Merge pull request #44639 from marun/kubefed-apiserver-on-high-port

Automatic merge from submit-queue (batch tested with PRs 44645, 44639, 43510)

[Federation][kubefed]: Set apiserver to bind securely to 8443 instead of 443

On platforms like OpenShift that don't run containers as root by default, binding to privileged ports (< 1024) is not permitted without root or CAP_NET_BIND_SERVICE.  Having the apiserver bind to a high port means it can run with reduced privileges.  The service will still expose the apiserver on 443, so this change shouldn't impact clients of the federation api.

cc: @kubernetes/sig-federation-pr-reviews @perotinus
Kubernetes Submit Queue 2017-04-18 23:22:02 -07:00 committed by GitHub
commit 8144a11e62
3 changed files with 24 additions and 12 deletions


@ -29,6 +29,7 @@ go_library(
"//vendor/github.com/spf13/pflag:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
@ -61,6 +62,7 @@ go_test(
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
"//vendor/k8s.io/client-go/dynamic:go_default_library",
"//vendor/k8s.io/client-go/rest/fake:go_default_library",


@ -33,6 +33,7 @@ import (
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/uuid"
"k8s.io/apimachinery/pkg/util/wait"
"k8s.io/client-go/tools/clientcmd"
@ -84,6 +85,12 @@ const (
apiserverAdvertiseAddressFlag = "api-server-advertise-address"
dnsProviderSecretName = "federation-dns-provider.conf"
apiServerSecurePortName = "https"
// Set the secure port to 8443 to avoid requiring root privileges
// to bind to port < 1000. The apiserver's service will still
// expose on port 443.
apiServerSecurePort = 8443
)
var (
@ -439,9 +446,10 @@ func createService(clientset client.Interface, namespace, svcName, federationNam
Selector: apiserverSvcSelector,
Ports: []api.ServicePort{
{
Name: "https",
Protocol: "TCP",
Port: 443,
Name: "https",
Protocol: "TCP",
Port: 443,
TargetPort: intstr.FromString(apiServerSecurePortName),
},
},
},
@ -661,7 +669,7 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
argsMap := map[string]string{
"--bind-address": "0.0.0.0",
"--etcd-servers": "http://localhost:2379",
"--secure-port": "443",
"--secure-port": fmt.Sprintf("%d", apiServerSecurePort),
"--client-ca-file": "/etc/federation/apiserver/ca.crt",
"--tls-cert-file": "/etc/federation/apiserver/server.crt",
"--tls-private-key-file": "/etc/federation/apiserver/server.key",
@ -704,8 +712,8 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
Command: command,
Ports: []api.ContainerPort{
{
Name: "https",
ContainerPort: 443,
Name: apiServerSecurePortName,
ContainerPort: apiServerSecurePort,
},
{
Name: "local",
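Review bot: The new comment on `apiServerSecurePort` states the wrong privileged-port boundary: on Linux the ports that require root or CAP_NET_BIND_SERVICE are those below 1024, not 1000, so the middle line should read `// (CAP_NET_BIND_SERVICE) to bind to a port < 1024. The apiserver's`. Binding to 8443 only makes non-root execution possible; nothing in these hunks sets a securityContext on the apiserver pod, so unless the deployment spec outside this hunk already does, consider adding a `RunAsNonRoot` securityContext so the reduced-privilege property is enforced rather than merely permitted. As a minor style point, the service port still uses the literal `Name: "https"` while the container port now uses `apiServerSecurePortName`; using the constant in both places keeps the two names from drifting. createService and createAPIServer both start and end outside the hunks shown.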


@ -38,6 +38,7 @@ import (
"k8s.io/apimachinery/pkg/api/resource"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff"
"k8s.io/apimachinery/pkg/util/intstr"
"k8s.io/apimachinery/pkg/util/sets"
"k8s.io/client-go/dynamic"
"k8s.io/client-go/rest/fake"
@ -645,9 +646,10 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
Selector: apiserverSvcSelector,
Ports: []v1.ServicePort{
{
Name: "https",
Protocol: "TCP",
Port: 443,
Name: "https",
Protocol: "TCP",
Port: 443,
TargetPort: intstr.FromString(apiServerSecurePortName),
},
},
},
@ -836,7 +838,7 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
apiserverArgs := []string{
"--bind-address=0.0.0.0",
"--etcd-servers=http://localhost:2379",
"--secure-port=443",
fmt.Sprintf("--secure-port=%d", apiServerSecurePort),
"--tls-cert-file=/etc/federation/apiserver/server.crt",
"--tls-private-key-file=/etc/federation/apiserver/server.key",
"--admission-control=NamespaceLifecycle",
@ -887,8 +889,8 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
Command: apiserverCommand,
Ports: []v1.ContainerPort{
{
Name: "https",
ContainerPort: 443,
Name: apiServerSecurePortName,
ContainerPort: apiServerSecurePort,
},
{
Name: "local",
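Review bot: The expected fixture now derives `--secure-port` and the container port from the package constants `apiServerSecurePort` and `apiServerSecurePortName` instead of literal values, so the test would still pass if someone later changed the constant back to 443 or another privileged port; the property this PR is about is no longer pinned by the test. Consider keeping literals in the fixture, e.g. `fmt.Sprintf("--secure-port=%d", 8443),` and `ContainerPort: 8443,`, or adding an explicit guard in the test that consumes this fixture such as `if apiServerSecurePort < 1024 { t.Fatalf("apiserver secure port %d is privileged", apiServerSecurePort) }` so a regression to a privileged port fails. fakeInitHostFactory starts and ends outside the hunks shown.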