Merge pull request #91630 from liggitt/kube-apiserver-kubelet-https

Mark --kubelet-https deprecated, unconditionally use https for apiserver->kubelet connections
Kubernetes Prow Robot 2020-06-02 02:02:14 -07:00 committed by GitHub
commit 7bd4c53b27
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 11 additions and 24 deletions


@ -120,7 +120,6 @@ func NewServerRunOptions() *ServerRunOptions {
string(api.NodeExternalDNS), string(api.NodeExternalDNS),
string(api.NodeExternalIP), string(api.NodeExternalIP),
}, },
EnableHTTPS: true,
HTTPTimeout: time.Duration(5) * time.Second, HTTPTimeout: time.Duration(5) * time.Second,
}, },
ServiceNodePortRange: kubeoptions.DefaultServiceNodePortRange, ServiceNodePortRange: kubeoptions.DefaultServiceNodePortRange,
@ -200,8 +199,9 @@ func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) {
"Example: '30000-32767'. Inclusive at both ends of the range.") "Example: '30000-32767'. Inclusive at both ends of the range.")
// Kubelet related flags: // Kubelet related flags:
fs.BoolVar(&s.KubeletConfig.EnableHTTPS, "kubelet-https", s.KubeletConfig.EnableHTTPS, kubeletHTTPS := true
"Use https for kubelet connections.") fs.BoolVar(&kubeletHTTPS, "kubelet-https", kubeletHTTPS, "Use https for kubelet connections.")
fs.MarkDeprecated("kubelet-https", "API Server connections to kubelets always use https. This flag will be removed in 1.22.")
fs.StringSliceVar(&s.KubeletConfig.PreferredAddressTypes, "kubelet-preferred-address-types", s.KubeletConfig.PreferredAddressTypes, fs.StringSliceVar(&s.KubeletConfig.PreferredAddressTypes, "kubelet-preferred-address-types", s.KubeletConfig.PreferredAddressTypes,
"List of the preferred NodeAddressTypes to use for kubelet connections.") "List of the preferred NodeAddressTypes to use for kubelet connections.")
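Review bot: The value parsed into `kubeletHTTPS` is never read, so `--kubelet-https=false` is accepted and silently overridden, and the help text kept on the next line ("Use https for kubelet connections.") still reads as if the flag had an effect; the only hint is the MarkDeprecated warning. A one-line comment above `kubeletHTTPS := true` would make the intent explicit for the next maintainer, e.g. `// kubeletHTTPS is parsed only so existing command lines keep working; its value is ignored and apiserver->kubelet connections always use https.` The return value of `fs.MarkDeprecated` is also dropped; as far as I recall it only fails when the named flag is not registered, so an explicit `_ =` with a short comment would document that as deliberate rather than accidental. Flags() begins and ends outside this hunk.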


@ -105,7 +105,6 @@ func TestAddFlags(t *testing.T) {
"--etcd-certfile=/var/run/kubernetes/etcdce.crt", "--etcd-certfile=/var/run/kubernetes/etcdce.crt",
"--etcd-cafile=/var/run/kubernetes/etcdca.crt", "--etcd-cafile=/var/run/kubernetes/etcdca.crt",
"--http2-max-streams-per-connection=42", "--http2-max-streams-per-connection=42",
"--kubelet-https=true",
"--kubelet-read-only-port=10255", "--kubelet-read-only-port=10255",
"--kubelet-timeout=5s", "--kubelet-timeout=5s",
"--kubelet-client-certificate=/var/run/kubernetes/ceserver.crt", "--kubelet-client-certificate=/var/run/kubernetes/ceserver.crt",
@ -192,7 +191,6 @@ func TestAddFlags(t *testing.T) {
string(kapi.NodeExternalDNS), string(kapi.NodeExternalDNS),
string(kapi.NodeExternalIP), string(kapi.NodeExternalIP),
}, },
EnableHTTPS: true,
HTTPTimeout: time.Duration(5) * time.Second, HTTPTimeout: time.Duration(5) * time.Second,
TLSClientConfig: restclient.TLSClientConfig{ TLSClientConfig: restclient.TLSClientConfig{
CertFile: "/var/run/kubernetes/ceserver.crt", CertFile: "/var/run/kubernetes/ceserver.crt",


@ -41,9 +41,6 @@ type KubeletClientConfig struct {
// ReadOnlyPort specifies the Port for ReadOnly communications. // ReadOnlyPort specifies the Port for ReadOnly communications.
ReadOnlyPort uint ReadOnlyPort uint
// EnableHTTPs specifies if traffic should be encrypted.
EnableHTTPS bool
// PreferredAddressTypes - used to select an address from Node.NodeStatus.Addresses // PreferredAddressTypes - used to select an address from Node.NodeStatus.Addresses
PreferredAddressTypes []string PreferredAddressTypes []string
@ -139,7 +136,7 @@ func (c *KubeletClientConfig) transportConfig() *transport.Config {
}, },
BearerToken: c.BearerToken, BearerToken: c.BearerToken,
} }
if c.EnableHTTPS && !cfg.HasCA() { if !cfg.HasCA() {
cfg.TLS.Insecure = true cfg.TLS.Insecure = true
} }
return cfg return cfg
@ -176,11 +173,6 @@ type NodeConnectionInfoGetter struct {
// NewNodeConnectionInfoGetter creates a new NodeConnectionInfoGetter. // NewNodeConnectionInfoGetter creates a new NodeConnectionInfoGetter.
func NewNodeConnectionInfoGetter(nodes NodeGetter, config KubeletClientConfig) (ConnectionInfoGetter, error) { func NewNodeConnectionInfoGetter(nodes NodeGetter, config KubeletClientConfig) (ConnectionInfoGetter, error) {
scheme := "http"
if config.EnableHTTPS {
scheme = "https"
}
transport, err := MakeTransport(&config) transport, err := MakeTransport(&config)
if err != nil { if err != nil {
return nil, err return nil, err
@ -197,7 +189,7 @@ func NewNodeConnectionInfoGetter(nodes NodeGetter, config KubeletClientConfig) (
return &NodeConnectionInfoGetter{ return &NodeConnectionInfoGetter{
nodes: nodes, nodes: nodes,
scheme: scheme, scheme: "https",
defaultPort: int(config.Port), defaultPort: int(config.Port),
transport: transport, transport: transport,
insecureSkipTLSVerifyTransport: insecureSkipTLSVerifyTransport, insecureSkipTLSVerifyTransport: insecureSkipTLSVerifyTransport,
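Review bot: The new condition in transportConfig, `if !cfg.HasCA() { cfg.TLS.Insecure = true }`, now applies to every kubelet client config without a CA, since the https gate it replaced is gone; this is the same fallback https configs had before, but it is the one point where the always-TLS guarantee this commit introduces stops short of authenticating the kubelet, and it has no comment. Suggested comment above the check: `// No kubelet CA configured: the connection is still TLS, but the kubelet's serving certificate is not verified. Supply --kubelet-certificate-authority to authenticate kubelets.` As a style point only, the `scheme: "https"` literal in NewNodeConnectionInfoGetter could be a named constant now that it is the sole value. transportConfig and NewNodeConnectionInfoGetter both start and end outside these hunks.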


@ -30,7 +30,6 @@ import (
func TestMakeTransportInvalid(t *testing.T) { func TestMakeTransportInvalid(t *testing.T) {
config := &KubeletClientConfig{ config := &KubeletClientConfig{
EnableHTTPS: true,
//Invalid certificate and key path //Invalid certificate and key path
TLSClientConfig: restclient.TLSClientConfig{ TLSClientConfig: restclient.TLSClientConfig{
CertFile: "../../client/testdata/mycertinvalid.cer", CertFile: "../../client/testdata/mycertinvalid.cer",
@ -51,12 +50,11 @@ func TestMakeTransportInvalid(t *testing.T) {
func TestMakeTransportValid(t *testing.T) { func TestMakeTransportValid(t *testing.T) {
config := &KubeletClientConfig{ config := &KubeletClientConfig{
Port: 1234, Port: 1234,
EnableHTTPS: true,
TLSClientConfig: restclient.TLSClientConfig{ TLSClientConfig: restclient.TLSClientConfig{
CertFile: "../../client/testdata/mycertvalid.cer", CertFile: "../../client/testdata/mycertvalid.cer",
// TLS Configuration, only applies if EnableHTTPS is true. // TLS Configuration
KeyFile: "../../client/testdata/mycertvalid.key", KeyFile: "../../client/testdata/mycertvalid.key",
// TLS Configuration, only applies if EnableHTTPS is true. // TLS Configuration
CAFile: "../../client/testdata/myCA.cer", CAFile: "../../client/testdata/myCA.cer",
}, },
} }
@ -91,12 +89,11 @@ func TestMakeInsecureTransport(t *testing.T) {
config := &KubeletClientConfig{ config := &KubeletClientConfig{
Port: uint(port), Port: uint(port),
EnableHTTPS: true,
TLSClientConfig: restclient.TLSClientConfig{ TLSClientConfig: restclient.TLSClientConfig{
CertFile: "../../client/testdata/mycertvalid.cer", CertFile: "../../client/testdata/mycertvalid.cer",
// TLS Configuration, only applies if EnableHTTPS is true. // TLS Configuration
KeyFile: "../../client/testdata/mycertvalid.key", KeyFile: "../../client/testdata/mycertvalid.key",
// TLS Configuration, only applies if EnableHTTPS is true. // TLS Configuration
CAFile: "../../client/testdata/myCA.cer", CAFile: "../../client/testdata/myCA.cer",
}, },
} }