mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-09-21 09:57:52 +00:00
Merge pull request #67060 from sttts/sttts-unify-insecure-serving
Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>. kube-{apiserver,ctrl-mgr}: unify into DeprecatedInsecureServingOptions **What this PR does / why we need it**: **Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*: Fixes # **Special notes for your reviewer**: **Release note**: ```release-note ```
This commit is contained in:
Kubernetes Submit Queue
GitHub
@@ -27,7 +27,6 @@ go_library(
|
||||
"//pkg/kubeapiserver/authenticator:go_default_library",
|
||||
"//pkg/kubeapiserver/authorizer:go_default_library",
|
||||
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
||||
"//pkg/kubeapiserver/server:go_default_library",
|
||||
"//plugin/pkg/admission/admit:go_default_library",
|
||||
"//plugin/pkg/admission/alwayspullimages:go_default_library",
|
||||
"//plugin/pkg/admission/antiaffinity:go_default_library",
|
||||
|
||||
@@ -20,20 +20,15 @@ package options
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"strconv"
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
genericoptions "k8s.io/apiserver/pkg/server/options"
|
||||
kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
|
||||
)
|
||||
|
||||
// NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
|
||||
// "normal" API servers running on the platform
|
||||
func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback {
|
||||
return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
|
||||
o := genericoptions.SecureServingOptions{
|
||||
BindAddress: net.ParseIP("0.0.0.0"),
|
||||
BindPort: 6443,
|
||||
Required: true,
|
||||
@@ -41,20 +36,31 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
|
||||
PairName: "apiserver",
|
||||
CertDirectory: "/var/run/kubernetes",
|
||||
},
|
||||
})
|
||||
}
|
||||
return o.WithLoopback()
|
||||
}
|
||||
|
||||
// NewInsecureServingOptions gives default values for the kube-apiserver.
|
||||
// TODO: switch insecure serving off by default
|
||||
func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback {
|
||||
o := genericoptions.DeprecatedInsecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}
|
||||
return o.WithLoopback()
|
||||
}
|
||||
|
||||
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
|
||||
// unset. The field will be set based on the SecureServingOptions. If
|
||||
// the SecureServingOptions is not present, DefaultExternalAddress
|
||||
// will fall back to the insecure ServingOptions.
|
||||
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
|
||||
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error {
|
||||
if insecure == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
||||
hostIP, err := insecure.DefaultExternalAddress()
|
||||
hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to find suitable network address.error='%v'. "+
|
||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err)
|
||||
@@ -64,75 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
|
||||
// No one should be using these anymore.
|
||||
type InsecureServingOptions struct {
|
||||
BindAddress net.IP
|
||||
BindPort int
|
||||
}
|
||||
|
||||
// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
|
||||
// No one should be using these anymore.
|
||||
func NewInsecureServingOptions() *InsecureServingOptions {
|
||||
return &InsecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}
|
||||
}
|
||||
|
||||
func (s InsecureServingOptions) Validate() []error {
|
||||
errors := []error{}
|
||||
|
||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
|
||||
}
|
||||
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
|
||||
return utilnet.ChooseBindAddress(s.BindAddress)
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
|
||||
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
|
||||
fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
|
||||
fs.Lookup("insecure-bind-address").Hidden = false
|
||||
|
||||
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
|
||||
"The port on which to serve unsecured, unauthenticated access. It is assumed "+
|
||||
"that firewall rules are set up such that this port is not reachable from outside of "+
|
||||
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
||||
"port. This is performed by nginx in the default setup. Set to zero to disable.")
|
||||
fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
|
||||
fs.Lookup("insecure-port").Hidden = false
|
||||
}
|
||||
|
||||
// TODO: remove it until kops stop using `--address`
|
||||
func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
|
||||
"DEPRECATED: see --insecure-bind-address instead.")
|
||||
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
|
||||
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
|
||||
if s.BindPort <= 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
ret := &kubeserver.InsecureServingInfo{
|
||||
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||
}
|
||||
|
||||
var err error
|
||||
if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return ret, nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user