Merge pull request #44639 from marun/kubefed-apiserver-on-high-port
Automatic merge from submit-queue (batch tested with PRs 44645, 44639, 43510) [Federation][kubefed]: Set apiserver to bind securely to 8443 instead of 443 On platforms like OpenShift that don't run containers as root by default, binding to ports < 1000 is not permitted. Having the apiserver bind to a high port means it can run with reduced privileges. The service will still expose the apiserver on 443, so this change shouldn't impact clients of the federation api. cc: @kubernetes/sig-federation-pr-reviews @perotinus
commit
8144a11e62
@ -29,6 +29,7 @@ go_library(
|
||||
"//vendor/github.com/spf13/pflag:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
|
||||
"//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
|
||||
@ -61,6 +62,7 @@ go_test(
|
||||
"//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
|
||||
"//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
|
||||
"//vendor/k8s.io/client-go/dynamic:go_default_library",
|
||||
"//vendor/k8s.io/client-go/rest/fake:go_default_library",
|
||||
|
@ -33,6 +33,7 @@ import (
|
||||
|
||||
"k8s.io/apimachinery/pkg/api/resource"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/apimachinery/pkg/util/uuid"
|
||||
"k8s.io/apimachinery/pkg/util/wait"
|
||||
"k8s.io/client-go/tools/clientcmd"
|
||||
@ -84,6 +85,12 @@ const (
|
||||
apiserverAdvertiseAddressFlag = "api-server-advertise-address"
|
||||
|
||||
dnsProviderSecretName = "federation-dns-provider.conf"
|
||||
|
||||
apiServerSecurePortName = "https"
|
||||
// Set the secure port to 8443 to avoid requiring root privileges
|
||||
// to bind to port < 1000. The apiserver's service will still
|
||||
// expose on port 443.
|
||||
apiServerSecurePort = 8443
|
||||
)
|
||||
|
||||
var (
|
||||
@ -439,9 +446,10 @@ func createService(clientset client.Interface, namespace, svcName, federationNam
|
||||
Selector: apiserverSvcSelector,
|
||||
Ports: []api.ServicePort{
|
||||
{
|
||||
Name: "https",
|
||||
Protocol: "TCP",
|
||||
Port: 443,
|
||||
Name: "https",
|
||||
Protocol: "TCP",
|
||||
Port: 443,
|
||||
TargetPort: intstr.FromString(apiServerSecurePortName),
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -661,7 +669,7 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
|
||||
argsMap := map[string]string{
|
||||
"--bind-address": "0.0.0.0",
|
||||
"--etcd-servers": "http://localhost:2379",
|
||||
"--secure-port": "443",
|
||||
"--secure-port": fmt.Sprintf("%d", apiServerSecurePort),
|
||||
"--client-ca-file": "/etc/federation/apiserver/ca.crt",
|
||||
"--tls-cert-file": "/etc/federation/apiserver/server.crt",
|
||||
"--tls-private-key-file": "/etc/federation/apiserver/server.key",
|
||||
@ -704,8 +712,8 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
|
||||
Command: command,
|
||||
Ports: []api.ContainerPort{
|
||||
{
|
||||
Name: "https",
|
||||
ContainerPort: 443,
|
||||
Name: apiServerSecurePortName,
|
||||
ContainerPort: apiServerSecurePort,
|
||||
},
|
||||
{
|
||||
Name: "local",
|
||||
|
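Review bot: The comment added above `apiServerSecurePort` says root is needed to bind to `port < 1000`, but the privileged range on Linux (the CAP_NET_BIND_SERVICE boundary) is ports below 1024; suggest `// to bind to privileged ports (< 1024). The apiserver's service will still`. The PR description repeats the same "< 1000" wording. In createAPIServer, `"--secure-port": fmt.Sprintf("%d", apiServerSecurePort)` could be `strconv.Itoa(apiServerSecurePort)` if strconv is already imported by the file, which avoids the format call for a plain integer conversion. The enclosing const block and the createAPIServer body extend outside the hunks shown here.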
@ -38,6 +38,7 @@ import (
|
||||
"k8s.io/apimachinery/pkg/api/resource"
|
||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||
"k8s.io/apimachinery/pkg/util/diff"
|
||||
"k8s.io/apimachinery/pkg/util/intstr"
|
||||
"k8s.io/apimachinery/pkg/util/sets"
|
||||
"k8s.io/client-go/dynamic"
|
||||
"k8s.io/client-go/rest/fake"
|
||||
@ -645,9 +646,10 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
|
||||
Selector: apiserverSvcSelector,
|
||||
Ports: []v1.ServicePort{
|
||||
{
|
||||
Name: "https",
|
||||
Protocol: "TCP",
|
||||
Port: 443,
|
||||
Name: "https",
|
||||
Protocol: "TCP",
|
||||
Port: 443,
|
||||
TargetPort: intstr.FromString(apiServerSecurePortName),
|
||||
},
|
||||
},
|
||||
},
|
||||
@ -836,7 +838,7 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
|
||||
apiserverArgs := []string{
|
||||
"--bind-address=0.0.0.0",
|
||||
"--etcd-servers=http://localhost:2379",
|
||||
"--secure-port=443",
|
||||
fmt.Sprintf("--secure-port=%d", apiServerSecurePort),
|
||||
"--tls-cert-file=/etc/federation/apiserver/server.crt",
|
||||
"--tls-private-key-file=/etc/federation/apiserver/server.key",
|
||||
"--admission-control=NamespaceLifecycle",
|
||||
@ -887,8 +889,8 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
|
||||
Command: apiserverCommand,
|
||||
Ports: []v1.ContainerPort{
|
||||
{
|
||||
Name: "https",
|
||||
ContainerPort: 443,
|
||||
Name: apiServerSecurePortName,
|
||||
ContainerPort: apiServerSecurePort,
|
||||
},
|
||||
{
|
||||
Name: "local",
|
||||
|
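Review bot: The expected values in fakeInitHostFactory now derive `fmt.Sprintf("--secure-port=%d", apiServerSecurePort)` and `ContainerPort: apiServerSecurePort` from the same constant the implementation reads, so the test no longer pins the port the apiserver is meant to bind; a later edit of the constant back to a privileged port would pass this test unnoticed. Consider keeping literals in the fixture, `"--secure-port=8443"` and `ContainerPort: 8443`, so the test asserts the documented contract rather than echoing the implementation. The same applies to `TargetPort: intstr.FromString(apiServerSecurePortName)` in the service fixture. The enclosing function continues outside the hunks.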