github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-27 05:27:21 +00:00
Code Issues Projects Releases Wiki Activity

kubeadm: Turn off insecure apiserver access on localhost:8080

Browse Source
This commit is contained in:
Lucas Käldström 2017-02-28 17:52:00 +02:00
parent 49d1814b3a
commit 3f592843e6
No known key found for this signature in database
GPG Key ID: 3FA3783D77751514
4 changed files with 35 additions and 22 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

20
cmd/kubeadm/app/master/manifests.go
View File

@ -74,7 +74,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeAPIServerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), Image: images.GetCoreImage(images.KubeAPIServerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getAPIServerCommand(cfg, false), Command: getAPIServerCommand(cfg, false),
VolumeMounts: volumeMounts, VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(8080, "/healthz"), LivenessProbe: componentProbe(6443, "/healthz", api.URISchemeHTTPS),
Resources: componentResources("250m"), Resources: componentResources("250m"),
Env: getProxyEnvVars(), Env: getProxyEnvVars(),
}, volumes...), }, volumes...),
@ -83,7 +83,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getControllerManagerCommand(cfg, false), Command: getControllerManagerCommand(cfg, false),
VolumeMounts: volumeMounts, VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(10252, "/healthz"), LivenessProbe: componentProbe(10252, "/healthz", api.URISchemeHTTP),
Resources: componentResources("200m"), Resources: componentResources("200m"),
Env: getProxyEnvVars(), Env: getProxyEnvVars(),
}, volumes...), }, volumes...),
@ -92,7 +92,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getSchedulerCommand(cfg, false), Command: getSchedulerCommand(cfg, false),
VolumeMounts: []api.VolumeMount{k8sVolumeMount()}, VolumeMounts: []api.VolumeMount{k8sVolumeMount()},
LivenessProbe: componentProbe(10251, "/healthz"), LivenessProbe: componentProbe(10251, "/healthz", api.URISchemeHTTP),
Resources: componentResources("100m"), Resources: componentResources("100m"),
Env: getProxyEnvVars(), Env: getProxyEnvVars(),
}, k8sVolume(cfg)), }, k8sVolume(cfg)),
@ -110,7 +110,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
}, },
VolumeMounts: []api.VolumeMount{certsVolumeMount(), etcdVolumeMount(), k8sVolumeMount()}, VolumeMounts: []api.VolumeMount{certsVolumeMount(), etcdVolumeMount(), k8sVolumeMount()},
Image: images.GetCoreImage(images.KubeEtcdImage, cfg, kubeadmapi.GlobalEnvParams.EtcdImage), Image: images.GetCoreImage(images.KubeEtcdImage, cfg, kubeadmapi.GlobalEnvParams.EtcdImage),
LivenessProbe: componentProbe(2379, "/health"), LivenessProbe: componentProbe(2379, "/health", api.URISchemeHTTP),
}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg)) }, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))
etcdPod.Spec.SecurityContext = &api.PodSecurityContext{ etcdPod.Spec.SecurityContext = &api.PodSecurityContext{
@ -249,13 +249,14 @@ func componentResources(cpu string) api.ResourceRequirements {
} }
} }
func componentProbe(port int, path string) *api.Probe { func componentProbe(port int, path string, scheme api.URIScheme) *api.Probe {
return &api.Probe{ return &api.Probe{
Handler: api.Handler{ Handler: api.Handler{
HTTPGet: &api.HTTPGetAction{ HTTPGet: &api.HTTPGetAction{
Host: "127.0.0.1", Host: "127.0.0.1",
Path: path, Path: path,
Port: intstr.FromInt(port), Port: intstr.FromInt(port),
Scheme: scheme,
}, },
}, },
InitialDelaySeconds: 15, InitialDelaySeconds: 15,
@ -304,7 +305,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
} }
defaultArguments := map[string]string{ defaultArguments := map[string]string{
"insecure-bind-address": "127.0.0.1", "insecure-port": "0",
"admission-control": kubeadmconstants.DefaultAdmissionControl, "admission-control": kubeadmconstants.DefaultAdmissionControl,
"service-cluster-ip-range": cfg.Networking.ServiceSubnet, "service-cluster-ip-range": cfg.Networking.ServiceSubnet,
"service-account-key-file": getCertFilePath(kubeadmconstants.ServiceAccountPublicKeyName), "service-account-key-file": getCertFilePath(kubeadmconstants.ServiceAccountPublicKeyName),
@ -318,7 +319,6 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
"allow-privileged": "true", "allow-privileged": "true",
"storage-backend": "etcd3", "storage-backend": "etcd3",
"kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname", "kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",
// add options to configure the front proxy. Without the generated client cert, this will never be useable // add options to configure the front proxy. Without the generated client cert, this will never be useable
// so add it unconditionally with recommended values // so add it unconditionally with recommended values
"requestheader-username-headers": "X-Remote-User", "requestheader-username-headers": "X-Remote-User",

30
cmd/kubeadm/app/master/manifests_test.go
View File

@ -280,16 +280,23 @@ func TestComponentResources(t *testing.T) {
func TestComponentProbe(t *testing.T) { func TestComponentProbe(t *testing.T) {
var tests = []struct { var tests = []struct {
port int port int
path string path string
scheme api.URIScheme
}{ }{
{ {
port: 1, port: 1,
path: "foo", path: "foo",
scheme: api.URISchemeHTTP,
},
{
port: 2,
path: "bar",
scheme: api.URISchemeHTTPS,
}, },
} }
for _, rt := range tests { for _, rt := range tests {
actual := componentProbe(rt.port, rt.path) actual := componentProbe(rt.port, rt.path, rt.scheme)
if actual.Handler.HTTPGet.Port != intstr.FromInt(rt.port) { if actual.Handler.HTTPGet.Port != intstr.FromInt(rt.port) {
t.Errorf( t.Errorf(
"failed componentProbe:\n\texpected: %v\n\t actual: %v", "failed componentProbe:\n\texpected: %v\n\t actual: %v",
@ -304,6 +311,13 @@ func TestComponentProbe(t *testing.T) {
actual.Handler.HTTPGet.Path, actual.Handler.HTTPGet.Path,
) )
} }
if actual.Handler.HTTPGet.Scheme != rt.scheme {
t.Errorf(
"failed componentProbe:\n\texpected: %v\n\t actual: %v",
rt.scheme,
actual.Handler.HTTPGet.Scheme,
)
}
} }
} }
@ -371,7 +385,7 @@ func TestGetAPIServerCommand(t *testing.T) {
}, },
expected: []string{ expected: []string{
"kube-apiserver", "kube-apiserver",
"--insecure-bind-address=127.0.0.1", "--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds", "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar", "--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub", "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@ -401,7 +415,7 @@ func TestGetAPIServerCommand(t *testing.T) {
}, },
expected: []string{ expected: []string{
"kube-apiserver", "kube-apiserver",
"--insecure-bind-address=127.0.0.1", "--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds", "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar", "--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub", "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@ -433,7 +447,7 @@ func TestGetAPIServerCommand(t *testing.T) {
}, },
expected: []string{ expected: []string{
"kube-apiserver", "kube-apiserver",
"--insecure-bind-address=127.0.0.1", "--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds", "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar", "--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub", "--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",

6
cmd/kubeadm/app/master/selfhosted.go
View File

@ -214,7 +214,7 @@ func getAPIServerDS(cfg *kubeadmapi.MasterConfiguration, volumes []v1.Volume, vo
Command: getAPIServerCommand(cfg, true), Command: getAPIServerCommand(cfg, true),
Env: getSelfHostedAPIServerEnv(), Env: getSelfHostedAPIServerEnv(),
VolumeMounts: volumeMounts, VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(8080, "/healthz"), LivenessProbe: componentProbe(6443, "/healthz", v1.URISchemeHTTPS),
Resources: componentResources("250m"), Resources: componentResources("250m"),
}, },
}, },
@ -264,7 +264,7 @@ func getControllerManagerDeployment(cfg *kubeadmapi.MasterConfiguration, volumes
Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getControllerManagerCommand(cfg, true), Command: getControllerManagerCommand(cfg, true),
VolumeMounts: volumeMounts, VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(10252, "/healthz"), LivenessProbe: componentProbe(10252, "/healthz", v1.URISchemeHTTP),
Resources: componentResources("200m"), Resources: componentResources("200m"),
Env: getProxyEnvVars(), Env: getProxyEnvVars(),
}, },
@ -314,7 +314,7 @@ func getSchedulerDeployment(cfg *kubeadmapi.MasterConfiguration) ext.Deployment
Name: "self-hosted-" + kubeScheduler, Name: "self-hosted-" + kubeScheduler,
Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage), Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getSchedulerCommand(cfg, true), Command: getSchedulerCommand(cfg, true),
LivenessProbe: componentProbe(10251, "/healthz"), LivenessProbe: componentProbe(10251, "/healthz", v1.URISchemeHTTP),
Resources: componentResources("100m"), Resources: componentResources("100m"),
Env: getProxyEnvVars(), Env: getProxyEnvVars(),
}, },

1
cmd/kubeadm/app/preflight/checks.go
View File

@ -488,7 +488,6 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
ServiceCheck{Service: "docker", CheckIfActive: true}, ServiceCheck{Service: "docker", CheckIfActive: true},
FirewalldCheck{ports: []int{int(cfg.API.Port), 10250}}, FirewalldCheck{ports: []int{int(cfg.API.Port), 10250}},
PortOpenCheck{port: int(cfg.API.Port)}, PortOpenCheck{port: int(cfg.API.Port)},
PortOpenCheck{port: 8080},
PortOpenCheck{port: 10250}, PortOpenCheck{port: 10250},
PortOpenCheck{port: 10251}, PortOpenCheck{port: 10251},
PortOpenCheck{port: 10252}, PortOpenCheck{port: 10252},