mirror of
https://github.com/k3s-io/kubernetes.git
synced 2025-07-24 04:06:03 +00:00
kube-apiserver: switch apiserver's DeprecatedInsecureServingOptions
This commit is contained in:
Dr. Stefan Schimanski
parent
1d9a896066
commit
d787213d1b
@ -41,7 +41,7 @@ type ServerRunOptions struct {
|
||||
GenericServerRunOptions *genericoptions.ServerRunOptions
|
||||
Etcd *genericoptions.EtcdOptions
|
||||
SecureServing *genericoptions.SecureServingOptionsWithLoopback
|
||||
InsecureServing *kubeoptions.InsecureServingOptions
|
||||
InsecureServing *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
|
||||
Audit *genericoptions.AuditOptions
|
||||
Features *genericoptions.FeatureOptions
|
||||
Admission *kubeoptions.AdmissionOptions
|
||||
@ -128,7 +128,7 @@ func (s *ServerRunOptions) Flags() (fss apiserverflag.NamedFlagSets) {
|
||||
s.Etcd.AddFlags(fss.FlagSet("etcd"))
|
||||
s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
|
||||
s.InsecureServing.AddFlags(fss.FlagSet("insecure serving"))
|
||||
s.InsecureServing.AddDeprecatedFlags(fss.FlagSet("insecure serving"))
|
||||
s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address`
|
||||
s.Audit.AddFlags(fss.FlagSet("auditing"))
|
||||
s.Features.AddFlags(fss.FlagSet("features"))
|
||||
s.Authentication.AddFlags(fss.FlagSet("authentication"))
|
||||
|
||||
@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) {
|
||||
EnableWatchCache: true,
|
||||
DefaultWatchCacheSize: 100,
|
||||
},
|
||||
SecureServing: apiserveroptions.SecureServingOptions{
|
||||
SecureServing: (&apiserveroptions.SecureServingOptions{
|
||||
BindAddress: net.ParseIP("192.168.10.20"),
|
||||
BindPort: 6443,
|
||||
ServerCert: apiserveroptions.GeneratableKeyCert{
|
||||
@ -168,11 +168,11 @@ func TestAddFlags(t *testing.T) {
|
||||
},
|
||||
HTTP2MaxStreamsPerConnection: 42,
|
||||
Required: true,
|
||||
}.WithLoopback(),
|
||||
InsecureServing: &kubeoptions.InsecureServingOptions{
|
||||
}).WithLoopback(),
|
||||
InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
},
|
||||
}).WithLoopback(),
|
||||
EventTTL: 1 * time.Hour,
|
||||
KubeletConfig: kubeletclient.KubeletClientConfig{
|
||||
Port: 10250,
|
||||
|
||||
@ -166,7 +166,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
|
||||
return nil, err
|
||||
}
|
||||
|
||||
kubeAPIServerConfig, insecureServingOptions, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
|
||||
kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
@ -204,9 +204,9 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if insecureServingOptions != nil {
|
||||
if insecureServingInfo != nil {
|
||||
insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
|
||||
if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
|
||||
if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
@ -278,7 +278,7 @@ func CreateKubeAPIServerConfig(
|
||||
proxyTransport *http.Transport,
|
||||
) (
|
||||
config *master.Config,
|
||||
insecureServingInfo *kubeserver.InsecureServingInfo,
|
||||
insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
|
||||
serviceResolver aggregatorapiserver.ServiceResolver,
|
||||
pluginInitializers []admission.PluginInitializer,
|
||||
admissionPostStartHook genericapiserver.PostStartHookFunc,
|
||||
@ -421,7 +421,7 @@ func buildGenericConfig(
|
||||
genericConfig *genericapiserver.Config,
|
||||
sharedInformers informers.SharedInformerFactory,
|
||||
versionedInformers clientgoinformers.SharedInformerFactory,
|
||||
insecureServingInfo *kubeserver.InsecureServingInfo,
|
||||
insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
|
||||
serviceResolver aggregatorapiserver.ServiceResolver,
|
||||
pluginInitializers []admission.PluginInitializer,
|
||||
admissionPostStartHook genericapiserver.PostStartHookFunc,
|
||||
@ -435,7 +435,7 @@ func buildGenericConfig(
|
||||
return
|
||||
}
|
||||
|
||||
if insecureServingInfo, lastErr = s.InsecureServing.ApplyTo(genericConfig); lastErr != nil {
|
||||
if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil {
|
||||
return
|
||||
}
|
||||
if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
|
||||
@ -652,7 +652,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
|
||||
if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
|
||||
return options, err
|
||||
}
|
||||
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
|
||||
if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil {
|
||||
return options, err
|
||||
}
|
||||
serviceIPRange, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)
|
||||
|
||||
@ -20,14 +20,9 @@ package options
|
||||
import (
|
||||
"fmt"
|
||||
"net"
|
||||
"strconv"
|
||||
|
||||
"github.com/spf13/pflag"
|
||||
|
||||
utilnet "k8s.io/apimachinery/pkg/util/net"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
genericoptions "k8s.io/apiserver/pkg/server/options"
|
||||
kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
|
||||
)
|
||||
|
||||
// NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
|
||||
@ -45,17 +40,27 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
|
||||
return o.WithLoopback()
|
||||
}
|
||||
|
||||
// NewInsecureServingOptions gives default values for the kube-apiserver.
|
||||
// TODO: switch insecure serving off by default
|
||||
func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback {
|
||||
o := genericoptions.DeprecatedInsecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}
|
||||
return o.WithLoopback()
|
||||
}
|
||||
|
||||
// DefaultAdvertiseAddress sets the field AdvertiseAddress if
|
||||
// unset. The field will be set based on the SecureServingOptions. If
|
||||
// the SecureServingOptions is not present, DefaultExternalAddress
|
||||
// will fall back to the insecure ServingOptions.
|
||||
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
|
||||
func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error {
|
||||
if insecure == nil {
|
||||
return nil
|
||||
}
|
||||
|
||||
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
|
||||
hostIP, err := insecure.DefaultExternalAddress()
|
||||
hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress)
|
||||
if err != nil {
|
||||
return fmt.Errorf("unable to find suitable network address.error='%v'. "+
|
||||
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err)
|
||||
@ -65,75 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
|
||||
// No one should be using these anymore.
|
||||
type InsecureServingOptions struct {
|
||||
BindAddress net.IP
|
||||
BindPort int
|
||||
}
|
||||
|
||||
// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
|
||||
// No one should be using these anymore.
|
||||
func NewInsecureServingOptions() *InsecureServingOptions {
|
||||
return &InsecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 8080,
|
||||
}
|
||||
}
|
||||
|
||||
func (s InsecureServingOptions) Validate() []error {
|
||||
errors := []error{}
|
||||
|
||||
if s.BindPort < 0 || s.BindPort > 65535 {
|
||||
errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
|
||||
}
|
||||
|
||||
return errors
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
|
||||
return utilnet.ChooseBindAddress(s.BindAddress)
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
|
||||
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
|
||||
fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
|
||||
fs.Lookup("insecure-bind-address").Hidden = false
|
||||
|
||||
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
|
||||
"The port on which to serve unsecured, unauthenticated access. It is assumed "+
|
||||
"that firewall rules are set up such that this port is not reachable from outside of "+
|
||||
"the cluster and that port 443 on the cluster's public address is proxied to this "+
|
||||
"port. This is performed by nginx in the default setup. Set to zero to disable.")
|
||||
fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
|
||||
fs.Lookup("insecure-port").Hidden = false
|
||||
}
|
||||
|
||||
// TODO: remove it until kops stop using `--address`
|
||||
func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
|
||||
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
|
||||
"DEPRECATED: see --insecure-bind-address instead.")
|
||||
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
|
||||
|
||||
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
|
||||
fs.MarkDeprecated("port", "see --insecure-port instead.")
|
||||
}
|
||||
|
||||
func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
|
||||
if s.BindPort <= 0 {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
ret := &kubeserver.InsecureServingInfo{
|
||||
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
|
||||
}
|
||||
|
||||
var err error
|
||||
if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return ret, nil
|
||||
}
|
||||
|
||||
@ -17,25 +17,19 @@ limitations under the License.
|
||||
package server
|
||||
|
||||
import (
|
||||
"net"
|
||||
"net/http"
|
||||
"time"
|
||||
|
||||
"github.com/golang/glog"
|
||||
|
||||
"k8s.io/apiserver/pkg/authentication/user"
|
||||
genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
|
||||
"k8s.io/apiserver/pkg/features"
|
||||
"k8s.io/apiserver/pkg/server"
|
||||
genericfilters "k8s.io/apiserver/pkg/server/filters"
|
||||
"k8s.io/apiserver/pkg/server/options"
|
||||
utilfeature "k8s.io/apiserver/pkg/util/feature"
|
||||
"k8s.io/client-go/rest"
|
||||
)
|
||||
|
||||
// InsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization.
|
||||
// DeprecatedInsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization.
|
||||
// You shouldn't be using this. It makes sig-auth sad.
|
||||
// InsecureServingInfo *ServingInfo
|
||||
// DeprecatedInsecureServingInfo *ServingInfo
|
||||
|
||||
func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
|
||||
handler := apiHandler
|
||||
@ -55,76 +49,6 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
|
||||
return handler
|
||||
}
|
||||
|
||||
type InsecureServingInfo struct {
|
||||
// BindAddress is the ip:port to serve on
|
||||
BindAddress string
|
||||
// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
|
||||
// "tcp4", and "tcp6".
|
||||
BindNetwork string
|
||||
}
|
||||
|
||||
func (s *InsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
|
||||
if s == nil {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
host, port, err := server.LoopbackHostPort(s.BindAddress)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &rest.Config{
|
||||
Host: "http://" + net.JoinHostPort(host, port),
|
||||
// Increase QPS limits. The client is currently passed to all admission plugins,
|
||||
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
|
||||
// for more details. Once #22422 is fixed, we may want to remove it.
|
||||
QPS: 50,
|
||||
Burst: 100,
|
||||
}, nil
|
||||
}
|
||||
|
||||
// NonBlockingRun spawns the insecure http server. An error is
|
||||
// returned if the ports cannot be listened on.
|
||||
func NonBlockingRun(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
|
||||
// Use an internal stop channel to allow cleanup of the listeners on error.
|
||||
internalStopCh := make(chan struct{})
|
||||
|
||||
if insecureServingInfo != nil && insecureHandler != nil {
|
||||
if err := serveInsecurely(insecureServingInfo, insecureHandler, shutDownTimeout, internalStopCh); err != nil {
|
||||
close(internalStopCh)
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
// Now that the listener has bound successfully, it is the
|
||||
// responsibility of the caller to close the provided channel to
|
||||
// ensure cleanup.
|
||||
go func() {
|
||||
<-stopCh
|
||||
close(internalStopCh)
|
||||
}()
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// serveInsecurely run the insecure http server. It fails only if the initial listen
|
||||
// call fails. The actual server loop (stoppable by closing stopCh) runs in a go
|
||||
// routine, i.e. serveInsecurely does not block.
|
||||
func serveInsecurely(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
|
||||
insecureServer := &http.Server{
|
||||
Addr: insecureServingInfo.BindAddress,
|
||||
Handler: insecureHandler,
|
||||
MaxHeaderBytes: 1 << 20,
|
||||
}
|
||||
glog.Infof("Serving insecurely on %s", insecureServingInfo.BindAddress)
|
||||
ln, _, err := options.CreateListener(insecureServingInfo.BindNetwork, insecureServingInfo.BindAddress)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = server.RunServer(insecureServer, ln, shutDownTimeout, stopCh)
|
||||
return err
|
||||
}
|
||||
|
||||
// insecureSuperuser implements authenticator.Request to always return a superuser.
|
||||
// This is functionally equivalent to skipping authentication and authorization,
|
||||
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
|
||||
|
||||
@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) {
|
||||
config.Version = &v
|
||||
|
||||
config.EnableIndex = true
|
||||
secureOptions := SecureServingOptions{
|
||||
secureOptions := (&SecureServingOptions{
|
||||
BindAddress: net.ParseIP("127.0.0.1"),
|
||||
BindPort: 6443,
|
||||
ServerCert: GeneratableKeyCert{
|
||||
@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) {
|
||||
},
|
||||
},
|
||||
SNICertKeys: namedCertKeys,
|
||||
}.WithLoopback()
|
||||
}).WithLoopback()
|
||||
// use a random free port
|
||||
ln, err := net.Listen("tcp", "127.0.0.1:0")
|
||||
if err != nil {
|
||||
|
||||
Loading…
Reference in New Issue
Block a user