kube-controller-manager: enable secure loopback

Dr. Stefan Schimanski 2018-08-07 11:14:45 +02:00
parent 5fa8b4b2ae
commit 4cc3b2e6bb
3 changed files with 17 additions and 11 deletions


@ -29,6 +29,9 @@ type Config struct {
ComponentConfig componentconfig.KubeControllerManagerConfiguration ComponentConfig componentconfig.KubeControllerManagerConfiguration
SecureServing *apiserver.SecureServingInfo SecureServing *apiserver.SecureServingInfo
// LoopbackClientConfig is a config for a privileged loopback connection
LoopbackClientConfig *restclient.Config
// TODO: remove deprecated insecure serving // TODO: remove deprecated insecure serving
InsecureServing *apiserver.DeprecatedInsecureServingInfo InsecureServing *apiserver.DeprecatedInsecureServingInfo
Authentication apiserver.AuthenticationInfo Authentication apiserver.AuthenticationInfo
@ -60,5 +63,8 @@ type CompletedConfig struct {
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver. // Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (c *Config) Complete() *CompletedConfig { func (c *Config) Complete() *CompletedConfig {
cc := completedConfig{c} cc := completedConfig{c}
apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
return &CompletedConfig{&cc} return &CompletedConfig{&cc}
} }
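Review bot: The new `AuthorizeClientBearerToken` call makes `Complete()` mutate `c.Authentication` and `c.Authorization` so that the loopback client's bearer token is accepted as a privileged caller, but neither the `Complete` doc comment nor the `LoopbackClientConfig` field comment says so. Whether `LoopbackClientConfig` can still be nil here (for example when neither serving option produced one) is not visible in this hunk; if the helper does not tolerate nil, a guard is needed before the call. I would extend the field comment on the first hunk to `// LoopbackClientConfig is a config for a privileged loopback connection; its bearer token is authorized by Complete()` and add above the call `// Trust the loopback bearer token in the in-process authenticator/authorizer.`. The `Config` struct on the first hunk continues outside the visible lines.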


@ -83,9 +83,9 @@ type KubeControllerManagerOptions struct {
Controllers []string Controllers []string
ExternalCloudVolumePlugin string ExternalCloudVolumePlugin string
SecureServing *apiserveroptions.SecureServingOptions SecureServing *apiserveroptions.SecureServingOptionsWithLoopback
// TODO: remove insecure serving mode // TODO: remove insecure serving mode
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions InsecureServing *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
Authentication *apiserveroptions.DelegatingAuthenticationOptions Authentication *apiserveroptions.DelegatingAuthenticationOptions
Authorization *apiserveroptions.DelegatingAuthorizationOptions Authorization *apiserveroptions.DelegatingAuthorizationOptions
@ -179,12 +179,12 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs, ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
}, },
Controllers: componentConfig.Controllers, Controllers: componentConfig.Controllers,
SecureServing: apiserveroptions.NewSecureServingOptions(), SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(),
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address), BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
BindPort: int(componentConfig.KubeCloudShared.Port), BindPort: int(componentConfig.KubeCloudShared.Port),
BindNetwork: "tcp", BindNetwork: "tcp",
}, }).WithLoopback(),
Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(), Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(), Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
} }
@ -347,10 +347,10 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil { if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
return err return err
} }
if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil { if err := s.InsecureServing.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
return err return err
} }
if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil { if err := s.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
return err return err
} }
if s.SecureServing.BindPort != 0 || s.SecureServing.Listener != nil { if s.SecureServing.BindPort != 0 || s.SecureServing.Listener != nil {
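Review bot: In the last hunk both `s.InsecureServing.ApplyTo` and `s.SecureServing.ApplyTo` are handed `&c.LoopbackClientConfig`, so when both listeners are enabled the second call silently overwrites whatever the first one wrote, and the precedence (secure loopback wins) is only an accident of statement order. That matters because the loopback config is what `Complete()` later authorizes as a privileged client; a future reorder would quietly change which endpoint and transport the controller manager trusts for its own loopback calls. I would pin the intent with a comment before the `SecureServing.ApplyTo` line: `// Applied after InsecureServing on purpose: a secure loopback config must take precedence over the deprecated insecure one.`. `ApplyTo` starts and ends outside this hunk.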


@ -250,7 +250,7 @@ func TestAddFlags(t *testing.T) {
ConcurrentServiceSyncs: 2, ConcurrentServiceSyncs: 2,
}, },
Controllers: []string{"foo", "bar"}, Controllers: []string{"foo", "bar"},
SecureServing: &apiserveroptions.SecureServingOptions{ SecureServing: (&apiserveroptions.SecureServingOptions{
BindPort: 10001, BindPort: 10001,
BindAddress: net.ParseIP("192.168.4.21"), BindAddress: net.ParseIP("192.168.4.21"),
ServerCert: apiserveroptions.GeneratableKeyCert{ ServerCert: apiserveroptions.GeneratableKeyCert{
@ -258,12 +258,12 @@ func TestAddFlags(t *testing.T) {
PairName: "kube-controller-manager", PairName: "kube-controller-manager",
}, },
HTTP2MaxStreamsPerConnection: 47, HTTP2MaxStreamsPerConnection: 47,
}, }).WithLoopback(),
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("192.168.4.10"), BindAddress: net.ParseIP("192.168.4.10"),
BindPort: int(10000), BindPort: int(10000),
BindNetwork: "tcp", BindNetwork: "tcp",
}, }).WithLoopback(),
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{ Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second, CacheTTL: 10 * time.Second,
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},