kube-scheduler: enable secure ports 10259

2025-09-04 02:37:36 +00:00 · 2018-09-05 16:42:16 +08:00
parent 8696cfcfe2
commit cb95edafe8
16 changed files with 153 additions and 47 deletions
--- a/cmd/kube-scheduler/app/config/BUILD
+++ b/cmd/kube-scheduler/app/config/BUILD
@@ -12,6 +12,7 @@ go_library(
        "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
        "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
        "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
+        "//staging/src/k8s.io/client-go/rest:go_default_library",
        "//staging/src/k8s.io/client-go/tools/leaderelection:go_default_library",
        "//staging/src/k8s.io/client-go/tools/record:go_default_library",
    ],
--- a/cmd/kube-scheduler/app/config/config.go
+++ b/cmd/kube-scheduler/app/config/config.go
@@ -22,6 +22,7 @@ import (
 	coreinformers "k8s.io/client-go/informers/core/v1"
 	clientset "k8s.io/client-go/kubernetes"
 	v1core "k8s.io/client-go/kubernetes/typed/core/v1"
+	restclient "k8s.io/client-go/rest"
 	"k8s.io/client-go/tools/leaderelection"
 	"k8s.io/client-go/tools/record"
 	kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
@@ -32,6 +33,9 @@ type Config struct {
 	// config is the scheduler server's configuration object.
 	ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration

+	// LoopbackClientConfig is a config for a privileged loopback connection
+	LoopbackClientConfig *restclient.Config
+
 	InsecureServing        *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
 	InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
 	Authentication         apiserver.AuthenticationInfo
@@ -70,5 +74,7 @@ func (c *Config) Complete() CompletedConfig {
 		c.InsecureMetricsServing.Name = "metrics"
 	}

+	apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
+
 	return CompletedConfig{&cc}
 }
--- a/cmd/kube-scheduler/app/options/BUILD
+++ b/cmd/kube-scheduler/app/options/BUILD
@@ -14,6 +14,7 @@ go_library(
        "//cmd/kube-scheduler/app/config:go_default_library",
        "//pkg/api/legacyscheme:go_default_library",
        "//pkg/client/leaderelectionconfig:go_default_library",
+        "//pkg/master/ports:go_default_library",
        "//pkg/scheduler/apis/config:go_default_library",
        "//pkg/scheduler/apis/config/scheme:go_default_library",
        "//pkg/scheduler/apis/config/v1alpha1:go_default_library",
--- a/cmd/kube-scheduler/app/options/insecure_serving.go
+++ b/cmd/kube-scheduler/app/options/insecure_serving.go
@@ -31,8 +31,8 @@ import (
 // CombinedInsecureServingOptions sets up to two insecure listeners for healthz and metrics. The flags
 // override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
 type CombinedInsecureServingOptions struct {
-	Healthz *apiserveroptions.DeprecatedInsecureServingOptions
-	Metrics *apiserveroptions.DeprecatedInsecureServingOptions
+	Healthz *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
+	Metrics *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback

 	BindPort    int    // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
 	BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
@@ -60,11 +60,11 @@ func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, c
 		return err
 	}

-	if err := o.Healthz.ApplyTo(&c.InsecureServing); err != nil {
+	if err := o.Healthz.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
 		return err
 	}
 	if o.Metrics != nil && (c.ComponentConfig.MetricsBindAddress != c.ComponentConfig.HealthzBindAddress || o.Healthz == nil) {
-		if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing); err != nil {
+		if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing, &c.LoopbackClientConfig); err != nil {
 			return err
 		}
 	}
@@ -108,7 +108,7 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp
 	return o.applyTo(c, componentConfig)
 }

-func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error {
+func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback) error {
 	if is == nil {
 		*addr = ""
 	} else {
@@ -124,7 +124,7 @@ func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserv
 	return nil
 }

-func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error {
+func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback, addr string) error {
 	if is == nil {
 		return nil
 	}
--- a/cmd/kube-scheduler/app/options/insecure_serving_test.go
+++ b/cmd/kube-scheduler/app/options/insecure_serving_test.go
@@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Healthz:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
+					Metrics:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindPort: 0,
 				},
 			},
@@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Healthz:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindPort: 0,
 				},
 			},
@@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Metrics:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindPort: 0,
 				},
 			},
@@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Healthz:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
+					Metrics:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindPort: 0,
 				},
 			},
@@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1235",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:  &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:  &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Healthz:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
+					Metrics:  (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindPort: 0,
 				},
 			},
@@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Healthz:     (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
+					Metrics:     (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindPort:    1236,
 					BindAddress: "1.2.3.4",
 				},
@@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Healthz:     (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
+					Metrics:     (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindAddress: "2.3.4.5",
 					BindPort:    1234,
 				},
@@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) {
 					MetricsBindAddress: "1.2.3.4:1234",
 				},
 				CombinedInsecureServing: &CombinedInsecureServingOptions{
-					Healthz:     &apiserveroptions.DeprecatedInsecureServingOptions{},
-					Metrics:     &apiserveroptions.DeprecatedInsecureServingOptions{},
+					Healthz:     (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
+					Metrics:     (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
 					BindAddress: "2.3.4.5",
 					BindPort:    0,
 				},
--- a/cmd/kube-scheduler/app/options/options.go
+++ b/cmd/kube-scheduler/app/options/options.go
@@ -45,6 +45,7 @@ import (
 	schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
 	"k8s.io/kubernetes/pkg/api/legacyscheme"
 	"k8s.io/kubernetes/pkg/client/leaderelectionconfig"
+	"k8s.io/kubernetes/pkg/master/ports"
 	kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
 	kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme"
 	"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
@@ -56,7 +57,7 @@ type Options struct {
 	// The default values. These are overridden if ConfigFile is set or by values in InsecureServing.
 	ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration

-	SecureServing           *apiserveroptions.SecureServingOptions
+	SecureServing           *apiserveroptions.SecureServingOptionsWithLoopback
 	CombinedInsecureServing *CombinedInsecureServingOptions
 	Authentication          *apiserveroptions.DelegatingAuthenticationOptions
 	Authorization           *apiserveroptions.DelegatingAuthorizationOptions
@@ -85,25 +86,34 @@ func NewOptions() (*Options, error) {

 	o := &Options{
 		ComponentConfig: *cfg,
-		SecureServing:   nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
+		SecureServing:   apiserveroptions.NewSecureServingOptions().WithLoopback(),
 		CombinedInsecureServing: &CombinedInsecureServingOptions{
-			Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{
+			Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{
 				BindNetwork: "tcp",
-			},
-			Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{
+			}).WithLoopback(),
+			Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{
 				BindNetwork: "tcp",
-			},
+			}).WithLoopback(),
 			BindPort:    hport,
 			BindAddress: hhost,
 		},
-		Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
-		Authorization:  nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
+		Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
+		Authorization:  apiserveroptions.NewDelegatingAuthorizationOptions(),
 		Deprecated: &DeprecatedOptions{
 			UseLegacyPolicyConfig:    false,
 			PolicyConfigMapNamespace: metav1.NamespaceSystem,
 		},
 	}

+	o.Authentication.RemoteKubeConfigFileOptional = true
+	o.Authorization.RemoteKubeConfigFileOptional = true
+	o.Authorization.AlwaysAllowPaths = []string{"/healthz"}
+
+	// Set the PairName but leave certificate directory blank to generate in-memory by default
+	o.SecureServing.ServerCert.CertDirectory = ""
+	o.SecureServing.ServerCert.PairName = "kube-scheduler"
+	o.SecureServing.BindPort = ports.KubeSchedulerPort
+
 	return o, nil
 }

@@ -173,13 +183,19 @@ func (o *Options) ApplyTo(c *schedulerappconfig.Config) error {
 		}
 	}

-	if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
+	if err := o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
 		return err
 	}
-	if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
-		return err
+	if o.SecureServing != nil && (o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil) {
+		if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
+			return err
+		}
+		if err := o.Authorization.ApplyTo(&c.Authorization); err != nil {
+			return err
+		}
 	}
-	return o.Authorization.ApplyTo(&c.Authorization)
+
+	return nil
 }

 // Validate validates all the required options.
@@ -200,6 +216,12 @@ func (o *Options) Validate() []error {

 // Config return a scheduler config object
 func (o *Options) Config() (*schedulerappconfig.Config, error) {
+	if o.SecureServing != nil {
+		if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
+			return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
+		}
+	}
+
 	c := &schedulerappconfig.Config{}
 	if err := o.ApplyTo(c); err != nil {
 		return nil, err
--- a/cmd/kube-scheduler/app/options/options_test.go
+++ b/cmd/kube-scheduler/app/options/options_test.go
@@ -32,6 +32,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
 	apiserverconfig "k8s.io/apiserver/pkg/apis/config"
+	apiserveroptions "k8s.io/apiserver/pkg/server/options"
 	kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
 )

@@ -175,6 +176,29 @@ users:
 					}
 					return *cfg
 				}(),
+				SecureServing: (&apiserveroptions.SecureServingOptions{
+					ServerCert: apiserveroptions.GeneratableKeyCert{
+						CertDirectory: "/a/b/c",
+						PairName:      "kube-scheduler",
+					},
+					HTTP2MaxStreamsPerConnection: 47,
+				}).WithLoopback(),
+				Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
+					CacheTTL:   10 * time.Second,
+					ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
+					RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
+						UsernameHeaders:     []string{"x-remote-user"},
+						GroupHeaders:        []string{"x-remote-group"},
+						ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+					},
+					RemoteKubeConfigFileOptional: true,
+				},
+				Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
+					AllowCacheTTL:                10 * time.Second,
+					DenyCacheTTL:                 10 * time.Second,
+					RemoteKubeConfigFileOptional: true,
+					AlwaysAllowPaths:             []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+				},
 			},
 			expectedUsername: "config",
 			expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
@@ -233,6 +257,29 @@ users:
 					cfg.ClientConnection.Kubeconfig = flagKubeconfig
 					return *cfg
 				}(),
+				SecureServing: (&apiserveroptions.SecureServingOptions{
+					ServerCert: apiserveroptions.GeneratableKeyCert{
+						CertDirectory: "/a/b/c",
+						PairName:      "kube-scheduler",
+					},
+					HTTP2MaxStreamsPerConnection: 47,
+				}).WithLoopback(),
+				Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
+					CacheTTL:   10 * time.Second,
+					ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
+					RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
+						UsernameHeaders:     []string{"x-remote-user"},
+						GroupHeaders:        []string{"x-remote-group"},
+						ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+					},
+					RemoteKubeConfigFileOptional: true,
+				},
+				Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
+					AllowCacheTTL:                10 * time.Second,
+					DenyCacheTTL:                 10 * time.Second,
+					RemoteKubeConfigFileOptional: true,
+					AlwaysAllowPaths:             []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+				},
 			},
 			expectedUsername: "flag",
 			expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
@@ -264,8 +311,32 @@ users:
 			},
 		},
 		{
-			name:             "overridden master",
-			options:          &Options{Master: insecureserver.URL},
+			name: "overridden master",
+			options: &Options{
+				Master: insecureserver.URL,
+				SecureServing: (&apiserveroptions.SecureServingOptions{
+					ServerCert: apiserveroptions.GeneratableKeyCert{
+						CertDirectory: "/a/b/c",
+						PairName:      "kube-scheduler",
+					},
+					HTTP2MaxStreamsPerConnection: 47,
+				}).WithLoopback(),
+				Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
+					CacheTTL: 10 * time.Second,
+					RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
+						UsernameHeaders:     []string{"x-remote-user"},
+						GroupHeaders:        []string{"x-remote-group"},
+						ExtraHeaderPrefixes: []string{"x-remote-extra-"},
+					},
+					RemoteKubeConfigFileOptional: true,
+				},
+				Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
+					AllowCacheTTL:                10 * time.Second,
+					DenyCacheTTL:                 10 * time.Second,
+					RemoteKubeConfigFileOptional: true,
+					AlwaysAllowPaths:             []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
+				},
+			},
 			expectedUsername: "none, http",
 		},
 		{