From 2e8461a5bc0258eb6a1f512c354030aa51e9e7da Mon Sep 17 00:00:00 2001 From: Jordan Liggitt Date: Mon, 1 Jun 2020 10:43:26 -0400 Subject: [PATCH] Mark --kubelet-https deprecated, unconditionally use https for apiserver->kubelet connections --- cmd/kube-apiserver/app/options/options.go | 6 +++--- cmd/kube-apiserver/app/options/options_test.go | 2 -- pkg/kubelet/client/kubelet_client.go | 12 ++---------- pkg/kubelet/client/kubelet_client_test.go | 15 ++++++--------- 4 files changed, 11 insertions(+), 24 deletions(-) diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go index c2fa360ffcc..ae2d1246e8f 100644 --- a/cmd/kube-apiserver/app/options/options.go +++ b/cmd/kube-apiserver/app/options/options.go @@ -120,7 +120,6 @@ func NewServerRunOptions() *ServerRunOptions { string(api.NodeExternalDNS), string(api.NodeExternalIP), }, - EnableHTTPS: true, HTTPTimeout: time.Duration(5) * time.Second, }, ServiceNodePortRange: kubeoptions.DefaultServiceNodePortRange, @@ -200,8 +199,9 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) { "Example: '30000-32767'. Inclusive at both ends of the range.") // Kubelet related flags: - fs.BoolVar(&s.KubeletConfig.EnableHTTPS, "kubelet-https", s.KubeletConfig.EnableHTTPS, - "Use https for kubelet connections.") + kubeletHTTPS := true + fs.BoolVar(&kubeletHTTPS, "kubelet-https", kubeletHTTPS, "Use https for kubelet connections.") + fs.MarkDeprecated("kubelet-https", "API Server connections to kubelets always use https. This flag will be removed in 1.22.") fs.StringSliceVar(&s.KubeletConfig.PreferredAddressTypes, "kubelet-preferred-address-types", s.KubeletConfig.PreferredAddressTypes, "List of the preferred NodeAddressTypes to use for kubelet connections.") diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go index ad4a11a4cbc..661a66379ad 100644 --- a/cmd/kube-apiserver/app/options/options_test.go +++ b/cmd/kube-apiserver/app/options/options_test.go @@ -106,7 +106,6 @@ func TestAddFlags(t *testing.T) { "--etcd-certfile=/var/run/kubernetes/etcdce.crt", "--etcd-cafile=/var/run/kubernetes/etcdca.crt", "--http2-max-streams-per-connection=42", - "--kubelet-https=true", "--kubelet-read-only-port=10255", "--kubelet-timeout=5s", "--kubelet-client-certificate=/var/run/kubernetes/ceserver.crt", @@ -193,7 +192,6 @@ func TestAddFlags(t *testing.T) { string(kapi.NodeExternalDNS), string(kapi.NodeExternalIP), }, - EnableHTTPS: true, HTTPTimeout: time.Duration(5) * time.Second, TLSClientConfig: restclient.TLSClientConfig{ CertFile: "/var/run/kubernetes/ceserver.crt", diff --git a/pkg/kubelet/client/kubelet_client.go b/pkg/kubelet/client/kubelet_client.go index 113e4650668..20a4eb9df8b 100644 --- a/pkg/kubelet/client/kubelet_client.go +++ b/pkg/kubelet/client/kubelet_client.go @@ -41,9 +41,6 @@ type KubeletClientConfig struct { // ReadOnlyPort specifies the Port for ReadOnly communications. ReadOnlyPort uint - // EnableHTTPs specifies if traffic should be encrypted. - EnableHTTPS bool - // PreferredAddressTypes - used to select an address from Node.NodeStatus.Addresses PreferredAddressTypes []string @@ -139,7 +136,7 @@ func (c *KubeletClientConfig) transportConfig() *transport.Config { }, BearerToken: c.BearerToken, } - if c.EnableHTTPS && !cfg.HasCA() { + if !cfg.HasCA() { cfg.TLS.Insecure = true } return cfg @@ -176,11 +173,6 @@ type NodeConnectionInfoGetter struct { // NewNodeConnectionInfoGetter creates a new NodeConnectionInfoGetter. func NewNodeConnectionInfoGetter(nodes NodeGetter, config KubeletClientConfig) (ConnectionInfoGetter, error) { - scheme := "http" - if config.EnableHTTPS { - scheme = "https" - } - transport, err := MakeTransport(&config) if err != nil { return nil, err @@ -197,7 +189,7 @@ func NewNodeConnectionInfoGetter(nodes NodeGetter, config KubeletClientConfig) ( return &NodeConnectionInfoGetter{ nodes: nodes, - scheme: scheme, + scheme: "https", defaultPort: int(config.Port), transport: transport, insecureSkipTLSVerifyTransport: insecureSkipTLSVerifyTransport, diff --git a/pkg/kubelet/client/kubelet_client_test.go b/pkg/kubelet/client/kubelet_client_test.go index 2512fb14b61..88cf693624a 100644 --- a/pkg/kubelet/client/kubelet_client_test.go +++ b/pkg/kubelet/client/kubelet_client_test.go @@ -30,7 +30,6 @@ import ( func TestMakeTransportInvalid(t *testing.T) { config := &KubeletClientConfig{ - EnableHTTPS: true, //Invalid certificate and key path TLSClientConfig: restclient.TLSClientConfig{ CertFile: "../../client/testdata/mycertinvalid.cer", @@ -50,13 +49,12 @@ func TestMakeTransportInvalid(t *testing.T) { func TestMakeTransportValid(t *testing.T) { config := &KubeletClientConfig{ - Port: 1234, - EnableHTTPS: true, + Port: 1234, TLSClientConfig: restclient.TLSClientConfig{ CertFile: "../../client/testdata/mycertvalid.cer", - // TLS Configuration, only applies if EnableHTTPS is true. + // TLS Configuration KeyFile: "../../client/testdata/mycertvalid.key", - // TLS Configuration, only applies if EnableHTTPS is true. + // TLS Configuration CAFile: "../../client/testdata/myCA.cer", }, } @@ -90,13 +88,12 @@ func TestMakeInsecureTransport(t *testing.T) { } config := &KubeletClientConfig{ - Port: uint(port), - EnableHTTPS: true, + Port: uint(port), TLSClientConfig: restclient.TLSClientConfig{ CertFile: "../../client/testdata/mycertvalid.cer", - // TLS Configuration, only applies if EnableHTTPS is true. + // TLS Configuration KeyFile: "../../client/testdata/mycertvalid.key", - // TLS Configuration, only applies if EnableHTTPS is true. + // TLS Configuration CAFile: "../../client/testdata/myCA.cer", }, }