Allow secure access to apiserver from Admission Controllers

* Allow options.InsecurePort to be set to 0 to switch off insecure access * In NewSelfClient, Set the TLSClientConfig to the cert and key files if InsecurePort is switched off * Mint a bearer token that allows the client(s) created in NewSelfClient to talk to the api server * Add a new authenticator that checks for this specific bearer token Fixes #13598
2025-10-15 11:39:24 +00:00 · 2016-08-25 23:01:50 -04:00
parent 4b7f0c8388
commit 25d4a70827
9 changed files with 157 additions and 30 deletions
--- a/pkg/genericapiserver/validation/universal_validation.go
+++ b/pkg/genericapiserver/validation/universal_validation.go
@@ -55,9 +55,12 @@ func verifySecureAndInsecurePort(options *options.ServerRunOptions) []error {
 		errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", options.SecurePort))
 	}

-	// TODO: Allow 0 to turn off insecure port.
-	if options.InsecurePort < 1 || options.InsecurePort > 65535 {
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 1 and 65535, inclusive.", options.InsecurePort))
+	if options.InsecurePort < 0 || options.InsecurePort > 65535 {
+		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure port.", options.InsecurePort))
+	}
+
+	if options.SecurePort == 0 && options.InsecurePort == 0 {
+		glog.Fatalf("--secure-port and --insecure-port cannot be turned off at the same time.")
 	}

 	if options.SecurePort == options.InsecurePort {