"//vendor/github.com/spf13/pflag:go_default_library",
|
||||
"//vendor/k8s.io/klog/v2:go_default_library",
|
||||
],
|
||||
)
|
||||
|
@@ -22,12 +22,14 @@ import (
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
genericoptions "k8s.io/apiserver/pkg/server/options"
|
||||
"k8s.io/apiserver/pkg/storage/storagebackend"
|
||||
cliflag "k8s.io/component-base/cli/flag"
|
||||
"k8s.io/component-base/logs"
|
||||
"k8s.io/component-base/metrics"
|
||||
|
||||
api "k8s.io/kubernetes/pkg/apis/core"
|
||||
"k8s.io/kubernetes/pkg/cluster/ports"
|
||||
"k8s.io/kubernetes/pkg/controlplane/reconcilers"
|
||||
@@ -37,12 +39,15 @@ import (
|
||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||
)
|
||||
|
||||
// InsecurePortFlags are dummy flags, they are kept only for compatibility and will be removed in v1.24.
|
||||
// TODO: remove these flags in v1.24.
|
||||
var InsecurePortFlags = []string{"insecure-port", "port"}
|
||||
|
||||
// ServerRunOptions runs a kubernetes api server.
|
||||
type ServerRunOptions struct {
|
||||
GenericServerRunOptions *genericoptions.ServerRunOptions
|
||||
Etcd *genericoptions.EtcdOptions
|
||||
SecureServing *genericoptions.SecureServingOptionsWithLoopback
|
||||
InsecureServing *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
|
||||
Audit *genericoptions.AuditOptions
|
||||
Features *genericoptions.FeatureOptions
|
||||
Admission *kubeoptions.AdmissionOptions
|
||||
@@ -62,7 +67,7 @@ type ServerRunOptions struct {
|
||||
MaxConnectionBytesPerSec int64
|
||||
// ServiceClusterIPRange is mapped to input provided by user
|
||||
ServiceClusterIPRanges string
|
||||
//PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
|
||||
// PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results
|
||||
// of parsing ServiceClusterIPRange into actual values
|
||||
PrimaryServiceClusterIPRange net.IPNet
|
||||
SecondaryServiceClusterIPRange net.IPNet
|
||||
@@ -92,7 +97,6 @@ func NewServerRunOptions() *ServerRunOptions {
|
||||
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
||||
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, nil)),
|
||||
SecureServing: kubeoptions.NewSecureServingOptions(),
|
||||
InsecureServing: kubeoptions.NewInsecureServingOptions(),
|
||||
Audit: genericoptions.NewAuditOptions(),
|
||||
Features: genericoptions.NewFeatureOptions(),
|
||||
Admission: kubeoptions.NewAdmissionOptions(),
|
||||
@@ -134,14 +138,33 @@ func NewServerRunOptions() *ServerRunOptions {
|
||||
return &s
|
||||
}
|
||||
|
||||
// TODO: remove these insecure flags in v1.24
|
||||
func addDummyInsecureFlags(fs *pflag.FlagSet) {
|
||||
var (
|
||||
bindAddr = net.IPv4(127, 0, 0, 1)
|
||||
bindPort int
|
||||
)
|
||||
|
||||
for _, name := range []string{"insecure-bind-address", "address"} {
|
||||
fs.IPVar(&bindAddr, name, bindAddr, ""+
|
||||
"The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
|
||||
fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.")
|
||||
}
|
||||
|
||||
for _, name := range InsecurePortFlags {
|
||||
fs.IntVar(&bindPort, name, bindPort, ""+
|
||||
"The port on which to serve unsecured, unauthenticated access.")
|
||||
fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.")
|
||||
}
|
||||
}
|
||||
|
||||
// Flags returns flags for a specific APIServer by section name
|
||||
func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
|
||||
// Add the generic flags.
|
||||
s.GenericServerRunOptions.AddUniversalFlags(fss.FlagSet("generic"))
|
||||
s.Etcd.AddFlags(fss.FlagSet("etcd"))
|
||||
s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
|
||||
s.InsecureServing.AddFlags(fss.FlagSet("insecure serving"))
|
||||
s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address`
|
||||
addDummyInsecureFlags(fss.FlagSet("insecure serving"))
|
||||
s.Audit.AddFlags(fss.FlagSet("auditing"))
|
||||
s.Features.AddFlags(fss.FlagSet("features"))
|
||||
s.Authentication.AddFlags(fss.FlagSet("authentication"))
|
||||
|
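Review bot: The doc comment on `InsecurePortFlags` (`// InsecurePortFlags are dummy flags, they are kept only for compatibility...`) understates the contract: these flags are not pure no-ops, because a non-zero value is rejected at startup by `checkNonZeroInsecurePort` in cmd/kube-apiserver/app/server.go, and that is exactly what an operator migrating off `--insecure-port=8080` needs to learn from the source. Suggest `// InsecurePortFlags are dummy flags kept only for compatibility; they accept only 0 (a non-zero value is rejected at startup by checkNonZeroInsecurePort in cmd/kube-apiserver/app) and will be removed in v1.24.` The address flags registered in `addDummyInsecureFlags` have no such check, so any `--insecure-bind-address`/`--address` value is silently discarded apart from the deprecation warning; that asymmetry deserves a sentence in the function's TODO comment. The help strings still describe serving ("The port on which to serve unsecured, unauthenticated access."), which no longer happens; presumably MarkDeprecated hides them from --help, so this is minor, but the text should say the flag is ignored rather than describe a listener that no longer exists.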
@@ -177,10 +177,6 @@ func TestAddFlags(t *testing.T) {
|
||||
HTTP2MaxStreamsPerConnection: 42,
|
||||
Required: true,
|
||||
}).WithLoopback(),
|
||||
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}).WithLoopback(),
|
||||
EventTTL: 1 * time.Hour,
|
||||
KubeletConfig: kubeletclient.KubeletClientConfig{
|
||||
Port: 10250,
|
||||
|
@@ -173,7 +173,6 @@ func (s *ServerRunOptions) Validate() []error {
|
||||
errs = append(errs, s.Authorization.Validate()...)
|
||||
errs = append(errs, s.Audit.Validate()...)
|
||||
errs = append(errs, s.Admission.Validate()...)
|
||||
errs = append(errs, s.InsecureServing.Validate()...)
|
||||
errs = append(errs, s.APIEnablement.Validate(legacyscheme.Scheme, apiextensionsapiserver.Scheme, aggregatorscheme.Scheme)...)
|
||||
errs = append(errs, validateTokenRequest(s)...)
|
||||
errs = append(errs, s.Metrics.Validate()...)
|
||||
|
@@ -31,6 +31,7 @@ import (
|
||||
"time"
|
||||
|
||||
"github.com/spf13/cobra"
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
extensionsapiserver "k8s.io/apiextensions-apiserver/pkg/apiserver"
|
||||
utilerrors "k8s.io/apimachinery/pkg/util/errors"
|
||||
@@ -65,6 +66,7 @@ import (
|
||||
"k8s.io/klog/v2"
|
||||
aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver"
|
||||
aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme"
|
||||
|
||||
"k8s.io/kubernetes/cmd/kube-apiserver/app/options"
|
||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||
"k8s.io/kubernetes/pkg/capabilities"
|
||||
@@ -77,8 +79,6 @@ import (
|
||||
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
||||
kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
|
||||
"k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes"
|
||||
kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
|
||||
kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
|
||||
rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest"
|
||||
"k8s.io/kubernetes/pkg/serviceaccount"
|
||||
)
|
||||
@@ -88,6 +88,20 @@ const (
|
||||
etcdRetryInterval = 1 * time.Second
|
||||
)
|
||||
|
||||
// TODO: delete this check after insecure flags removed in v1.24
|
||||
func checkNonZeroInsecurePort(fs *pflag.FlagSet) error {
|
||||
for _, name := range options.InsecurePortFlags {
|
||||
val, err := fs.GetInt(name)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if val != 0 {
|
||||
return fmt.Errorf("invalid port value %d: only zero is allowed", val)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// NewAPIServerCommand creates a *cobra.Command object with default parameters
|
||||
func NewAPIServerCommand() *cobra.Command {
|
||||
s := options.NewServerRunOptions()
|
||||
@@ -108,8 +122,13 @@ cluster's shared state through which all other components interact.`,
|
||||
},
|
||||
RunE: func(cmd *cobra.Command, args []string) error {
|
||||
verflag.PrintAndExitIfRequested()
|
||||
cliflag.PrintFlags(cmd.Flags())
|
||||
fs := cmd.Flags()
|
||||
cliflag.PrintFlags(fs)
|
||||
|
||||
err := checkNonZeroInsecurePort(fs)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
// set default options
|
||||
completedOptions, err := Complete(s)
|
||||
if err != nil {
|
||||
@@ -182,7 +201,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
|
||||
return nil, err
|
||||
}
|
||||
|
||||
kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
|
||||
kubeAPIServerConfig, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@@ -214,13 +233,6 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if insecureServingInfo != nil {
|
||||
insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
|
||||
if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
return aggregatorServer, nil
|
||||
}
|
||||
|
||||
@@ -288,19 +300,18 @@ func CreateKubeAPIServerConfig(
|
||||
proxyTransport *http.Transport,
|
||||
) (
|
||||
*controlplane.Config,
|
||||
*genericapiserver.DeprecatedInsecureServingInfo,
|
||||
aggregatorapiserver.ServiceResolver,
|
||||
[]admission.PluginInitializer,
|
||||
error,
|
||||
) {
|
||||
genericConfig, versionedInformers, insecureServingInfo, serviceResolver, pluginInitializers, admissionPostStartHook, storageFactory, err := buildGenericConfig(s.ServerRunOptions, proxyTransport)
|
||||
genericConfig, versionedInformers, serviceResolver, pluginInitializers, admissionPostStartHook, storageFactory, err := buildGenericConfig(s.ServerRunOptions, proxyTransport)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
if _, port, err := net.SplitHostPort(s.Etcd.StorageConfig.Transport.ServerList[0]); err == nil && port != "0" && len(port) != 0 {
|
||||
if err := utilwait.PollImmediate(etcdRetryInterval, etcdRetryLimit*etcdRetryInterval, preflight.EtcdConnection{ServerList: s.Etcd.StorageConfig.Transport.ServerList}.CheckEtcdServers); err != nil {
|
||||
return nil, nil, nil, nil, fmt.Errorf("error waiting for etcd connection: %v", err)
|
||||
return nil, nil, nil, fmt.Errorf("error waiting for etcd connection: %v", err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -322,7 +333,7 @@ func CreateKubeAPIServerConfig(
|
||||
|
||||
serviceIPRange, apiServerServiceIP, err := controlplane.ServiceIPRange(s.PrimaryServiceClusterIPRange)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
// defaults to empty range and ip
|
||||
@@ -331,7 +342,7 @@ func CreateKubeAPIServerConfig(
|
||||
if s.SecondaryServiceClusterIPRange.IP != nil {
|
||||
secondaryServiceIPRange, _, err = controlplane.ServiceIPRange(s.SecondaryServiceClusterIPRange)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
}
|
||||
|
||||
@@ -369,13 +380,13 @@ func CreateKubeAPIServerConfig(
|
||||
|
||||
clientCAProvider, err := s.Authentication.ClientCert.GetClientCAContentProvider()
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
config.ExtraConfig.ClusterAuthenticationInfo.ClientCA = clientCAProvider
|
||||
|
||||
requestHeaderConfig, err := s.Authentication.RequestHeader.ToAuthenticationRequestHeaderConfig()
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
if requestHeaderConfig != nil {
|
||||
config.ExtraConfig.ClusterAuthenticationInfo.RequestHeaderCA = requestHeaderConfig.CAContentProvider
|
||||
@@ -386,7 +397,7 @@ func CreateKubeAPIServerConfig(
|
||||
}
|
||||
|
||||
if err := config.GenericConfig.AddPostStartHook("start-kube-apiserver-admission-initializer", admissionPostStartHook); err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
|
||||
if nodeTunneler != nil {
|
||||
@@ -401,7 +412,7 @@ func CreateKubeAPIServerConfig(
|
||||
networkContext := egressselector.Cluster.AsNetworkContext()
|
||||
dialer, err := config.GenericConfig.EgressSelector.Lookup(networkContext)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, err
|
||||
return nil, nil, nil, err
|
||||
}
|
||||
c := proxyTransport.Clone()
|
||||
c.DialContext = dialer
|
||||
@@ -414,7 +425,7 @@ func CreateKubeAPIServerConfig(
|
||||
for _, f := range s.Authentication.ServiceAccounts.KeyFiles {
|
||||
keys, err := keyutil.PublicKeysFromFile(f)
|
||||
if err != nil {
|
||||
return nil, nil, nil, nil, fmt.Errorf("failed to parse key file %q: %v", f, err)
|
||||
return nil, nil, nil, fmt.Errorf("failed to parse key file %q: %v", f, err)
|
||||
}
|
||||
pubKeys = append(pubKeys, keys...)
|
||||
}
|
||||
@@ -424,7 +435,7 @@ func CreateKubeAPIServerConfig(
|
||||
config.ExtraConfig.ServiceAccountPublicKeys = pubKeys
|
||||
}
|
||||
|
||||
return config, insecureServingInfo, serviceResolver, pluginInitializers, nil
|
||||
return config, serviceResolver, pluginInitializers, nil
|
||||
}
|
||||
|
||||
// BuildGenericConfig takes the master server options and produces the genericapiserver.Config associated with it
|
||||
@@ -434,7 +445,6 @@ func buildGenericConfig(
|
||||
) (
|
||||
genericConfig *genericapiserver.Config,
|
||||
versionedInformers clientgoinformers.SharedInformerFactory,
|
||||
insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
|
||||
serviceResolver aggregatorapiserver.ServiceResolver,
|
||||
pluginInitializers []admission.PluginInitializer,
|
||||
admissionPostStartHook genericapiserver.PostStartHookFunc,
|
||||
@@ -448,9 +458,6 @@ func buildGenericConfig(
|
||||
return
|
||||
}
|
||||
|
||||
if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil {
|
||||
return
|
||||
}
|
||||
if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
|
||||
return
|
||||
}
|
||||
@@ -595,9 +602,6 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
|
||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
|
||||
return options, err
|
||||
}
|
||||
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil {
|
||||
return options, err
|
||||
}
|
||||
|
||||
// process s.ServiceClusterIPRange from list to Primary and Secondary
|
||||
// we process secondary only if provided by user
|
||||
|
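Review bot: The error returned from `checkNonZeroInsecurePort` (`invalid port value %d: only zero is allowed`) does not name the offending flag, so an operator whose manifest still carries `--insecure-port=8080` or `--port=8080` gets a startup failure with no hint which of the two flags, or that the removed insecure listener itself, is the cause; the loop already has `name`, so `return fmt.Errorf("invalid value %d for --%s: the insecure port has been disabled and only 0 is accepted", val, name)` makes the rejection actionable. The `fs.GetInt` error is likewise returned bare and would benefit from the flag name (`fmt.Errorf("reading --%s: %w", name, err)`). The check lives in the cobra RunE rather than in `ServerRunOptions.Validate()` (validation.go drops `InsecureServing.Validate()` and the dummy values are not stored on the options struct), so it only guards the CLI path; that looks intentional since the flags have no effect, but a one-line comment on the function stating it would stop the next reader from moving it. With `insecureServingInfo` gone from `CreateServerChain`, `kubeserver.BuildInsecureHandlerChain` presumably has no remaining callers and could be deleted in the same change; the body of `NewAPIServerCommand` continues outside the hunk.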
@@ -122,7 +122,6 @@ func StartTestServer(t Logger, instanceOptions *TestServerInstanceOptions, custo
|
||||
for _, f := range s.Flags().FlagSets {
|
||||
fs.AddFlagSet(f)
|
||||
}
|
||||
s.InsecureServing.BindPort = 0
|
||||
|
||||
s.SecureServing.Listener, s.SecureServing.BindPort, err = createLocalhostListenerOnFreePort()
|
||||
if err != nil {
|
||||
|