From cb95edafe8bf4f294beb53d0a7bc04d62584577c Mon Sep 17 00:00:00 2001 From: tanshanshan Date: Wed, 5 Sep 2018 16:42:16 +0800 Subject: [PATCH] kube-scheduler: enable secure ports 10259 --- cmd/kube-scheduler/app/config/BUILD | 1 + cmd/kube-scheduler/app/config/config.go | 6 ++ cmd/kube-scheduler/app/options/BUILD | 1 + .../app/options/insecure_serving.go | 12 +-- .../app/options/insecure_serving_test.go | 28 +++---- cmd/kube-scheduler/app/options/options.go | 46 +++++++++--- .../app/options/options_test.go | 75 ++++++++++++++++++- pkg/master/ports/ports.go | 9 ++- pkg/registry/core/rest/storage_core.go | 2 +- .../apis/config/v1alpha1/defaults.go | 4 +- .../options/deprecated_insecure_serving.go | 4 +- .../server/options/serving_with_loopback.go | 4 +- test/e2e/apps/daemon_restart.go | 2 +- test/e2e/framework/metrics/metrics_grabber.go | 2 +- test/e2e/framework/metrics_util.go | 2 +- test/e2e/network/firewall.go | 2 +- 16 files changed, 153 insertions(+), 47 deletions(-) diff --git a/cmd/kube-scheduler/app/config/BUILD b/cmd/kube-scheduler/app/config/BUILD index 6545f5ff84a..877ceef1e05 100644 --- a/cmd/kube-scheduler/app/config/BUILD +++ b/cmd/kube-scheduler/app/config/BUILD @@ -12,6 +12,7 @@ go_library( "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library", + "//staging/src/k8s.io/client-go/rest:go_default_library", "//staging/src/k8s.io/client-go/tools/leaderelection:go_default_library", "//staging/src/k8s.io/client-go/tools/record:go_default_library", ], diff --git a/cmd/kube-scheduler/app/config/config.go b/cmd/kube-scheduler/app/config/config.go index 930759d28c0..2ad5ae9bf34 100644 --- a/cmd/kube-scheduler/app/config/config.go +++ b/cmd/kube-scheduler/app/config/config.go 
@@ -22,6 +22,7 @@ import ( coreinformers "k8s.io/client-go/informers/core/v1" clientset "k8s.io/client-go/kubernetes" v1core "k8s.io/client-go/kubernetes/typed/core/v1" + restclient "k8s.io/client-go/rest" "k8s.io/client-go/tools/leaderelection" "k8s.io/client-go/tools/record" kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config" @@ -32,6 +33,9 @@ type Config struct { // config is the scheduler server's configuration object. ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration + // LoopbackClientConfig is a config for a privileged loopback connection + LoopbackClientConfig *restclient.Config + InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently Authentication apiserver.AuthenticationInfo @@ -70,5 +74,7 @@ func (c *Config) Complete() CompletedConfig { c.InsecureMetricsServing.Name = "metrics" } + apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization) + return CompletedConfig{&cc} } diff --git a/cmd/kube-scheduler/app/options/BUILD b/cmd/kube-scheduler/app/options/BUILD index ebe68f08340..5806f6cc9b5 100644 --- a/cmd/kube-scheduler/app/options/BUILD +++ b/cmd/kube-scheduler/app/options/BUILD @@ -14,6 +14,7 @@ go_library( "//cmd/kube-scheduler/app/config:go_default_library", "//pkg/api/legacyscheme:go_default_library", "//pkg/client/leaderelectionconfig:go_default_library", + "//pkg/master/ports:go_default_library", "//pkg/scheduler/apis/config:go_default_library", "//pkg/scheduler/apis/config/scheme:go_default_library", "//pkg/scheduler/apis/config/v1alpha1:go_default_library", diff --git a/cmd/kube-scheduler/app/options/insecure_serving.go b/cmd/kube-scheduler/app/options/insecure_serving.go index 78662f69eb3..db3c7351100 100644 --- a/cmd/kube-scheduler/app/options/insecure_serving.go 
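Review bot: `Complete()` now calls `apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)` unconditionally, yet `LoopbackClientConfig` is only filled in by the serving options' `ApplyTo`, and `Authentication`/`Authorization` stay at their zero values when the secure port is off. Whether the helper tolerates a nil config or an unset authenticator is not visible in this patch, so either guard the call with `if c.LoopbackClientConfig != nil {` or state the nil behaviour in a comment on the call. The new field comment calls this a privileged loopback connection; it should also say that the field may be nil and that the bearer token it carries must not be logged or handed to other clients. `Complete()` starts outside the hunk.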
+++ b/cmd/kube-scheduler/app/options/insecure_serving.go @@ -31,8 +31,8 @@ import ( // CombinedInsecureServingOptions sets up to two insecure listeners for healthz and metrics. The flags // override the ComponentConfig and DeprecatedInsecureServingOptions values for both. type CombinedInsecureServingOptions struct { - Healthz *apiserveroptions.DeprecatedInsecureServingOptions - Metrics *apiserveroptions.DeprecatedInsecureServingOptions + Healthz *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback + Metrics *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig @@ -60,11 +60,11 @@ func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, c return err } - if err := o.Healthz.ApplyTo(&c.InsecureServing); err != nil { + if err := o.Healthz.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil { return err } if o.Metrics != nil && (c.ComponentConfig.MetricsBindAddress != c.ComponentConfig.HealthzBindAddress || o.Healthz == nil) { - if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing); err != nil { + if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing, &c.LoopbackClientConfig); err != nil { return err } } @@ -108,7 +108,7 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp return o.applyTo(c, componentConfig) } -func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error { +func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback) error { if is == nil { *addr = "" } else { 
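Review bot: In `applyTo`, `o.Healthz.ApplyTo` and `o.Metrics.ApplyTo` now both write through the same `&c.LoopbackClientConfig`, so the last call wins, and `Options.ApplyTo` later hands the same pointer to `SecureServing.ApplyTo`. That call order decides whether the loopback client ends up pointing at a plaintext or a TLS listener, and nothing in the code says so. A comment above the first call would make the dependency explicit, for example `// Healthz, then Metrics, then SecureServing (in Options.ApplyTo) each overwrite c.LoopbackClientConfig; the secure one has to be applied last to win.` `applyTo` begins and ends outside the hunk.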
@@ -124,7 +124,7 @@ func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserv return nil } -func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error { +func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback, addr string) error { if is == nil { return nil } diff --git a/cmd/kube-scheduler/app/options/insecure_serving_test.go b/cmd/kube-scheduler/app/options/insecure_serving_test.go index 09677b6aa06..28bcb600e60 100644 --- a/cmd/kube-scheduler/app/options/insecure_serving_test.go +++ b/cmd/kube-scheduler/app/options/insecure_serving_test.go @@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindPort: 0, }, }, @@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindPort: 0, }, }, @@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindPort: 0, }, }, 
@@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindPort: 0, }, }, @@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1235", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindPort: 0, }, }, @@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindPort: 1236, BindAddress: "1.2.3.4", }, @@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindAddress: "2.3.4.5", BindPort: 1234, }, 
@@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) { MetricsBindAddress: "1.2.3.4:1234", }, CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(), BindAddress: "2.3.4.5", BindPort: 0, }, diff --git a/cmd/kube-scheduler/app/options/options.go b/cmd/kube-scheduler/app/options/options.go index f35c173687a..fdee98c5982 100644 --- a/cmd/kube-scheduler/app/options/options.go +++ b/cmd/kube-scheduler/app/options/options.go @@ -45,6 +45,7 @@ import ( schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config" "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/client/leaderelectionconfig" + "k8s.io/kubernetes/pkg/master/ports" kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config" kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme" "k8s.io/kubernetes/pkg/scheduler/apis/config/validation" @@ -56,7 +57,7 @@ type Options struct { // The default values. These are overridden if ConfigFile is set or by values in InsecureServing. ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration - SecureServing *apiserveroptions.SecureServingOptions + SecureServing *apiserveroptions.SecureServingOptionsWithLoopback CombinedInsecureServing *CombinedInsecureServingOptions Authentication *apiserveroptions.DelegatingAuthenticationOptions Authorization *apiserveroptions.DelegatingAuthorizationOptions 
@@ -85,25 +86,34 @@ func NewOptions() (*Options, error) { o := &Options{ ComponentConfig: *cfg, - SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions() + SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(), CombinedInsecureServing: &CombinedInsecureServingOptions{ - Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{ + Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{ BindNetwork: "tcp", - }, - Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{ + }).WithLoopback(), + Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{ BindNetwork: "tcp", - }, + }).WithLoopback(), BindPort: hport, BindAddress: hhost, }, - Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions() - Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions() + Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(), + Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(), Deprecated: &DeprecatedOptions{ UseLegacyPolicyConfig: false, PolicyConfigMapNamespace: metav1.NamespaceSystem, }, } + o.Authentication.RemoteKubeConfigFileOptional = true + o.Authorization.RemoteKubeConfigFileOptional = true + o.Authorization.AlwaysAllowPaths = []string{"/healthz"} + + // Set the PairName but leave certificate directory blank to generate in-memory by default + o.SecureServing.ServerCert.CertDirectory = "" + o.SecureServing.ServerCert.PairName = "kube-scheduler" + o.SecureServing.BindPort = ports.KubeSchedulerPort + return o, nil } 
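Review bot: `NewOptions` turns the secure port on by default while setting `RemoteKubeConfigFileOptional = true` on both delegating option structs, and the patch does not show what the authenticator and authorizer do when no kubeconfig or in-cluster config can be found. Please confirm that every path other than `/healthz` (notably `/metrics`) is rejected in that situation rather than served, and record the outcome in a comment next to these assignments. The test fixtures carry `// note: this does not match /healthz/ or /healthz/*` on `AlwaysAllowPaths`; that comment belongs here, where the value is actually chosen. Leaving `CertDirectory` empty gives an in-memory certificate that presumably changes on every start, so the existing comment should also tell operators to supply a serving certificate when clients are expected to verify it.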
@@ -173,13 +183,19 @@ func (o *Options) ApplyTo(c *schedulerappconfig.Config) error { } } - if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil { + if err := o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil { return err } - if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil { - return err + if o.SecureServing != nil && (o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil) { + if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil { + return err + } + if err := o.Authorization.ApplyTo(&c.Authorization); err != nil { + return err + } } - return o.Authorization.ApplyTo(&c.Authorization) + + return nil } // Validate validates all the required options. @@ -200,6 +216,12 @@ func (o *Options) Validate() []error { // Config return a scheduler config object func (o *Options) Config() (*schedulerappconfig.Config, error) { + if o.SecureServing != nil { + if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil { + return nil, fmt.Errorf("error creating self-signed certificates: %v", err) + } + } + c := &schedulerappconfig.Config{} if err := o.ApplyTo(c); err != nil { return nil, err diff --git a/cmd/kube-scheduler/app/options/options_test.go b/cmd/kube-scheduler/app/options/options_test.go index b63fac090c4..34cd2404231 100644 --- a/cmd/kube-scheduler/app/options/options_test.go +++ b/cmd/kube-scheduler/app/options/options_test.go @@ -32,6 +32,7 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/util/diff" apiserverconfig "k8s.io/apiserver/pkg/apis/config" + apiserveroptions "k8s.io/apiserver/pkg/server/options" kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config" ) 
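Review bot: `o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig)` runs before the new `o.SecureServing != nil` test in `Options.ApplyTo`, so the guard protects only the authn/authz calls, and the first call depends on the method accepting a nil receiver, which this hunk does not show. Inside the branch, `o.Authentication` and `o.Authorization` are used without a matching check. Either hoist one guard over all three calls or document the assumption, e.g. `// the options' ApplyTo methods are nil-safe; authn/authz are only wired up when a secure listener exists`. The function starts outside the hunk, where the insecure options are presumably applied first.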
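Review bot: The self-signed certificate requested in `Config()` names only `localhost` and `127.0.0.1`, while the bind address of the secure port is not set in this patch and may well be non-loopback. Unless `MaybeDefaultWithSelfSignedCerts` adds the bind address itself (not visible here), remote scrapers of port 10259 could only connect by skipping certificate verification, which removes most of the benefit of the TLS port. Consider passing the configured bind address as an additional SAN, or add a comment that `--tls-cert-file`/`--tls-private-key-file` are expected whenever non-local clients use the port.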
@@ -175,6 +176,29 @@ users: } return *cfg }(), + SecureServing: (&apiserveroptions.SecureServingOptions{ + ServerCert: apiserveroptions.GeneratableKeyCert{ + CertDirectory: "/a/b/c", + PairName: "kube-scheduler", + }, + HTTP2MaxStreamsPerConnection: 47, + }).WithLoopback(), + Authentication: &apiserveroptions.DelegatingAuthenticationOptions{ + CacheTTL: 10 * time.Second, + ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, + RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{ + UsernameHeaders: []string{"x-remote-user"}, + GroupHeaders: []string{"x-remote-group"}, + ExtraHeaderPrefixes: []string{"x-remote-extra-"}, + }, + RemoteKubeConfigFileOptional: true, + }, + Authorization: &apiserveroptions.DelegatingAuthorizationOptions{ + AllowCacheTTL: 10 * time.Second, + DenyCacheTTL: 10 * time.Second, + RemoteKubeConfigFileOptional: true, + AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/* + }, }, expectedUsername: "config", expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{ 
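Review bot: The new `SecureServing` fixtures leave `BindPort` and `Listener` unset, so as far as these hunks show the added branch in `Options.ApplyTo` (`BindPort != 0 || Listener != nil`) is skipped and the delegated authentication and authorization wiring is never exercised. The same holds for the fixtures added at `@@ -233,6 +257,29 @@` and `@@ -264,8 +311,32 @@`. A case that sets `BindPort` (or injects a listener) and checks that `c.Authentication` and `c.Authorization` come back populated would cover the security-relevant path of this commit. The identical three-field fixture is also pasted three times; a small helper returning it would keep the cases from drifting apart.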
@@ -233,6 +257,29 @@ users: cfg.ClientConnection.Kubeconfig = flagKubeconfig return *cfg }(), + SecureServing: (&apiserveroptions.SecureServingOptions{ + ServerCert: apiserveroptions.GeneratableKeyCert{ + CertDirectory: "/a/b/c", + PairName: "kube-scheduler", + }, + HTTP2MaxStreamsPerConnection: 47, + }).WithLoopback(), + Authentication: &apiserveroptions.DelegatingAuthenticationOptions{ + CacheTTL: 10 * time.Second, + ClientCert: apiserveroptions.ClientCertAuthenticationOptions{}, + RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{ + UsernameHeaders: []string{"x-remote-user"}, + GroupHeaders: []string{"x-remote-group"}, + ExtraHeaderPrefixes: []string{"x-remote-extra-"}, + }, + RemoteKubeConfigFileOptional: true, + }, + Authorization: &apiserveroptions.DelegatingAuthorizationOptions{ + AllowCacheTTL: 10 * time.Second, + DenyCacheTTL: 10 * time.Second, + RemoteKubeConfigFileOptional: true, + AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/* + }, }, expectedUsername: "flag", expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{ 
@@ -264,8 +311,32 @@ users: }, }, { - name: "overridden master", - options: &Options{Master: insecureserver.URL}, + name: "overridden master", + options: &Options{ + Master: insecureserver.URL, + SecureServing: (&apiserveroptions.SecureServingOptions{ + ServerCert: apiserveroptions.GeneratableKeyCert{ + CertDirectory: "/a/b/c", + PairName: "kube-scheduler", + }, + HTTP2MaxStreamsPerConnection: 47, + }).WithLoopback(), + Authentication: &apiserveroptions.DelegatingAuthenticationOptions{ + CacheTTL: 10 * time.Second, + RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{ + UsernameHeaders: []string{"x-remote-user"}, + GroupHeaders: []string{"x-remote-group"}, + ExtraHeaderPrefixes: []string{"x-remote-extra-"}, + }, + RemoteKubeConfigFileOptional: true, + }, + Authorization: &apiserveroptions.DelegatingAuthorizationOptions{ + AllowCacheTTL: 10 * time.Second, + DenyCacheTTL: 10 * time.Second, + RemoteKubeConfigFileOptional: true, + AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/* + }, + }, expectedUsername: "none, http", }, { diff --git a/pkg/master/ports/ports.go b/pkg/master/ports/ports.go index 19207a1012b..23faba1d3ec 100644 --- a/pkg/master/ports/ports.go +++ b/pkg/master/ports/ports.go @@ -23,9 +23,10 @@ const ( // KubeletPort is the default port for the kubelet server on each host machine. // May be overridden by a flag at startup. KubeletPort = 10250 - // SchedulerPort is the default port for the scheduler status server. + // InsecureSchedulerPort is the default port for the scheduler status server. // May be overridden by a flag at startup. - SchedulerPort = 10251 + // Deprecated: use the secure KubeSchedulerPort instead. + InsecureSchedulerPort = 10251 // InsecureKubeControllerManagerPort is the default port for the controller manager status server. // May be overridden by a flag at startup. // Deprecated: use the secure KubeControllerManagerPort instead. 
@@ -49,4 +50,8 @@ const ( // CloudControllerManagerPort is the default port for the cloud controller manager server. // This value may be overridden by a flag at startup. CloudControllerManagerPort = 10258 + + // KubeSchedulerPort is the default port for the scheduler status server. + // May be overridden by a flag at startup. + KubeSchedulerPort = 10259 ) diff --git a/pkg/registry/core/rest/storage_core.go b/pkg/registry/core/rest/storage_core.go index b9994db1618..78202ee47eb 100644 --- a/pkg/registry/core/rest/storage_core.go +++ b/pkg/registry/core/rest/storage_core.go @@ -254,7 +254,7 @@ type componentStatusStorage struct { func (s componentStatusStorage) serversToValidate() map[string]*componentstatus.Server { serversToValidate := map[string]*componentstatus.Server{ "controller-manager": {Addr: "127.0.0.1", Port: ports.InsecureKubeControllerManagerPort, Path: "/healthz"}, - "scheduler": {Addr: "127.0.0.1", Port: ports.SchedulerPort, Path: "/healthz"}, + "scheduler": {Addr: "127.0.0.1", Port: ports.InsecureSchedulerPort, Path: "/healthz"}, } for ix, machine := range s.storageFactory.Backends() { diff --git a/pkg/scheduler/apis/config/v1alpha1/defaults.go b/pkg/scheduler/apis/config/v1alpha1/defaults.go index ea608b6b37f..e212dcf4370 100644 --- a/pkg/scheduler/apis/config/v1alpha1/defaults.go +++ b/pkg/scheduler/apis/config/v1alpha1/defaults.go @@ -62,7 +62,7 @@ func SetDefaults_KubeSchedulerConfiguration(obj *kubescedulerconfigv1alpha1.Kube } obj.HealthzBindAddress = net.JoinHostPort(host, port) } else { - obj.HealthzBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.SchedulerPort)) + obj.HealthzBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.InsecureSchedulerPort)) } if host, port, err := net.SplitHostPort(obj.MetricsBindAddress); err == nil { 
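Review bot: The doc comment on the new `KubeSchedulerPort` reuses the wording of the insecure constant ("default port for the scheduler status server") and never says that this is the TLS port behind delegated authentication and authorization. Suggest `// KubeSchedulerPort is the default secure (HTTPS) port for the scheduler status server.` followed by the existing "May be overridden" line, so 10251 and 10259 can be told apart without reading the deprecation note on the other constant.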
@@ -71,7 +71,7 @@ func SetDefaults_KubeSchedulerConfiguration(obj *kubescedulerconfigv1alpha1.Kube } obj.MetricsBindAddress = net.JoinHostPort(host, port) } else { - obj.MetricsBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.SchedulerPort)) + obj.MetricsBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.InsecureSchedulerPort)) } if len(obj.LeaderElection.LockObjectNamespace) == 0 { diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go index e8e3d7feb3f..f1cc4430b8b 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go @@ -150,11 +150,11 @@ func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingIn secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig() switch { // if we failed and there's no fallback loopback client config, we need to fail - case err != nil && secureLoopbackClientConfig == nil: + case err != nil && *loopbackClientConfig == nil: return err // if we failed, but we already have a fallback loopback client config (usually insecure), allow it - case err != nil && secureLoopbackClientConfig != nil: + case err != nil && *loopbackClientConfig != nil: default: *loopbackClientConfig = secureLoopbackClientConfig diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go index ac9635d2dd3..7f19206425e 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go 
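Review bot: The branch `case err != nil && *loopbackClientConfig != nil:` in `DeprecatedInsecureServingOptionsWithLoopback.ApplyTo` has an empty body, so a failure to build the new loopback config is discarded silently and the process keeps whatever config was set earlier. Please log the error in that branch with the package's logger so that running on a fallback loopback config is visible to operators. Both new conditions also dereference `loopbackClientConfig`; the nil check on the pointer itself, if there is one, sits above the hunk and should be confirmed. The same two remarks apply to the identical switch in `serving_with_loopback.go` (`@@ -63,11 +63,11 @@`), and in this file the local name `secureLoopbackClientConfig` is misleading because the config it holds targets the insecure listener.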
@@ -63,11 +63,11 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.Se secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.NewRandom().String(), certPem) switch { // if we failed and there's no fallback loopback client config, we need to fail - case err != nil && secureLoopbackClientConfig == nil: + case err != nil && *loopbackClientConfig == nil: return err // if we failed, but we already have a fallback loopback client config (usually insecure), allow it - case err != nil && secureLoopbackClientConfig != nil: + case err != nil && *loopbackClientConfig != nil: default: *loopbackClientConfig = secureLoopbackClientConfig diff --git a/test/e2e/apps/daemon_restart.go b/test/e2e/apps/daemon_restart.go index dfb2c6a1a2c..e37a2bda03f 100644 --- a/test/e2e/apps/daemon_restart.go +++ b/test/e2e/apps/daemon_restart.go @@ -281,7 +281,7 @@ var _ = SIGDescribe("DaemonRestart [Disruptive]", func() { // Requires master ssh access. framework.SkipUnlessProviderIs("gce", "aws") restarter := NewRestartConfig( - framework.GetMasterHost(), "kube-scheduler", ports.SchedulerPort, restartPollInterval, restartTimeout) + framework.GetMasterHost(), "kube-scheduler", ports.InsecureSchedulerPort, restartPollInterval, restartTimeout) // Create pods while the scheduler is down and make sure the scheduler picks them up by // scaling the rc to the same size. diff --git a/test/e2e/framework/metrics/metrics_grabber.go b/test/e2e/framework/metrics/metrics_grabber.go index dd95dea3eb6..a9851b2cc8c 100644 --- a/test/e2e/framework/metrics/metrics_grabber.go +++ b/test/e2e/framework/metrics/metrics_grabber.go 
@@ -127,7 +127,7 @@ func (g *MetricsGrabber) GrabFromScheduler() (SchedulerMetrics, error) { if !g.registeredMaster { return SchedulerMetrics{}, fmt.Errorf("Master's Kubelet is not registered. Skipping Scheduler's metrics gathering.") } - output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-scheduler", g.masterName), metav1.NamespaceSystem, ports.SchedulerPort) + output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-scheduler", g.masterName), metav1.NamespaceSystem, ports.InsecureSchedulerPort) if err != nil { return SchedulerMetrics{}, err } diff --git a/test/e2e/framework/metrics_util.go b/test/e2e/framework/metrics_util.go index 1ef6b37268e..9f651df0d37 100644 --- a/test/e2e/framework/metrics_util.go +++ b/test/e2e/framework/metrics_util.go @@ -611,7 +611,7 @@ func sendRestRequestToScheduler(c clientset.Interface, op string) (string, error Context(ctx). Namespace(metav1.NamespaceSystem). Resource("pods"). - Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)). + Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.InsecureSchedulerPort)). SubResource("proxy"). Suffix("metrics"). Do().Raw() diff --git a/test/e2e/network/firewall.go b/test/e2e/network/firewall.go index d46ff96c352..ee3839f16d2 100644 --- a/test/e2e/network/firewall.go +++ b/test/e2e/network/firewall.go 
@@ -180,7 +180,7 @@ var _ = SIGDescribe("Firewall rule", func() { masterAddresses := framework.GetAllMasterAddresses(cs) for _, masterAddress := range masterAddresses { assertNotReachableHTTPTimeout(masterAddress, ports.InsecureKubeControllerManagerPort, gce.FirewallTestTcpTimeout) - assertNotReachableHTTPTimeout(masterAddress, ports.SchedulerPort, gce.FirewallTestTcpTimeout) + assertNotReachableHTTPTimeout(masterAddress, ports.InsecureSchedulerPort, gce.FirewallTestTcpTimeout) } assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletPort, gce.FirewallTestTcpTimeout) assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletReadOnlyPort, gce.FirewallTestTcpTimeout)
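Review bot: The firewall check in this loop still probes only `ports.InsecureKubeControllerManagerPort` and `ports.InsecureSchedulerPort`; the listener this commit opens on `ports.KubeSchedulerPort` is not asserted to be unreachable from outside the cluster. If `assertNotReachableHTTPTimeout` only relies on the TCP connection timing out (its body is not shown), adding `assertNotReachableHTTPTimeout(masterAddress, ports.KubeSchedulerPort, gce.FirewallTestTcpTimeout)` inside the loop would cover the new port.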