Merge pull request #67060 from sttts/sttts-unify-insecure-serving

Automatic merge from submit-queue. If you want to cherry-pick this change to another branch, please follow the instructions <a href="https://github.com/kubernetes/community/blob/master/contributors/devel/cherry-picks.md">here</a>.

kube-{apiserver,ctrl-mgr}: unify into DeprecatedInsecureServingOptions

**What this PR does / why we need it**:

**Which issue(s) this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close the issue(s) when PR gets merged)*:
Fixes #

**Special notes for your reviewer**:

**Release note**:
```release-note

```

cmd/cloud-controller-manager/app/config/BUILD

@@ -6,7 +6,6 @@ go_library(
     importpath = "k8s.io/kubernetes/cmd/cloud-controller-manager/app/config",
     visibility = ["//visibility:public"],
     deps = [
-        "//cmd/controller-manager/app:go_default_library",
         "//pkg/apis/componentconfig:go_default_library",
         "//pkg/controller:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",

cmd/cloud-controller-manager/app/config/config.go

@@ -22,7 +22,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
-	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 	"k8s.io/kubernetes/pkg/controller"
 )
@@ -33,7 +32,7 @@ type Config struct {
 
 	SecureServing *apiserver.SecureServingInfo
 	// TODO: remove deprecated insecure serving
-	InsecureServing *genericcontrollermanager.InsecureServingInfo
+	InsecureServing *apiserver.DeprecatedInsecureServingInfo
 	Authentication  apiserver.AuthenticationInfo
 	Authorization   apiserver.AuthorizationInfo
 

cmd/cloud-controller-manager/app/options/options.go

@@ -63,7 +63,7 @@ type CloudControllerManagerOptions struct {
 
 	SecureServing *apiserveroptions.SecureServingOptions
 	// TODO: remove insecure serving mode
-	InsecureServing *cmoptions.InsecureServingOptions
+	InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
 	Authentication  *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization   *apiserveroptions.DelegatingAuthorizationOptions
 
@@ -90,7 +90,7 @@ func NewCloudControllerManagerOptions() (*CloudControllerManagerOptions, error)
 			ConcurrentServiceSyncs: componentConfig.ServiceController.ConcurrentServiceSyncs,
 		},
 		SecureServing: apiserveroptions.NewSecureServingOptions(),
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
 			BindPort:    int(componentConfig.KubeCloudShared.Port),
 			BindNetwork: "tcp",
@@ -140,7 +140,7 @@ func (o *CloudControllerManagerOptions) AddFlags(fs *pflag.FlagSet) {
 	o.ServiceController.AddFlags(fs)
 
 	o.SecureServing.AddFlags(fs)
-	o.InsecureServing.AddFlags(fs)
+	o.InsecureServing.AddUnqualifiedFlags(fs)
 	o.Authentication.AddFlags(fs)
 	o.Authorization.AddFlags(fs)
 

cmd/cloud-controller-manager/app/options/options_test.go

@@ -57,8 +57,8 @@ func TestDefaultFlags(t *testing.T) {
 			},
 		},
 		KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
-			Port:                      10253,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:                      10253,     // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address:                   "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address:                   "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 			RouteReconciliationPeriod: metav1.Duration{Duration: 10 * time.Second},
 			NodeMonitorPeriod:         metav1.Duration{Duration: 5 * time.Second},
 			ClusterName:               "kubernetes",
@@ -79,7 +79,7 @@ func TestDefaultFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 0,
 		},
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("0.0.0.0"),
 			BindPort:    int(10253),
 			BindNetwork: "tcp",
@@ -154,8 +154,8 @@ func TestAddFlags(t *testing.T) {
 			},
 		},
 		KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
-			Port:                      10253,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:                      10253,     // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address:                   "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address:                   "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 			RouteReconciliationPeriod: metav1.Duration{Duration: 30 * time.Second},
 			NodeMonitorPeriod:         metav1.Duration{Duration: 5 * time.Second},
 			ClusterName:               "k8s",
@@ -176,7 +176,7 @@ func TestAddFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 47,
 		},
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("192.168.4.10"),
 			BindPort:    int(10000),
 			BindNetwork: "tcp",

cmd/controller-manager/app/BUILD

@@ -4,7 +4,6 @@ go_library(
     name = "go_default_library",
     srcs = [
         "helper.go",
-        "insecure_serving.go",
         "serve.go",
     ],
     importpath = "k8s.io/kubernetes/cmd/controller-manager/app",

cmd/controller-manager/app/options/BUILD

@@ -6,19 +6,16 @@ go_library(
         "cloudprovider.go",
         "debugging.go",
         "generic.go",
-        "insecure_serving.go",
         "kubecloudshared.go",
         "servicecontroller.go",
     ],
     importpath = "k8s.io/kubernetes/cmd/controller-manager/app/options",
     visibility = ["//visibility:public"],
     deps = [
-        "//cmd/controller-manager/app:go_default_library",
         "//pkg/apis/componentconfig:go_default_library",
         "//pkg/client/leaderelectionconfig:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
         "//vendor/github.com/spf13/pflag:go_default_library",
     ],
 )

cmd/controller-manager/app/options/insecure_serving.go

@@ -1,105 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package options
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/spf13/pflag"
-
-	"k8s.io/apiserver/pkg/server/options"
-	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
-)
-
-// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-type InsecureServingOptions struct {
-	BindAddress net.IP
-	BindPort    int
-	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
-	// "tcp4", and "tcp6".
-	BindNetwork string
-
-	// Listener is the secure server network listener.
-	// either Listener or BindAddress/BindPort/BindNetwork is set,
-	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
-	Listener net.Listener
-
-	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
-	// It defaults to options.CreateListener.
-	ListenFunc func(network, addr string) (net.Listener, int, error)
-}
-
-// Validate ensures that the insecure port values within the range of the port.
-func (s *InsecureServingOptions) Validate() []error {
-	if s == nil {
-		return nil
-	}
-
-	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65335 {
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
-	}
-
-	return errors
-}
-
-// AddFlags adds flags related to insecure serving for controller manager to the specified FlagSet.
-func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
-	if s == nil {
-		return
-	}
-
-	fs.IPVar(&s.BindAddress, "address", s.BindAddress, "DEPRECATED: the IP address on which to listen for the --port port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces). See --bind-address instead.")
-	// MarkDeprecated hides the flag from the help. We don't want that:
-	// fs.MarkDeprecated("address", "see --bind-address instead.")
-	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: the port on which to serve HTTP insecurely without authentication and authorization. If 0, don't serve HTTPS at all. See --secure-port instead.")
-	// MarkDeprecated hides the flag from the help. We don't want that:
-	// fs.MarkDeprecated("port", "see --secure-port instead.")
-}
-
-// ApplyTo adds InsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
-// Note: the double pointer allows to set the *InsecureServingInfo to nil without referencing the struct hosting this pointer.
-func (s *InsecureServingOptions) ApplyTo(c **genericcontrollermanager.InsecureServingInfo) error {
-	if s == nil {
-		return nil
-	}
-	if s.BindPort <= 0 {
-		return nil
-	}
-
-	if s.Listener == nil {
-		var err error
-		listen := options.CreateListener
-		if s.ListenFunc != nil {
-			listen = s.ListenFunc
-		}
-		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
-		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
-		if err != nil {
-			return fmt.Errorf("failed to create listener: %v", err)
-		}
-	}
-
-	*c = &genericcontrollermanager.InsecureServingInfo{
-		Listener: s.Listener,
-	}
-
-	return nil
-}

cmd/kube-apiserver/app/options/options.go

@@ -41,7 +41,7 @@ type ServerRunOptions struct {
 	GenericServerRunOptions *genericoptions.ServerRunOptions
 	Etcd                    *genericoptions.EtcdOptions
 	SecureServing           *genericoptions.SecureServingOptionsWithLoopback
-	InsecureServing         *kubeoptions.InsecureServingOptions
+	InsecureServing         *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
 	Audit                   *genericoptions.AuditOptions
 	Features                *genericoptions.FeatureOptions
 	Admission               *kubeoptions.AdmissionOptions
@@ -128,7 +128,7 @@ func (s *ServerRunOptions) Flags() (fss apiserverflag.NamedFlagSets) {
 	s.Etcd.AddFlags(fss.FlagSet("etcd"))
 	s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
 	s.InsecureServing.AddFlags(fss.FlagSet("insecure serving"))
-	s.InsecureServing.AddDeprecatedFlags(fss.FlagSet("insecure serving"))
+	s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address`
 	s.Audit.AddFlags(fss.FlagSet("auditing"))
 	s.Features.AddFlags(fss.FlagSet("features"))
 	s.Authentication.AddFlags(fss.FlagSet("authentication"))

cmd/kube-apiserver/app/options/options_test.go

@@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) {
 			EnableWatchCache:        true,
 			DefaultWatchCacheSize:   100,
 		},
-		SecureServing: apiserveroptions.WithLoopback(&apiserveroptions.SecureServingOptions{
+		SecureServing: (&apiserveroptions.SecureServingOptions{
 			BindAddress: net.ParseIP("192.168.10.20"),
 			BindPort:    6443,
 			ServerCert: apiserveroptions.GeneratableKeyCert{
@@ -168,11 +168,11 @@ func TestAddFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 42,
 			Required:                     true,
-		}),
+		}).WithLoopback(),
-		InsecureServing: &kubeoptions.InsecureServingOptions{
+		InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("127.0.0.1"),
 			BindPort:    8080,
-		},
+		}).WithLoopback(),
 		EventTTL: 1 * time.Hour,
 		KubeletConfig: kubeletclient.KubeletClientConfig{
 			Port:         10250,

cmd/kube-apiserver/app/server.go

@@ -166,7 +166,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 		return nil, err
 	}
 
-	kubeAPIServerConfig, insecureServingOptions, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
+	kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
 	if err != nil {
 		return nil, err
 	}
@@ -204,9 +204,9 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 		return nil, err
 	}
 
-	if insecureServingOptions != nil {
+	if insecureServingInfo != nil {
 		insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
-		if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
+		if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
 			return nil, err
 		}
 	}
@@ -278,7 +278,7 @@ func CreateKubeAPIServerConfig(
 	proxyTransport *http.Transport,
 ) (
 	config *master.Config,
-	insecureServingInfo *kubeserver.InsecureServingInfo,
+	insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
 	serviceResolver aggregatorapiserver.ServiceResolver,
 	pluginInitializers []admission.PluginInitializer,
 	admissionPostStartHook genericapiserver.PostStartHookFunc,
@@ -421,7 +421,7 @@ func buildGenericConfig(
 	genericConfig *genericapiserver.Config,
 	sharedInformers informers.SharedInformerFactory,
 	versionedInformers clientgoinformers.SharedInformerFactory,
-	insecureServingInfo *kubeserver.InsecureServingInfo,
+	insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
 	serviceResolver aggregatorapiserver.ServiceResolver,
 	pluginInitializers []admission.PluginInitializer,
 	admissionPostStartHook genericapiserver.PostStartHookFunc,
@@ -435,7 +435,7 @@ func buildGenericConfig(
 		return
 	}
 
-	if insecureServingInfo, lastErr = s.InsecureServing.ApplyTo(genericConfig); lastErr != nil {
+	if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil {
 		return
 	}
 	if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
@@ -652,7 +652,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
 	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
 		return options, err
 	}
-	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
+	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil {
 		return options, err
 	}
 	serviceIPRange, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)

cmd/kube-controller-manager/app/config/BUILD

@@ -6,7 +6,6 @@ go_library(
     importpath = "k8s.io/kubernetes/cmd/kube-controller-manager/app/config",
     visibility = ["//visibility:public"],
     deps = [
-        "//cmd/controller-manager/app:go_default_library",
         "//pkg/apis/componentconfig:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/client-go/kubernetes:go_default_library",

cmd/kube-controller-manager/app/config/config.go

@@ -21,7 +21,6 @@ import (
 	clientset "k8s.io/client-go/kubernetes"
 	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/record"
-	genericcontrollermanager "k8s.io/kubernetes/cmd/controller-manager/app"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
 
@@ -31,7 +30,7 @@ type Config struct {
 
 	SecureServing *apiserver.SecureServingInfo
 	// TODO: remove deprecated insecure serving
-	InsecureServing *genericcontrollermanager.InsecureServingInfo
+	InsecureServing *apiserver.DeprecatedInsecureServingInfo
 	Authentication  apiserver.AuthenticationInfo
 	Authorization   apiserver.AuthorizationInfo
 

cmd/kube-controller-manager/app/options/options.go

@@ -85,7 +85,7 @@ type KubeControllerManagerOptions struct {
 
 	SecureServing *apiserveroptions.SecureServingOptions
 	// TODO: remove insecure serving mode
-	InsecureServing *cmoptions.InsecureServingOptions
+	InsecureServing *apiserveroptions.DeprecatedInsecureServingOptions
 	Authentication  *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization   *apiserveroptions.DelegatingAuthorizationOptions
 
@@ -178,7 +178,7 @@ func NewKubeControllerManagerOptions() (*KubeControllerManagerOptions, error) {
 		},
 		Controllers:   componentConfig.Controllers,
 		SecureServing: apiserveroptions.NewSecureServingOptions(),
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP(componentConfig.KubeCloudShared.Address),
 			BindPort:    int(componentConfig.KubeCloudShared.Port),
 			BindNetwork: "tcp",
@@ -234,7 +234,7 @@ func (s *KubeControllerManagerOptions) AddFlags(fs *pflag.FlagSet, allController
 	s.ServiceController.AddFlags(fs)
 
 	s.SecureServing.AddFlags(fs)
-	s.InsecureServing.AddFlags(fs)
+	s.InsecureServing.AddUnqualifiedFlags(fs)
 	s.Authentication.AddFlags(fs)
 	s.Authorization.AddFlags(fs)
 
@@ -341,10 +341,10 @@ func (s *KubeControllerManagerOptions) ApplyTo(c *kubecontrollerconfig.Config) e
 	if err := s.ServiceController.ApplyTo(&c.ComponentConfig.ServiceController); err != nil {
 		return err
 	}
-	if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+	if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
 		return err
 	}
-	if err := s.InsecureServing.ApplyTo(&c.InsecureServing); err != nil {
+	if err := s.SecureServing.ApplyTo(&c.SecureServing); err != nil {
 		return err
 	}
 	if err := s.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {

cmd/kube-controller-manager/app/options/options_test.go

@@ -140,8 +140,8 @@ func TestAddFlags(t *testing.T) {
 			},
 		},
 		KubeCloudShared: &cmoptions.KubeCloudSharedOptions{
-			Port:    10252,     // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Port:    10252,     // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
-			Address: "0.0.0.0", // Note: InsecureServingOptions.ApplyTo will write the flag value back into the component config
+			Address: "0.0.0.0", // Note: DeprecatedInsecureServingOptions.ApplyTo will write the flag value back into the component config
 			UseServiceAccountCredentials: true,
 			RouteReconciliationPeriod:    metav1.Duration{Duration: 30 * time.Second},
 			NodeMonitorPeriod:            metav1.Duration{Duration: 10 * time.Second},
@@ -253,7 +253,7 @@ func TestAddFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 47,
 		},
-		InsecureServing: &cmoptions.InsecureServingOptions{
+		InsecureServing: &apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("192.168.4.10"),
 			BindPort:    int(10000),
 			BindNetwork: "tcp",

cmd/kube-scheduler/app/config/BUILD

@@ -6,7 +6,6 @@ go_library(
     importpath = "k8s.io/kubernetes/cmd/kube-scheduler/app/config",
     visibility = ["//visibility:public"],
     deps = [
-        "//cmd/controller-manager/app:go_default_library",
         "//pkg/apis/componentconfig:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/client-go/informers:go_default_library",

cmd/kube-scheduler/app/config/config.go

@@ -24,7 +24,6 @@ import (
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/record"
-	"k8s.io/kubernetes/cmd/controller-manager/app"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
 
@@ -33,8 +32,8 @@ type Config struct {
 	// config is the scheduler server's configuration object.
 	ComponentConfig componentconfig.KubeSchedulerConfiguration
 
-	InsecureServing        *app.InsecureServingInfo // nil will disable serving on an insecure port
+	InsecureServing        *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
-	InsecureMetricsServing *app.InsecureServingInfo // non-nil if metrics should be served independently
+	InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
 	Authentication         apiserver.AuthenticationInfo
 	Authorization          apiserver.AuthorizationInfo
 	SecureServing          *apiserver.SecureServingInfo

cmd/kube-scheduler/app/options/BUILD

@@ -11,7 +11,6 @@ go_library(
     importpath = "k8s.io/kubernetes/cmd/kube-scheduler/app/options",
     visibility = ["//visibility:public"],
     deps = [
-        "//cmd/controller-manager/app/options:go_default_library",
         "//cmd/kube-scheduler/app/config:go_default_library",
         "//pkg/api/legacyscheme:go_default_library",
         "//pkg/apis/componentconfig:go_default_library",
@@ -64,7 +63,6 @@ go_test(
     ],
     embed = [":go_default_library"],
     deps = [
-        "//cmd/controller-manager/app/options:go_default_library",
         "//cmd/kube-scheduler/app/config:go_default_library",
         "//pkg/apis/componentconfig:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/apis/config:go_default_library",
@@ -72,5 +70,6 @@ go_test(
         "//staging/src/k8s.io/apimachinery/pkg/util/diff:go_default_library",
         "//staging/src/k8s.io/apimachinery/pkg/util/rand:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/apis/config:go_default_library",
+        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
     ],
 )

cmd/kube-scheduler/app/options/insecure_serving.go

@@ -23,16 +23,16 @@ import (
 
 	"github.com/spf13/pflag"
 
-	controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
 
 // CombinedInsecureServingOptions sets up up to two insecure listeners for healthz and metrics. The flags
-// override the ComponentConfig and InsecureServingOptions values for both.
+// override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
 type CombinedInsecureServingOptions struct {
-	Healthz *controlleroptions.InsecureServingOptions
+	Healthz *apiserveroptions.DeprecatedInsecureServingOptions
-	Metrics *controlleroptions.InsecureServingOptions
+	Metrics *apiserveroptions.DeprecatedInsecureServingOptions
 
 	BindPort    int    // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
 	BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
@@ -53,10 +53,10 @@ func (o *CombinedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 }
 
 func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, componentConfig *componentconfig.KubeSchedulerConfiguration) error {
-	if err := updateAddressFromInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
+	if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.HealthzBindAddress, o.Healthz); err != nil {
 		return err
 	}
-	if err := updateAddressFromInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
+	if err := updateAddressFromDeprecatedInsecureServingOptions(&componentConfig.MetricsBindAddress, o.Metrics); err != nil {
 		return err
 	}
 
@@ -98,17 +98,17 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp
 		return nil
 	}
 
-	if err := updateInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
+	if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Healthz, componentConfig.HealthzBindAddress); err != nil {
 		return fmt.Errorf("invalid healthz address: %v", err)
 	}
-	if err := updateInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
+	if err := updateDeprecatedInsecureServingOptionsFromAddress(o.Metrics, componentConfig.MetricsBindAddress); err != nil {
 		return fmt.Errorf("invalid metrics address: %v", err)
 	}
 
 	return o.applyTo(c, componentConfig)
 }
 
-func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions.InsecureServingOptions) error {
+func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error {
 	if is == nil {
 		*addr = ""
 	} else {
@@ -124,7 +124,7 @@ func updateAddressFromInsecureServingOptions(addr *string, is *controlleroptions
 	return nil
 }
 
-func updateInsecureServingOptionsFromAddress(is *controlleroptions.InsecureServingOptions, addr string) error {
+func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error {
 	if is == nil {
 		return nil
 	}

cmd/kube-scheduler/app/options/insecure_serving_test.go

@@ -23,7 +23,7 @@ import (
 	"testing"
 
 	"k8s.io/apimachinery/pkg/util/rand"
-	"k8s.io/kubernetes/cmd/controller-manager/app/options"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
 )
@@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1235",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &options.InsecureServingOptions{},
+					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &options.InsecureServingOptions{},
+					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort: 0,
 				},
 			},
@@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &options.InsecureServingOptions{},
+					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &options.InsecureServingOptions{},
+					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindPort:    1236,
 					BindAddress: "1.2.3.4",
 				},
@@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &options.InsecureServingOptions{},
+					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &options.InsecureServingOptions{},
+					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindAddress: "2.3.4.5",
 					BindPort:    1234,
 				},
@@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &options.InsecureServingOptions{},
+					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &options.InsecureServingOptions{},
+					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
 					BindAddress: "2.3.4.5",
 					BindPort:    0,
 				},

cmd/kube-scheduler/app/options/options.go

@@ -41,7 +41,6 @@ import (
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/leaderelection/resourcelock"
 	"k8s.io/client-go/tools/record"
-	controlleroptions "k8s.io/kubernetes/cmd/controller-manager/app/options"
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/apis/componentconfig"
@@ -86,10 +85,10 @@ func NewOptions() (*Options, error) {
 		ComponentConfig: *cfg,
 		SecureServing:   nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
 		CombinedInsecureServing: &CombinedInsecureServingOptions{
-			Healthz: &controlleroptions.InsecureServingOptions{
+			Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{
 				BindNetwork: "tcp",
 			},
-			Metrics: &controlleroptions.InsecureServingOptions{
+			Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{
 				BindNetwork: "tcp",
 			},
 			BindPort:    hport,

pkg/kubeapiserver/options/BUILD

@@ -27,7 +27,6 @@ go_library(
         "//pkg/kubeapiserver/authenticator:go_default_library",
         "//pkg/kubeapiserver/authorizer:go_default_library",
         "//pkg/kubeapiserver/authorizer/modes:go_default_library",
-        "//pkg/kubeapiserver/server:go_default_library",
         "//plugin/pkg/admission/admit:go_default_library",
         "//plugin/pkg/admission/alwayspullimages:go_default_library",
         "//plugin/pkg/admission/antiaffinity:go_default_library",

pkg/kubeapiserver/options/serving.go

@@ -20,20 +20,15 @@ package options
 import (
 	"fmt"
 	"net"
-	"strconv"
-
-	"github.com/spf13/pflag"
 
 	utilnet "k8s.io/apimachinery/pkg/util/net"
-	"k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
-	kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
 )
 
 // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
 // "normal" API servers running on the platform
 func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback {
-	return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
+	o := genericoptions.SecureServingOptions{
 		BindAddress: net.ParseIP("0.0.0.0"),
 		BindPort:    6443,
 		Required:    true,
@@ -41,20 +36,31 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
 			PairName:      "apiserver",
 			CertDirectory: "/var/run/kubernetes",
 		},
-	})
+	}
+	return o.WithLoopback()
+}
+
+// NewInsecureServingOptions gives default values for the kube-apiserver.
+// TODO: switch insecure serving off by default
+func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback {
+	o := genericoptions.DeprecatedInsecureServingOptions{
+		BindAddress: net.ParseIP("127.0.0.1"),
+		BindPort:    8080,
+	}
+	return o.WithLoopback()
 }
 
 // DefaultAdvertiseAddress sets the field AdvertiseAddress if
 // unset. The field will be set based on the SecureServingOptions. If
 // the SecureServingOptions is not present, DefaultExternalAddress
 // will fall back to the insecure ServingOptions.
-func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
+func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error {
 	if insecure == nil {
 		return nil
 	}
 
 	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
-		hostIP, err := insecure.DefaultExternalAddress()
+		hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress)
 		if err != nil {
 			return fmt.Errorf("unable to find suitable network address.error='%v'. "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err)
@@ -64,75 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec
 
 	return nil
 }
-
-// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-type InsecureServingOptions struct {
-	BindAddress net.IP
-	BindPort    int
-}
-
-// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-func NewInsecureServingOptions() *InsecureServingOptions {
-	return &InsecureServingOptions{
-		BindAddress: net.ParseIP("127.0.0.1"),
-		BindPort:    8080,
-	}
-}
-
-func (s InsecureServingOptions) Validate() []error {
-	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65535 {
-		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
-	}
-
-	return errors
-}
-
-func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
-	return utilnet.ChooseBindAddress(s.BindAddress)
-}
-
-func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
-		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
-	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-bind-address").Hidden = false
-
-	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
-		"The port on which to serve unsecured, unauthenticated access. It is assumed "+
-		"that firewall rules are set up such that this port is not reachable from outside of "+
-		"the cluster and that port 443 on the cluster's public address is proxied to this "+
-		"port. This is performed by nginx in the default setup. Set to zero to disable.")
-	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-port").Hidden = false
-}
-
-// TODO: remove it until kops stop using `--address`
-func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
-		"DEPRECATED: see --insecure-bind-address instead.")
-	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
-
-	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
-	fs.MarkDeprecated("port", "see --insecure-port instead.")
-}
-
-func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
-	if s.BindPort <= 0 {
-		return nil, nil
-	}
-
-	ret := &kubeserver.InsecureServingInfo{
-		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
-	}
-
-	var err error
-	if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(); err != nil {
-		return nil, err
-	}
-
-	return ret, nil
-}

pkg/kubeapiserver/server/BUILD

@@ -15,10 +15,7 @@ go_library(
         "//staging/src/k8s.io/apiserver/pkg/features:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/server/filters:go_default_library",
-        "//staging/src/k8s.io/apiserver/pkg/server/options:go_default_library",
         "//staging/src/k8s.io/apiserver/pkg/util/feature:go_default_library",
-        "//staging/src/k8s.io/client-go/rest:go_default_library",
-        "//vendor/github.com/golang/glog:go_default_library",
     ],
 )
 

pkg/kubeapiserver/server/insecure_handler.go

@@ -17,25 +17,19 @@ limitations under the License.
 package server
 
 import (
-	"net"
 	"net/http"
-	"time"
-
-	"github.com/golang/glog"
 
 	"k8s.io/apiserver/pkg/authentication/user"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 	"k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/server"
 	genericfilters "k8s.io/apiserver/pkg/server/filters"
-	"k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
-	"k8s.io/client-go/rest"
 )
 
-// InsecureServingInfo is required to serve http.  HTTP does NOT include authentication or authorization.
+// DeprecatedInsecureServingInfo is required to serve http.  HTTP does NOT include authentication or authorization.
 // You shouldn't be using this.  It makes sig-auth sad.
-// InsecureServingInfo *ServingInfo
+// DeprecatedInsecureServingInfo *ServingInfo
 
 func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
 	handler := apiHandler
@@ -55,76 +49,6 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
 	return handler
 }
 
-type InsecureServingInfo struct {
-	// BindAddress is the ip:port to serve on
-	BindAddress string
-	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
-	// "tcp4", and "tcp6".
-	BindNetwork string
-}
-
-func (s *InsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
-	if s == nil {
-		return nil, nil
-	}
-
-	host, port, err := server.LoopbackHostPort(s.BindAddress)
-	if err != nil {
-		return nil, err
-	}
-
-	return &rest.Config{
-		Host: "http://" + net.JoinHostPort(host, port),
-		// Increase QPS limits. The client is currently passed to all admission plugins,
-		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
-		// for more details. Once #22422 is fixed, we may want to remove it.
-		QPS:   50,
-		Burst: 100,
-	}, nil
-}
-
-// NonBlockingRun spawns the insecure http server. An error is
-// returned if the ports cannot be listened on.
-func NonBlockingRun(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
-	// Use an internal stop channel to allow cleanup of the listeners on error.
-	internalStopCh := make(chan struct{})
-
-	if insecureServingInfo != nil && insecureHandler != nil {
-		if err := serveInsecurely(insecureServingInfo, insecureHandler, shutDownTimeout, internalStopCh); err != nil {
-			close(internalStopCh)
-			return err
-		}
-	}
-
-	// Now that the listener has bound successfully, it is the
-	// responsibility of the caller to close the provided channel to
-	// ensure cleanup.
-	go func() {
-		<-stopCh
-		close(internalStopCh)
-	}()
-
-	return nil
-}
-
-// serveInsecurely run the insecure http server. It fails only if the initial listen
-// call fails. The actual server loop (stoppable by closing stopCh) runs in a go
-// routine, i.e. serveInsecurely does not block.
-func serveInsecurely(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
-	insecureServer := &http.Server{
-		Addr:           insecureServingInfo.BindAddress,
-		Handler:        insecureHandler,
-		MaxHeaderBytes: 1 << 20,
-	}
-	glog.Infof("Serving insecurely on %s", insecureServingInfo.BindAddress)
-	ln, _, err := options.CreateListener(insecureServingInfo.BindNetwork, insecureServingInfo.BindAddress)
-	if err != nil {
-		return err
-	}
-	err = server.RunServer(insecureServer, ln, shutDownTimeout, stopCh)
-	return err
-}
-
 // insecureSuperuser implements authenticator.Request to always return a superuser.
 // This is functionally equivalent to skipping authentication and authorization,
 // but allows apiserver code to stop special-casing a nil user to skip authorization checks.

staging/src/k8s.io/apiserver/pkg/server/BUILD

@@ -45,13 +45,14 @@ go_library(
     srcs = [
         "config.go",
         "config_selfclient.go",
+        "deprecated_insecure_serving.go",
         "doc.go",
         "genericapiserver.go",
         "handler.go",
         "healthz.go",
         "hooks.go",
         "plugins.go",
-        "serve.go",
+        "secure_serving.go",
         "signal.go",
         "signal_posix.go",
         "signal_windows.go",

staging/src/k8s.io/apiserver/pkg/server/deprecated_insecure_serving.go

@@ -14,7 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-package app
+package server
 
 import (
 	"net"
@@ -23,11 +23,11 @@ import (
 
 	"github.com/golang/glog"
 
-	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/rest"
 )
 
-// InsecureServingInfo is the main context object for the insecure http server.
+// DeprecatedInsecureServingInfo is the main context object for the insecure http server.
-type InsecureServingInfo struct {
+type DeprecatedInsecureServingInfo struct {
 	// Listener is the secure server network listener.
 	Listener net.Listener
 	// optional server name for log messages
@@ -36,7 +36,7 @@ type InsecureServingInfo struct {
 
 // Serve starts an insecure http server with the given handler. It fails only if
 // the initial listen call fails. It does not block.
-func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
+func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
 	insecureServer := &http.Server{
 		Addr:           s.Listener.Addr().String(),
 		Handler:        handler,
@@ -48,5 +48,25 @@ func (s *InsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.D
 	} else {
 		glog.Infof("Serving insecurely on %s", s.Listener.Addr())
 	}
-	return server.RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
+	return RunServer(insecureServer, s.Listener, shutdownTimeout, stopCh)
+}
+
+func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
+	if s == nil {
+		return nil, nil
+	}
+
+	host, port, err := LoopbackHostPort(s.Listener.Addr().String())
+	if err != nil {
+		return nil, err
+	}
+
+	return &rest.Config{
+		Host: "http://" + net.JoinHostPort(host, port),
+		// Increase QPS limits. The client is currently passed to all admission plugins,
+		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
+		// for more details. Once #22422 is fixed, we may want to remove it.
+		QPS:   50,
+		Burst: 100,
+	}, nil
 }

staging/src/k8s.io/apiserver/pkg/server/options/BUILD

@@ -9,6 +9,7 @@ go_library(
         "authentication.go",
         "authorization.go",
         "coreapi.go",
+        "deprecated_insecure_serving.go",
         "doc.go",
         "etcd.go",
         "feature.go",

staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go

@@ -0,0 +1,164 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package options
+
+import (
+	"fmt"
+	"net"
+
+	"github.com/spf13/pflag"
+
+	"k8s.io/apiserver/pkg/server"
+	"k8s.io/client-go/rest"
+)
+
+// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
+// No one should be using these anymore.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptions struct {
+	BindAddress net.IP
+	BindPort    int
+	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
+	// "tcp4", and "tcp6".
+	BindNetwork string
+
+	// Listener is the secure server network listener.
+	// either Listener or BindAddress/BindPort/BindNetwork is set,
+	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
+	Listener net.Listener
+
+	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
+	// It defaults to options.CreateListener.
+	ListenFunc func(network, addr string) (net.Listener, int, error)
+}
+
+// Validate ensures that the insecure port values within the range of the port.
+func (s *DeprecatedInsecureServingOptions) Validate() []error {
+	if s == nil {
+		return nil
+	}
+
+	errors := []error{}
+
+	if s.BindPort < 0 || s.BindPort > 65335 {
+		errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65335, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
+	}
+
+	return errors
+}
+
+// AddFlags adds flags related to insecure serving to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
+		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
+	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-bind-address").Hidden = false
+
+	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
+		"The port on which to serve unsecured, unauthenticated access.")
+	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
+	fs.Lookup("insecure-port").Hidden = false
+}
+
+// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
+func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
+	if s == nil {
+		return
+	}
+
+	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
+		"DEPRECATED: see --bind-address instead.")
+	fs.MarkDeprecated("address", "see --bind-address instead.")
+
+	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --secure-port instead.")
+	fs.MarkDeprecated("port", "see --secure-port instead.")
+}
+
+// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo amd kube-controller manager configuration.
+// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
+func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
+	if s == nil {
+		return nil
+	}
+	if s.BindPort <= 0 {
+		return nil
+	}
+
+	if s.Listener == nil {
+		var err error
+		listen := CreateListener
+		if s.ListenFunc != nil {
+			listen = s.ListenFunc
+		}
+		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
+		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr)
+		if err != nil {
+			return fmt.Errorf("failed to create listener: %v", err)
+		}
+	}
+
+	*c = &server.DeprecatedInsecureServingInfo{
+		Listener: s.Listener,
+	}
+
+	return nil
+}
+
+// WithLoopback adds loopback functionality to the serving options.
+func (o *DeprecatedInsecureServingOptions) WithLoopback() *DeprecatedInsecureServingOptionsWithLoopback {
+	return &DeprecatedInsecureServingOptionsWithLoopback{o}
+}
+
+// DeprecatedInsecureServingOptionsWithLoopback adds loopback functionality to the DeprecatedInsecureServingOptions.
+// DEPRECATED: all insecure serving options are removed in a future version
+type DeprecatedInsecureServingOptionsWithLoopback struct {
+	*DeprecatedInsecureServingOptions
+}
+
+// ApplyTo fills up serving information in the server configuration.
+func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingInfo **server.DeprecatedInsecureServingInfo, loopbackClientConfig **rest.Config) error {
+	if s == nil || s.DeprecatedInsecureServingOptions == nil || insecureServingInfo == nil {
+		return nil
+	}
+
+	if err := s.DeprecatedInsecureServingOptions.ApplyTo(insecureServingInfo); err != nil {
+		return err
+	}
+
+	if *insecureServingInfo == nil || loopbackClientConfig == nil {
+		return nil
+	}
+
+	secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
+	switch {
+	// if we failed and there's no fallback loopback client config, we need to fail
+	case err != nil && secureLoopbackClientConfig == nil:
+		return err
+
+		// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
+	case err != nil && secureLoopbackClientConfig != nil:
+
+	default:
+		*loopbackClientConfig = secureLoopbackClientConfig
+	}
+
+	return nil
+}

staging/src/k8s.io/apiserver/pkg/server/options/recommended.go

@@ -54,7 +54,7 @@ func NewRecommendedOptions(prefix string, codec runtime.Codec) *RecommendedOptio
 
 	return &RecommendedOptions{
 		Etcd:                       NewEtcdOptions(storagebackend.NewDefaultConfig(prefix, codec)),
-		SecureServing:              WithLoopback(sso),
+		SecureServing:              sso.WithLoopback(),
 		Authentication:             NewDelegatingAuthenticationOptions(),
 		Authorization:              NewDelegatingAuthorizationOptions(),
 		Audit:                      NewAuditOptions(),

staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go

@@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) {
 			config.Version = &v
 
 			config.EnableIndex = true
-			secureOptions := WithLoopback(&SecureServingOptions{
+			secureOptions := (&SecureServingOptions{
 				BindAddress: net.ParseIP("127.0.0.1"),
 				BindPort:    6443,
 				ServerCert: GeneratableKeyCert{
@@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) {
 					},
 				},
 				SNICertKeys: namedCertKeys,
-			})
+			}).WithLoopback()
 			// use a random free port
 			ln, err := net.Listen("tcp", "127.0.0.1:0")
 			if err != nil {

staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go

@@ -31,7 +31,7 @@ type SecureServingOptionsWithLoopback struct {
 	*SecureServingOptions
 }
 
-func WithLoopback(o *SecureServingOptions) *SecureServingOptionsWithLoopback {
+func (o *SecureServingOptions) WithLoopback() *SecureServingOptionsWithLoopback {
 	return &SecureServingOptionsWithLoopback{o}
 }