Merge pull request #44639 from marun/kubefed-apiserver-on-high-port

Automatic merge from submit-queue (batch tested with PRs 44645, 44639, 43510)

[Federation][kubefed]: Set apiserver to bind securely to 8443 instead of 443

On platforms like OpenShift that don't run containers as root by default, binding to ports < 1000 is not permitted.  Having the apiserver bind to a high port means it can run with reduced privileges.  The service will still expose the apiserver on 443, so this change shouldn't impact clients of the federation api.

cc: @kubernetes/sig-federation-pr-reviews @perotinus

federation/pkg/kubefed/init/BUILD

@@ -29,6 +29,7 @@ go_library(
         "//vendor/github.com/spf13/pflag:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
@@ -61,6 +62,7 @@ go_test(
         "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//vendor/k8s.io/client-go/dynamic:go_default_library",
         "//vendor/k8s.io/client-go/rest/fake:go_default_library",

federation/pkg/kubefed/init/init.go

@@ -33,6 +33,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/clientcmd"
@@ -84,6 +85,12 @@ const (
 	apiserverAdvertiseAddressFlag = "api-server-advertise-address"
 
 	dnsProviderSecretName = "federation-dns-provider.conf"
+
+	apiServerSecurePortName = "https"
+	// Set the secure port to 8443 to avoid requiring root privileges
+	// to bind to port < 1000.  The apiserver's service will still
+	// expose on port 443.
+	apiServerSecurePort = 8443
 )
 
 var (
@@ -439,9 +446,10 @@ func createService(clientset client.Interface, namespace, svcName, federationNam
 			Selector: apiserverSvcSelector,
 			Ports: []api.ServicePort{
 				{
-					Name:     "https",
+					Name:       "https",
-					Protocol: "TCP",
+					Protocol:   "TCP",
-					Port:     443,
+					Port:       443,
+					TargetPort: intstr.FromString(apiServerSecurePortName),
 				},
 			},
 		},
@@ -661,7 +669,7 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
 	argsMap := map[string]string{
 		"--bind-address":         "0.0.0.0",
 		"--etcd-servers":         "http://localhost:2379",
-		"--secure-port":          "443",
+		"--secure-port":          fmt.Sprintf("%d", apiServerSecurePort),
 		"--client-ca-file":       "/etc/federation/apiserver/ca.crt",
 		"--tls-cert-file":        "/etc/federation/apiserver/server.crt",
 		"--tls-private-key-file": "/etc/federation/apiserver/server.key",
@@ -704,8 +712,8 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
 							Command: command,
 							Ports: []api.ContainerPort{
 								{
-									Name:          "https",
+									Name:          apiServerSecurePortName,
-									ContainerPort: 443,
+									ContainerPort: apiServerSecurePort,
 								},
 								{
 									Name:          "local",

federation/pkg/kubefed/init/init_test.go

@@ -38,6 +38,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/rest/fake"
@@ -645,9 +646,10 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 			Selector: apiserverSvcSelector,
 			Ports: []v1.ServicePort{
 				{
-					Name:     "https",
+					Name:       "https",
-					Protocol: "TCP",
+					Protocol:   "TCP",
-					Port:     443,
+					Port:       443,
+					TargetPort: intstr.FromString(apiServerSecurePortName),
 				},
 			},
 		},
@@ -836,7 +838,7 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 	apiserverArgs := []string{
 		"--bind-address=0.0.0.0",
 		"--etcd-servers=http://localhost:2379",
-		"--secure-port=443",
+		fmt.Sprintf("--secure-port=%d", apiServerSecurePort),
 		"--tls-cert-file=/etc/federation/apiserver/server.crt",
 		"--tls-private-key-file=/etc/federation/apiserver/server.key",
 		"--admission-control=NamespaceLifecycle",
@@ -887,8 +889,8 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 							Command: apiserverCommand,
 							Ports: []v1.ContainerPort{
 								{
-									Name:          "https",
+									Name:          apiServerSecurePortName,
-									ContainerPort: 443,
+									ContainerPort: apiServerSecurePort,
 								},
 								{
 									Name:          "local",