kube-controller-manager: enable secure loopback
This commit is contained in:
parent
5fa8b4b2ae
commit
4cc3b2e6bb
@ -29,6 +29,9 @@ type Config struct {
|
|||||||
ComponentConfig componentconfig.KubeControllerManagerConfiguration
|
ComponentConfig componentconfig.KubeControllerManagerConfiguration
|
||||||
|
|
||||||
SecureServing *apiserver.SecureServingInfo
|
SecureServing *apiserver.SecureServingInfo
|
||||||
|
// LoopbackClientConfig is a config for a privileged loopback connection
|
||||||
|
LoopbackClientConfig *restclient.Config
|
||||||
|
|
||||||
// TODO: remove deprecated insecure serving
|
// TODO: remove deprecated insecure serving
|
||||||
InsecureServing *apiserver.DeprecatedInsecureServingInfo
|
InsecureServing *apiserver.DeprecatedInsecureServingInfo
|
||||||
Authentication apiserver.AuthenticationInfo
|
Authentication apiserver.AuthenticationInfo
|
||||||
@ -60,5 +63,8 @@ type CompletedConfig struct {
|
|||||||
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
|
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
|
||||||
func (c *Config) Complete() *CompletedConfig {
|
func (c *Config) Complete() *CompletedConfig {
|
||||||
cc := completedConfig{c}
|
cc := completedConfig{c}
|
||||||
|
|
||||||
|
apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
|
||||||
|
|
||||||
return &CompletedConfig{&cc}
|
return &CompletedConfig{&cc}
|
||||||
}
|
}
|
||||||
|
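Review bot: The new `LoopbackClientConfig` field is documented only as "a config for a privileged loopback connection", while `Complete()` now passes it to `apiserver.AuthorizeClientBearerToken` together with `&c.Authentication` and `&c.Authorization`, which by its name and arguments registers the config's bearer token with the controller manager's own authn/authz so the token is accepted as a privileged caller. That makes the field a credential rather than plain client settings, and the doc comment should say so: `// LoopbackClientConfig is a config for a privileged loopback connection. Complete() authorizes its bearer token as a privileged user, so this config must not be logged, echoed in user-facing output, or handed to untrusted code.` The call in `Complete()` is also unconditional; if the helper does not itself tolerate a nil `LoopbackClientConfig` or a zero-value `Authentication`/`Authorization` (neither serving `ApplyTo` may have populated them), a nil guard before the call would be safer. The `Config` struct begins before the first hunk, so its remaining fields are outside this view.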
@ -83,9 +83,9 @@ type KubeControllerManagerOptions struct {
|
|||||||
Controllers []string
|
Controllers []string
|
||||||
ExternalCloudVolumePlugin string
|
ExternalCloudVolumePlugin string
|
||||||
|
|
||||||
SecureServing *apiserveroptions.SecureServingOptions
|
SecureServing *apiserveroptions.SecureServingOptionsWithLoopback
|
||||||
// TODO: remove insecure serving mode
|
// TODO: remove insecure serving mode
|
||||||
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
|
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
|
||||||
Authentication *apiserveroptions.DelegatingAuthenticationOptions
|
Authentication *apiserveroptions.DelegatingAuthenticationOptions
|
||||||
Authorization *apiserveroptions.DelegatingAuthorizationOptions
|
Authorization *apiserveroptions.DelegatingAuthorizationOptions
|
||||||
|
|
||||||
@ -179,12 +179,12 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
|
|||||||
ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
|
ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
|
||||||
},
|
},
|
||||||
Controllers: componentConfig.Controllers,
|
Controllers: componentConfig.Controllers,
|
||||||
SecureServing: apiserveroptions.NewSecureServingOptions(),
|
SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(),
|
||||||
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
|
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||||
BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
|
BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
|
||||||
BindPort: int(componentConfig.KubeCloudShared.Port),
|
BindPort: int(componentConfig.KubeCloudShared.Port),
|
||||||
BindNetwork: "tcp",
|
BindNetwork: "tcp",
|
||||||
},
|
}).WithLoopback(),
|
||||||
Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
|
Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
|
||||||
Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
|
Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
|
||||||
}
|
}
|
||||||
@ -347,10 +347,10 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
|
|||||||
if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
|
if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
|
if err := s.InsecureServing.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
|
if err := s.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if s.SecureServing.BindPort != 0 || s.SecureServing.Listener != nil {
|
if s.SecureServing.BindPort != 0 || s.SecureServing.Listener != nil {
|
||||||
|
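Review bot: In `ApplyTo`, both `s.InsecureServing.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig)` and `s.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig)` write the same `c.LoopbackClientConfig`, so which loopback config survives is decided by statement order: assuming the WithLoopback helpers assign whenever their listener is enabled, the secure one wins when both listeners are configured and the insecure one remains only when secure serving is off. That precedence is security-relevant — the insecure loopback would carry the privileged bearer token over plaintext HTTP to localhost — yet nothing in the code marks it as intentional. A comment above the secure call such as `// SecureServing.ApplyTo runs last so that, when both listeners are enabled, its TLS loopback config takes precedence over the insecure one.` would record the decision, and a log line when the insecure loopback is the one left in effect would make the fallback visible to operators. `ApplyTo` starts and ends outside this hunk.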
@ -250,7 +250,7 @@ func TestAddFlags(t *testing.T) {
|
|||||||
ConcurrentServiceSyncs: 2,
|
ConcurrentServiceSyncs: 2,
|
||||||
},
|
},
|
||||||
Controllers: []string{"foo", "bar"},
|
Controllers: []string{"foo", "bar"},
|
||||||
SecureServing: &apiserveroptions.SecureServingOptions{
|
SecureServing: (&apiserveroptions.SecureServingOptions{
|
||||||
BindPort: 10001,
|
BindPort: 10001,
|
||||||
BindAddress: net.ParseIP("192.168.4.21"),
|
BindAddress: net.ParseIP("192.168.4.21"),
|
||||||
ServerCert: apiserveroptions.GeneratableKeyCert{
|
ServerCert: apiserveroptions.GeneratableKeyCert{
|
||||||
@ -258,12 +258,12 @@ func TestAddFlags(t *testing.T) {
|
|||||||
PairName: "kube-controller-manager",
|
PairName: "kube-controller-manager",
|
||||||
},
|
},
|
||||||
HTTP2MaxStreamsPerConnection: 47,
|
HTTP2MaxStreamsPerConnection: 47,
|
||||||
},
|
}).WithLoopback(),
|
||||||
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
|
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||||
BindAddress: net.ParseIP("192.168.4.10"),
|
BindAddress: net.ParseIP("192.168.4.10"),
|
||||||
BindPort: int(10000),
|
BindPort: int(10000),
|
||||||
BindNetwork: "tcp",
|
BindNetwork: "tcp",
|
||||||
},
|
}).WithLoopback(),
|
||||||
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
|
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
|
||||||
CacheTTL: 10 * time.Second,
|
CacheTTL: 10 * time.Second,
|
||||||
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
|
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
|
||||||
|