Allow secure access to apiserver from Admission Controllers

* Allow options.InsecurePort to be set to 0 to switch off insecure access
* In NewSelfClient, set the TLSClientConfig to the cert and key files
  if InsecurePort is switched off
* Mint a bearer token that allows the client(s) created in NewSelfClient
  to talk to the API server
* Add a new authenticator that checks for this specific bearer token

Fixes #13598
Davanum Srinivas
2016-08-25 23:01:50 -04:00
parent 4b7f0c8388
commit 25d4a70827
9 changed files with 157 additions and 30 deletions


@@ -27,6 +27,7 @@ import (
"k8s.io/kubernetes/pkg/api/unversioned"
"k8s.io/kubernetes/pkg/apimachinery/registered"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions "k8s.io/kubernetes/pkg/genericapiserver/options"
genericvalidation "k8s.io/kubernetes/pkg/genericapiserver/validation"
"k8s.io/kubernetes/pkg/storage/storagebackend"
@@ -39,6 +40,7 @@ const (
// Ports on which to run the server.
// Explicitly setting these to a different value than the default values, to prevent this from clashing with a local cluster.
InsecurePort = 8081
SecurePort = 6444
)
func newStorageFactory() genericapiserver.StorageFactory {
@@ -65,6 +67,7 @@ func Run(serverOptions *genericoptions.ServerRunOptions) error {
genericvalidation.ValidateRunOptions(serverOptions)
genericvalidation.VerifyEtcdServersList(serverOptions)
config := genericapiserver.NewConfig(serverOptions)
config.Authorizer = authorizer.NewAlwaysAllowAuthorizer()
config.Serializer = api.Codecs
s, err := config.New()
if err != nil {
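Review bot: `config.Authorizer = authorizer.NewAlwaysAllowAuthorizer()` in the third hunk grants every request full authorization with no comment saying why, in a commit whose stated purpose is to tighten self-client access. The port comment two hunks up ("to prevent this from clashing with a local cluster") suggests this is a standalone example/test server rather than a production configuration, so the choice is probably deliberate, but a reader copying this file will not know that. I would annotate the line: `// Example server: authorize every request. Do not copy this into a production config;` followed by `// any client that passes authentication (including anonymous, if the authenticator allows it) gets full access.` The body of Run continues past the end of the hunk, so I cannot see whether the new SecurePort constant from the second hunk is actually wired into serverOptions here.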