move insecure options to kubeapiserver
This commit is contained in:
parent
d6c5f05954
commit
c2f8ef1b1a
@ -32,6 +32,7 @@ go_library(
|
|||||||
"//pkg/kubeapiserver:go_default_library",
|
"//pkg/kubeapiserver:go_default_library",
|
||||||
"//pkg/kubeapiserver/admission:go_default_library",
|
"//pkg/kubeapiserver/admission:go_default_library",
|
||||||
"//pkg/kubeapiserver/authenticator:go_default_library",
|
"//pkg/kubeapiserver/authenticator:go_default_library",
|
||||||
|
"//pkg/kubeapiserver/options:go_default_library",
|
||||||
"//pkg/master:go_default_library",
|
"//pkg/master:go_default_library",
|
||||||
"//pkg/master/thirdparty:go_default_library",
|
"//pkg/master/thirdparty:go_default_library",
|
||||||
"//pkg/master/tunneler:go_default_library",
|
"//pkg/master/tunneler:go_default_library",
|
||||||
|
@ -44,7 +44,7 @@ type ServerRunOptions struct {
|
|||||||
GenericServerRunOptions *genericoptions.ServerRunOptions
|
GenericServerRunOptions *genericoptions.ServerRunOptions
|
||||||
Etcd *genericoptions.EtcdOptions
|
Etcd *genericoptions.EtcdOptions
|
||||||
SecureServing *genericoptions.SecureServingOptions
|
SecureServing *genericoptions.SecureServingOptions
|
||||||
InsecureServing *genericoptions.ServingOptions
|
InsecureServing *kubeoptions.InsecureServingOptions
|
||||||
Audit *genericoptions.AuditLogOptions
|
Audit *genericoptions.AuditLogOptions
|
||||||
Features *genericoptions.FeatureOptions
|
Features *genericoptions.FeatureOptions
|
||||||
Authentication *kubeoptions.BuiltInAuthenticationOptions
|
Authentication *kubeoptions.BuiltInAuthenticationOptions
|
||||||
@ -74,7 +74,7 @@ func NewServerRunOptions() *ServerRunOptions {
|
|||||||
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
||||||
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
|
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
|
||||||
SecureServing: kubeoptions.NewSecureServingOptions(),
|
SecureServing: kubeoptions.NewSecureServingOptions(),
|
||||||
InsecureServing: genericoptions.NewInsecureServingOptions(),
|
InsecureServing: kubeoptions.NewInsecureServingOptions(),
|
||||||
Audit: genericoptions.NewAuditLogOptions(),
|
Audit: genericoptions.NewAuditLogOptions(),
|
||||||
Features: genericoptions.NewFeatureOptions(),
|
Features: genericoptions.NewFeatureOptions(),
|
||||||
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
|
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
|
||||||
|
@ -66,6 +66,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/kubeapiserver"
|
"k8s.io/kubernetes/pkg/kubeapiserver"
|
||||||
kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
kubeadmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
||||||
kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
|
kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator"
|
||||||
|
kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
|
||||||
"k8s.io/kubernetes/pkg/master"
|
"k8s.io/kubernetes/pkg/master"
|
||||||
"k8s.io/kubernetes/pkg/master/tunneler"
|
"k8s.io/kubernetes/pkg/master/tunneler"
|
||||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||||
@ -441,7 +442,11 @@ func BuildStorageFactory(s *options.ServerRunOptions) (*serverstorage.DefaultSto
|
|||||||
}
|
}
|
||||||
|
|
||||||
func defaultOptions(s *options.ServerRunOptions) error {
|
func defaultOptions(s *options.ServerRunOptions) error {
|
||||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing, s.InsecureServing); err != nil {
|
// set defaults
|
||||||
|
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
_, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)
|
_, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)
|
||||||
|
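Review bot: The insecure fallback `kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing)` only behaves as a fallback because it runs after `s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing)` on the line above, which has already filled AdvertiseAddress whenever SecureServing is set; nothing in the code states that ordering requirement, and swapping the two calls would silently make the insecure bind address win. A one-line comment between the two calls would preserve it: `// Insecure fallback: only takes effect when the secure defaulting above left AdvertiseAddress unset.` The same applies to NonBlockingRun in the later federation hunk, which has the identical pair of calls. defaultOptions continues outside the hunk.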
@ -41,6 +41,7 @@ go_library(
|
|||||||
"//pkg/generated/openapi:go_default_library",
|
"//pkg/generated/openapi:go_default_library",
|
||||||
"//pkg/kubeapiserver:go_default_library",
|
"//pkg/kubeapiserver:go_default_library",
|
||||||
"//pkg/kubeapiserver/admission:go_default_library",
|
"//pkg/kubeapiserver/admission:go_default_library",
|
||||||
|
"//pkg/kubeapiserver/options:go_default_library",
|
||||||
"//pkg/registry/autoscaling/horizontalpodautoscaler/storage:go_default_library",
|
"//pkg/registry/autoscaling/horizontalpodautoscaler/storage:go_default_library",
|
||||||
"//pkg/registry/batch/job/storage:go_default_library",
|
"//pkg/registry/batch/job/storage:go_default_library",
|
||||||
"//pkg/registry/cachesize:go_default_library",
|
"//pkg/registry/cachesize:go_default_library",
|
||||||
|
@ -36,7 +36,7 @@ type ServerRunOptions struct {
|
|||||||
GenericServerRunOptions *genericoptions.ServerRunOptions
|
GenericServerRunOptions *genericoptions.ServerRunOptions
|
||||||
Etcd *genericoptions.EtcdOptions
|
Etcd *genericoptions.EtcdOptions
|
||||||
SecureServing *genericoptions.SecureServingOptions
|
SecureServing *genericoptions.SecureServingOptions
|
||||||
InsecureServing *genericoptions.ServingOptions
|
InsecureServing *kubeoptions.InsecureServingOptions
|
||||||
Audit *genericoptions.AuditLogOptions
|
Audit *genericoptions.AuditLogOptions
|
||||||
Features *genericoptions.FeatureOptions
|
Features *genericoptions.FeatureOptions
|
||||||
Authentication *kubeoptions.BuiltInAuthenticationOptions
|
Authentication *kubeoptions.BuiltInAuthenticationOptions
|
||||||
@ -54,7 +54,7 @@ func NewServerRunOptions() *ServerRunOptions {
|
|||||||
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
GenericServerRunOptions: genericoptions.NewServerRunOptions(),
|
||||||
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
|
Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, api.Scheme, nil)),
|
||||||
SecureServing: kubeoptions.NewSecureServingOptions(),
|
SecureServing: kubeoptions.NewSecureServingOptions(),
|
||||||
InsecureServing: genericoptions.NewInsecureServingOptions(),
|
InsecureServing: kubeoptions.NewInsecureServingOptions(),
|
||||||
Audit: genericoptions.NewAuditLogOptions(),
|
Audit: genericoptions.NewAuditLogOptions(),
|
||||||
Features: genericoptions.NewFeatureOptions(),
|
Features: genericoptions.NewFeatureOptions(),
|
||||||
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
|
Authentication: kubeoptions.NewBuiltInAuthenticationOptions().WithAll(),
|
||||||
|
@ -45,6 +45,7 @@ import (
|
|||||||
"k8s.io/kubernetes/pkg/generated/openapi"
|
"k8s.io/kubernetes/pkg/generated/openapi"
|
||||||
"k8s.io/kubernetes/pkg/kubeapiserver"
|
"k8s.io/kubernetes/pkg/kubeapiserver"
|
||||||
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission"
|
||||||
|
kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options"
|
||||||
"k8s.io/kubernetes/pkg/registry/cachesize"
|
"k8s.io/kubernetes/pkg/registry/cachesize"
|
||||||
"k8s.io/kubernetes/pkg/routes"
|
"k8s.io/kubernetes/pkg/routes"
|
||||||
"k8s.io/kubernetes/pkg/version"
|
"k8s.io/kubernetes/pkg/version"
|
||||||
@ -81,7 +82,10 @@ func Run(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
|
|||||||
// stop with the given channel.
|
// stop with the given channel.
|
||||||
func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
|
func NonBlockingRun(s *options.ServerRunOptions, stopCh <-chan struct{}) error {
|
||||||
// set defaults
|
// set defaults
|
||||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing, s.InsecureServing); err != nil {
|
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := s.SecureServing.MaybeDefaultWithSelfSignedCerts(s.GenericServerRunOptions.AdvertiseAddress.String(), nil, nil); err != nil {
|
if err := s.SecureServing.MaybeDefaultWithSelfSignedCerts(s.GenericServerRunOptions.AdvertiseAddress.String(), nil, nil); err != nil {
|
||||||
|
@ -28,8 +28,10 @@ go_library(
|
|||||||
"//pkg/kubeapiserver/authorizer:go_default_library",
|
"//pkg/kubeapiserver/authorizer:go_default_library",
|
||||||
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
"//pkg/kubeapiserver/authorizer/modes:go_default_library",
|
||||||
"//vendor:github.com/golang/glog",
|
"//vendor:github.com/golang/glog",
|
||||||
|
"//vendor:github.com/pborman/uuid",
|
||||||
"//vendor:github.com/spf13/pflag",
|
"//vendor:github.com/spf13/pflag",
|
||||||
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
|
"//vendor:k8s.io/apimachinery/pkg/runtime/schema",
|
||||||
|
"//vendor:k8s.io/apimachinery/pkg/util/net",
|
||||||
"//vendor:k8s.io/apiserver/pkg/server",
|
"//vendor:k8s.io/apiserver/pkg/server",
|
||||||
"//vendor:k8s.io/apiserver/pkg/server/options",
|
"//vendor:k8s.io/apiserver/pkg/server/options",
|
||||||
"//vendor:k8s.io/apiserver/pkg/util/flag",
|
"//vendor:k8s.io/apiserver/pkg/util/flag",
|
||||||
|
@ -18,8 +18,15 @@ limitations under the License.
|
|||||||
package options
|
package options
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"fmt"
|
||||||
"net"
|
"net"
|
||||||
|
"strconv"
|
||||||
|
|
||||||
|
"github.com/pborman/uuid"
|
||||||
|
"github.com/spf13/pflag"
|
||||||
|
|
||||||
|
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||||
|
"k8s.io/apiserver/pkg/server"
|
||||||
genericoptions "k8s.io/apiserver/pkg/server/options"
|
genericoptions "k8s.io/apiserver/pkg/server/options"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -27,13 +34,101 @@ import (
|
|||||||
// "normal" API servers running on the platform
|
// "normal" API servers running on the platform
|
||||||
func NewSecureServingOptions() *genericoptions.SecureServingOptions {
|
func NewSecureServingOptions() *genericoptions.SecureServingOptions {
|
||||||
return &genericoptions.SecureServingOptions{
|
return &genericoptions.SecureServingOptions{
|
||||||
ServingOptions: genericoptions.ServingOptions{
|
|
||||||
BindAddress: net.ParseIP("0.0.0.0"),
|
BindAddress: net.ParseIP("0.0.0.0"),
|
||||||
BindPort: 6443,
|
BindPort: 6443,
|
||||||
},
|
|
||||||
ServerCert: genericoptions.GeneratableKeyCert{
|
ServerCert: genericoptions.GeneratableKeyCert{
|
||||||
PairName: "apiserver",
|
PairName: "apiserver",
|
||||||
CertDirectory: "/var/run/kubernetes",
|
CertDirectory: "/var/run/kubernetes",
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
|
||||||
|
// unset. The field will be set based on the SecureServingOptions. If
|
||||||
|
// the SecureServingOptions is not present, DefaultExternalAddress
|
||||||
|
// will fall back to the insecure ServingOptions.
|
||||||
|
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
|
||||||
|
if insecure == nil {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
||||||
|
hostIP, err := insecure.DefaultExternalAddress()
|
||||||
|
if err != nil {
|
||||||
|
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
||||||
|
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
||||||
|
}
|
||||||
|
s.AdvertiseAddress = hostIP
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
|
||||||
|
// No one should be using these anymore.
|
||||||
|
type InsecureServingOptions struct {
|
||||||
|
BindAddress net.IP
|
||||||
|
BindPort int
|
||||||
|
}
|
||||||
|
|
||||||
|
// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
|
||||||
|
// No one should be using these anymore.
|
||||||
|
func NewInsecureServingOptions() *InsecureServingOptions {
|
||||||
|
return &InsecureServingOptions{
|
||||||
|
BindAddress: net.ParseIP("127.0.0.1"),
|
||||||
|
BindPort: 8080,
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s InsecureServingOptions) Validate(portArg string) []error {
|
||||||
|
errors := []error{}
|
||||||
|
|
||||||
|
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||||
|
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
|
||||||
|
}
|
||||||
|
|
||||||
|
return errors
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
|
||||||
|
return utilnet.ChooseBindAddress(s.BindAddress)
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||||
|
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
|
||||||
|
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
|
||||||
|
"Defaults to localhost.")
|
||||||
|
|
||||||
|
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
|
||||||
|
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
|
||||||
|
"that firewall rules are set up such that this port is not reachable from outside of "+
|
||||||
|
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
||||||
|
"port. This is performed by nginx in the default setup.")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
||||||
|
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
|
||||||
|
"DEPRECATED: see --insecure-bind-address instead.")
|
||||||
|
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
||||||
|
|
||||||
|
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
|
||||||
|
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
||||||
|
}
|
||||||
|
|
||||||
|
func (s *InsecureServingOptions) ApplyTo(c *server.Config) error {
|
||||||
|
if s.BindPort <= 0 {
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
|
||||||
|
c.InsecureServingInfo = &server.ServingInfo{
|
||||||
|
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||||
|
}
|
||||||
|
|
||||||
|
var err error
|
||||||
|
privilegedLoopbackToken := uuid.NewRandom().String()
|
||||||
|
if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
|
return nil
|
||||||
|
}
|
||||||
|
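Review bot: The doc comment on `func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error` describes a fallback from SecureServingOptions that this function does not implement: it never sees the secure options and sets AdvertiseAddress from the insecure bind address whenever it is still unset and `insecure` is non-nil, so any secure-first behaviour depends entirely on the caller invoking the secure defaulting first. Suggest rewording to `// DefaultAdvertiseAddress sets AdvertiseAddress from the insecure bind address if it is still unset; callers that want the secure bind address preferred must default from SecureServingOptions before calling this.` Separately, `func (s InsecureServingOptions) Validate(portArg string) []error` no longer uses `portArg`, hard-codes `--insecure-port` in its message and still ends that message with "0 for turning off secure port."; either drop the parameter or interpolate it, and say "insecure port" so the text matches the flag being validated. Validate also uses a value receiver while every other method on the type uses a pointer receiver.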
@ -71,30 +71,20 @@ func (s *ServerRunOptions) ApplyTo(c *server.Config) error {
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
|
// DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions.
|
||||||
// unset. The field will be set based on the SecureServingOptions. If
|
func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions) error {
|
||||||
// the SecureServingOptions is not present, DefaultExternalAddress
|
if secure == nil {
|
||||||
// will fall back to the insecure ServingOptions.
|
return nil
|
||||||
func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions, insecure *ServingOptions) error {
|
|
||||||
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
|
||||||
switch {
|
|
||||||
case secure != nil:
|
|
||||||
hostIP, err := secure.ServingOptions.DefaultExternalAddress()
|
|
||||||
if err != nil {
|
|
||||||
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
|
||||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
|
||||||
}
|
}
|
||||||
s.AdvertiseAddress = hostIP
|
|
||||||
|
|
||||||
case insecure != nil:
|
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
||||||
hostIP, err := insecure.DefaultExternalAddress()
|
hostIP, err := secure.DefaultExternalAddress()
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
|
||||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
|
||||||
}
|
}
|
||||||
s.AdvertiseAddress = hostIP
|
s.AdvertiseAddress = hostIP
|
||||||
}
|
}
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
@ -35,13 +35,9 @@ import (
|
|||||||
certutil "k8s.io/client-go/util/cert"
|
certutil "k8s.io/client-go/util/cert"
|
||||||
)
|
)
|
||||||
|
|
||||||
type ServingOptions struct {
|
type SecureServingOptions struct {
|
||||||
BindAddress net.IP
|
BindAddress net.IP
|
||||||
BindPort int
|
BindPort int
|
||||||
}
|
|
||||||
|
|
||||||
type SecureServingOptions struct {
|
|
||||||
ServingOptions ServingOptions
|
|
||||||
|
|
||||||
// ServerCert is the TLS cert info for serving secure traffic
|
// ServerCert is the TLS cert info for serving secure traffic
|
||||||
ServerCert GeneratableKeyCert
|
ServerCert GeneratableKeyCert
|
||||||
@ -71,10 +67,8 @@ type GeneratableKeyCert struct {
|
|||||||
|
|
||||||
func NewSecureServingOptions() *SecureServingOptions {
|
func NewSecureServingOptions() *SecureServingOptions {
|
||||||
return &SecureServingOptions{
|
return &SecureServingOptions{
|
||||||
ServingOptions: ServingOptions{
|
|
||||||
BindAddress: net.ParseIP("0.0.0.0"),
|
BindAddress: net.ParseIP("0.0.0.0"),
|
||||||
BindPort: 443,
|
BindPort: 443,
|
||||||
},
|
|
||||||
ServerCert: GeneratableKeyCert{
|
ServerCert: GeneratableKeyCert{
|
||||||
PairName: "apiserver",
|
PairName: "apiserver",
|
||||||
CertDirectory: "apiserver.local.config/certificates",
|
CertDirectory: "apiserver.local.config/certificates",
|
||||||
@ -82,23 +76,27 @@ func NewSecureServingOptions() *SecureServingOptions {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error) {
|
||||||
|
return utilnet.ChooseBindAddress(s.BindAddress)
|
||||||
|
}
|
||||||
|
|
||||||
func (s *SecureServingOptions) Validate() []error {
|
func (s *SecureServingOptions) Validate() []error {
|
||||||
errors := []error{}
|
errors := []error{}
|
||||||
if s == nil {
|
|
||||||
return errors
|
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||||
|
errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
|
||||||
}
|
}
|
||||||
|
|
||||||
errors = append(errors, s.ServingOptions.Validate("secure-port")...)
|
|
||||||
return errors
|
return errors
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||||
fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+
|
fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+
|
||||||
"The IP address on which to listen for the --secure-port port. The "+
|
"The IP address on which to listen for the --secure-port port. The "+
|
||||||
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
|
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
|
||||||
"clients. If blank, all interfaces will be used (0.0.0.0).")
|
"clients. If blank, all interfaces will be used (0.0.0.0).")
|
||||||
|
|
||||||
fs.IntVar(&s.ServingOptions.BindPort, "secure-port", s.ServingOptions.BindPort, ""+
|
fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
|
||||||
"The port on which to serve HTTPS with authentication and authorization. If 0, "+
|
"The port on which to serve HTTPS with authentication and authorization. If 0, "+
|
||||||
"don't serve HTTPS at all.")
|
"don't serve HTTPS at all.")
|
||||||
|
|
||||||
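Review bot: The rewritten `Validate` drops the `if s == nil { return errors }` guard that the removed version had, so its first check `if s.BindPort < 0 || s.BindPort > 65535` now dereferences a nil *SecureServingOptions and panics where the old code returned an empty error slice. Restore the guard directly after `errors := []error{}`: `if s == nil { return errors }`. The inlined port-range check itself matches the removed ServingOptions.Validate logic.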
@ -131,13 +129,13 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
||||||
fs.IPVar(&s.ServingOptions.BindAddress, "public-address-override", s.ServingOptions.BindAddress,
|
fs.IPVar(&s.BindAddress, "public-address-override", s.BindAddress,
|
||||||
"DEPRECATED: see --bind-address instead.")
|
"DEPRECATED: see --bind-address instead.")
|
||||||
fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
|
fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
|
||||||
}
|
}
|
||||||
|
|
||||||
func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
|
func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
|
||||||
if s.ServingOptions.BindPort <= 0 {
|
if s.BindPort <= 0 {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
if err := s.applyServingInfoTo(c); err != nil {
|
if err := s.applyServingInfoTo(c); err != nil {
|
||||||
@ -173,13 +171,13 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
||||||
if s.ServingOptions.BindPort <= 0 {
|
if s.BindPort <= 0 {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
secureServingInfo := &server.SecureServingInfo{
|
secureServingInfo := &server.SecureServingInfo{
|
||||||
ServingInfo: server.ServingInfo{
|
ServingInfo: server.ServingInfo{
|
||||||
BindAddress: net.JoinHostPort(s.ServingOptions.BindAddress.String(), strconv.Itoa(s.ServingOptions.BindPort)),
|
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -231,67 +229,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
|
|||||||
}
|
}
|
||||||
|
|
||||||
c.SecureServingInfo = secureServingInfo
|
c.SecureServingInfo = secureServingInfo
|
||||||
c.ReadWritePort = s.ServingOptions.BindPort
|
c.ReadWritePort = s.BindPort
|
||||||
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func NewInsecureServingOptions() *ServingOptions {
|
|
||||||
return &ServingOptions{
|
|
||||||
BindAddress: net.ParseIP("127.0.0.1"),
|
|
||||||
BindPort: 8080,
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s ServingOptions) Validate(portArg string) []error {
|
|
||||||
errors := []error{}
|
|
||||||
|
|
||||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
|
||||||
errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
|
|
||||||
}
|
|
||||||
|
|
||||||
return errors
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *ServingOptions) DefaultExternalAddress() (net.IP, error) {
|
|
||||||
return utilnet.ChooseBindAddress(s.BindAddress)
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *ServingOptions) AddFlags(fs *pflag.FlagSet) {
|
|
||||||
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
|
|
||||||
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
|
|
||||||
"Defaults to localhost.")
|
|
||||||
|
|
||||||
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
|
|
||||||
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
|
|
||||||
"that firewall rules are set up such that this port is not reachable from outside of "+
|
|
||||||
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
|
||||||
"port. This is performed by nginx in the default setup.")
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *ServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
|
||||||
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
|
|
||||||
"DEPRECATED: see --insecure-bind-address instead.")
|
|
||||||
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
|
||||||
|
|
||||||
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
|
|
||||||
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
|
||||||
}
|
|
||||||
|
|
||||||
func (s *ServingOptions) ApplyTo(c *server.Config) error {
|
|
||||||
if s.BindPort <= 0 {
|
|
||||||
return nil
|
|
||||||
}
|
|
||||||
|
|
||||||
c.InsecureServingInfo = &server.ServingInfo{
|
|
||||||
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
|
||||||
}
|
|
||||||
|
|
||||||
var err error
|
|
||||||
privilegedLoopbackToken := uuid.NewRandom().String()
|
|
||||||
if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
|
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
@ -301,7 +239,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
keyCert := &s.ServerCert.CertKey
|
keyCert := &s.ServerCert.CertKey
|
||||||
if s.ServingOptions.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 {
|
if s.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -314,11 +252,11 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
|
|||||||
}
|
}
|
||||||
if !canReadCertAndKey {
|
if !canReadCertAndKey {
|
||||||
// add either the bind address or localhost to the valid alternates
|
// add either the bind address or localhost to the valid alternates
|
||||||
bindIP := s.ServingOptions.BindAddress.String()
|
bindIP := s.BindAddress.String()
|
||||||
if bindIP == "0.0.0.0" {
|
if bindIP == "0.0.0.0" {
|
||||||
alternateDNS = append(alternateDNS, "localhost")
|
alternateDNS = append(alternateDNS, "localhost")
|
||||||
} else {
|
} else {
|
||||||
alternateIPs = append(alternateIPs, s.ServingOptions.BindAddress)
|
alternateIPs = append(alternateIPs, s.BindAddress)
|
||||||
}
|
}
|
||||||
|
|
||||||
if cert, key, err := certutil.GenerateSelfSignedCertKey(publicAddress, alternateIPs, alternateDNS); err != nil {
|
if cert, key, err := certutil.GenerateSelfSignedCertKey(publicAddress, alternateIPs, alternateDNS); err != nil {
|
||||||
|
@ -459,10 +459,8 @@ NextTest:
|
|||||||
|
|
||||||
config.EnableIndex = true
|
config.EnableIndex = true
|
||||||
secureOptions := &SecureServingOptions{
|
secureOptions := &SecureServingOptions{
|
||||||
ServingOptions: ServingOptions{
|
|
||||||
BindAddress: net.ParseIP("127.0.0.1"),
|
BindAddress: net.ParseIP("127.0.0.1"),
|
||||||
BindPort: 6443,
|
BindPort: 6443,
|
||||||
},
|
|
||||||
ServerCert: GeneratableKeyCert{
|
ServerCert: GeneratableKeyCert{
|
||||||
CertKey: CertKey{
|
CertKey: CertKey{
|
||||||
CertFile: serverCertBundleFile,
|
CertFile: serverCertBundleFile,
|
||||||
|
@ -96,7 +96,6 @@ func NewDefaultOptions(out, err io.Writer) *AggregatorOptions {
|
|||||||
StdOut: out,
|
StdOut: out,
|
||||||
StdErr: err,
|
StdErr: err,
|
||||||
}
|
}
|
||||||
o.RecommendedOptions.SecureServing.ServingOptions.BindPort = 443
|
|
||||||
return o
|
return o
|
||||||
}
|
}
|
||||||
|
|
||||||
|
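Review bot: The removed `o.RecommendedOptions.SecureServing.ServingOptions.BindPort = 443` has no replacement, so the aggregator now relies on whatever port its RecommendedOptions constructor picks; that is equivalent only if it goes through `genericoptions.NewSecureServingOptions`, whose default is 443 in this commit, which I cannot confirm from this hunk. If the explicit override was intentional, keep it as `o.RecommendedOptions.SecureServing.BindPort = 443`. NewDefaultOptions starts outside the hunk.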