diff --git a/cmd/cloud-controller-manager/app/options/options.go b/cmd/cloud-controller-manager/app/options/options.go
index f3f602424e9..d152aae2d03 100644
--- a/cmd/cloud-controller-manager/app/options/options.go
+++ b/cmd/cloud-controller-manager/app/options/options.go
@@ -95,11 +95,15 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 			BindPort: int(componentConfig.KubeCloudShared.Port),
 			BindNetwork: "tcp",
 		},
-		Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
-		Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
+		Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
+		Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
 		NodeStatusUpdateFrequency: componentConfig.NodeStatusUpdateFrequency,
 	}
 
+	s.Authentication.RemoteKubeConfigFileOptional = true
+	s.Authorization.RemoteKubeConfigFileOptional = true
+	s.Authorization.AlwaysAllowPaths = []string{"/healthz"}
+
 	s.SecureServing.ServerCert.CertDirectory = "/var/run/kubernetes"
 	s.SecureServing.ServerCert.PairName = "cloud-controller-manager"
 	s.SecureServing.BindPort = ports.CloudControllerManagerPort
@@ -175,11 +179,13 @@ func (o *CloudControllerManagerOptions) ApplyTo(c *cloudcontrollerconfig.Config,
 	if err = o.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
 		return err
 	}
-	if err = o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
-		return err
-	}
-	if err = o.Authorization.ApplyTo(&c.Authorization); err != nil {
-		return err
+	if o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil {
+		if err = o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
+			return err
+		}
+		if err = o.Authorization.ApplyTo(&c.Authorization); err != nil {
+			return err
+		}
 	}
 
 	c.Kubeconfig, err = clientcmd.BuildConfigFromFlags(o.Master, o.Kubeconfig)
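Review bot: `s.Authorization.AlwaysAllowPaths = []string{"/healthz"}` is set without a comment, while the fixture in options_test.go carries the note that the entry matches only the exact path; that caveat belongs at the definition, since anyone extending the allow-list needs to know that `"/healthz"` does not cover `"/healthz/"` or sub-paths. Suggest `// Entries are exact-match: "/healthz" does not cover "/healthz/" or sub-paths.` on the line above. Setting `RemoteKubeConfigFileOptional = true` on both options means a missing delegating kubeconfig is tolerated rather than rejected at startup, so a one-line comment stating what the component then falls back to (as defined by the apiserver options library — I cannot confirm that behaviour from this hunk) would save the next reader a trip into that package. NewCloudControllerManagerOptions continues outside the hunk.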
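Review bot: The gate `if o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil` leaves `c.Authentication` and `c.Authorization` at their zero values whenever secure serving is off, and nothing in the hunk records why that is acceptable; a reader of ApplyTo has to infer that both only matter for the secure listener. Suggest a comment on the `if`: `// Delegated authn/authz are only wired when the secure listener is enabled; they have no effect without c.SecureServing.` The condition also re-derives "secure serving is enabled" by hand; if `SecureServingOptions` already exposes that check (I cannot confirm from here), calling it would keep the two in step when the enablement rule changes. ApplyTo's body continues outside the hunk.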
diff --git a/cmd/cloud-controller-manager/app/options/options_test.go b/cmd/cloud-controller-manager/app/options/options_test.go
index 83e79f8396e..d71a190c598 100644
--- a/cmd/cloud-controller-manager/app/options/options_test.go
+++ b/cmd/cloud-controller-manager/app/options/options_test.go
@@ -71,7 +71,7 @@ func TestDefaultFlags(t *testing.T) {
 			ConcurrentServiceSyncs: 1,
 		},
 		SecureServing: &apiserveroptions.SecureServingOptions{
-			BindPort: 0,
+			BindPort: 10258,
 			BindAddress: net.ParseIP("0.0.0.0"),
 			ServerCert: apiserveroptions.GeneratableKeyCert{
 				CertDirectory: "/var/run/kubernetes",
@@ -84,6 +84,22 @@ func TestDefaultFlags(t *testing.T) {
 			BindPort: int(10253),
 			BindNetwork: "tcp",
 		},
+		Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
+			CacheTTL: 10 * time.Second,
+			ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
+			RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
+				UsernameHeaders: []string{"x-remote-user"},
+				GroupHeaders: []string{"x-remote-group"},
+				ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+			},
+			RemoteKubeConfigFileOptional: true,
+		},
+		Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
+			AllowCacheTTL: 10 * time.Second,
+			DenyCacheTTL: 10 * time.Second,
+			RemoteKubeConfigFileOptional: true,
+			AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
+		},
 		Kubeconfig: "",
 		Master: "",
 		NodeStatusUpdateFrequency: metav1.Duration{Duration: 5 * time.Minute},
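Review bot: The expected `Authentication`/`Authorization` fixtures added to TestDefaultFlags are repeated verbatim in the TestAddFlags hunk of this file, so any change to the defaults (header names, cache TTLs, the `/healthz` allow-list) must be edited in two places; extracting them into a small helper such as `expectedDelegatingAuthOptions()` used by both tests would keep them in sync. The comment on `AlwaysAllowPaths` reads as cut off (`// note: this does not match /healthz/ or`) — finish the sentence so the exact-match caveat is actually stated. The expected secure `BindPort` moves from 0 to 10258, but the options.go hunks visible here leave the `ports.CloudControllerManagerPort` assignment as context and show no removed reset to 0, so presumably that change lives elsewhere in the file; worth confirming, since read together with the ApplyTo gate it means the delegated authn/authz path is now exercised by default.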
@@ -183,6 +199,22 @@ func TestAddFlags(t *testing.T) {
 			BindPort: int(10000),
 			BindNetwork: "tcp",
 		},
+		Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
+			CacheTTL: 10 * time.Second,
+			ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
+			RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
+				UsernameHeaders: []string{"x-remote-user"},
+				GroupHeaders: []string{"x-remote-group"},
+				ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+			},
+			RemoteKubeConfigFileOptional: true,
+		},
+		Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
+			AllowCacheTTL: 10 * time.Second,
+			DenyCacheTTL: 10 * time.Second,
+			RemoteKubeConfigFileOptional: true,
+			AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or
+		},
 		Kubeconfig: "/kubeconfig",
 		Master: "192.168.4.20",
 		NodeStatusUpdateFrequency: metav1.Duration{Duration: 10 * time.Minute},