Merge pull request #61870 from mikedanese/serverauth2

Automatic merge from submit-queue (batch tested with PRs 57658, 61304, 61560, 61859, 61870). If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

certs: exclude more nonsensical addresses from SANs

I noticed this when I saw 169.254.* SANs using server TLS bootstrap.
This change excludes more nonsensical addresses from being requested as
SANs in that flow.
This commit is contained in:
Kubernetes Submit Queue 2018-03-29 15:03:16 -07:00 committed by GitHub
commit 7a946e6fb0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23


@ -740,7 +740,7 @@ func NewMainKubelet(kubeCfg *kubeletconfiginternal.KubeletConfiguration,
var ips []net.IP
cfgAddress := net.ParseIP(kubeCfg.Address)
if cfgAddress == nil || cfgAddress.IsUnspecified() {
localIPs, err := allLocalIPsWithoutLoopback()
localIPs, err := allGlobalUnicastIPs()
if err != nil {
return nil, err
}
@ -1159,7 +1159,7 @@ type Kubelet struct {
keepTerminatedPodVolumes bool // DEPRECATED
}
func allLocalIPsWithoutLoopback() ([]net.IP, error) {
func allGlobalUnicastIPs() ([]net.IP, error) {
interfaces, err := net.Interfaces()
if err != nil {
return nil, fmt.Errorf("could not list network interfaces: %v", err)
@ -1173,7 +1173,7 @@ func allLocalIPsWithoutLoopback() ([]net.IP, error) {
for _, address := range addresses {
switch v := address.(type) {
case *net.IPNet:
if !v.IP.IsLoopback() {
if v.IP.IsGlobalUnicast() {
ips = append(ips, v.IP)
}
}
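Review bot: `allGlobalUnicastIPs` (lines 31–43) has no doc comment, and its name invites the reading that only publicly routable addresses are returned, which is not what `IsGlobalUnicast` checks: per Go's net documentation it is also true for RFC 1918 and IPv6 ULA private addresses, and it only excludes loopback, link-local unicast and multicast, multicast and the unspecified address. Since the caller at lines 21–23 feeds this list into the SANs of the kubelet's serving-certificate request, I would state that explicitly on the function, e.g. `// allGlobalUnicastIPs returns every IP assigned to a local interface except loopback, link-local (169.254/16, fe80::/10), multicast and unspecified addresses; private (RFC 1918, ULA) addresses are included, so addresses on bridge or virtual interfaces may also be requested as SANs.` The last clause is an inference rather than something the hunk shows: whether the interface loop skips down or virtual interfaces is decided between lines 34 and 36, which are outside the hunk. The function's body spans hunks 2 and 3, so part of it is outside this view.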