github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 05:03:09 +00:00
Code Issues Projects Releases Wiki Activity

kubeadm: Turn off insecure apiserver access on localhost:8080

Browse Source
This commit is contained in:
Lucas Käldström 2017-02-28 17:52:00 +02:00
parent 49d1814b3a
commit 3f592843e6
No known key found for this signature in database
GPG Key ID: 3FA3783D77751514
4 changed files with 35 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
cmd/kubeadm/app/master/manifests.go
View File

@ -74,7 +74,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeAPIServerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getAPIServerCommand(cfg, false),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(8080, "/healthz"),
LivenessProbe: componentProbe(6443, "/healthz", api.URISchemeHTTPS),
Resources: componentResources("250m"),
Env: getProxyEnvVars(),
}, volumes...),
@ -83,7 +83,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getControllerManagerCommand(cfg, false),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(10252, "/healthz"),
LivenessProbe: componentProbe(10252, "/healthz", api.URISchemeHTTP),
Resources: componentResources("200m"),
Env: getProxyEnvVars(),
}, volumes...),
@ -92,7 +92,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getSchedulerCommand(cfg, false),
VolumeMounts: []api.VolumeMount{k8sVolumeMount()},
LivenessProbe: componentProbe(10251, "/healthz"),
LivenessProbe: componentProbe(10251, "/healthz", api.URISchemeHTTP),
Resources: componentResources("100m"),
Env: getProxyEnvVars(),
}, k8sVolume(cfg)),
@ -110,7 +110,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
},
VolumeMounts: []api.VolumeMount{certsVolumeMount(), etcdVolumeMount(), k8sVolumeMount()},
Image: images.GetCoreImage(images.KubeEtcdImage, cfg, kubeadmapi.GlobalEnvParams.EtcdImage),
LivenessProbe: componentProbe(2379, "/health"),
LivenessProbe: componentProbe(2379, "/health", api.URISchemeHTTP),
}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))
etcdPod.Spec.SecurityContext = &api.PodSecurityContext{
@ -249,13 +249,14 @@ func componentResources(cpu string) api.ResourceRequirements {
}
}
func componentProbe(port int, path string) *api.Probe {
func componentProbe(port int, path string, scheme api.URIScheme) *api.Probe {
return &api.Probe{
Handler: api.Handler{
HTTPGet: &api.HTTPGetAction{
Host: "127.0.0.1",
Path: path,
Port: intstr.FromInt(port),
Host: "127.0.0.1",
Path: path,
Port: intstr.FromInt(port),
Scheme: scheme,
},
},
InitialDelaySeconds: 15,
@ -304,7 +305,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
}
defaultArguments := map[string]string{
"insecure-bind-address": "127.0.0.1",
"insecure-port": "0",
"admission-control": kubeadmconstants.DefaultAdmissionControl,
"service-cluster-ip-range": cfg.Networking.ServiceSubnet,
"service-account-key-file": getCertFilePath(kubeadmconstants.ServiceAccountPublicKeyName),
@ -318,7 +319,6 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
"allow-privileged": "true",
"storage-backend": "etcd3",
"kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",
// add options to configure the front proxy. Without the generated client cert, this will never be useable
// so add it unconditionally with recommended values
"requestheader-username-headers": "X-Remote-User",

30
cmd/kubeadm/app/master/manifests_test.go
View File

@ -280,16 +280,23 @@ func TestComponentResources(t *testing.T) {
func TestComponentProbe(t *testing.T) {
var tests = []struct {
port int
path string
port int
path string
scheme api.URIScheme
}{
{
port: 1,
path: "foo",
port: 1,
path: "foo",
scheme: api.URISchemeHTTP,
},
{
port: 2,
path: "bar",
scheme: api.URISchemeHTTPS,
},
}
for _, rt := range tests {
actual := componentProbe(rt.port, rt.path)
actual := componentProbe(rt.port, rt.path, rt.scheme)
if actual.Handler.HTTPGet.Port != intstr.FromInt(rt.port) {
t.Errorf(
"failed componentProbe:\n\texpected: %v\n\t actual: %v",
@ -304,6 +311,13 @@ func TestComponentProbe(t *testing.T) {
actual.Handler.HTTPGet.Path,
)
}
if actual.Handler.HTTPGet.Scheme != rt.scheme {
t.Errorf(
"failed componentProbe:\n\texpected: %v\n\t actual: %v",
rt.scheme,
actual.Handler.HTTPGet.Scheme,
)
}
}
}
@ -371,7 +385,7 @@ func TestGetAPIServerCommand(t *testing.T) {
},
expected: []string{
"kube-apiserver",
"--insecure-bind-address=127.0.0.1",
"--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@ -401,7 +415,7 @@ func TestGetAPIServerCommand(t *testing.T) {
},
expected: []string{
"kube-apiserver",
"--insecure-bind-address=127.0.0.1",
"--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@ -433,7 +447,7 @@ func TestGetAPIServerCommand(t *testing.T) {
},
expected: []string{
"kube-apiserver",
"--insecure-bind-address=127.0.0.1",
"--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",

6
cmd/kubeadm/app/master/selfhosted.go
View File

@ -214,7 +214,7 @@ func getAPIServerDS(cfg *kubeadmapi.MasterConfiguration, volumes []v1.Volume, vo
Command: getAPIServerCommand(cfg, true),
Env: getSelfHostedAPIServerEnv(),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(8080, "/healthz"),
LivenessProbe: componentProbe(6443, "/healthz", v1.URISchemeHTTPS),
Resources: componentResources("250m"),
},
},
@ -264,7 +264,7 @@ func getControllerManagerDeployment(cfg *kubeadmapi.MasterConfiguration, volumes
Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getControllerManagerCommand(cfg, true),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(10252, "/healthz"),
LivenessProbe: componentProbe(10252, "/healthz", v1.URISchemeHTTP),
Resources: componentResources("200m"),
Env: getProxyEnvVars(),
},
@ -314,7 +314,7 @@ func getSchedulerDeployment(cfg *kubeadmapi.MasterConfiguration) ext.Deployment
Name: "self-hosted-" + kubeScheduler,
Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getSchedulerCommand(cfg, true),
LivenessProbe: componentProbe(10251, "/healthz"),
LivenessProbe: componentProbe(10251, "/healthz", v1.URISchemeHTTP),
Resources: componentResources("100m"),
Env: getProxyEnvVars(),
},

1
cmd/kubeadm/app/preflight/checks.go
View File

@ -488,7 +488,6 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
ServiceCheck{Service: "docker", CheckIfActive: true},
FirewalldCheck{ports: []int{int(cfg.API.Port), 10250}},
PortOpenCheck{port: int(cfg.API.Port)},
PortOpenCheck{port: 8080},
PortOpenCheck{port: 10250},
PortOpenCheck{port: 10251},
PortOpenCheck{port: 10252},