mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-23 03:41:45 +00:00
cloud-controller-manager: enable secure loopback
This commit is contained in:
parent
b25a551ed8
commit
88035a4599
@ -31,6 +31,9 @@ type Config struct {
|
||||
ComponentConfig componentconfig.CloudControllerManagerConfiguration
|
||||
|
||||
SecureServing *apiserver.SecureServingInfo
|
||||
// LoopbackClientConfig is a config for a privileged loopback connection
|
||||
LoopbackClientConfig *restclient.Config
|
||||
|
||||
// TODO: remove deprecated insecure serving
|
||||
InsecureServing *apiserver.DeprecatedInsecureServingInfo
|
||||
Authentication apiserver.AuthenticationInfo
|
||||
@ -71,5 +74,8 @@ type CompletedConfig struct {
|
||||
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
|
||||
func (c *Config) Complete() *CompletedConfig {
|
||||
cc := completedConfig{c}
|
||||
|
||||
apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
|
||||
|
||||
return &CompletedConfig{&cc}
|
||||
}
|
||||
|
@ -61,9 +61,9 @@ type CloudControllerManagerOptions struct {
|
||||
KubeCloudShared *cmoptions.KubeCloudSharedOptions
|
||||
ServiceController *cmoptions.ServiceControllerOptions
|
||||
|
||||
SecureServing *apiserveroptions.SecureServingOptions
|
||||
SecureServing *apiserveroptions.SecureServingOptionsWithLoopback
|
||||
// TODO: remove insecure serving mode
|
||||
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
|
||||
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
|
||||
Authentication *apiserveroptions.DelegatingAuthenticationOptions
|
||||
Authorization *apiserveroptions.DelegatingAuthorizationOptions
|
||||
|
||||
@ -89,12 +89,12 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
|
||||
ServiceController: &cmoptions.ServiceControllerOptions{
|
||||
ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
|
||||
},
|
||||
SecureServing: apiserveroptions.NewSecureServingOptions(),
|
||||
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(),
|
||||
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
|
||||
BindPort: int(componentConfig.KubeCloudShared.Port),
|
||||
BindNetwork: "tcp",
|
||||
},
|
||||
}).WithLoopback(),
|
||||
Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
|
||||
Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
|
||||
NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency,
|
||||
@ -173,10 +173,10 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *cloudcontrollerconfig.Config,
|
||||
if err = o.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
|
||||
return err
|
||||
}
|
||||
if err = o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
|
||||
if err = o.InsecureServing.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
|
||||
return err
|
||||
}
|
||||
if err = o.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
|
||||
if err = o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
|
||||
return err
|
||||
}
|
||||
if o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil {
|
||||
|
@ -70,7 +70,7 @@ func TestDefaultFlags(t *testing.T) {
|
||||
ServiceController: &cmoptions.ServiceControllerOptions{
|
||||
ConcurrentServiceSyncs: 1,
|
||||
},
|
||||
SecureServing: &apiserveroptions.SecureServingOptions{
|
||||
SecureServing: (&apiserveroptions.SecureServingOptions{
|
||||
BindPort: 10258,
|
||||
BindAddress: net.ParseIP("0.0.0.0"),
|
||||
ServerCert: apiserveroptions.GeneratableKeyCert{
|
||||
@ -78,12 +78,12 @@ func TestDefaultFlags(t *testing.T) {
|
||||
PairName: "cloud-controller-manager",
|
||||
},
|
||||
HTTP2MaxStreamsPerConnection: 0,
|
||||
},
|
||||
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
}).WithLoopback(),
|
||||
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
BindAddress: net.ParseIP("0.0.0.0"),
|
||||
BindPort: int(10253),
|
||||
BindNetwork: "tcp",
|
||||
},
|
||||
}).WithLoopback(),
|
||||
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
|
||||
CacheTTL: 10 * time.Second,
|
||||
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
|
||||
@ -185,7 +185,7 @@ func TestAddFlags(t *testing.T) {
|
||||
ServiceController: &cmoptions.ServiceControllerOptions{
|
||||
ConcurrentServiceSyncs: 1,
|
||||
},
|
||||
SecureServing: &apiserveroptions.SecureServingOptions{
|
||||
SecureServing: (&apiserveroptions.SecureServingOptions{
|
||||
BindPort: 10001,
|
||||
BindAddress: net.ParseIP("192.168.4.21"),
|
||||
ServerCert: apiserveroptions.GeneratableKeyCert{
|
||||
@ -193,12 +193,12 @@ func TestAddFlags(t *testing.T) {
|
||||
PairName: "cloud-controller-manager",
|
||||
},
|
||||
HTTP2MaxStreamsPerConnection: 47,
|
||||
},
|
||||
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
}).WithLoopback(),
|
||||
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
BindAddress: net.ParseIP("192.168.4.10"),
|
||||
BindPort: int(10000),
|
||||
BindNetwork: "tcp",
|
||||
},
|
||||
}).WithLoopback(),
|
||||
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
|
||||
CacheTTL: 10 * time.Second,
|
||||
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
|
||||
|
Loading…
Reference in New Issue
Block a user