From 88035a4599918e9b1339ba30ef6c970b3d31df1e Mon Sep 17 00:00:00 2001
From: "Dr. Stefan Schimanski"
Date: Tue, 28 Aug 2018 12:53:48 +0200
Subject: [PATCH] cloud-controller-manager: enable secure loopback
---
 .../app/config/config.go | 6 ++++++
 .../app/options/options.go | 14 +++++++-------
 .../app/options/options_test.go | 16 ++++++++--------
 3 files changed, 21 insertions(+), 15 deletions(-)
diff --git a/cmd/cloud-controller-manager/app/config/config.go b/cmd/cloud-controller-manager/app/config/config.go
index abd2df05adc..c4ccf92b4c2 100644
--- a/cmd/cloud-controller-manager/app/config/config.go
+++ b/cmd/cloud-controller-manager/app/config/config.go
@@ -31,6 +31,9 @@ type Config struct {
 ComponentConfig componentconfig.CloudControllerManagerConfiguration
 SecureServing *apiserver.SecureServingInfo
+ // LoopbackClientConfig is a config for a privileged loopback connection
+ LoopbackClientConfig *restclient.Config
+ // TODO: remove deprecated insecure serving
 InsecureServing *apiserver.DeprecatedInsecureServingInfo
 Authentication apiserver.AuthenticationInfo
@@ -71,5 +74,8 @@ type CompletedConfig struct {
 // Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
 func (c *Config) Complete() *CompletedConfig {
 cc := completedConfig{c}
+
+ apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
+
 return &CompletedConfig{&cc}
 }
diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go
index d152aae2d03..90f298d54b3 100644
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
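Review bot: Complete passes c.LoopbackClientConfig to apiserver.AuthorizeClientBearerToken unconditionally, yet the field is only filled in by the serving ApplyTo calls in options.go and stays nil when neither secure nor insecure serving is enabled (the options code gates on BindPort and Listener); unless AuthorizeClientBearerToken is known to tolerate a nil loopback config, wrap the call as `if c.LoopbackClientConfig != nil { apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization) }`. The new field comment in the first hunk also undersells what the field carries: it presumably holds the bearer-token client config that Complete then wires into the authenticator and authorizer, so a comment along the lines of `// LoopbackClientConfig is the client config for this process's own serving endpoint; Complete grants its bearer token full authorization` would tell a maintainer why the field must not be populated from anything untrusted. Complete's body is entirely within the hunk; the Config struct begins outside it.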
@@ -61,9 +61,9 @@ type CloudControllerManagerOptions struct {
 KubeCloudShared *cmoptions.KubeCloudSharedOptions
 ServiceController *cmoptions.ServiceControllerOptions
- SecureServing *apiserveroptions.SecureServingOptions
+ SecureServing *apiserveroptions.SecureServingOptionsWithLoopback
 // TODO: remove insecure serving mode
- InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
+ InsecureServing *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
 Authentication *apiserveroptions.DelegatingAuthenticationOptions
 Authorization *apiserveroptions.DelegatingAuthorizationOptions
@@ -89,12 +89,12 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 ServiceController: &cmoptions.ServiceControllerOptions{
 ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
 },
- SecureServing: apiserveroptions.NewSecureServingOptions(),
- InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
+ SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(),
+ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
 BindPort: int(componentConfig.KubeCloudShared.Port),
 BindNetwork: "tcp",
- },
+ }).WithLoopback(),
 Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
 Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
 NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency,
@@ -173,10 +173,10 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *cloudcontrollerconfig.Config,
 if err = o.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
 return err
 }
- if err = o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+ if err = o.InsecureServing.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
 return err
 }
- if err = o.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
+ if err = o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
 return err
 }
 if o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil {
diff --git a/cmd/cloud-controller-manager/app/options/options_test.go b/cmd/cloud-controller-manager/app/options/options_test.go
index d71a190c598..9467f634fd6 100644
--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
@@ -70,7 +70,7 @@ func TestDefaultFlags(t *testing.T) {
 ServiceController: &cmoptions.ServiceControllerOptions{
 ConcurrentServiceSyncs: 1,
 },
- SecureServing: &apiserveroptions.SecureServingOptions{
+ SecureServing: (&apiserveroptions.SecureServingOptions{
 BindPort: 10258,
 BindAddress: net.ParseIP("0.0.0.0"),
 ServerCert: apiserveroptions.GeneratableKeyCert{
@@ -78,12 +78,12 @@ func TestDefaultFlags(t *testing.T) {
 PairName: "cloud-controller-manager",
 },
 HTTP2MaxStreamsPerConnection: 0,
- },
- InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
+ }).WithLoopback(),
+ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP("0.0.0.0"),
 BindPort: int(10253),
 BindNetwork: "tcp",
- },
+ }).WithLoopback(),
 Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
 CacheTTL: 10 * time.Second,
 ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
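Review bot: In the ApplyTo hunk both serving ApplyTo calls now write to the same `&c.LoopbackClientConfig`, so the order in which they run presumably decides which endpoint the privileged loopback client ends up pointing at, and nothing in the code records that the insecure-then-secure order is deliberate. A later refactor that restores the old order would silently leave the loopback client (whose bearer token Complete grants full authorization) talking to the plaintext insecure port, so the invariant deserves a comment above the first call: `// Order matters: both ApplyTo calls set c.LoopbackClientConfig. Secure serving is applied last so that, when both modes are enabled, the privileged loopback client uses the TLS endpoint.` ApplyTo begins and ends outside this hunk.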
@@ -185,7 +185,7 @@ func TestAddFlags(t *testing.T) {
 ServiceController: &cmoptions.ServiceControllerOptions{
 ConcurrentServiceSyncs: 1,
 },
- SecureServing: &apiserveroptions.SecureServingOptions{
+ SecureServing: (&apiserveroptions.SecureServingOptions{
 BindPort: 10001,
 BindAddress: net.ParseIP("192.168.4.21"),
 ServerCert: apiserveroptions.GeneratableKeyCert{
@@ -193,12 +193,12 @@ func TestAddFlags(t *testing.T) {
 PairName: "cloud-controller-manager",
 },
 HTTP2MaxStreamsPerConnection: 47,
- },
- InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
+ }).WithLoopback(),
+ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 BindAddress: net.ParseIP("192.168.4.10"),
 BindPort: int(10000),
 BindNetwork: "tcp",
- },
+ }).WithLoopback(),
 Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
 CacheTTL: 10 * time.Second,
 ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},