From 1761031f5f318bf4e32cab636a9f40f17946a22f Mon Sep 17 00:00:00 2001
From: Arun
Date: Sat, 22 Sep 2018 17:30:18 -0700
Subject: [PATCH] Fixes #65869 Do not listen insecurely if secure port is specified

---
 cmd/cloud-controller-manager/app/options/options.go | 4 +++-
 .../app/options/options_test.go | 10 +++++-----
 test/integration/controllermanager/serving_test.go | 4 ++++
 3 files changed, 12 insertions(+), 6 deletions(-)

diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go
index 53268cd179b..5b184105bde 100644
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
@@ -51,6 +51,8 @@ import (
 const (
 	// CloudControllerManagerUserAgent is the userAgent name when starting cloud-controller managers.
 	CloudControllerManagerUserAgent = "cloud-controller-manager"
+	// DefaultInsecureCloudControllerManagerPort is the default insecure cloud-controller manager port.
+	DefaultInsecureCloudControllerManagerPort = 0
 )
 
 // CloudControllerManagerOptions is the main context object for the controller manager.
@@ -74,7 +76,7 @@ type CloudControllerManagerOptions struct {
 
 // NewCloudControllerManagerOptions creates a new ExternalCMServer with a default config.
 func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error) {
-	componentConfig, err := NewDefaultComponentConfig(ports.InsecureCloudControllerManagerPort)
+	componentConfig, err := NewDefaultComponentConfig(DefaultInsecureCloudControllerManagerPort)
 	if err != nil {
 		return nil, err
 	}
diff --git a/cmd/cloud-controller-manager/app/options/options_test.go b/cmd/cloud-controller-manager/app/options/options_test.go
index f0c23807416..8efbc2487fc 100644
--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
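Review bot: The doc comment on the new `DefaultInsecureCloudControllerManagerPort` constant only restates its name; it should say that the value 0 means the plaintext, unauthenticated listener is off unless an operator sets `--port`, since that is the point of the change and the reason the `@@ -74,7` hunk below stops passing `ports.InsecureCloudControllerManagerPort`. Suggested comment: `// DefaultInsecureCloudControllerManagerPort is the default insecure cloud-controller manager port. 0 disables the insecure listener; pass --port explicitly to enable it.` The subject line ("if secure port is specified") also does not match what the hunk does, which is to disable the insecure listener by default regardless of the secure port. Whether `ports` is still referenced elsewhere in options.go after this change is not visible here.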
@@ -37,8 +37,8 @@ func TestDefaultFlags(t *testing.T) {
 
 	expected := &CloudControllerManagerOptions{
 		Generic: &cmoptions.GenericControllerManagerConfigurationOptions{
-			Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port: DefaultInsecureCloudControllerManagerPort, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
 			MinResyncPeriod: metav1.Duration{Duration: 12 * time.Hour},
 			ClientConnection: apimachineryconfig.ClientConnectionConfiguration{
 				ContentType: "application/vnd.kubernetes.protobuf",
@@ -85,7 +85,7 @@ func TestDefaultFlags(t *testing.T) {
 		}).WithLoopback(),
 		InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("0.0.0.0"),
-			BindPort: int(10253),
+			BindPort: int(0),
 			BindNetwork: "tcp",
 		}).WithLoopback(),
 		Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
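Review bot: In the `@@ -85,7` hunk, `BindPort: int(0)` hard-codes the value, while the `Port` expectation in the `@@ -37,8` hunk (and the `@@ -155,8` hunk in TestAddFlags) was switched to the named constant; both expectations should track the same source, `BindPort: int(DefaultInsecureCloudControllerManagerPort),`, so that a later change to the default cannot leave one of them silently asserting a stale value. The `Address` lines in the two `Port` hunks appear unchanged apart from alignment, which is fine.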
@@ -155,8 +155,8 @@ func TestAddFlags(t *testing.T) {
 
 	expected := &CloudControllerManagerOptions{
 		Generic: &cmoptions.GenericControllerManagerConfigurationOptions{
-			Port: 10253, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port: DefaultInsecureCloudControllerManagerPort, // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
 			MinResyncPeriod: metav1.Duration{Duration: 100 * time.Minute},
 			ClientConnection: apimachineryconfig.ClientConnectionConfiguration{
 				ContentType: "application/vnd.kubernetes.protobuf",
diff --git a/test/integration/controllermanager/serving_test.go b/test/integration/controllermanager/serving_test.go
index 10f7c4841fa..d4adbbb858e 100644
--- a/test/integration/controllermanager/serving_test.go
+++ b/test/integration/controllermanager/serving_test.go
@@ -213,11 +213,13 @@ func testControllerManager(t *testing.T, tester controllerManagerTester, kubecon
 		{"no-flags", nil, "/healthz", false, true, nil, nil},
 		{"insecurely /healthz", []string{
 			"--secure-port=0",
+			"--port=10253",
 			"--kubeconfig", kubeconfig,
 			"--leader-elect=false",
 		}, "/healthz", true, false, nil, intPtr(http.StatusOK)},
 		{"insecurely /metrics", []string{
 			"--secure-port=0",
+			"--port=10253",
 			"--kubeconfig", kubeconfig,
 			"--leader-elect=false",
 		}, "/metrics", true, false, nil, intPtr(http.StatusOK)},
@@ -230,6 +232,7 @@ func testControllerManager(t *testing.T, tester controllerManagerTester, kubecon
 			"--kubeconfig", kubeconfig,
 			"--kubeconfig", kubeconfig,
 			"--leader-elect=false",
+			"--port=10253",
 		}, "/metrics", true, false, intPtr(http.StatusForbidden), intPtr(http.StatusOK)},
 		{"authorization skipped for /healthz with authn/authz", []string{
 			"--port=0",
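Review bot: The `@@ -213,11`, `@@ -230,6` and `@@ -254,6` hunks each add a bare `"--port=10253"` with nothing explaining why cases that previously listened on the insecure port by default must now opt in, so a reader of serving_test.go cannot tell whether the flag is essential to the case or incidental. A comment on the first occurrence would settle that, e.g. `// The insecure port now defaults to 0 (off); enable it explicitly so this case exercises the plaintext listener.` The literal is also repeated four times; a single test-local constant (or `ports.InsecureCloudControllerManagerPort`, if that package is imported by this test, which is not visible here) would keep the cases in step with the production default. `testControllerManager` begins and ends outside these hunks.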
@@ -254,6 +257,7 @@ func testControllerManager(t *testing.T, tester controllerManagerTester, kubecon
 			"--leader-elect=false",
 		}, "/metrics", false, false, intPtr(http.StatusForbidden), nil},
 		{"not authorized /metrics with BROKEN authn/authz", []string{
+			"--port=10253",
 			"--authentication-kubeconfig", kubeconfig,
 			"--authorization-kubeconfig", brokenKubeconfig,
 			"--kubeconfig", kubeconfig,