github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-29 06:27:05 +00:00
Code Issues Projects Releases Wiki Activity

kube-scheduler: enable secure ports 10259

Browse Source
This commit is contained in:
tanshanshan 2018-09-05 16:42:16 +08:00 committed by Dr. Stefan Schimanski
parent 8696cfcfe2
commit cb95edafe8
16 changed files with 153 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/kube-scheduler/app/config/BUILD
View File

@ -12,6 +12,7 @@ go_library(
"//staging/src/k8s.io/client-go/informers/core/v1:go_default_library", "//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes:go_default_library", "//staging/src/k8s.io/client-go/kubernetes:go_default_library",
"//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library", "//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
"//staging/src/k8s.io/client-go/rest:go_default_library",
"//staging/src/k8s.io/client-go/tools/leaderelection:go_default_library", "//staging/src/k8s.io/client-go/tools/leaderelection:go_default_library",
"//staging/src/k8s.io/client-go/tools/record:go_default_library", "//staging/src/k8s.io/client-go/tools/record:go_default_library",
], ],

6
cmd/kube-scheduler/app/config/config.go
View File

@ -22,6 +22,7 @@ import (
coreinformers "k8s.io/client-go/informers/core/v1" coreinformers "k8s.io/client-go/informers/core/v1"
clientset "k8s.io/client-go/kubernetes" clientset "k8s.io/client-go/kubernetes"
v1core "k8s.io/client-go/kubernetes/typed/core/v1" v1core "k8s.io/client-go/kubernetes/typed/core/v1"
restclient "k8s.io/client-go/rest"
"k8s.io/client-go/tools/leaderelection" "k8s.io/client-go/tools/leaderelection"
"k8s.io/client-go/tools/record" "k8s.io/client-go/tools/record"
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config" kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
@ -32,6 +33,9 @@ type Config struct {
// config is the scheduler server's configuration object. // config is the scheduler server's configuration object.
ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration
// LoopbackClientConfig is a config for a privileged loopback connection
LoopbackClientConfig *restclient.Config
InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
Authentication apiserver.AuthenticationInfo Authentication apiserver.AuthenticationInfo
@ -70,5 +74,7 @@ func (c *Config) Complete() CompletedConfig {
c.InsecureMetricsServing.Name = "metrics" c.InsecureMetricsServing.Name = "metrics"
} }
apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
return CompletedConfig{&cc} return CompletedConfig{&cc}
} }

1
cmd/kube-scheduler/app/options/BUILD
View File

@ -14,6 +14,7 @@ go_library(
"//cmd/kube-scheduler/app/config:go_default_library", "//cmd/kube-scheduler/app/config:go_default_library",
"//pkg/api/legacyscheme:go_default_library", "//pkg/api/legacyscheme:go_default_library",
"//pkg/client/leaderelectionconfig:go_default_library", "//pkg/client/leaderelectionconfig:go_default_library",
"//pkg/master/ports:go_default_library",
"//pkg/scheduler/apis/config:go_default_library", "//pkg/scheduler/apis/config:go_default_library",
"//pkg/scheduler/apis/config/scheme:go_default_library", "//pkg/scheduler/apis/config/scheme:go_default_library",
"//pkg/scheduler/apis/config/v1alpha1:go_default_library", "//pkg/scheduler/apis/config/v1alpha1:go_default_library",

12
cmd/kube-scheduler/app/options/insecure_serving.go
View File

@ -31,8 +31,8 @@ import (
// CombinedInsecureServingOptions sets up to two insecure listeners for healthz and metrics. The flags // CombinedInsecureServingOptions sets up to two insecure listeners for healthz and metrics. The flags
// override the ComponentConfig and DeprecatedInsecureServingOptions values for both. // override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
type CombinedInsecureServingOptions struct { type CombinedInsecureServingOptions struct {
Healthz *apiserveroptions.DeprecatedInsecureServingOptions Healthz *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
Metrics *apiserveroptions.DeprecatedInsecureServingOptions Metrics *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
@ -60,11 +60,11 @@ func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, c
return err return err
} }
if err := o.Healthz.ApplyTo(&c.InsecureServing); err != nil { if err := o.Healthz.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
return err return err
} }
if o.Metrics != nil && (c.ComponentConfig.MetricsBindAddress != c.ComponentConfig.HealthzBindAddress || o.Healthz == nil) { if o.Metrics != nil && (c.ComponentConfig.MetricsBindAddress != c.ComponentConfig.HealthzBindAddress || o.Healthz == nil) {
if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing); err != nil { if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing, &c.LoopbackClientConfig); err != nil {
return err return err
} }
} }
@ -108,7 +108,7 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp
return o.applyTo(c, componentConfig) return o.applyTo(c, componentConfig)
} }
func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error { func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback) error {
if is == nil { if is == nil {
*addr = "" *addr = ""
} else { } else {
@ -124,7 +124,7 @@ func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserv
return nil return nil
} }
func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error { func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback, addr string) error {
if is == nil { if is == nil {
return nil return nil
} }

28
cmd/kube-scheduler/app/options/insecure_serving_test.go
View File

@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234", MetricsBindAddress: "1.2.3.4:1234",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindPort: 0, BindPort: 0,
}, },
}, },
@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234", MetricsBindAddress: "1.2.3.4:1234",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindPort: 0, BindPort: 0,
}, },
}, },
@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234", MetricsBindAddress: "1.2.3.4:1234",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindPort: 0, BindPort: 0,
}, },
}, },
@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234", MetricsBindAddress: "1.2.3.4:1234",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindPort: 0, BindPort: 0,
}, },
}, },
@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1235", MetricsBindAddress: "1.2.3.4:1235",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindPort: 0, BindPort: 0,
}, },
}, },
@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234", MetricsBindAddress: "1.2.3.4:1234",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindPort: 1236, BindPort: 1236,
BindAddress: "1.2.3.4", BindAddress: "1.2.3.4",
}, },
@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234", MetricsBindAddress: "1.2.3.4:1234",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindAddress: "2.3.4.5", BindAddress: "2.3.4.5",
BindPort: 1234, BindPort: 1234,
}, },
@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) {
MetricsBindAddress: "1.2.3.4:1234", MetricsBindAddress: "1.2.3.4:1234",
}, },
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{}, Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{}, Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
BindAddress: "2.3.4.5", BindAddress: "2.3.4.5",
BindPort: 0, BindPort: 0,
}, },

46
cmd/kube-scheduler/app/options/options.go
View File

@ -45,6 +45,7 @@ import (
schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config" schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
"k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/api/legacyscheme"
"k8s.io/kubernetes/pkg/client/leaderelectionconfig" "k8s.io/kubernetes/pkg/client/leaderelectionconfig"
"k8s.io/kubernetes/pkg/master/ports"
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config" kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme" kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme"
"k8s.io/kubernetes/pkg/scheduler/apis/config/validation" "k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
@ -56,7 +57,7 @@ type Options struct {
// The default values. These are overridden if ConfigFile is set or by values in InsecureServing. // The default values. These are overridden if ConfigFile is set or by values in InsecureServing.
ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration
SecureServing *apiserveroptions.SecureServingOptions SecureServing *apiserveroptions.SecureServingOptionsWithLoopback
CombinedInsecureServing *CombinedInsecureServingOptions CombinedInsecureServing *CombinedInsecureServingOptions
Authentication *apiserveroptions.DelegatingAuthenticationOptions Authentication *apiserveroptions.DelegatingAuthenticationOptions
Authorization *apiserveroptions.DelegatingAuthorizationOptions Authorization *apiserveroptions.DelegatingAuthorizationOptions
@ -85,25 +86,34 @@ func NewOptions() (*Options, error) {
o := &Options{ o := &Options{
ComponentConfig: *cfg, ComponentConfig: *cfg,
SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions() SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(),
CombinedInsecureServing: &CombinedInsecureServingOptions{ CombinedInsecureServing: &CombinedInsecureServingOptions{
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{ Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindNetwork: "tcp", BindNetwork: "tcp",
}, }).WithLoopback(),
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{ Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{
BindNetwork: "tcp", BindNetwork: "tcp",
}, }).WithLoopback(),
BindPort: hport, BindPort: hport,
BindAddress: hhost, BindAddress: hhost,
}, },
Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions() Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions() Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
Deprecated: &DeprecatedOptions{ Deprecated: &DeprecatedOptions{
UseLegacyPolicyConfig: false, UseLegacyPolicyConfig: false,
PolicyConfigMapNamespace: metav1.NamespaceSystem, PolicyConfigMapNamespace: metav1.NamespaceSystem,
}, },
} }
o.Authentication.RemoteKubeConfigFileOptional = true
o.Authorization.RemoteKubeConfigFileOptional = true
o.Authorization.AlwaysAllowPaths = []string{"/healthz"}
// Set the PairName but leave certificate directory blank to generate in-memory by default
o.SecureServing.ServerCert.CertDirectory = ""
o.SecureServing.ServerCert.PairName = "kube-scheduler"
o.SecureServing.BindPort = ports.KubeSchedulerPort
return o, nil return o, nil
} }
@ -173,13 +183,19 @@ func (o *Options) ApplyTo(c *schedulerappconfig.Config) error {
} }
} }
if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil { if err := o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
return err return err
} }
if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil { if o.SecureServing != nil && (o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil) {
return err if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
return err
}
if err := o.Authorization.ApplyTo(&c.Authorization); err != nil {
return err
}
} }
return o.Authorization.ApplyTo(&c.Authorization)
return nil
} }
// Validate validates all the required options. // Validate validates all the required options.
@ -200,6 +216,12 @@ func (o *Options) Validate() []error {
// Config return a scheduler config object // Config return a scheduler config object
func (o *Options) Config() (*schedulerappconfig.Config, error) { func (o *Options) Config() (*schedulerappconfig.Config, error) {
if o.SecureServing != nil {
if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
}
}
c := &schedulerappconfig.Config{} c := &schedulerappconfig.Config{}
if err := o.ApplyTo(c); err != nil { if err := o.ApplyTo(c); err != nil {
return nil, err return nil, err

75
cmd/kube-scheduler/app/options/options_test.go
View File

@ -32,6 +32,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/diff" "k8s.io/apimachinery/pkg/util/diff"
apiserverconfig "k8s.io/apiserver/pkg/apis/config" apiserverconfig "k8s.io/apiserver/pkg/apis/config"
apiserveroptions "k8s.io/apiserver/pkg/server/options"
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config" kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
) )
@ -175,6 +176,29 @@ users:
} }
return *cfg return *cfg
}(), }(),
SecureServing: (&apiserveroptions.SecureServingOptions{
ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/a/b/c",
PairName: "kube-scheduler",
},
HTTP2MaxStreamsPerConnection: 47,
}).WithLoopback(),
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second,
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
UsernameHeaders: []string{"x-remote-user"},
GroupHeaders: []string{"x-remote-group"},
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
},
RemoteKubeConfigFileOptional: true,
},
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
},
}, },
expectedUsername: "config", expectedUsername: "config",
expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{ expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
@ -233,6 +257,29 @@ users:
cfg.ClientConnection.Kubeconfig = flagKubeconfig cfg.ClientConnection.Kubeconfig = flagKubeconfig
return *cfg return *cfg
}(), }(),
SecureServing: (&apiserveroptions.SecureServingOptions{
ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/a/b/c",
PairName: "kube-scheduler",
},
HTTP2MaxStreamsPerConnection: 47,
}).WithLoopback(),
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second,
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
UsernameHeaders: []string{"x-remote-user"},
GroupHeaders: []string{"x-remote-group"},
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
},
RemoteKubeConfigFileOptional: true,
},
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
},
}, },
expectedUsername: "flag", expectedUsername: "flag",
expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{ expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
@ -264,8 +311,32 @@ users:
}, },
}, },
{ {
name: "overridden master", name: "overridden master",
options: &Options{Master: insecureserver.URL}, options: &Options{
Master: insecureserver.URL,
SecureServing: (&apiserveroptions.SecureServingOptions{
ServerCert: apiserveroptions.GeneratableKeyCert{
CertDirectory: "/a/b/c",
PairName: "kube-scheduler",
},
HTTP2MaxStreamsPerConnection: 47,
}).WithLoopback(),
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
CacheTTL: 10 * time.Second,
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
UsernameHeaders: []string{"x-remote-user"},
GroupHeaders: []string{"x-remote-group"},
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
},
RemoteKubeConfigFileOptional: true,
},
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
AllowCacheTTL: 10 * time.Second,
DenyCacheTTL: 10 * time.Second,
RemoteKubeConfigFileOptional: true,
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
},
},
expectedUsername: "none, http", expectedUsername: "none, http",
}, },
{ {

9
pkg/master/ports/ports.go
View File

@ -23,9 +23,10 @@ const (
// KubeletPort is the default port for the kubelet server on each host machine. // KubeletPort is the default port for the kubelet server on each host machine.
// May be overridden by a flag at startup. // May be overridden by a flag at startup.
KubeletPort = 10250 KubeletPort = 10250
// SchedulerPort is the default port for the scheduler status server. // InsecureSchedulerPort is the default port for the scheduler status server.
// May be overridden by a flag at startup. // May be overridden by a flag at startup.
SchedulerPort = 10251 // Deprecated: use the secure KubeSchedulerPort instead.
InsecureSchedulerPort = 10251
// InsecureKubeControllerManagerPort is the default port for the controller manager status server. // InsecureKubeControllerManagerPort is the default port for the controller manager status server.
// May be overridden by a flag at startup. // May be overridden by a flag at startup.
// Deprecated: use the secure KubeControllerManagerPort instead. // Deprecated: use the secure KubeControllerManagerPort instead.
@ -49,4 +50,8 @@ const (
// CloudControllerManagerPort is the default port for the cloud controller manager server. // CloudControllerManagerPort is the default port for the cloud controller manager server.
// This value may be overridden by a flag at startup. // This value may be overridden by a flag at startup.
CloudControllerManagerPort = 10258 CloudControllerManagerPort = 10258
// KubeSchedulerPort is the default port for the scheduler status server.
// May be overridden by a flag at startup.
KubeSchedulerPort = 10259
) )

2
pkg/registry/core/rest/storage_core.go
View File

@ -254,7 +254,7 @@ type componentStatusStorage struct {
func (s componentStatusStorage) serversToValidate() map[string]*componentstatus.Server { func (s componentStatusStorage) serversToValidate() map[string]*componentstatus.Server {
serversToValidate := map[string]*componentstatus.Server{ serversToValidate := map[string]*componentstatus.Server{
"controller-manager": {Addr: "127.0.0.1", Port: ports.InsecureKubeControllerManagerPort, Path: "/healthz"}, "controller-manager": {Addr: "127.0.0.1", Port: ports.InsecureKubeControllerManagerPort, Path: "/healthz"},
"scheduler": {Addr: "127.0.0.1", Port: ports.SchedulerPort, Path: "/healthz"}, "scheduler": {Addr: "127.0.0.1", Port: ports.InsecureSchedulerPort, Path: "/healthz"},
} }
for ix, machine := range s.storageFactory.Backends() { for ix, machine := range s.storageFactory.Backends() {

4
pkg/scheduler/apis/config/v1alpha1/defaults.go
View File

@ -62,7 +62,7 @@ func SetDefaults_KubeSchedulerConfiguration(obj *kubescedulerconfigv1alpha1.Kube
} }
obj.HealthzBindAddress = net.JoinHostPort(host, port) obj.HealthzBindAddress = net.JoinHostPort(host, port)
} else { } else {
obj.HealthzBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.SchedulerPort)) obj.HealthzBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.InsecureSchedulerPort))
} }
if host, port, err := net.SplitHostPort(obj.MetricsBindAddress); err == nil { if host, port, err := net.SplitHostPort(obj.MetricsBindAddress); err == nil {
@ -71,7 +71,7 @@ func SetDefaults_KubeSchedulerConfiguration(obj *kubescedulerconfigv1alpha1.Kube
} }
obj.MetricsBindAddress = net.JoinHostPort(host, port) obj.MetricsBindAddress = net.JoinHostPort(host, port)
} else { } else {
obj.MetricsBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.SchedulerPort)) obj.MetricsBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.InsecureSchedulerPort))
} }
if len(obj.LeaderElection.LockObjectNamespace) == 0 { if len(obj.LeaderElection.LockObjectNamespace) == 0 {

4
staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go
View File

@ -150,11 +150,11 @@ func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingIn
secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig() secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
switch { switch {
// if we failed and there's no fallback loopback client config, we need to fail // if we failed and there's no fallback loopback client config, we need to fail
case err != nil && secureLoopbackClientConfig == nil: case err != nil && *loopbackClientConfig == nil:
return err return err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it // if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case err != nil && secureLoopbackClientConfig != nil: case err != nil && *loopbackClientConfig != nil:
default: default:
*loopbackClientConfig = secureLoopbackClientConfig *loopbackClientConfig = secureLoopbackClientConfig

4
staging/src/k8s.io/apiserver/pkg/server/options/serving_with_loopback.go
View File

@ -63,11 +63,11 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.Se
secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.NewRandom().String(), certPem) secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
switch { switch {
// if we failed and there's no fallback loopback client config, we need to fail // if we failed and there's no fallback loopback client config, we need to fail
case err != nil && secureLoopbackClientConfig == nil: case err != nil && *loopbackClientConfig == nil:
return err return err
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it // if we failed, but we already have a fallback loopback client config (usually insecure), allow it
case err != nil && secureLoopbackClientConfig != nil: case err != nil && *loopbackClientConfig != nil:
default: default:
*loopbackClientConfig = secureLoopbackClientConfig *loopbackClientConfig = secureLoopbackClientConfig

2
test/e2e/apps/daemon_restart.go
View File

@ -281,7 +281,7 @@ var _ = SIGDescribe("DaemonRestart [Disruptive]", func() {
// Requires master ssh access. // Requires master ssh access.
framework.SkipUnlessProviderIs("gce", "aws") framework.SkipUnlessProviderIs("gce", "aws")
restarter := NewRestartConfig( restarter := NewRestartConfig(
framework.GetMasterHost(), "kube-scheduler", ports.SchedulerPort, restartPollInterval, restartTimeout) framework.GetMasterHost(), "kube-scheduler", ports.InsecureSchedulerPort, restartPollInterval, restartTimeout)
// Create pods while the scheduler is down and make sure the scheduler picks them up by // Create pods while the scheduler is down and make sure the scheduler picks them up by
// scaling the rc to the same size. // scaling the rc to the same size.

2
test/e2e/framework/metrics/metrics_grabber.go
View File

@ -127,7 +127,7 @@ func (g *MetricsGrabber) GrabFromScheduler() (SchedulerMetrics, error) {
if !g.registeredMaster { if !g.registeredMaster {
return SchedulerMetrics{}, fmt.Errorf("Master's Kubelet is not registered. Skipping Scheduler's metrics gathering.") return SchedulerMetrics{}, fmt.Errorf("Master's Kubelet is not registered. Skipping Scheduler's metrics gathering.")
} }
output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-scheduler", g.masterName), metav1.NamespaceSystem, ports.SchedulerPort) output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-scheduler", g.masterName), metav1.NamespaceSystem, ports.InsecureSchedulerPort)
if err != nil { if err != nil {
return SchedulerMetrics{}, err return SchedulerMetrics{}, err
} }

2
test/e2e/framework/metrics_util.go
View File

@ -611,7 +611,7 @@ func sendRestRequestToScheduler(c clientset.Interface, op string) (string, error
Context(ctx). Context(ctx).
Namespace(metav1.NamespaceSystem). Namespace(metav1.NamespaceSystem).
Resource("pods"). Resource("pods").
Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)). Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.InsecureSchedulerPort)).
SubResource("proxy"). SubResource("proxy").
Suffix("metrics"). Suffix("metrics").
Do().Raw() Do().Raw()

2
test/e2e/network/firewall.go
View File

@ -180,7 +180,7 @@ var _ = SIGDescribe("Firewall rule", func() {
masterAddresses := framework.GetAllMasterAddresses(cs) masterAddresses := framework.GetAllMasterAddresses(cs)
for _, masterAddress := range masterAddresses { for _, masterAddress := range masterAddresses {
assertNotReachableHTTPTimeout(masterAddress, ports.InsecureKubeControllerManagerPort, gce.FirewallTestTcpTimeout) assertNotReachableHTTPTimeout(masterAddress, ports.InsecureKubeControllerManagerPort, gce.FirewallTestTcpTimeout)
assertNotReachableHTTPTimeout(masterAddress, ports.SchedulerPort, gce.FirewallTestTcpTimeout) assertNotReachableHTTPTimeout(masterAddress, ports.InsecureSchedulerPort, gce.FirewallTestTcpTimeout)
} }
assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletPort, gce.FirewallTestTcpTimeout) assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletPort, gce.FirewallTestTcpTimeout)
assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletReadOnlyPort, gce.FirewallTestTcpTimeout) assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletReadOnlyPort, gce.FirewallTestTcpTimeout)