Merge pull request #34719 from errordeveloper/api-and-disco-ports

Automatic merge from submit-queue Add flags for alternative API and discovery ports **What this PR does / why we need it**: We had many issues reported due to the fact that we are using port 443 by default, and we should allow users to override whatever defaults we pick. This doesn't touch on `localhost:8080` yet, which should just generally get rid of. **Which issue this PR fixes**: fixes #34311 #34307 #33638 **Special notes for your reviewer**: cc @pires **Release note**: ```release-note Add `kubeadm` flags `--api-port` and `--discovery-port`, change default API port to 6443 ```
2025-09-28 21:55:48 +00:00 · 2016-10-17 05:54:38 -07:00
parent c4f509e65d 6f57775669
commit 714f816a34
13 changed files with 159 additions and 108 deletions
--- a/cmd/kubeadm/app/apis/kubeadm/defaults.go
+++ b/cmd/kubeadm/app/apis/kubeadm/defaults.go
@@ -20,4 +20,6 @@ const (
 	DefaultServiceDNSDomain  = "cluster.local"
 	DefaultServicesSubnet    = "10.12.0.0/12"
 	DefaultKubernetesVersion = "v1.4.1"
+	DefaultAPIBindPort       = 6443
+	DefaultDiscoveryBindPort = 9898
 )
--- a/cmd/kubeadm/app/apis/kubeadm/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/types.go
@@ -23,6 +23,7 @@ type MasterConfiguration struct {

 	Secrets           Secrets
 	API               API
+	Discovery         Discovery
 	Etcd              Etcd
 	Networking        Networking
 	KubernetesVersion string
@@ -32,6 +33,11 @@ type MasterConfiguration struct {
 type API struct {
 	AdvertiseAddresses []string
 	ExternalDNSNames   []string
+	BindPort           int32
+}
+
+type Discovery struct {
+	BindPort int32
 }

 type Networking struct {
@@ -59,6 +65,8 @@ type NodeConfiguration struct {

 	MasterAddresses []string
 	Secrets         Secrets
+	APIPort         int32
+	DiscoveryPort   int32
 }

 // ClusterInfo TODO add description
--- a/cmd/kubeadm/app/apis/kubeadm/v1alpha1/types.go
+++ b/cmd/kubeadm/app/apis/kubeadm/v1alpha1/types.go
@@ -24,6 +24,7 @@ type MasterConfiguration struct {
 	Secrets           Secrets    `json:"secrets"`
 	API               API        `json:"api"`
 	Etcd              Etcd       `json:"etcd"`
+	Discovery         Discovery  `json:"discovery"`
 	Networking        Networking `json:"networking"`
 	KubernetesVersion string     `json:"kubernetesVersion"`
 	CloudProvider     string     `json:"cloudProvider"`
@@ -32,6 +33,11 @@ type MasterConfiguration struct {
 type API struct {
 	AdvertiseAddresses []string `json:"advertiseAddresses"`
 	ExternalDNSNames   []string `json:"externalDNSNames"`
+	BindPort           int32    `json:"bindPort"`
+}
+
+type Discovery struct {
+	BindPort int32 `json:"bindPort"`
 }

 type Networking struct {
@@ -59,6 +65,8 @@ type NodeConfiguration struct {

 	MasterAddresses []string `json:"masterAddresses"`
 	Secrets         Secrets  `json:"secrets"`
+	APIPort         int32    `json:"apiPort"`
+	DiscoveryPort   int32    `json:"discoveryPort"`
 }

 // ClusterInfo TODO add description
--- a/cmd/kubeadm/app/cmd/init.go
+++ b/cmd/kubeadm/app/cmd/init.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"strings"

 	"github.com/renstrom/dedent"
 	"github.com/spf13/cobra"
@@ -41,7 +42,7 @@ var (

 		You can now join any number of machines by running the following on each node:

-		kubeadm join --token %s %s
+		kubeadm join %s
 		`)
 )

@@ -126,6 +127,16 @@ func NewCmdInit(out io.Writer) *cobra.Command {
 		"skip preflight checks normally run before modifying the system",
 	)

+	cmd.PersistentFlags().Int32Var(
+		&cfg.API.BindPort, "api-port", kubeadmapi.DefaultAPIBindPort,
+		"Port for API to bind to",
+	)
+
+	cmd.PersistentFlags().Int32Var(
+		&cfg.Discovery.BindPort, "discovery-port", kubeadmapi.DefaultDiscoveryBindPort,
+		"Port for JWS discovery service to bind to",
+	)
+
 	return cmd
 }

@@ -146,7 +157,7 @@ func NewInit(cfgPath string, cfg *kubeadmapi.MasterConfiguration, skipPreFlight

 	if !skipPreFlight {
 		fmt.Println("Running pre-flight checks")
-		err := preflight.RunInitMasterChecks()
+		err := preflight.RunInitMasterChecks(cfg)
 		if err != nil {
 			return nil, &preflight.PreFlightError{Msg: err.Error()}
 		}
@@ -190,7 +201,7 @@ func (i *Init) Run(out io.Writer) error {
 		return err
 	}

-	kubeconfigs, err := kubemaster.CreateCertsAndConfigForClients(i.cfg.API.AdvertiseAddresses, []string{"kubelet", "admin"}, caKey, caCert)
+	kubeconfigs, err := kubemaster.CreateCertsAndConfigForClients(i.cfg.API, []string{"kubelet", "admin"}, caKey, caCert)
 	if err != nil {
 		return err
 	}
@@ -228,11 +239,16 @@ func (i *Init) Run(out io.Writer) error {
 		return err
 	}

-	// TODO(phase1+) use templates to reference struct fields directly as order of args is fragile
-	fmt.Fprintf(out, initDoneMsgf,
-		i.cfg.Secrets.GivenToken,
-		i.cfg.API.AdvertiseAddresses[0],
-	)
+	// TODO(phase1+) we could probably use templates for this logic, and reference struct fields directly etc
+	joinArgs := []string{fmt.Sprintf("--token=%s", i.cfg.Secrets.GivenToken)}
+	if i.cfg.API.BindPort != kubeadmapi.DefaultAPIBindPort {
+		joinArgs = append(joinArgs, fmt.Sprintf("--api-port=%d", i.cfg.API.BindPort))
+	}
+	if i.cfg.Discovery.BindPort != kubeadmapi.DefaultDiscoveryBindPort {
+		joinArgs = append(joinArgs, fmt.Sprintf("--discovery-port=%d", i.cfg.Discovery.BindPort))
+	}
+	joinArgs = append(joinArgs, i.cfg.API.AdvertiseAddresses[0])
+	fmt.Fprintf(out, initDoneMsgf, strings.Join(joinArgs, " "))

 	return nil
 }
--- a/cmd/kubeadm/app/cmd/join.go
+++ b/cmd/kubeadm/app/cmd/join.go
@@ -70,6 +70,16 @@ func NewCmdJoin(out io.Writer) *cobra.Command {
 		"skip preflight checks normally run before modifying the system",
 	)

+	cmd.PersistentFlags().Int32Var(
+		&cfg.APIPort, "api-port", kubeadmapi.DefaultAPIBindPort,
+		"(optional) API server port on the master",
+	)
+
+	cmd.PersistentFlags().Int32Var(
+		&cfg.DiscoveryPort, "discovery-port", kubeadmapi.DefaultDiscoveryBindPort,
+		"(optional) Discovery port on the master",
+	)
+
 	return cmd
 }

--- a/cmd/kubeadm/app/master/addons.go
+++ b/cmd/kubeadm/app/master/addons.go
@@ -32,7 +32,7 @@ import (
 )

 // TODO(phase1+): kube-proxy should be a daemonset, three different daemonsets should not be here
-func createKubeProxyPodSpec(s *kubeadmapi.MasterConfiguration, architecture string) api.PodSpec {
+func createKubeProxyPodSpec(cfg *kubeadmapi.MasterConfiguration, architecture string) api.PodSpec {
 	envParams := kubeadmapi.GetEnvParams()
 	privilegedTrue := true
 	return api.PodSpec{
@@ -42,8 +42,8 @@ func createKubeProxyPodSpec(s *kubeadmapi.MasterConfiguration, architecture stri
 		},
 		Containers: []api.Container{{
 			Name:            kubeProxy,
-			Image:           images.GetCoreImage(images.KubeProxyImage, s, envParams["hyperkube_image"]),
-			Command:         append(getComponentCommand("proxy", s), "--kubeconfig=/run/kubeconfig"),
+			Image:           images.GetCoreImage(images.KubeProxyImage, cfg, envParams["hyperkube_image"]),
+			Command:         append(getComponentCommand("proxy", cfg), "--kubeconfig=/run/kubeconfig"),
 			SecurityContext: &api.SecurityContext{Privileged: &privilegedTrue},
 			VolumeMounts: []api.VolumeMount{
 				{
@@ -85,7 +85,7 @@ func createKubeProxyPodSpec(s *kubeadmapi.MasterConfiguration, architecture stri
 	}
 }

-func createKubeDNSPodSpec(s *kubeadmapi.MasterConfiguration) api.PodSpec {
+func createKubeDNSPodSpec(cfg *kubeadmapi.MasterConfiguration) api.PodSpec {

 	dnsPodResources := api.ResourceList{
 		api.ResourceName(api.ResourceCPU):    resource.MustParse("100m"),
@@ -100,7 +100,7 @@ func createKubeDNSPodSpec(s *kubeadmapi.MasterConfiguration) api.PodSpec {
 	kubeDNSPort := int32(10053)
 	dnsmasqPort := int32(53)

-	nslookup := fmt.Sprintf("nslookup kubernetes.default.svc.%s 127.0.0.1", s.Networking.DNSDomain)
+	nslookup := fmt.Sprintf("nslookup kubernetes.default.svc.%s 127.0.0.1", cfg.Networking.DNSDomain)

 	nslookup = fmt.Sprintf("-cmd=%s:%d >/dev/null && %s:%d >/dev/null",
 		nslookup, dnsmasqPort,
@@ -121,7 +121,7 @@ func createKubeDNSPodSpec(s *kubeadmapi.MasterConfiguration) api.PodSpec {
 					Requests: dnsPodResources,
 				},
 				Args: []string{
-					fmt.Sprintf("--domain=%s", s.Networking.DNSDomain),
+					fmt.Sprintf("--domain=%s", cfg.Networking.DNSDomain),
 					fmt.Sprintf("--dns-port=%d", kubeDNSPort),
 					// TODO __PILLAR__FEDERATIONS__DOMAIN__MAP__
 				},
@@ -214,14 +214,14 @@ func createKubeDNSPodSpec(s *kubeadmapi.MasterConfiguration) api.PodSpec {

 }

-func createKubeDNSServiceSpec(s *kubeadmapi.MasterConfiguration) (*api.ServiceSpec, error) {
-	_, n, err := net.ParseCIDR(s.Networking.ServiceSubnet)
+func createKubeDNSServiceSpec(cfg *kubeadmapi.MasterConfiguration) (*api.ServiceSpec, error) {
+	_, n, err := net.ParseCIDR(cfg.Networking.ServiceSubnet)
 	if err != nil {
-		return nil, fmt.Errorf("could not parse %q: %v", s.Networking.ServiceSubnet, err)
+		return nil, fmt.Errorf("could not parse %q: %v", cfg.Networking.ServiceSubnet, err)
 	}
 	ip, err := ipallocator.GetIndexedIP(n, 10)
 	if err != nil {
-		return nil, fmt.Errorf("unable to allocate IP address for kube-dns addon from the given CIDR (%q) [%v]", s.Networking.ServiceSubnet, err)
+		return nil, fmt.Errorf("unable to allocate IP address for kube-dns addon from the given CIDR (%q) [%v]", cfg.Networking.ServiceSubnet, err)
 	}

 	svc := &api.ServiceSpec{
@@ -236,11 +236,11 @@ func createKubeDNSServiceSpec(s *kubeadmapi.MasterConfiguration) (*api.ServiceSp
 	return svc, nil
 }

-func CreateEssentialAddons(s *kubeadmapi.MasterConfiguration, client *clientset.Clientset) error {
+func CreateEssentialAddons(cfg *kubeadmapi.MasterConfiguration, client *clientset.Clientset) error {
 	arches := [3]string{"amd64", "arm", "arm64"}

 	for _, arch := range arches {
-		kubeProxyDaemonSet := NewDaemonSet(kubeProxy+"-"+arch, createKubeProxyPodSpec(s, arch))
+		kubeProxyDaemonSet := NewDaemonSet(kubeProxy+"-"+arch, createKubeProxyPodSpec(cfg, arch))
 		SetMasterTaintTolerations(&kubeProxyDaemonSet.Spec.Template.ObjectMeta)

 		if _, err := client.Extensions().DaemonSets(api.NamespaceSystem).Create(kubeProxyDaemonSet); err != nil {
@@ -250,14 +250,14 @@ func CreateEssentialAddons(s *kubeadmapi.MasterConfiguration, client *clientset.

 	fmt.Println("<master/addons> created essential addon: kube-proxy")

-	kubeDNSDeployment := NewDeployment("kube-dns", 1, createKubeDNSPodSpec(s))
+	kubeDNSDeployment := NewDeployment("kube-dns", 1, createKubeDNSPodSpec(cfg))
 	SetMasterTaintTolerations(&kubeDNSDeployment.Spec.Template.ObjectMeta)

 	if _, err := client.Extensions().Deployments(api.NamespaceSystem).Create(kubeDNSDeployment); err != nil {
 		return fmt.Errorf("<master/addons> failed creating essential kube-dns addon [%v]", err)
 	}

-	kubeDNSServiceSpec, err := createKubeDNSServiceSpec(s)
+	kubeDNSServiceSpec, err := createKubeDNSServiceSpec(cfg)
 	if err != nil {
 		return fmt.Errorf("<master/addons> failed creating essential kube-dns addon - %v", err)
 	}
--- a/cmd/kubeadm/app/master/discovery.go
+++ b/cmd/kubeadm/app/master/discovery.go
@@ -40,18 +40,18 @@ const (
 	kubeDiscoverySecretName = "clusterinfo"
 )

-func encodeKubeDiscoverySecretData(s *kubeadmapi.MasterConfiguration, caCert *x509.Certificate) map[string][]byte {
+func encodeKubeDiscoverySecretData(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certificate) map[string][]byte {
 	var (
 		data         = map[string][]byte{}
 		endpointList = []string{}
 		tokenMap     = map[string]string{}
 	)

-	for _, addr := range s.API.AdvertiseAddresses {
-		endpointList = append(endpointList, fmt.Sprintf("https://%s:443", addr))
+	for _, addr := range cfg.API.AdvertiseAddresses {
+		endpointList = append(endpointList, fmt.Sprintf("https://%s:%d", addr, cfg.API.BindPort))
 	}

-	tokenMap[s.Secrets.TokenID] = s.Secrets.BearerToken
+	tokenMap[cfg.Secrets.TokenID] = cfg.Secrets.BearerToken

 	data["endpoint-list.json"], _ = json.Marshal(endpointList)
 	data["token-map.json"], _ = json.Marshal(tokenMap)
@@ -60,7 +60,7 @@ func encodeKubeDiscoverySecretData(s *kubeadmapi.MasterConfiguration, caCert *x5
 	return data
 }

-func newKubeDiscoveryPodSpec() api.PodSpec {
+func newKubeDiscoveryPodSpec(cfg *kubeadmapi.MasterConfiguration) api.PodSpec {
 	envParams := kubeadmapi.GetEnvParams()
 	return api.PodSpec{
 		// We have to use host network namespace, as `HostPort`/`HostIP` are Docker's
@@ -80,7 +80,7 @@ func newKubeDiscoveryPodSpec() api.PodSpec {
 			Ports: []api.ContainerPort{
 				// TODO when CNI issue (#31307) is resolved, we should consider adding
 				// `HostIP: s.API.AdvertiseAddrs[0]`, if there is only one address`
-				{Name: "http", ContainerPort: 9898, HostPort: 9898},
+				{Name: "http", ContainerPort: kubeadmapi.DefaultDiscoveryBindPort, HostPort: cfg.Discovery.BindPort},
 			},
 			SecurityContext: &api.SecurityContext{
 				SELinuxOptions: &api.SELinuxOptions{
@@ -101,13 +101,13 @@ func newKubeDiscoveryPodSpec() api.PodSpec {
 	}
 }

-func newKubeDiscovery(s *kubeadmapi.MasterConfiguration, caCert *x509.Certificate) kubeDiscovery {
+func newKubeDiscovery(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certificate) kubeDiscovery {
 	kd := kubeDiscovery{
-		Deployment: NewDeployment(kubeDiscoveryName, 1, newKubeDiscoveryPodSpec()),
+		Deployment: NewDeployment(kubeDiscoveryName, 1, newKubeDiscoveryPodSpec(cfg)),
 		Secret: &api.Secret{
 			ObjectMeta: api.ObjectMeta{Name: kubeDiscoverySecretName},
 			Type:       api.SecretTypeOpaque,
-			Data:       encodeKubeDiscoverySecretData(s, caCert),
+			Data:       encodeKubeDiscoverySecretData(cfg, caCert),
 		},
 	}

@@ -117,8 +117,8 @@ func newKubeDiscovery(s *kubeadmapi.MasterConfiguration, caCert *x509.Certificat
 	return kd
 }

-func CreateDiscoveryDeploymentAndSecret(s *kubeadmapi.MasterConfiguration, client *clientset.Clientset, caCert *x509.Certificate) error {
-	kd := newKubeDiscovery(s, caCert)
+func CreateDiscoveryDeploymentAndSecret(cfg *kubeadmapi.MasterConfiguration, client *clientset.Clientset, caCert *x509.Certificate) error {
+	kd := newKubeDiscovery(cfg, caCert)

 	if _, err := client.Extensions().Deployments(api.NamespaceSystem).Create(kd.Deployment); err != nil {
 		return fmt.Errorf("<master/discovery> failed to create %q deployment [%v]", kubeDiscoveryName, err)
--- a/cmd/kubeadm/app/master/kubeconfig.go
+++ b/cmd/kubeadm/app/master/kubeconfig.go
@@ -22,19 +22,20 @@ import (
 	"fmt"

 	// TODO: "k8s.io/client-go/client/tools/clientcmd/api"
+	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	kubeadmutil "k8s.io/kubernetes/cmd/kubeadm/app/util"
 	clientcmdapi "k8s.io/kubernetes/pkg/client/unversioned/clientcmd/api"
 	certutil "k8s.io/kubernetes/pkg/util/cert"
 )

-func CreateCertsAndConfigForClients(advertiseAddresses, clientNames []string, caKey *rsa.PrivateKey, caCert *x509.Certificate) (map[string]*clientcmdapi.Config, error) {
+func CreateCertsAndConfigForClients(cfg kubeadmapi.API, clientNames []string, caKey *rsa.PrivateKey, caCert *x509.Certificate) (map[string]*clientcmdapi.Config, error) {

 	basicClientConfig := kubeadmutil.CreateBasicClientConfig(
 		"kubernetes",
 		// TODO this is not great, but there is only one address we can use here
 		// so we'll pick the first one, there is much of chance to have an empty
 		// slice by the time this gets called
-		fmt.Sprintf("https://%s:443", advertiseAddresses[0]),
+		fmt.Sprintf("https://%s:%d", cfg.AdvertiseAddresses[0], cfg.BindPort),
 		certutil.EncodeCertPEM(caCert),
 	)

--- a/cmd/kubeadm/app/master/manifests.go
+++ b/cmd/kubeadm/app/master/manifests.go
@@ -53,37 +53,37 @@ const (

 // WriteStaticPodManifests builds manifest objects based on user provided configuration and then dumps it to disk
 // where kubelet will pick and schedule them.
-func WriteStaticPodManifests(s *kubeadmapi.MasterConfiguration) error {
+func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 	envParams := kubeadmapi.GetEnvParams()
 	// Prepare static pod specs
 	staticPodSpecs := map[string]api.Pod{
 		kubeAPIServer: componentPod(api.Container{
 			Name:          kubeAPIServer,
-			Image:         images.GetCoreImage(images.KubeAPIServerImage, s, envParams["hyperkube_image"]),
-			Command:       getComponentCommand(apiServer, s),
+			Image:         images.GetCoreImage(images.KubeAPIServerImage, cfg, envParams["hyperkube_image"]),
+			Command:       getComponentCommand(apiServer, cfg),
 			VolumeMounts:  []api.VolumeMount{certsVolumeMount(), k8sVolumeMount()},
 			LivenessProbe: componentProbe(8080, "/healthz"),
 			Resources:     componentResources("250m"),
-		}, certsVolume(s), k8sVolume(s)),
+		}, certsVolume(cfg), k8sVolume(cfg)),
 		kubeControllerManager: componentPod(api.Container{
 			Name:          kubeControllerManager,
-			Image:         images.GetCoreImage(images.KubeControllerManagerImage, s, envParams["hyperkube_image"]),
-			Command:       getComponentCommand(controllerManager, s),
+			Image:         images.GetCoreImage(images.KubeControllerManagerImage, cfg, envParams["hyperkube_image"]),
+			Command:       getComponentCommand(controllerManager, cfg),
 			VolumeMounts:  []api.VolumeMount{certsVolumeMount(), k8sVolumeMount()},
 			LivenessProbe: componentProbe(10252, "/healthz"),
 			Resources:     componentResources("200m"),
-		}, certsVolume(s), k8sVolume(s)),
+		}, certsVolume(cfg), k8sVolume(cfg)),
 		kubeScheduler: componentPod(api.Container{
 			Name:          kubeScheduler,
-			Image:         images.GetCoreImage(images.KubeSchedulerImage, s, envParams["hyperkube_image"]),
-			Command:       getComponentCommand(scheduler, s),
+			Image:         images.GetCoreImage(images.KubeSchedulerImage, cfg, envParams["hyperkube_image"]),
+			Command:       getComponentCommand(scheduler, cfg),
 			LivenessProbe: componentProbe(10251, "/healthz"),
 			Resources:     componentResources("100m"),
 		}),
 	}

 	// Add etcd static pod spec only if external etcd is not configured
-	if len(s.Etcd.Endpoints) == 0 {
+	if len(cfg.Etcd.Endpoints) == 0 {
 		staticPodSpecs[etcd] = componentPod(api.Container{
 			Name: etcd,
 			Command: []string{
@@ -93,7 +93,7 @@ func WriteStaticPodManifests(s *kubeadmapi.MasterConfiguration) error {
 				"--data-dir=/var/etcd/data",
 			},
 			VolumeMounts:  []api.VolumeMount{certsVolumeMount(), etcdVolumeMount(), k8sVolumeMount()},
-			Image:         images.GetCoreImage(images.KubeEtcdImage, s, envParams["etcd_image"]),
+			Image:         images.GetCoreImage(images.KubeEtcdImage, cfg, envParams["etcd_image"]),
 			LivenessProbe: componentProbe(2379, "/health"),
 			Resources:     componentResources("200m"),
 			SecurityContext: &api.SecurityContext{
@@ -105,7 +105,7 @@ func WriteStaticPodManifests(s *kubeadmapi.MasterConfiguration) error {
 					Type: "unconfined_t",
 				},
 			},
-		}, certsVolume(s), etcdVolume(s), k8sVolume(s))
+		}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))
 	}

 	manifestsPath := path.Join(envParams["kubernetes_dir"], "manifests")
@@ -126,7 +126,7 @@ func WriteStaticPodManifests(s *kubeadmapi.MasterConfiguration) error {
 }

 // etcdVolume exposes a path on the host in order to guarantee data survival during reboot.
-func etcdVolume(s *kubeadmapi.MasterConfiguration) api.Volume {
+func etcdVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
 	envParams := kubeadmapi.GetEnvParams()
 	return api.Volume{
 		Name: "etcd",
@@ -144,7 +144,7 @@ func etcdVolumeMount() api.VolumeMount {
 }

 // certsVolume exposes host SSL certificates to pod containers.
-func certsVolume(s *kubeadmapi.MasterConfiguration) api.Volume {
+func certsVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
 	return api.Volume{
 		Name: "certs",
 		VolumeSource: api.VolumeSource{
@@ -161,7 +161,7 @@ func certsVolumeMount() api.VolumeMount {
 	}
 }

-func k8sVolume(s *kubeadmapi.MasterConfiguration) api.Volume {
+func k8sVolume(cfg *kubeadmapi.MasterConfiguration) api.Volume {
 	envParams := kubeadmapi.GetEnvParams()
 	return api.Volume{
 		Name: "pki",
@@ -221,18 +221,18 @@ func componentPod(container api.Container, volumes ...api.Volume) api.Pod {
 	}
 }

-func getComponentCommand(component string, s *kubeadmapi.MasterConfiguration) (command []string) {
+func getComponentCommand(component string, cfg *kubeadmapi.MasterConfiguration) (command []string) {
 	baseFlags := map[string][]string{
 		apiServer: {
 			"--insecure-bind-address=127.0.0.1",
 			"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota",
-			"--service-cluster-ip-range=" + s.Networking.ServiceSubnet,
+			"--service-cluster-ip-range=" + cfg.Networking.ServiceSubnet,
 			"--service-account-key-file=" + pkiDir + "/apiserver-key.pem",
 			"--client-ca-file=" + pkiDir + "/ca.pem",
 			"--tls-cert-file=" + pkiDir + "/apiserver.pem",
 			"--tls-private-key-file=" + pkiDir + "/apiserver-key.pem",
 			"--token-auth-file=" + pkiDir + "/tokens.csv",
-			"--secure-port=443",
+			fmt.Sprintf("--secure-port=%d", cfg.API.BindPort),
 			"--allow-privileged",
 		},
 		controllerManager: {
@@ -266,30 +266,30 @@ func getComponentCommand(component string, s *kubeadmapi.MasterConfiguration) (c

 	if component == apiServer {
 		// Use first address we are given
-		if len(s.API.AdvertiseAddresses) > 0 {
-			command = append(command, fmt.Sprintf("--advertise-address=%s", s.API.AdvertiseAddresses[0]))
+		if len(cfg.API.AdvertiseAddresses) > 0 {
+			command = append(command, fmt.Sprintf("--advertise-address=%s", cfg.API.AdvertiseAddresses[0]))
 		}
 		// Check if the user decided to use an external etcd cluster
-		if len(s.Etcd.Endpoints) > 0 {
-			command = append(command, fmt.Sprintf("--etcd-servers=%s", strings.Join(s.Etcd.Endpoints, ",")))
+		if len(cfg.Etcd.Endpoints) > 0 {
+			command = append(command, fmt.Sprintf("--etcd-servers=%s", strings.Join(cfg.Etcd.Endpoints, ",")))
 		} else {
 			command = append(command, "--etcd-servers=http://127.0.0.1:2379")
 		}

 		// Is etcd secured?
-		if s.Etcd.CAFile != "" {
-			command = append(command, fmt.Sprintf("--etcd-cafile=%s", s.Etcd.CAFile))
+		if cfg.Etcd.CAFile != "" {
+			command = append(command, fmt.Sprintf("--etcd-cafile=%s", cfg.Etcd.CAFile))
 		}
-		if s.Etcd.CertFile != "" && s.Etcd.KeyFile != "" {
-			etcdClientFileArg := fmt.Sprintf("--etcd-certfile=%s", s.Etcd.CertFile)
-			etcdKeyFileArg := fmt.Sprintf("--etcd-keyfile=%s", s.Etcd.KeyFile)
+		if cfg.Etcd.CertFile != "" && cfg.Etcd.KeyFile != "" {
+			etcdClientFileArg := fmt.Sprintf("--etcd-certfile=%s", cfg.Etcd.CertFile)
+			etcdKeyFileArg := fmt.Sprintf("--etcd-keyfile=%s", cfg.Etcd.KeyFile)
 			command = append(command, etcdClientFileArg, etcdKeyFileArg)
 		}
 	}

 	if component == controllerManager {
-		if s.CloudProvider != "" {
-			command = append(command, "--cloud-provider="+s.CloudProvider)
+		if cfg.CloudProvider != "" {
+			command = append(command, "--cloud-provider="+cfg.CloudProvider)

 			// Only append the --cloud-config option if there's a such file
 			// TODO(phase1+) this won't work unless it's in one of the few directories we bind-mount
@@ -299,8 +299,8 @@ func getComponentCommand(component string, s *kubeadmapi.MasterConfiguration) (c
 		}
 		// Let the controller-manager allocate Node CIDRs for the Pod network.
 		// Each node will get a subspace of the address CIDR provided with --pod-network-cidr.
-		if s.Networking.PodSubnet != "" {
-			command = append(command, "--allocate-node-cidrs=true", "--cluster-cidr="+s.Networking.PodSubnet)
+		if cfg.Networking.PodSubnet != "" {
+			command = append(command, "--allocate-node-cidrs=true", "--cluster-cidr="+cfg.Networking.PodSubnet)
 		}
 	}

--- a/cmd/kubeadm/app/master/pki.go
+++ b/cmd/kubeadm/app/master/pki.go
@@ -46,7 +46,7 @@ func newCertificateAuthority() (*rsa.PrivateKey, *x509.Certificate, error) {
 	return key, cert, nil
 }

-func newServerKeyAndCert(s *kubeadmapi.MasterConfiguration, caCert *x509.Certificate, caKey *rsa.PrivateKey, altNames certutil.AltNames) (*rsa.PrivateKey, *x509.Certificate, error) {
+func newServerKeyAndCert(cfg *kubeadmapi.MasterConfiguration, caCert *x509.Certificate, caKey *rsa.PrivateKey, altNames certutil.AltNames) (*rsa.PrivateKey, *x509.Certificate, error) {
 	key, err := certutil.NewPrivateKey()
 	if err != nil {
 		return nil, nil, fmt.Errorf("unabel to create private key [%v]", err)
@@ -56,16 +56,16 @@ func newServerKeyAndCert(s *kubeadmapi.MasterConfiguration, caCert *x509.Certifi
 		"kubernetes",
 		"kubernetes.default",
 		"kubernetes.default.svc",
-		fmt.Sprintf("kubernetes.default.svc.%s", s.Networking.DNSDomain),
+		fmt.Sprintf("kubernetes.default.svc.%s", cfg.Networking.DNSDomain),
 	}

-	_, n, err := net.ParseCIDR(s.Networking.ServiceSubnet)
+	_, n, err := net.ParseCIDR(cfg.Networking.ServiceSubnet)
 	if err != nil {
-		return nil, nil, fmt.Errorf("error parsing CIDR %q: %v", s.Networking.ServiceSubnet, err)
+		return nil, nil, fmt.Errorf("error parsing CIDR %q: %v", cfg.Networking.ServiceSubnet, err)
 	}
 	internalAPIServerVirtualIP, err := ipallocator.GetIndexedIP(n, 1)
 	if err != nil {
-		return nil, nil, fmt.Errorf("unable to allocate IP address for the API server from the given CIDR (%q) [%v]", &s.Networking.ServiceSubnet, err)
+		return nil, nil, fmt.Errorf("unable to allocate IP address for the API server from the given CIDR (%q) [%v]", &cfg.Networking.ServiceSubnet, err)
 	}

 	altNames.IPs = append(altNames.IPs, internalAPIServerVirtualIP)
@@ -143,20 +143,20 @@ func newServiceAccountKey() (*rsa.PrivateKey, error) {
 // It first generates a self-signed CA certificate, a server certificate (signed by the CA) and a key for
 // signing service account tokens. It returns CA key and certificate, which is convenient for use with
 // client config funcs.
-func CreatePKIAssets(s *kubeadmapi.MasterConfiguration) (*rsa.PrivateKey, *x509.Certificate, error) {
+func CreatePKIAssets(cfg *kubeadmapi.MasterConfiguration) (*rsa.PrivateKey, *x509.Certificate, error) {
 	var (
 		err      error
 		altNames certutil.AltNames
 	)

-	for _, a := range s.API.AdvertiseAddresses {
+	for _, a := range cfg.API.AdvertiseAddresses {
 		if ip := net.ParseIP(a); ip != nil {
 			altNames.IPs = append(altNames.IPs, ip)
 		} else {
 			return nil, nil, fmt.Errorf("could not parse ip %q", a)
 		}
 	}
-	altNames.DNSNames = append(altNames.DNSNames, s.API.ExternalDNSNames...)
+	altNames.DNSNames = append(altNames.DNSNames, cfg.API.ExternalDNSNames...)

 	pkiPath := path.Join(kubeadmapi.GetEnvParams()["host_pki_path"])

@@ -172,7 +172,7 @@ func CreatePKIAssets(s *kubeadmapi.MasterConfiguration) (*rsa.PrivateKey, *x509.
 	pub, prv, cert := pathsKeysCerts(pkiPath, "ca")
 	fmt.Printf("Public: %s\nPrivate: %s\nCert: %s\n", pub, prv, cert)

-	apiKey, apiCert, err := newServerKeyAndCert(s, caCert, caKey, altNames)
+	apiKey, apiCert, err := newServerKeyAndCert(cfg, caCert, caKey, altNames)
 	if err != nil {
 		return nil, nil, fmt.Errorf("<master/pki> failure while creating API server keys and certificate - %v", err)
 	}
--- a/cmd/kubeadm/app/node/discovery.go
+++ b/cmd/kubeadm/app/node/discovery.go
@@ -33,7 +33,7 @@ import (
 const discoveryRetryTimeout = 5 * time.Second

 func RetrieveTrustedClusterInfo(s *kubeadmapi.NodeConfiguration) (*kubeadmapi.ClusterInfo, error) {
-	host, port := s.MasterAddresses[0], 9898
+	host, port := s.MasterAddresses[0], s.DiscoveryPort
 	requestURL := fmt.Sprintf("http://%s:%d/cluster-info/v1/?token-id=%s", host, port, s.Secrets.TokenID)
 	req, err := http.NewRequest("GET", requestURL, nil)
 	if err != nil {
--- a/cmd/kubeadm/app/preflight/checks.go
+++ b/cmd/kubeadm/app/preflight/checks.go
@@ -24,6 +24,7 @@ import (
 	"os"
 	"os/exec"

+	kubeadmapi "k8s.io/kubernetes/cmd/kubeadm/app/apis/kubeadm"
 	"k8s.io/kubernetes/pkg/util/initsystem"
 )

@@ -156,15 +157,16 @@ func (ipc InPathCheck) Check() (warnings, errors []error) {
 	return nil, nil
 }

-func RunInitMasterChecks() error {
+func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 	// TODO: Some of these ports should come from kubeadm config eventually:
 	checks := []PreFlightCheck{
 		IsRootCheck{root: true},
 		ServiceCheck{Service: "kubelet"},
 		ServiceCheck{Service: "docker"},
-		PortOpenCheck{port: 443},
+		PortOpenCheck{port: int(cfg.API.BindPort)},
 		PortOpenCheck{port: 2379},
 		PortOpenCheck{port: 8080},
+		PortOpenCheck{port: int(cfg.Discovery.BindPort)},
 		PortOpenCheck{port: 10250},
 		PortOpenCheck{port: 10251},
 		PortOpenCheck{port: 10252},