diff --git a/cmd/kubeadm/app/master/manifests.go b/cmd/kubeadm/app/master/manifests.go
index 9ed9a6da318..49fd249d1ed 100644
--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@@ -74,7 +74,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 Image: images.GetCoreImage(images.KubeAPIServerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 Command: getAPIServerCommand(cfg, false),
 VolumeMounts: volumeMounts,
- LivenessProbe: componentProbe(8080, "/healthz"),
+ LivenessProbe: componentProbe(6443, "/healthz", api.URISchemeHTTPS),
 Resources: componentResources("250m"),
 Env: getProxyEnvVars(),
 }, volumes...),
@@ -83,7 +83,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 Command: getControllerManagerCommand(cfg, false),
 VolumeMounts: volumeMounts,
- LivenessProbe: componentProbe(10252, "/healthz"),
+ LivenessProbe: componentProbe(10252, "/healthz", api.URISchemeHTTP),
 Resources: componentResources("200m"),
 Env: getProxyEnvVars(),
 }, volumes...),
@@ -92,7 +92,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 Command: getSchedulerCommand(cfg, false),
 VolumeMounts: []api.VolumeMount{k8sVolumeMount()},
- LivenessProbe: componentProbe(10251, "/healthz"),
+ LivenessProbe: componentProbe(10251, "/healthz", api.URISchemeHTTP),
 Resources: componentResources("100m"),
 Env: getProxyEnvVars(),
 }, k8sVolume(cfg)),
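Review bot: The apiserver liveness probe is pinned to port 6443 while the rest of kubeadm treats the secure port as configurable — checks.go in this same diff uses `int(cfg.API.Port)` for the firewall and port-open checks. If a user configures a non-default API port, the probe gets connection refused and the kubelet restarts the apiserver in a loop. Use the configured value here, `LivenessProbe: componentProbe(int(cfg.API.Port), "/healthz", api.URISchemeHTTPS),`, and the same in selfhosted.go's getAPIServerDS hunk with `v1.URISchemeHTTPS`. The probe on the secure port is also unauthenticated, so it presumably relies on anonymous requests being permitted to reach /healthz; worth confirming against the apiserver's authn/authz flags. WriteStaticPodManifests begins and ends outside this hunk.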
@@ -110,7 +110,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 },
 VolumeMounts: []api.VolumeMount{certsVolumeMount(), etcdVolumeMount(), k8sVolumeMount()},
 Image: images.GetCoreImage(images.KubeEtcdImage, cfg, kubeadmapi.GlobalEnvParams.EtcdImage),
- LivenessProbe: componentProbe(2379, "/health"),
+ LivenessProbe: componentProbe(2379, "/health", api.URISchemeHTTP),
 }, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))
 
 etcdPod.Spec.SecurityContext = &api.PodSecurityContext{
@@ -249,13 +249,14 @@ func componentResources(cpu string) api.ResourceRequirements {
 }
 }
 
-func componentProbe(port int, path string) *api.Probe {
+func componentProbe(port int, path string, scheme api.URIScheme) *api.Probe {
 return &api.Probe{
 Handler: api.Handler{
 HTTPGet: &api.HTTPGetAction{
- Host: "127.0.0.1",
- Path: path,
- Port: intstr.FromInt(port),
+ Host: "127.0.0.1",
+ Path: path,
+ Port: intstr.FromInt(port),
+ Scheme: scheme,
 },
 },
 InitialDelaySeconds: 15,
@@ -304,7 +305,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 }
 
 defaultArguments := map[string]string{
- "insecure-bind-address": "127.0.0.1",
+ "insecure-port": "0",
 "admission-control": kubeadmconstants.DefaultAdmissionControl,
 "service-cluster-ip-range": cfg.Networking.ServiceSubnet,
 "service-account-key-file": getCertFilePath(kubeadmconstants.ServiceAccountPublicKeyName),
@@ -318,7 +319,6 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 "allow-privileged": "true",
 "storage-backend": "etcd3",
 "kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",
-
 // add options to configure the front proxy. Without the generated client cert, this will never be useable
 // so add it unconditionally with recommended values
 "requestheader-username-headers": "X-Remote-User",
diff --git a/cmd/kubeadm/app/master/manifests_test.go b/cmd/kubeadm/app/master/manifests_test.go
index 2f471738209..05f450bc441 100644
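Review bot: componentProbe gains a scheme parameter but still has no doc comment, and a caller passing the zero-value URIScheme gets a plain-text probe because an empty Scheme is treated as HTTP by the API, so the contract is worth stating. Add `// componentProbe returns a liveness probe that GETs path on 127.0.0.1:port over scheme (api.URISchemeHTTP or api.URISchemeHTTPS); pass the HTTPS scheme for any component whose health endpoint is only served on its secure port.` above the signature. The function body continues past the end of the hunk.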
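Review bot: Setting `insecure-port` to 0 removes the unauthenticated localhost listener, but nothing in this hunk shows how the other control-plane components reach the apiserver; if getControllerManagerCommand or getSchedulerCommand (outside this diff) still default to `--master=http://127.0.0.1:8080`, they lose connectivity once this lands. Worth confirming both use a kubeconfig against the secure port, and that no other code path assumes port 8080 is open. Since the old `insecure-bind-address` key disappears without explanation, add `// insecure-port 0 disables the unauthenticated localhost listener; every client must use the secure port.` above the new entry. getAPIServerCommand begins and ends outside this hunk.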
--- a/cmd/kubeadm/app/master/manifests_test.go
+++ b/cmd/kubeadm/app/master/manifests_test.go
@@ -280,16 +280,23 @@ func TestComponentResources(t *testing.T) {
 
 func TestComponentProbe(t *testing.T) {
 var tests = []struct {
- port int
- path string
+ port int
+ path string
+ scheme api.URIScheme
 }{
 {
- port: 1,
- path: "foo",
+ port: 1,
+ path: "foo",
+ scheme: api.URISchemeHTTP,
+ },
+ {
+ port: 2,
+ path: "bar",
+ scheme: api.URISchemeHTTPS,
 },
 }
 for _, rt := range tests {
- actual := componentProbe(rt.port, rt.path)
+ actual := componentProbe(rt.port, rt.path, rt.scheme)
 if actual.Handler.HTTPGet.Port != intstr.FromInt(rt.port) {
 t.Errorf(
 "failed componentProbe:\n\texpected: %v\n\t actual: %v",
@@ -304,6 +311,13 @@ func TestComponentProbe(t *testing.T) {
 actual.Handler.HTTPGet.Path,
 )
 }
+ if actual.Handler.HTTPGet.Scheme != rt.scheme {
+ t.Errorf(
+ "failed componentProbe:\n\texpected: %v\n\t actual: %v",
+ rt.scheme,
+ actual.Handler.HTTPGet.Scheme,
+ )
+ }
 }
 }
 
@@ -371,7 +385,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 },
 expected: []string{
 "kube-apiserver",
- "--insecure-bind-address=127.0.0.1",
+ "--insecure-port=0",
 "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@@ -401,7 +415,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 },
 expected: []string{
 "kube-apiserver",
- "--insecure-bind-address=127.0.0.1",
+ "--insecure-port=0",
 "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@@ -433,7 +447,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 },
 expected: []string{
 "kube-apiserver",
- "--insecure-bind-address=127.0.0.1",
+ "--insecure-port=0",
 "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 "--service-cluster-ip-range=bar",
 "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
diff --git a/cmd/kubeadm/app/master/selfhosted.go b/cmd/kubeadm/app/master/selfhosted.go
index 62f6031eee9..8eb9400d4c4 100644
--- a/cmd/kubeadm/app/master/selfhosted.go
+++ b/cmd/kubeadm/app/master/selfhosted.go
@@ -214,7 +214,7 @@ func getAPIServerDS(cfg *kubeadmapi.MasterConfiguration, volumes []v1.Volume, vo
 Command: getAPIServerCommand(cfg, true),
 Env: getSelfHostedAPIServerEnv(),
 VolumeMounts: volumeMounts,
- LivenessProbe: componentProbe(8080, "/healthz"),
+ LivenessProbe: componentProbe(6443, "/healthz", v1.URISchemeHTTPS),
 Resources: componentResources("250m"),
 },
 },
@@ -264,7 +264,7 @@ func getControllerManagerDeployment(cfg *kubeadmapi.MasterConfiguration, volumes
 Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 Command: getControllerManagerCommand(cfg, true),
 VolumeMounts: volumeMounts,
- LivenessProbe: componentProbe(10252, "/healthz"),
+ LivenessProbe: componentProbe(10252, "/healthz", v1.URISchemeHTTP),
 Resources: componentResources("200m"),
 Env: getProxyEnvVars(),
 },
@@ -314,7 +314,7 @@ func getSchedulerDeployment(cfg *kubeadmapi.MasterConfiguration) ext.Deployment
 Name: "self-hosted-" + kubeScheduler,
 Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 Command: getSchedulerCommand(cfg, true),
- LivenessProbe: componentProbe(10251, "/healthz"),
+ LivenessProbe: componentProbe(10251, "/healthz", v1.URISchemeHTTP),
 Resources: componentResources("100m"),
 Env: getProxyEnvVars(),
 },
diff --git a/cmd/kubeadm/app/preflight/checks.go b/cmd/kubeadm/app/preflight/checks.go
index 3c88a519ce0..ac4a906a3d8 100644
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@@ -488,7 +488,6 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 ServiceCheck{Service: "docker", CheckIfActive: true},
 FirewalldCheck{ports: []int{int(cfg.API.Port), 10250}},
 PortOpenCheck{port: int(cfg.API.Port)},
- PortOpenCheck{port: 8080},
 PortOpenCheck{port: 10250},
 PortOpenCheck{port: 10251},
 PortOpenCheck{port: 10252},