github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-26 21:17:23 +00:00
Code Issues Projects Releases Wiki Activity

cloud-controller-manager: enable secure loopback

Browse Source
This commit is contained in:
Dr. Stefan Schimanski 2018-08-28 12:53:48 +02:00
parent b25a551ed8
commit 88035a4599
3 changed files with 21 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
cmd/cloud-controller-manager/app/config/config.go
View File

@ -31,6 +31,9 @@ type Config struct {
ComponentConfig componentconfig.CloudControllerManagerConfiguration ComponentConfig componentconfig.CloudControllerManagerConfiguration
SecureServing *apiserver.SecureServingInfo SecureServing *apiserver.SecureServingInfo
// LoopbackClientConfig is a config for a privileged loopback connection
LoopbackClientConfig *restclient.Config
// TODO: remove deprecated insecure serving // TODO: remove deprecated insecure serving
InsecureServing *apiserver.DeprecatedInsecureServingInfo InsecureServing *apiserver.DeprecatedInsecureServingInfo
Authentication apiserver.AuthenticationInfo Authentication apiserver.AuthenticationInfo
@ -71,5 +74,8 @@ type CompletedConfig struct {
// Complete fills in any fields not set that are required to have valid data. It's mutating the receiver. // Complete fills in any fields not set that are required to have valid data. It's mutating the receiver.
func (c *Config) Complete() *CompletedConfig { func (c *Config) Complete() *CompletedConfig {
cc := completedConfig{c} cc := completedConfig{c}
apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
return &CompletedConfig{&cc} return &CompletedConfig{&cc}
} }

14
cmd/cloud-controller-manager/app/options/options.go
View File

@ -61,9 +61,9 @@ type CloudControllerManagerOptions struct {
KubeCloudShared *cmoptions.KubeCloudSharedOptions KubeCloudShared *cmoptions.KubeCloudSharedOptions
ServiceController *cmoptions.ServiceControllerOptions ServiceController *cmoptions.ServiceControllerOptions
SecureServing *apiserveroptions.SecureServingOptions SecureServing *apiserveroptions.SecureServingOptionsWithLoopback
// TODO: remove insecure serving mode // TODO: remove insecure serving mode
InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions InsecureServing *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
Authentication *apiserveroptions.DelegatingAuthenticationOptions Authentication *apiserveroptions.DelegatingAuthenticationOptions
Authorization *apiserveroptions.DelegatingAuthorizationOptions Authorization *apiserveroptions.DelegatingAuthorizationOptions
@ -89,12 +89,12 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
ServiceController: &cmoptions.ServiceControllerOptions{ ServiceController: &cmoptions.ServiceControllerOptions{
ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs, ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
}, },
SecureServing: apiserveroptions.NewSecureServingOptions(), SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(),
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address), BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
BindPort: int(componentConfig.KubeCloudShared.Port), BindPort: int(componentConfig.KubeCloudShared.Port),
BindNetwork: "tcp", BindNetwork: "tcp",
}, }).WithLoopback(),
Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(), Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(), Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency, NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency,
@ -173,10 +173,10 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *cloudcontrollerconfig.Config,
if err = o.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil { if err = o.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
return err return err
} }
if err = o.SecureServing.ApplyTo(&c.SecureServing); err != nil { if err = o.InsecureServing.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
return err return err
} }
if err = o.InsecureServing.ApplyTo(&c.InsecureServing); err != nil { if err = o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
return err return err
} }
if o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil { if o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil {

16
cmd/cloud-controller-manager/app/options/options_test.go
View File

@ -70,7 +70,7 @@ func TestDefaultFlags(t *testing.T) {
ServiceController: &cmoptions.ServiceControllerOptions{ ServiceController: &cmoptions.ServiceControllerOptions{
ConcurrentServiceSyncs: 1, ConcurrentServiceSyncs: 1,
}, },
SecureServing: &apiserveroptions.SecureServingOptions{ SecureServing: (&apiserveroptions.SecureServingOptions{
BindPort: 10258, BindPort: 10258,
BindAddress: net.ParseIP("0.0.0.0"), BindAddress: net.ParseIP("0.0.0.0"),
ServerCert: apiserveroptions.GeneratableKeyCert{ ServerCert: apiserveroptions.GeneratableKeyCert{
@ -78,12 +78,12 @@ func TestDefaultFlags(t *testing.T) {
PairName: "cloud-controller-manager", PairName: "cloud-controller-manager",
}, },
HTTP2MaxStreamsPerConnection: 0, HTTP2MaxStreamsPerConnection: 0,
}, }).WithLoopback(),
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("0.0.0.0"), BindAddress: net.ParseIP("0.0.0.0"),
BindPort: int(10253), BindPort: int(10253),
BindNetwork: "tcp", BindNetwork: "tcp",
}, }).WithLoopback(),
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{ Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second, CacheTTL: 10 * time.Second,
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
@ -185,7 +185,7 @@ func TestAddFlags(t *testing.T) {
ServiceController: &cmoptions.ServiceControllerOptions{ ServiceController: &cmoptions.ServiceControllerOptions{
ConcurrentServiceSyncs: 1, ConcurrentServiceSyncs: 1,
}, },
SecureServing: &apiserveroptions.SecureServingOptions{ SecureServing: (&apiserveroptions.SecureServingOptions{
BindPort: 10001, BindPort: 10001,
BindAddress: net.ParseIP("192.168.4.21"), BindAddress: net.ParseIP("192.168.4.21"),
ServerCert: apiserveroptions.GeneratableKeyCert{ ServerCert: apiserveroptions.GeneratableKeyCert{
@ -193,12 +193,12 @@ func TestAddFlags(t *testing.T) {
PairName: "cloud-controller-manager", PairName: "cloud-controller-manager",
}, },
HTTP2MaxStreamsPerConnection: 47, HTTP2MaxStreamsPerConnection: 47,
}, }).WithLoopback(),
InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{ InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindAddress: net.ParseIP("192.168.4.10"), BindAddress: net.ParseIP("192.168.4.10"),
BindPort: int(10000), BindPort: int(10000),
BindNetwork: "tcp", BindNetwork: "tcp",
}, }).WithLoopback(),
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{ Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second, CacheTTL: 10 * time.Second,
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},