diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index 15ecc96b58b..9c101c706c5 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go @@ -593,6 +593,8 @@ func defaultOptions(s *options.ServerRunOptions) error { if err != nil { return fmt.Errorf("error determining service IP ranges: %v", err) } + s.SecureServing.ForceLoopbackConfigUsage() + if err := s.SecureServing.MaybeDefaultWithSelfSignedCerts(s.GenericServerRunOptions.AdvertiseAddress.String(), []string{"kubernetes.default.svc", "kubernetes.default", "kubernetes"}, []net.IP{apiServerServiceIP}); err != nil { return fmt.Errorf("error creating self-signed certificates: %v", err) } diff --git a/federation/cmd/federation-apiserver/app/server.go b/federation/cmd/federation-apiserver/app/server.go index b23bbe5b4c6..d1f44ca3aa4 100644 --- a/federation/cmd/federation-apiserver/app/server.go +++ b/federation/cmd/federation-apiserver/app/server.go @@ -102,6 +102,7 @@ func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error { if err := s.CloudProvider.DefaultExternalHost(s.GenericServerRunOptions); err != nil { return fmt.Errorf("error setting the external host value: %v", err) } + s.SecureServing.ForceLoopbackConfigUsage() s.Authentication.ApplyAuthorization(s.Authorization) diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go index a53252f72e7..b21f0002c34 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go @@ -24,6 +24,7 @@ import ( "net" "path" "strconv" + "time" "github.com/golang/glog" "github.com/pborman/uuid" @@ -34,6 +35,7 @@ import ( utilflag "k8s.io/apiserver/pkg/util/flag" "k8s.io/client-go/informers" "k8s.io/client-go/kubernetes" + "k8s.io/client-go/rest" certutil "k8s.io/client-go/util/cert" ) @@ -45,6 +47,9 @@ type SecureServingOptions struct { ServerCert GeneratableKeyCert // SNICertKeys are named CertKeys for serving secure traffic with SNI support. SNICertKeys []utilflag.NamedCertKey + + // when set determines whether to use loopback configuration to create shared informers. + useLoopbackCfg bool } type CertKey struct { @@ -136,6 +141,7 @@ func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { fs.MarkDeprecated("public-address-override", "see --bind-address instead.") } +// ApplyTo fills up serving information in the server configuration. func (s *SecureServingOptions) ApplyTo(c *server.Config) error { if s.BindPort <= 0 { return nil @@ -169,16 +175,39 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error { c.SecureServingInfo.SNICerts[server.LoopbackClientServerNameOverride] = &tlsCert } - // create shared informers - clientset, err := kubernetes.NewForConfig(c.LoopbackClientConfig) - if err != nil { - return err + // create shared informers, if not explicitly set use in cluster config. + // do not fail on an error, this allows an external API server to startup + // outside of a kube cluster. + var clientCfg *rest.Config + err = nil + if s.useLoopbackCfg { + clientCfg = c.LoopbackClientConfig + } else { + clientCfg, err = rest.InClusterConfig() } - c.SharedInformerFactory = informers.NewSharedInformerFactory(clientset, c.LoopbackClientConfig.Timeout) - + if err != nil { + glog.Errorf("Couldn't create in cluster config due to %v. SharedInformerFactory will not be set.", err) + return nil + } + clientset, err := kubernetes.NewForConfig(clientCfg) + if err != nil { + glog.Errorf("Couldn't create clientset due to %v. SharedInformerFactory will not be set.", err) + return nil + } + c.SharedInformerFactory = informers.NewSharedInformerFactory(clientset, 10*time.Minute) return nil } +// ForceLoopbackConfigUsage forces the usage of the loopback configuration +// to create SharedInformerFactory. The primary client of this method +// is kube API server, no other API server is the source of truth for kube APIs. +// +// Note: +// this method MUST be called prior to ApplyTo to take an effect. +func (s *SecureServingOptions) ForceLoopbackConfigUsage() { + s.useLoopbackCfg = true +} + func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { if s.BindPort <= 0 { return nil