move insecure options to kubeapiserver

2025-07-24 20:24:09 +00:00 · 2017-03-09 13:51:59 -05:00 · 2017-03-09 13:51:59 -05:00 · c2f8ef1b1a
commit c2f8ef1b1a
parent d6c5f05954
12 changed files with 151 additions and 118 deletions
--- a/cmd/kube-apiserver/app/BUILD
+++ b/cmd/kube-apiserver/app/BUILD
@ -32,6 +32,7 @@ go_library(
        "//pkg/kubeapiserver:go_default_library",
        "//pkg/kubeapiserver/admission:go_default_library",
        "//pkg/kubeapiserver/authenticator:go_default_library",
        "//pkg/kubeapiserver/options:go_default_library",
        "//pkg/master:go_default_library",
        "//pkg/master/thirdparty:go_default_library",
        "//pkg/master/tunneler:go_default_library",
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@ -44,7 +44,7 @@ type ServerRunOptions struct {
 	GenericServerRunOptions *genericoptions.ServerRunOptions
 	Etcd                    *genericoptions.EtcdOptions
 	SecureServing           *genericoptions.SecureServingOptions
-	InsecureServing         *genericoptions.ServingOptions
+	InsecureServing         *kubeoptions.InsecureServingOptions
 	Audit                   *genericoptions.AuditLogOptions
 	Features                *genericoptions.FeatureOptions
 	Authentication          *kubeoptions.BuiltInAuthenticationOptions
@ -74,7 +74,7 @@ func NewServerRunOptions() *ServerRunOptions {
 		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
 		Etcd:                 genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
 		SecureServing:        kubeoptions.NewSecureServingOptions(),
-		InsecureServing:      genericoptions.NewInsecureServingOptions(),
+		InsecureServing:      kubeoptions.NewInsecureServingOptions(),
 		Audit:                genericoptions.NewAuditLogOptions(),
 		Features:             genericoptions.NewFeatureOptions(),
 		Authentication:       kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -66,6 +66,7 @@ import (
 	"k8s.io/kubernetes/pkg/kubeapiserver"
 	kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 	kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
 	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 	"k8s.io/kubernetes/pkg/master"
 	"k8s.io/kubernetes/pkg/master/tunneler"
 	"k8s.io/kubernetes/pkg/registry/cachesize"
@ -441,7 +442,11 @@ func BuildStorageFactory(s *options.ServerRunOptions) (*serverstorage.DefaultSto
 }
 func defaultOptions(s *options.ServerRunOptions) error {
-	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing, s.InsecureServing); err != nil {
+	// set defaults
 	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil {
 		return err
 	}
 	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
 		return err
 	}
 	_, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)
--- a/federation/cmd/federation-apiserver/app/BUILD
+++ b/federation/cmd/federation-apiserver/app/BUILD
@ -41,6 +41,7 @@ go_library(
        "//pkg/generated/openapi:go_default_library",
        "//pkg/kubeapiserver:go_default_library",
        "//pkg/kubeapiserver/admission:go_default_library",
        "//pkg/kubeapiserver/options:go_default_library",
        "//pkg/registry/autoscaling/horizontalpodautoscaler/storage:go_default_library",
        "//pkg/registry/batch/job/storage:go_default_library",
        "//pkg/registry/cachesize:go_default_library",
--- a/federation/cmd/federation-apiserver/app/options/options.go
+++ b/federation/cmd/federation-apiserver/app/options/options.go
@ -36,7 +36,7 @@ type ServerRunOptions struct {
 	GenericServerRunOptions *genericoptions.ServerRunOptions
 	Etcd                    *genericoptions.EtcdOptions
 	SecureServing           *genericoptions.SecureServingOptions
-	InsecureServing         *genericoptions.ServingOptions
+	InsecureServing         *kubeoptions.InsecureServingOptions
 	Audit                   *genericoptions.AuditLogOptions
 	Features                *genericoptions.FeatureOptions
 	Authentication          *kubeoptions.BuiltInAuthenticationOptions
@ -54,7 +54,7 @@ func NewServerRunOptions() *ServerRunOptions {
 		GenericServerRunOptions: genericoptions.NewServerRunOptions(),
 		Etcd:                 genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
 		SecureServing:        kubeoptions.NewSecureServingOptions(),
-		InsecureServing:      genericoptions.NewInsecureServingOptions(),
+		InsecureServing:      kubeoptions.NewInsecureServingOptions(),
 		Audit:                genericoptions.NewAuditLogOptions(),
 		Features:             genericoptions.NewFeatureOptions(),
 		Authentication:       kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
--- a/federation/cmd/federation-apiserver/app/server.go
+++ b/federation/cmd/federation-apiserver/app/server.go
@ -45,6 +45,7 @@ import (
 	"k8s.io/kubernetes/pkg/generated/openapi"
 	"k8s.io/kubernetes/pkg/kubeapiserver"
 	kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
 	kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
 	"k8s.io/kubernetes/pkg/registry/cachesize"
 	"k8s.io/kubernetes/pkg/routes"
 	"k8s.io/kubernetes/pkg/version"
@ -81,7 +82,10 @@ func Run(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
 // stop with the given channel.
 func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
 	// set defaults
-	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing, s.InsecureServing); err != nil {
+	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil {
 		return err
 	}
 	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
 		return err
 	}
 	if err := s.SecureServing.MaybeDefaultWithSelfSignedCerts(s.GenericServerRunOptions.AdvertiseAddress.String(), nil, nil); err != nil {
--- a/pkg/kubeapiserver/options/BUILD
+++ b/pkg/kubeapiserver/options/BUILD
@ -28,8 +28,10 @@ go_library(
        "//pkg/kubeapiserver/authorizer:go_default_library",
        "//pkg/kubeapiserver/authorizer/modes:go_default_library",
        "//vendor:github.com/golang/glog",
        "//vendor:github.com/pborman/uuid",
        "//vendor:github.com/spf13/pflag",
        "//vendor:k8s.io/apimachinery/pkg/runtime/schema",
        "//vendor:k8s.io/apimachinery/pkg/util/net",
        "//vendor:k8s.io/apiserver/pkg/server",
        "//vendor:k8s.io/apiserver/pkg/server/options",
        "//vendor:k8s.io/apiserver/pkg/util/flag",
--- a/pkg/kubeapiserver/options/serving.go
+++ b/pkg/kubeapiserver/options/serving.go
@ -18,8 +18,15 @@ limitations under the License.
 package options
 import (
 	"fmt"
 	"net"
 	"strconv"
 	"github.com/pborman/uuid"
 	"github.com/spf13/pflag"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 )
@ -27,13 +34,101 @@ import (
 // "normal" API servers running on the platform
 func NewSecureServingOptions() *genericoptions.SecureServingOptions {
 	return &genericoptions.SecureServingOptions{
 		ServingOptions: genericoptions.ServingOptions{
 		BindAddress: net.ParseIP("0.0.0.0"),
 		BindPort:    6443,
 		},
 		ServerCert: genericoptions.GeneratableKeyCert{
 			PairName:      "apiserver",
 			CertDirectory: "/var/run/kubernetes",
 		},
 	}
 }
 // DefaultAdvertiseAddress sets the field AdvertiseAddress if
 // unset. The field will be set based on the SecureServingOptions. If
 // the SecureServingOptions is not present, DefaultExternalAddress
 // will fall back to the insecure ServingOptions.
 func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
 	if insecure == nil {
 		return nil
 	}
 	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
 		hostIP, err := insecure.DefaultExternalAddress()
 		if err != nil {
 			return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
 		}
 		s.AdvertiseAddress = hostIP
 	}
 	return nil
 }
 // InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
 // No one should be using these anymore.
 type InsecureServingOptions struct {
 	BindAddress net.IP
 	BindPort    int
 }
 // NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
 // No one should be using these anymore.
 func NewInsecureServingOptions() *InsecureServingOptions {
 	return &InsecureServingOptions{
 		BindAddress: net.ParseIP("127.0.0.1"),
 		BindPort:    8080,
 	}
 }
 func (s InsecureServingOptions) Validate(portArg string) []error {
 	errors := []error{}
 	if s.BindPort < 0 || s.BindPort > 65535 {
 		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
 	}
 	return errors
 }
 func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
 	return utilnet.ChooseBindAddress(s.BindAddress)
 }
 func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
 		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
 		"Defaults to localhost.")
 	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
 		"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
 		"that firewall rules are set up such that this port is not reachable from outside of "+
 		"the cluster and that port 443 on the cluster's public address is proxied to this "+
 		"port. This is performed by nginx in the default setup.")
 }
 func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
 		"DEPRECATED: see --insecure-bind-address instead.")
 	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
 	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
 	fs.MarkDeprecated("port", "see --insecure-port instead.")
 }
 func (s *InsecureServingOptions) ApplyTo(c *server.Config) error {
 	if s.BindPort <= 0 {
 		return nil
 	}
 	c.InsecureServingInfo = &server.ServingInfo{
 		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
 	}
 	var err error
 	privilegedLoopbackToken := uuid.NewRandom().String()
 	if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
 		return err
 	}
 	return nil
 }
--- a/staging/src/k8s.io/apiserver/pkg/server/options/server_run_options.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/server_run_options.go
@ -71,30 +71,20 @@ func (s *ServerRunOptions) ApplyTo(c *server.Config) error {
 	return nil
 }
-// DefaultAdvertiseAddress sets the field AdvertiseAddress if
+// DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions.
-// unset. The field will be set based on the SecureServingOptions. If
+func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions) error {
-// the SecureServingOptions is not present, DefaultExternalAddress
+	if secure == nil {
-// will fall back to the insecure ServingOptions.
+		return nil
 func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions, insecure *ServingOptions) error {
 	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
 		switch {
 		case secure != nil:
 			hostIP, err := secure.ServingOptions.DefaultExternalAddress()
 			if err != nil {
 				return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
 					"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
 	}
 			s.AdvertiseAddress = hostIP
-		case insecure != nil:
+	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
-			hostIP, err := insecure.DefaultExternalAddress()
+		hostIP, err := secure.DefaultExternalAddress()
 		if err != nil {
 			return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
 		}
 		s.AdvertiseAddress = hostIP
 	}
 	}
 	return nil
 }
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
@ -35,13 +35,9 @@ import (
 	certutil "k8s.io/client-go/util/cert"
 )
-type ServingOptions struct {
+type SecureServingOptions struct {
 	BindAddress net.IP
 	BindPort    int
 }
 type SecureServingOptions struct {
 	ServingOptions ServingOptions
 	// ServerCert is the TLS cert info for serving secure traffic
 	ServerCert GeneratableKeyCert
@ -71,10 +67,8 @@ type GeneratableKeyCert struct {
 func NewSecureServingOptions() *SecureServingOptions {
 	return &SecureServingOptions{
 		ServingOptions: ServingOptions{
 		BindAddress: net.ParseIP("0.0.0.0"),
 		BindPort:    443,
 		},
 		ServerCert: GeneratableKeyCert{
 			PairName:      "apiserver",
 			CertDirectory: "apiserver.local.config/certificates",
@ -82,23 +76,27 @@ func NewSecureServingOptions() *SecureServingOptions {
 	}
 }
 func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error) {
 	return utilnet.ChooseBindAddress(s.BindAddress)
 }
 func (s *SecureServingOptions) Validate() []error {
 	errors := []error{}
-	if s == nil {
+
-		return errors
+	if s.BindPort < 0 || s.BindPort > 65535 {
 		errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
 	}
 	errors = append(errors, s.ServingOptions.Validate("secure-port")...)
 	return errors
 }
 func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+
+	fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+
 		"The IP address on which to listen for the --secure-port port. The "+
 		"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
 		"clients. If blank, all interfaces will be used (0.0.0.0).")
-	fs.IntVar(&s.ServingOptions.BindPort, "secure-port", s.ServingOptions.BindPort, ""+
+	fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
 		"The port on which to serve HTTPS with authentication and authorization. If 0, "+
 		"don't serve HTTPS at all.")
@ -131,13 +129,13 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 }
 func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
-	fs.IPVar(&s.ServingOptions.BindAddress, "public-address-override", s.ServingOptions.BindAddress,
+	fs.IPVar(&s.BindAddress, "public-address-override", s.BindAddress,
 		"DEPRECATED: see --bind-address instead.")
 	fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
 }
 func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
-	if s.ServingOptions.BindPort <= 0 {
+	if s.BindPort <= 0 {
 		return nil
 	}
 	if err := s.applyServingInfoTo(c); err != nil {
@ -173,13 +171,13 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 }
 func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
-	if s.ServingOptions.BindPort <= 0 {
+	if s.BindPort <= 0 {
 		return nil
 	}
 	secureServingInfo := &server.SecureServingInfo{
 		ServingInfo: server.ServingInfo{
-			BindAddress: net.JoinHostPort(s.ServingOptions.BindAddress.String(), strconv.Itoa(s.ServingOptions.BindPort)),
+			BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
 		},
 	}
@ -231,67 +229,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
 	}
 	c.SecureServingInfo = secureServingInfo
-	c.ReadWritePort = s.ServingOptions.BindPort
+	c.ReadWritePort = s.BindPort
 	return nil
 }
 func NewInsecureServingOptions() *ServingOptions {
 	return &ServingOptions{
 		BindAddress: net.ParseIP("127.0.0.1"),
 		BindPort:    8080,
 	}
 }
 func (s ServingOptions) Validate(portArg string) []error {
 	errors := []error{}
 	if s.BindPort < 0 || s.BindPort > 65535 {
 		errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
 	}
 	return errors
 }
 func (s *ServingOptions) DefaultExternalAddress() (net.IP, error) {
 	return utilnet.ChooseBindAddress(s.BindAddress)
 }
 func (s *ServingOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
 		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
 		"Defaults to localhost.")
 	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
 		"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
 		"that firewall rules are set up such that this port is not reachable from outside of "+
 		"the cluster and that port 443 on the cluster's public address is proxied to this "+
 		"port. This is performed by nginx in the default setup.")
 }
 func (s *ServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
 		"DEPRECATED: see --insecure-bind-address instead.")
 	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
 	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
 	fs.MarkDeprecated("port", "see --insecure-port instead.")
 }
 func (s *ServingOptions) ApplyTo(c *server.Config) error {
 	if s.BindPort <= 0 {
 		return nil
 	}
 	c.InsecureServingInfo = &server.ServingInfo{
 		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
 	}
 	var err error
 	privilegedLoopbackToken := uuid.NewRandom().String()
 	if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
 		return err
 	}
 	return nil
 }
@ -301,7 +239,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
 		return nil
 	}
 	keyCert := &s.ServerCert.CertKey
-	if s.ServingOptions.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 {
+	if s.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 {
 		return nil
 	}
@ -314,11 +252,11 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
 	}
 	if !canReadCertAndKey {
 		// add either the bind address or localhost to the valid alternates
-		bindIP := s.ServingOptions.BindAddress.String()
+		bindIP := s.BindAddress.String()
 		if bindIP == "0.0.0.0" {
 			alternateDNS = append(alternateDNS, "localhost")
 		} else {
-			alternateIPs = append(alternateIPs, s.ServingOptions.BindAddress)
+			alternateIPs = append(alternateIPs, s.BindAddress)
 		}
 		if cert, key, err := certutil.GenerateSelfSignedCertKey(publicAddress, alternateIPs, alternateDNS); err != nil {
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
@ -459,10 +459,8 @@ NextTest:
 			config.EnableIndex = true
 			secureOptions := &SecureServingOptions{
 				ServingOptions: ServingOptions{
 				BindAddress: net.ParseIP("127.0.0.1"),
 				BindPort:    6443,
 				},
 				ServerCert: GeneratableKeyCert{
 					CertKey: CertKey{
 						CertFile: serverCertBundleFile,
--- a/staging/src/k8s.io/kube-aggregator/pkg/cmd/server/start.go
+++ b/staging/src/k8s.io/kube-aggregator/pkg/cmd/server/start.go
@ -96,7 +96,6 @@ func NewDefaultOptions(out, err io.Writer) *AggregatorOptions {
 		StdOut: out,
 		StdErr: err,
 	}
 	o.RecommendedOptions.SecureServing.ServingOptions.BindPort = 443
 	return o
 }