kube-scheduler: enable secure ports 10259
parent
8696cfcfe2
commit
cb95edafe8
@ -12,6 +12,7 @@ go_library(
|
|||||||
"//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
|
"//staging/src/k8s.io/client-go/informers/core/v1:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
"//staging/src/k8s.io/client-go/kubernetes/typed/core/v1:go_default_library",
|
||||||
|
"//staging/src/k8s.io/client-go/rest:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/tools/leaderelection:go_default_library",
|
"//staging/src/k8s.io/client-go/tools/leaderelection:go_default_library",
|
||||||
"//staging/src/k8s.io/client-go/tools/record:go_default_library",
|
"//staging/src/k8s.io/client-go/tools/record:go_default_library",
|
||||||
],
|
],
|
||||||
|
@ -22,6 +22,7 @@ import (
|
|||||||
coreinformers "k8s.io/client-go/informers/core/v1"
|
coreinformers "k8s.io/client-go/informers/core/v1"
|
||||||
clientset "k8s.io/client-go/kubernetes"
|
clientset "k8s.io/client-go/kubernetes"
|
||||||
v1core "k8s.io/client-go/kubernetes/typed/core/v1"
|
v1core "k8s.io/client-go/kubernetes/typed/core/v1"
|
||||||
|
restclient "k8s.io/client-go/rest"
|
||||||
"k8s.io/client-go/tools/leaderelection"
|
"k8s.io/client-go/tools/leaderelection"
|
||||||
"k8s.io/client-go/tools/record"
|
"k8s.io/client-go/tools/record"
|
||||||
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
|
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
|
||||||
@ -32,6 +33,9 @@ type Config struct {
|
|||||||
// config is the scheduler server's configuration object.
|
// config is the scheduler server's configuration object.
|
||||||
ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration
|
ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration
|
||||||
|
|
||||||
|
// LoopbackClientConfig is a config for a privileged loopback connection
|
||||||
|
LoopbackClientConfig *restclient.Config
|
||||||
|
|
||||||
InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
|
InsecureServing *apiserver.DeprecatedInsecureServingInfo // nil will disable serving on an insecure port
|
||||||
InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
|
InsecureMetricsServing *apiserver.DeprecatedInsecureServingInfo // non-nil if metrics should be served independently
|
||||||
Authentication apiserver.AuthenticationInfo
|
Authentication apiserver.AuthenticationInfo
|
||||||
@ -70,5 +74,7 @@ func (c *Config) Complete() CompletedConfig {
|
|||||||
c.InsecureMetricsServing.Name = "metrics"
|
c.InsecureMetricsServing.Name = "metrics"
|
||||||
}
|
}
|
||||||
|
|
||||||
|
apiserver.AuthorizeClientBearerToken(c.LoopbackClientConfig, &c.Authentication, &c.Authorization)
|
||||||
|
|
||||||
return CompletedConfig{&cc}
|
return CompletedConfig{&cc}
|
||||||
}
|
}
|
||||||
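Review bot: The comment on the new `LoopbackClientConfig` field does not say which code fills it in or whether it can stay nil, and the call added in `Complete()` passes it to `apiserver.AuthorizeClientBearerToken` without a check. Whether that helper tolerates a nil config, or one without a bearer token, is not visible on this page, so the field comment should state the contract, for example `// LoopbackClientConfig is set by the serving options' ApplyTo; it may be nil when no listener is configured.` A one-line comment above the call in `Complete()` would also help, since it receives `&c.Authentication` and `&c.Authorization` and presumably changes both in place to trust the loopback token. `Complete()` starts outside the hunk.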
|
@ -14,6 +14,7 @@ go_library(
|
|||||||
"//cmd/kube-scheduler/app/config:go_default_library",
|
"//cmd/kube-scheduler/app/config:go_default_library",
|
||||||
"//pkg/api/legacyscheme:go_default_library",
|
"//pkg/api/legacyscheme:go_default_library",
|
||||||
"//pkg/client/leaderelectionconfig:go_default_library",
|
"//pkg/client/leaderelectionconfig:go_default_library",
|
||||||
|
"//pkg/master/ports:go_default_library",
|
||||||
"//pkg/scheduler/apis/config:go_default_library",
|
"//pkg/scheduler/apis/config:go_default_library",
|
||||||
"//pkg/scheduler/apis/config/scheme:go_default_library",
|
"//pkg/scheduler/apis/config/scheme:go_default_library",
|
||||||
"//pkg/scheduler/apis/config/v1alpha1:go_default_library",
|
"//pkg/scheduler/apis/config/v1alpha1:go_default_library",
|
||||||
|
@ -31,8 +31,8 @@ import (
|
|||||||
// CombinedInsecureServingOptions sets up to two insecure listeners for healthz and metrics. The flags
|
// CombinedInsecureServingOptions sets up to two insecure listeners for healthz and metrics. The flags
|
||||||
// override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
|
// override the ComponentConfig and DeprecatedInsecureServingOptions values for both.
|
||||||
type CombinedInsecureServingOptions struct {
|
type CombinedInsecureServingOptions struct {
|
||||||
Healthz *apiserveroptions.DeprecatedInsecureServingOptions
|
Healthz *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
|
||||||
Metrics *apiserveroptions.DeprecatedInsecureServingOptions
|
Metrics *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback
|
||||||
|
|
||||||
BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
|
BindPort int // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
|
||||||
BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
|
BindAddress string // overrides the structs above on ApplyTo, ignored on ApplyToFromLoadedConfig
|
||||||
@ -60,11 +60,11 @@ func (o *CombinedInsecureServingOptions) applyTo(c *schedulerappconfig.Config, c
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := o.Healthz.ApplyTo(&c.InsecureServing); err != nil {
|
if err := o.Healthz.ApplyTo(&c.InsecureServing, &c.LoopbackClientConfig); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if o.Metrics != nil && (c.ComponentConfig.MetricsBindAddress != c.ComponentConfig.HealthzBindAddress || o.Healthz == nil) {
|
if o.Metrics != nil && (c.ComponentConfig.MetricsBindAddress != c.ComponentConfig.HealthzBindAddress || o.Healthz == nil) {
|
||||||
if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing); err != nil {
|
if err := o.Metrics.ApplyTo(&c.InsecureMetricsServing, &c.LoopbackClientConfig); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
@ -108,7 +108,7 @@ func (o *CombinedInsecureServingOptions) ApplyToFromLoadedConfig(c *schedulerapp
|
|||||||
return o.applyTo(c, componentConfig)
|
return o.applyTo(c, componentConfig)
|
||||||
}
|
}
|
||||||
|
|
||||||
func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptions) error {
|
func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback) error {
|
||||||
if is == nil {
|
if is == nil {
|
||||||
*addr = ""
|
*addr = ""
|
||||||
} else {
|
} else {
|
||||||
@ -124,7 +124,7 @@ func updateAddressFromDeprecatedInsecureServingOptions(addr *string, is *apiserv
|
|||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptions, addr string) error {
|
func updateDeprecatedInsecureServingOptionsFromAddress(is *apiserveroptions.DeprecatedInsecureServingOptionsWithLoopback, addr string) error {
|
||||||
if is == nil {
|
if is == nil {
|
||||||
return nil
|
return nil
|
||||||
}
|
}
|
||||||
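Review bot: In `applyTo`, `o.Healthz.ApplyTo` and `o.Metrics.ApplyTo` now both receive `&c.LoopbackClientConfig`, and `Options.ApplyTo` later on this page hands the same pointer to `o.SecureServing.ApplyTo`, so three listeners write one field. Which config survives depends on call order and on the switch in the `WithLoopback` helpers, and nothing at these call sites says so. I would add a comment above the first call such as `// Healthz, Metrics and SecureServing share c.LoopbackClientConfig; the last ApplyTo that succeeds decides which one is kept.` and confirm that the secure listener is applied last, so the privileged loopback client does not end up pointed at a plain-HTTP listener. `applyTo` starts and ends outside the hunk.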
|
@ -46,8 +46,8 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1234",
|
MetricsBindAddress: "1.2.3.4:1234",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindPort: 0,
|
BindPort: 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -61,7 +61,7 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1234",
|
MetricsBindAddress: "1.2.3.4:1234",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindPort: 0,
|
BindPort: 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -79,7 +79,7 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1234",
|
MetricsBindAddress: "1.2.3.4:1234",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindPort: 0,
|
BindPort: 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -97,8 +97,8 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1234",
|
MetricsBindAddress: "1.2.3.4:1234",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindPort: 0,
|
BindPort: 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -118,8 +118,8 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1235",
|
MetricsBindAddress: "1.2.3.4:1235",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindPort: 0,
|
BindPort: 0,
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
@ -141,8 +141,8 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1234",
|
MetricsBindAddress: "1.2.3.4:1234",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindPort: 1236,
|
BindPort: 1236,
|
||||||
BindAddress: "1.2.3.4",
|
BindAddress: "1.2.3.4",
|
||||||
},
|
},
|
||||||
@ -163,8 +163,8 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1234",
|
MetricsBindAddress: "1.2.3.4:1234",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindAddress: "2.3.4.5",
|
BindAddress: "2.3.4.5",
|
||||||
BindPort: 1234,
|
BindPort: 1234,
|
||||||
},
|
},
|
||||||
@ -185,8 +185,8 @@ func TestOptions_ApplyTo(t *testing.T) {
|
|||||||
MetricsBindAddress: "1.2.3.4:1234",
|
MetricsBindAddress: "1.2.3.4:1234",
|
||||||
},
|
},
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{},
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{}).WithLoopback(),
|
||||||
BindAddress: "2.3.4.5",
|
BindAddress: "2.3.4.5",
|
||||||
BindPort: 0,
|
BindPort: 0,
|
||||||
},
|
},
|
||||||
|
@ -45,6 +45,7 @@ import (
|
|||||||
schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
|
schedulerappconfig "k8s.io/kubernetes/cmd/kube-scheduler/app/config"
|
||||||
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
"k8s.io/kubernetes/pkg/api/legacyscheme"
|
||||||
"k8s.io/kubernetes/pkg/client/leaderelectionconfig"
|
"k8s.io/kubernetes/pkg/client/leaderelectionconfig"
|
||||||
|
"k8s.io/kubernetes/pkg/master/ports"
|
||||||
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
|
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
|
||||||
kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme"
|
kubeschedulerscheme "k8s.io/kubernetes/pkg/scheduler/apis/config/scheme"
|
||||||
"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
|
"k8s.io/kubernetes/pkg/scheduler/apis/config/validation"
|
||||||
@ -56,7 +57,7 @@ type Options struct {
|
|||||||
// The default values. These are overridden if ConfigFile is set or by values in InsecureServing.
|
// The default values. These are overridden if ConfigFile is set or by values in InsecureServing.
|
||||||
ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration
|
ComponentConfig kubeschedulerconfig.KubeSchedulerConfiguration
|
||||||
|
|
||||||
SecureServing *apiserveroptions.SecureServingOptions
|
SecureServing *apiserveroptions.SecureServingOptionsWithLoopback
|
||||||
CombinedInsecureServing *CombinedInsecureServingOptions
|
CombinedInsecureServing *CombinedInsecureServingOptions
|
||||||
Authentication *apiserveroptions.DelegatingAuthenticationOptions
|
Authentication *apiserveroptions.DelegatingAuthenticationOptions
|
||||||
Authorization *apiserveroptions.DelegatingAuthorizationOptions
|
Authorization *apiserveroptions.DelegatingAuthorizationOptions
|
||||||
@ -85,25 +86,34 @@ func NewOptions() (*Options, error) {
|
|||||||
|
|
||||||
o := &Options{
|
o := &Options{
|
||||||
ComponentConfig: *cfg,
|
ComponentConfig: *cfg,
|
||||||
SecureServing: nil, // TODO: enable with apiserveroptions.NewSecureServingOptions()
|
SecureServing: apiserveroptions.NewSecureServingOptions().WithLoopback(),
|
||||||
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
CombinedInsecureServing: &CombinedInsecureServingOptions{
|
||||||
Healthz: &apiserveroptions.DeprecatedInsecureServingOptions{
|
Healthz: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||||
BindNetwork: "tcp",
|
BindNetwork: "tcp",
|
||||||
},
|
}).WithLoopback(),
|
||||||
Metrics: &apiserveroptions.DeprecatedInsecureServingOptions{
|
Metrics: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||||
BindNetwork: "tcp",
|
BindNetwork: "tcp",
|
||||||
},
|
}).WithLoopback(),
|
||||||
BindPort: hport,
|
BindPort: hport,
|
||||||
BindAddress: hhost,
|
BindAddress: hhost,
|
||||||
},
|
},
|
||||||
Authentication: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthenticationOptions()
|
Authentication: apiserveroptions.NewDelegatingAuthenticationOptions(),
|
||||||
Authorization: nil, // TODO: enable with apiserveroptions.NewDelegatingAuthorizationOptions()
|
Authorization: apiserveroptions.NewDelegatingAuthorizationOptions(),
|
||||||
Deprecated: &DeprecatedOptions{
|
Deprecated: &DeprecatedOptions{
|
||||||
UseLegacyPolicyConfig: false,
|
UseLegacyPolicyConfig: false,
|
||||||
PolicyConfigMapNamespace: metav1.NamespaceSystem,
|
PolicyConfigMapNamespace: metav1.NamespaceSystem,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
o.Authentication.RemoteKubeConfigFileOptional = true
|
||||||
|
o.Authorization.RemoteKubeConfigFileOptional = true
|
||||||
|
o.Authorization.AlwaysAllowPaths = []string{"/healthz"}
|
||||||
|
|
||||||
|
// Set the PairName but leave certificate directory blank to generate in-memory by default
|
||||||
|
o.SecureServing.ServerCert.CertDirectory = ""
|
||||||
|
o.SecureServing.ServerCert.PairName = "kube-scheduler"
|
||||||
|
o.SecureServing.BindPort = ports.KubeSchedulerPort
|
||||||
|
|
||||||
return o, nil
|
return o, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -173,13 +183,19 @@ func (o *Options) ApplyTo(c *schedulerappconfig.Config) error {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if err := o.SecureServing.ApplyTo(&c.SecureServing); err != nil {
|
if err := o.SecureServing.ApplyTo(&c.SecureServing, &c.LoopbackClientConfig); err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
|
if o.SecureServing != nil && (o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil) {
|
||||||
return err
|
if err := o.Authentication.ApplyTo(&c.Authentication, c.SecureServing, nil); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
if err := o.Authorization.ApplyTo(&c.Authorization); err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
}
|
}
|
||||||
return o.Authorization.ApplyTo(&c.Authorization)
|
|
||||||
|
return nil
|
||||||
}
|
}
|
||||||
|
|
||||||
// Validate validates all the required options.
|
// Validate validates all the required options.
|
||||||
@ -200,6 +216,12 @@ func (o *Options) Validate() []error {
|
|||||||
|
|
||||||
// Config return a scheduler config object
|
// Config return a scheduler config object
|
||||||
func (o *Options) Config() (*schedulerappconfig.Config, error) {
|
func (o *Options) Config() (*schedulerappconfig.Config, error) {
|
||||||
|
if o.SecureServing != nil {
|
||||||
|
if err := o.SecureServing.MaybeDefaultWithSelfSignedCerts("localhost", nil, []net.IP{net.ParseIP("127.0.0.1")}); err != nil {
|
||||||
|
return nil, fmt.Errorf("error creating self-signed certificates: %v", err)
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
c := &schedulerappconfig.Config{}
|
c := &schedulerappconfig.Config{}
|
||||||
if err := o.ApplyTo(c); err != nil {
|
if err := o.ApplyTo(c); err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
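Review bot: The fallback added to `Config()` issues the self-signed certificate only for `localhost` and `127.0.0.1`, while `NewOptions` leaves `ServerCert.CertDirectory` empty so the pair is generated in memory. A client that reaches port 10259 by node address cannot validate the server name, and cannot pin the certificate either if the pair is regenerated on every start, as the in-memory comment suggests; the secure port's default bind address is not visible here. I would say so next to the call, for example `// Loopback-only self-signed fallback; pass --tls-cert-file and --tls-private-key-file for clients that connect by node address.` Separately, in `ApplyTo` the `o.SecureServing != nil` test comes after `o.SecureServing.ApplyTo(...)` has already been called on it, so the guard should move above that call or be dropped. `Config()` and `ApplyTo` both continue outside their hunks.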
|
@ -32,6 +32,7 @@ import (
|
|||||||
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
||||||
"k8s.io/apimachinery/pkg/util/diff"
|
"k8s.io/apimachinery/pkg/util/diff"
|
||||||
apiserverconfig "k8s.io/apiserver/pkg/apis/config"
|
apiserverconfig "k8s.io/apiserver/pkg/apis/config"
|
||||||
|
apiserveroptions "k8s.io/apiserver/pkg/server/options"
|
||||||
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
|
kubeschedulerconfig "k8s.io/kubernetes/pkg/scheduler/apis/config"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -175,6 +176,29 @@ users:
|
|||||||
}
|
}
|
||||||
return *cfg
|
return *cfg
|
||||||
}(),
|
}(),
|
||||||
|
SecureServing: (&apiserveroptions.SecureServingOptions{
|
||||||
|
ServerCert: apiserveroptions.GeneratableKeyCert{
|
||||||
|
CertDirectory: "/a/b/c",
|
||||||
|
PairName: "kube-scheduler",
|
||||||
|
},
|
||||||
|
HTTP2MaxStreamsPerConnection: 47,
|
||||||
|
}).WithLoopback(),
|
||||||
|
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
|
||||||
|
CacheTTL: 10 * time.Second,
|
||||||
|
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
|
||||||
|
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
|
||||||
|
UsernameHeaders: []string{"x-remote-user"},
|
||||||
|
GroupHeaders: []string{"x-remote-group"},
|
||||||
|
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
|
||||||
|
},
|
||||||
|
RemoteKubeConfigFileOptional: true,
|
||||||
|
},
|
||||||
|
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
|
||||||
|
AllowCacheTTL: 10 * time.Second,
|
||||||
|
DenyCacheTTL: 10 * time.Second,
|
||||||
|
RemoteKubeConfigFileOptional: true,
|
||||||
|
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
|
||||||
|
},
|
||||||
},
|
},
|
||||||
expectedUsername: "config",
|
expectedUsername: "config",
|
||||||
expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
|
expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
|
||||||
@ -233,6 +257,29 @@ users:
|
|||||||
cfg.ClientConnection.Kubeconfig = flagKubeconfig
|
cfg.ClientConnection.Kubeconfig = flagKubeconfig
|
||||||
return *cfg
|
return *cfg
|
||||||
}(),
|
}(),
|
||||||
|
SecureServing: (&apiserveroptions.SecureServingOptions{
|
||||||
|
ServerCert: apiserveroptions.GeneratableKeyCert{
|
||||||
|
CertDirectory: "/a/b/c",
|
||||||
|
PairName: "kube-scheduler",
|
||||||
|
},
|
||||||
|
HTTP2MaxStreamsPerConnection: 47,
|
||||||
|
}).WithLoopback(),
|
||||||
|
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
|
||||||
|
CacheTTL: 10 * time.Second,
|
||||||
|
ClientCert: apiserveroptions.ClientCertAuthenticationOptions{},
|
||||||
|
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
|
||||||
|
UsernameHeaders: []string{"x-remote-user"},
|
||||||
|
GroupHeaders: []string{"x-remote-group"},
|
||||||
|
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
|
||||||
|
},
|
||||||
|
RemoteKubeConfigFileOptional: true,
|
||||||
|
},
|
||||||
|
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
|
||||||
|
AllowCacheTTL: 10 * time.Second,
|
||||||
|
DenyCacheTTL: 10 * time.Second,
|
||||||
|
RemoteKubeConfigFileOptional: true,
|
||||||
|
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
|
||||||
|
},
|
||||||
},
|
},
|
||||||
expectedUsername: "flag",
|
expectedUsername: "flag",
|
||||||
expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
|
expectedConfig: kubeschedulerconfig.KubeSchedulerConfiguration{
|
||||||
@ -264,8 +311,32 @@ users:
|
|||||||
},
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
name: "overridden master",
|
name: "overridden master",
|
||||||
options: &Options{Master: insecureserver.URL},
|
options: &Options{
|
||||||
|
Master: insecureserver.URL,
|
||||||
|
SecureServing: (&apiserveroptions.SecureServingOptions{
|
||||||
|
ServerCert: apiserveroptions.GeneratableKeyCert{
|
||||||
|
CertDirectory: "/a/b/c",
|
||||||
|
PairName: "kube-scheduler",
|
||||||
|
},
|
||||||
|
HTTP2MaxStreamsPerConnection: 47,
|
||||||
|
}).WithLoopback(),
|
||||||
|
Authentication: &apiserveroptions.DelegatingAuthenticationOptions{
|
||||||
|
CacheTTL: 10 * time.Second,
|
||||||
|
RequestHeader: apiserveroptions.RequestHeaderAuthenticationOptions{
|
||||||
|
UsernameHeaders: []string{"x-remote-user"},
|
||||||
|
GroupHeaders: []string{"x-remote-group"},
|
||||||
|
ExtraHeaderPrefixes: []string{"x-remote-extra-"},
|
||||||
|
},
|
||||||
|
RemoteKubeConfigFileOptional: true,
|
||||||
|
},
|
||||||
|
Authorization: &apiserveroptions.DelegatingAuthorizationOptions{
|
||||||
|
AllowCacheTTL: 10 * time.Second,
|
||||||
|
DenyCacheTTL: 10 * time.Second,
|
||||||
|
RemoteKubeConfigFileOptional: true,
|
||||||
|
AlwaysAllowPaths: []string{"/healthz"}, // note: this does not match /healthz/ or /healthz/*
|
||||||
|
},
|
||||||
|
},
|
||||||
expectedUsername: "none, http",
|
expectedUsername: "none, http",
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
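Review bot: Every `SecureServingOptions` literal added to the table in these hunks sets only `ServerCert` and `HTTP2MaxStreamsPerConnection`, leaving `BindPort` at zero and `Listener` nil. Given the new condition in `Options.ApplyTo` (`o.SecureServing.BindPort != 0 || o.SecureServing.Listener != nil`), the cases visible here appear to cover only the path that skips `Authentication.ApplyTo` and `Authorization.ApplyTo`. I would add one entry with a non-zero `BindPort` or a supplied `Listener` and check that the resulting config has authentication and authorization populated, so the path that protects the new port is tested. The test function starts and ends outside these hunks.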
|
@ -23,9 +23,10 @@ const (
|
|||||||
// KubeletPort is the default port for the kubelet server on each host machine.
|
// KubeletPort is the default port for the kubelet server on each host machine.
|
||||||
// May be overridden by a flag at startup.
|
// May be overridden by a flag at startup.
|
||||||
KubeletPort = 10250
|
KubeletPort = 10250
|
||||||
// SchedulerPort is the default port for the scheduler status server.
|
// InsecureSchedulerPort is the default port for the scheduler status server.
|
||||||
// May be overridden by a flag at startup.
|
// May be overridden by a flag at startup.
|
||||||
SchedulerPort = 10251
|
// Deprecated: use the secure KubeSchedulerPort instead.
|
||||||
|
InsecureSchedulerPort = 10251
|
||||||
// InsecureKubeControllerManagerPort is the default port for the controller manager status server.
|
// InsecureKubeControllerManagerPort is the default port for the controller manager status server.
|
||||||
// May be overridden by a flag at startup.
|
// May be overridden by a flag at startup.
|
||||||
// Deprecated: use the secure KubeControllerManagerPort instead.
|
// Deprecated: use the secure KubeControllerManagerPort instead.
|
||||||
@ -49,4 +50,8 @@ const (
|
|||||||
// CloudControllerManagerPort is the default port for the cloud controller manager server.
|
// CloudControllerManagerPort is the default port for the cloud controller manager server.
|
||||||
// This value may be overridden by a flag at startup.
|
// This value may be overridden by a flag at startup.
|
||||||
CloudControllerManagerPort = 10258
|
CloudControllerManagerPort = 10258
|
||||||
|
|
||||||
|
// KubeSchedulerPort is the default port for the scheduler status server.
|
||||||
|
// May be overridden by a flag at startup.
|
||||||
|
KubeSchedulerPort = 10259
|
||||||
)
|
)
|
||||||
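Review bot: The comment on the new `KubeSchedulerPort` repeats the wording used for `InsecureSchedulerPort` ("the default port for the scheduler status server"), so the two constants cannot be told apart from their documentation. I would change its first line to `// KubeSchedulerPort is the default port for the scheduler's secure (HTTPS) status server.`, which matches the `Deprecated:` pointer added to the insecure constant. The other call sites on this page (`serversToValidate`, the defaulting code and the e2e helpers) are only renamed to `InsecureSchedulerPort` and so keep using the plain-HTTP port; moving them to 10259 is worth tracking as a follow-up.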
|
@ -254,7 +254,7 @@ type componentStatusStorage struct {
|
|||||||
func (s componentStatusStorage) serversToValidate() map[string]*componentstatus.Server {
|
func (s componentStatusStorage) serversToValidate() map[string]*componentstatus.Server {
|
||||||
serversToValidate := map[string]*componentstatus.Server{
|
serversToValidate := map[string]*componentstatus.Server{
|
||||||
"controller-manager": {Addr: "127.0.0.1", Port: ports.InsecureKubeControllerManagerPort, Path: "/healthz"},
|
"controller-manager": {Addr: "127.0.0.1", Port: ports.InsecureKubeControllerManagerPort, Path: "/healthz"},
|
||||||
"scheduler": {Addr: "127.0.0.1", Port: ports.SchedulerPort, Path: "/healthz"},
|
"scheduler": {Addr: "127.0.0.1", Port: ports.InsecureSchedulerPort, Path: "/healthz"},
|
||||||
}
|
}
|
||||||
|
|
||||||
for ix, machine := range s.storageFactory.Backends() {
|
for ix, machine := range s.storageFactory.Backends() {
|
||||||
|
@ -62,7 +62,7 @@ func SetDefaults_KubeSchedulerConfiguration(obj *kubescedulerconfigv1alpha1.Kube
|
|||||||
}
|
}
|
||||||
obj.HealthzBindAddress = net.JoinHostPort(host, port)
|
obj.HealthzBindAddress = net.JoinHostPort(host, port)
|
||||||
} else {
|
} else {
|
||||||
obj.HealthzBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.SchedulerPort))
|
obj.HealthzBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.InsecureSchedulerPort))
|
||||||
}
|
}
|
||||||
|
|
||||||
if host, port, err := net.SplitHostPort(obj.MetricsBindAddress); err == nil {
|
if host, port, err := net.SplitHostPort(obj.MetricsBindAddress); err == nil {
|
||||||
@ -71,7 +71,7 @@ func SetDefaults_KubeSchedulerConfiguration(obj *kubescedulerconfigv1alpha1.Kube
|
|||||||
}
|
}
|
||||||
obj.MetricsBindAddress = net.JoinHostPort(host, port)
|
obj.MetricsBindAddress = net.JoinHostPort(host, port)
|
||||||
} else {
|
} else {
|
||||||
obj.MetricsBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.SchedulerPort))
|
obj.MetricsBindAddress = net.JoinHostPort("0.0.0.0", strconv.Itoa(ports.InsecureSchedulerPort))
|
||||||
}
|
}
|
||||||
|
|
||||||
if len(obj.LeaderElection.LockObjectNamespace) == 0 {
|
if len(obj.LeaderElection.LockObjectNamespace) == 0 {
|
||||||
|
@ -150,11 +150,11 @@ func (s *DeprecatedInsecureServingOptionsWithLoopback) ApplyTo(insecureServingIn
|
|||||||
secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
|
secureLoopbackClientConfig, err := (*insecureServingInfo).NewLoopbackClientConfig()
|
||||||
switch {
|
switch {
|
||||||
// if we failed and there's no fallback loopback client config, we need to fail
|
// if we failed and there's no fallback loopback client config, we need to fail
|
||||||
case err != nil && secureLoopbackClientConfig == nil:
|
case err != nil && *loopbackClientConfig == nil:
|
||||||
return err
|
return err
|
||||||
|
|
||||||
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
||||||
case err != nil && secureLoopbackClientConfig != nil:
|
case err != nil && *loopbackClientConfig != nil:
|
||||||
|
|
||||||
default:
|
default:
|
||||||
*loopbackClientConfig = secureLoopbackClientConfig
|
*loopbackClientConfig = secureLoopbackClientConfig
|
||||||
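Review bot: The second `case` in this switch has an empty body, so when `NewLoopbackClientConfig` fails and a config is already stored in `*loopbackClientConfig`, `err` is dropped without any record and the existing config, which the comment calls "usually insecure", stays in use. The same switch appears in `SecureServingOptionsWithLoopback.ApplyTo` in the next file section. I would record the fallback in that case with a warning log that includes `err` (whether a logger is imported in these files is not visible), so an operator can tell the loopback client did not get the new listener's config. The corrected conditions also have no test visible on this page; a unit test that pre-populates the fallback and forces the error would pin the fix. Both functions start and end outside their hunks.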
|
@ -63,11 +63,11 @@ func (s *SecureServingOptionsWithLoopback) ApplyTo(secureServingInfo **server.Se
|
|||||||
secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
|
secureLoopbackClientConfig, err := (*secureServingInfo).NewLoopbackClientConfig(uuid.NewRandom().String(), certPem)
|
||||||
switch {
|
switch {
|
||||||
// if we failed and there's no fallback loopback client config, we need to fail
|
// if we failed and there's no fallback loopback client config, we need to fail
|
||||||
case err != nil && secureLoopbackClientConfig == nil:
|
case err != nil && *loopbackClientConfig == nil:
|
||||||
return err
|
return err
|
||||||
|
|
||||||
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
// if we failed, but we already have a fallback loopback client config (usually insecure), allow it
|
||||||
case err != nil && secureLoopbackClientConfig != nil:
|
case err != nil && *loopbackClientConfig != nil:
|
||||||
|
|
||||||
default:
|
default:
|
||||||
*loopbackClientConfig = secureLoopbackClientConfig
|
*loopbackClientConfig = secureLoopbackClientConfig
|
||||||
|
@ -281,7 +281,7 @@ var _ = SIGDescribe("DaemonRestart [Disruptive]", func() {
|
|||||||
// Requires master ssh access.
|
// Requires master ssh access.
|
||||||
framework.SkipUnlessProviderIs("gce", "aws")
|
framework.SkipUnlessProviderIs("gce", "aws")
|
||||||
restarter := NewRestartConfig(
|
restarter := NewRestartConfig(
|
||||||
framework.GetMasterHost(), "kube-scheduler", ports.SchedulerPort, restartPollInterval, restartTimeout)
|
framework.GetMasterHost(), "kube-scheduler", ports.InsecureSchedulerPort, restartPollInterval, restartTimeout)
|
||||||
|
|
||||||
// Create pods while the scheduler is down and make sure the scheduler picks them up by
|
// Create pods while the scheduler is down and make sure the scheduler picks them up by
|
||||||
// scaling the rc to the same size.
|
// scaling the rc to the same size.
|
||||||
|
@ -127,7 +127,7 @@ func (g *MetricsGrabber) GrabFromScheduler() (SchedulerMetrics, error) {
|
|||||||
if !g.registeredMaster {
|
if !g.registeredMaster {
|
||||||
return SchedulerMetrics{}, fmt.Errorf("Master's Kubelet is not registered. Skipping Scheduler's metrics gathering.")
|
return SchedulerMetrics{}, fmt.Errorf("Master's Kubelet is not registered. Skipping Scheduler's metrics gathering.")
|
||||||
}
|
}
|
||||||
output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-scheduler", g.masterName), metav1.NamespaceSystem, ports.SchedulerPort)
|
output, err := g.getMetricsFromPod(g.client, fmt.Sprintf("%v-%v", "kube-scheduler", g.masterName), metav1.NamespaceSystem, ports.InsecureSchedulerPort)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return SchedulerMetrics{}, err
|
return SchedulerMetrics{}, err
|
||||||
}
|
}
|
||||||
|
@ -611,7 +611,7 @@ func sendRestRequestToScheduler(c clientset.Interface, op string) (string, error
|
|||||||
Context(ctx).
|
Context(ctx).
|
||||||
Namespace(metav1.NamespaceSystem).
|
Namespace(metav1.NamespaceSystem).
|
||||||
Resource("pods").
|
Resource("pods").
|
||||||
Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.SchedulerPort)).
|
Name(fmt.Sprintf("kube-scheduler-%v:%v", TestContext.CloudConfig.MasterName, ports.InsecureSchedulerPort)).
|
||||||
SubResource("proxy").
|
SubResource("proxy").
|
||||||
Suffix("metrics").
|
Suffix("metrics").
|
||||||
Do().Raw()
|
Do().Raw()
|
||||||
|
@ -180,7 +180,7 @@ var _ = SIGDescribe("Firewall rule", func() {
|
|||||||
masterAddresses := framework.GetAllMasterAddresses(cs)
|
masterAddresses := framework.GetAllMasterAddresses(cs)
|
||||||
for _, masterAddress := range masterAddresses {
|
for _, masterAddress := range masterAddresses {
|
||||||
assertNotReachableHTTPTimeout(masterAddress, ports.InsecureKubeControllerManagerPort, gce.FirewallTestTcpTimeout)
|
assertNotReachableHTTPTimeout(masterAddress, ports.InsecureKubeControllerManagerPort, gce.FirewallTestTcpTimeout)
|
||||||
assertNotReachableHTTPTimeout(masterAddress, ports.SchedulerPort, gce.FirewallTestTcpTimeout)
|
assertNotReachableHTTPTimeout(masterAddress, ports.InsecureSchedulerPort, gce.FirewallTestTcpTimeout)
|
||||||
}
|
}
|
||||||
assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletPort, gce.FirewallTestTcpTimeout)
|
assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletPort, gce.FirewallTestTcpTimeout)
|
||||||
assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletReadOnlyPort, gce.FirewallTestTcpTimeout)
|
assertNotReachableHTTPTimeout(nodeAddrs[0], ports.KubeletReadOnlyPort, gce.FirewallTestTcpTimeout)
|
||||||
|