diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go index 0fc80d5c104..2e5276d4bc7 100644 --- a/cmd/kube-apiserver/app/options/options.go +++ b/cmd/kube-apiserver/app/options/options.go @@ -41,7 +41,7 @@ type ServerRunOptions struct { GenericServerRunOptions *genericoptions.ServerRunOptions Etcd *genericoptions.EtcdOptions SecureServing *genericoptions.SecureServingOptionsWithLoopback - InsecureServing *kubeoptions.InsecureServingOptions + InsecureServing *genericoptions.DeprecatedInsecureServingOptionsWithLoopback Audit *genericoptions.AuditOptions Features *genericoptions.FeatureOptions Admission *kubeoptions.AdmissionOptions @@ -128,7 +128,7 @@ func (s *ServerRunOptions) Flags() (fss apiserverflag.NamedFlagSets) { s.Etcd.AddFlags(fss.FlagSet("etcd")) s.SecureServing.AddFlags(fss.FlagSet("secure serving")) s.InsecureServing.AddFlags(fss.FlagSet("insecure serving")) - s.InsecureServing.AddDeprecatedFlags(fss.FlagSet("insecure serving")) + s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address` s.Audit.AddFlags(fss.FlagSet("auditing")) s.Features.AddFlags(fss.FlagSet("features")) s.Authentication.AddFlags(fss.FlagSet("authentication")) diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go index dc712d18c82..38fbe904535 100644 --- a/cmd/kube-apiserver/app/options/options_test.go +++ b/cmd/kube-apiserver/app/options/options_test.go @@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) { EnableWatchCache: true, DefaultWatchCacheSize: 100, }, - SecureServing: apiserveroptions.SecureServingOptions{ + SecureServing: (&apiserveroptions.SecureServingOptions{ BindAddress: net.ParseIP("192.168.10.20"), BindPort: 6443, ServerCert: apiserveroptions.GeneratableKeyCert{ @@ -168,11 +168,11 @@ func TestAddFlags(t *testing.T) { }, HTTP2MaxStreamsPerConnection: 42, Required: true, - }.WithLoopback(), - InsecureServing: &kubeoptions.InsecureServingOptions{ + }).WithLoopback(), + InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{ BindAddress: net.ParseIP("127.0.0.1"), BindPort: 8080, - }, + }).WithLoopback(), EventTTL: 1 * time.Hour, KubeletConfig: kubeletclient.KubeletClientConfig{ Port: 10250, diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index e93320f200e..27880351ab8 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go @@ -166,7 +166,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan return nil, err } - kubeAPIServerConfig, insecureServingOptions, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport) + kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport) if err != nil { return nil, err } @@ -204,9 +204,9 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan return nil, err } - if insecureServingOptions != nil { + if insecureServingInfo != nil { insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig) - if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil { + if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil { return nil, err } } @@ -278,7 +278,7 @@ func CreateKubeAPIServerConfig( proxyTransport *http.Transport, ) ( config *master.Config, - insecureServingInfo *kubeserver.InsecureServingInfo, + insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo, serviceResolver aggregatorapiserver.ServiceResolver, pluginInitializers []admission.PluginInitializer, admissionPostStartHook genericapiserver.PostStartHookFunc, @@ -421,7 +421,7 @@ func buildGenericConfig( genericConfig *genericapiserver.Config, sharedInformers informers.SharedInformerFactory, versionedInformers clientgoinformers.SharedInformerFactory, - insecureServingInfo *kubeserver.InsecureServingInfo, + insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo, serviceResolver aggregatorapiserver.ServiceResolver, pluginInitializers []admission.PluginInitializer, admissionPostStartHook genericapiserver.PostStartHookFunc, @@ -435,7 +435,7 @@ func buildGenericConfig( return } - if insecureServingInfo, lastErr = s.InsecureServing.ApplyTo(genericConfig); lastErr != nil { + if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil { return } if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil { @@ -652,7 +652,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) { if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil { return options, err } - if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil { + if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil { return options, err } serviceIPRange, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange) diff --git a/pkg/kubeapiserver/options/serving.go b/pkg/kubeapiserver/options/serving.go index 90915645077..5d561807fd0 100644 --- a/pkg/kubeapiserver/options/serving.go +++ b/pkg/kubeapiserver/options/serving.go @@ -20,14 +20,9 @@ package options import ( "fmt" "net" - "strconv" - - "github.com/spf13/pflag" utilnet "k8s.io/apimachinery/pkg/util/net" - "k8s.io/apiserver/pkg/server" genericoptions "k8s.io/apiserver/pkg/server/options" - kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server" ) // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by @@ -45,17 +40,27 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback return o.WithLoopback() } +// NewInsecureServingOptions gives default values for the kube-apiserver. +// TODO: switch insecure serving off by default +func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback { + o := genericoptions.DeprecatedInsecureServingOptions{ + BindAddress: net.ParseIP("127.0.0.1"), + BindPort: 8080, + } + return o.WithLoopback() +} + // DefaultAdvertiseAddress sets the field AdvertiseAddress if // unset. The field will be set based on the SecureServingOptions. If // the SecureServingOptions is not present, DefaultExternalAddress // will fall back to the insecure ServingOptions. -func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error { +func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error { if insecure == nil { return nil } if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() { - hostIP, err := insecure.DefaultExternalAddress() + hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress) if err != nil { return fmt.Errorf("unable to find suitable network address.error='%v'. "+ "Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err) @@ -65,75 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec return nil } - -// InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port. -// No one should be using these anymore. -type InsecureServingOptions struct { - BindAddress net.IP - BindPort int -} - -// NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port. -// No one should be using these anymore. -func NewInsecureServingOptions() *InsecureServingOptions { - return &InsecureServingOptions{ - BindAddress: net.ParseIP("127.0.0.1"), - BindPort: 8080, - } -} - -func (s InsecureServingOptions) Validate() []error { - errors := []error{} - - if s.BindPort < 0 || s.BindPort > 65535 { - errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort)) - } - - return errors -} - -func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) { - return utilnet.ChooseBindAddress(s.BindAddress) -} - -func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+ - "The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).") - fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.") - fs.Lookup("insecure-bind-address").Hidden = false - - fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+ - "The port on which to serve unsecured, unauthenticated access. It is assumed "+ - "that firewall rules are set up such that this port is not reachable from outside of "+ - "the cluster and that port 443 on the cluster's public address is proxied to this "+ - "port. This is performed by nginx in the default setup. Set to zero to disable.") - fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.") - fs.Lookup("insecure-port").Hidden = false -} - -// TODO: remove it until kops stop using `--address` -func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { - fs.IPVar(&s.BindAddress, "address", s.BindAddress, - "DEPRECATED: see --insecure-bind-address instead.") - fs.MarkDeprecated("address", "see --insecure-bind-address instead.") - - fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.") - fs.MarkDeprecated("port", "see --insecure-port instead.") -} - -func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) { - if s.BindPort <= 0 { - return nil, nil - } - - ret := &kubeserver.InsecureServingInfo{ - BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)), - } - - var err error - if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(); err != nil { - return nil, err - } - - return ret, nil -} diff --git a/pkg/kubeapiserver/server/insecure_handler.go b/pkg/kubeapiserver/server/insecure_handler.go index bc670140376..d3eb628a287 100644 --- a/pkg/kubeapiserver/server/insecure_handler.go +++ b/pkg/kubeapiserver/server/insecure_handler.go @@ -17,25 +17,19 @@ limitations under the License. package server import ( - "net" "net/http" - "time" - - "github.com/golang/glog" "k8s.io/apiserver/pkg/authentication/user" genericapifilters "k8s.io/apiserver/pkg/endpoints/filters" "k8s.io/apiserver/pkg/features" "k8s.io/apiserver/pkg/server" genericfilters "k8s.io/apiserver/pkg/server/filters" - "k8s.io/apiserver/pkg/server/options" utilfeature "k8s.io/apiserver/pkg/util/feature" - "k8s.io/client-go/rest" ) -// InsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization. +// DeprecatedInsecureServingInfo is required to serve http. HTTP does NOT include authentication or authorization. // You shouldn't be using this. It makes sig-auth sad. -// InsecureServingInfo *ServingInfo +// DeprecatedInsecureServingInfo *ServingInfo func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler { handler := apiHandler @@ -55,76 +49,6 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H return handler } -type InsecureServingInfo struct { - // BindAddress is the ip:port to serve on - BindAddress string - // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp", - // "tcp4", and "tcp6". - BindNetwork string -} - -func (s *InsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) { - if s == nil { - return nil, nil - } - - host, port, err := server.LoopbackHostPort(s.BindAddress) - if err != nil { - return nil, err - } - - return &rest.Config{ - Host: "http://" + net.JoinHostPort(host, port), - // Increase QPS limits. The client is currently passed to all admission plugins, - // and those can be throttled in case of higher load on apiserver - see #22340 and #22422 - // for more details. Once #22422 is fixed, we may want to remove it. - QPS: 50, - Burst: 100, - }, nil -} - -// NonBlockingRun spawns the insecure http server. An error is -// returned if the ports cannot be listened on. -func NonBlockingRun(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error { - // Use an internal stop channel to allow cleanup of the listeners on error. - internalStopCh := make(chan struct{}) - - if insecureServingInfo != nil && insecureHandler != nil { - if err := serveInsecurely(insecureServingInfo, insecureHandler, shutDownTimeout, internalStopCh); err != nil { - close(internalStopCh) - return err - } - } - - // Now that the listener has bound successfully, it is the - // responsibility of the caller to close the provided channel to - // ensure cleanup. - go func() { - <-stopCh - close(internalStopCh) - }() - - return nil -} - -// serveInsecurely run the insecure http server. It fails only if the initial listen -// call fails. The actual server loop (stoppable by closing stopCh) runs in a go -// routine, i.e. serveInsecurely does not block. -func serveInsecurely(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error { - insecureServer := &http.Server{ - Addr: insecureServingInfo.BindAddress, - Handler: insecureHandler, - MaxHeaderBytes: 1 << 20, - } - glog.Infof("Serving insecurely on %s", insecureServingInfo.BindAddress) - ln, _, err := options.CreateListener(insecureServingInfo.BindNetwork, insecureServingInfo.BindAddress) - if err != nil { - return err - } - err = server.RunServer(insecureServer, ln, shutDownTimeout, stopCh) - return err -} - // insecureSuperuser implements authenticator.Request to always return a superuser. // This is functionally equivalent to skipping authentication and authorization, // but allows apiserver code to stop special-casing a nil user to skip authorization checks. diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go index 0cc21d6a383..6d8899fd90e 100644 --- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go +++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go @@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) { config.Version = &v config.EnableIndex = true - secureOptions := SecureServingOptions{ + secureOptions := (&SecureServingOptions{ BindAddress: net.ParseIP("127.0.0.1"), BindPort: 6443, ServerCert: GeneratableKeyCert{ @@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) { }, }, SNICertKeys: namedCertKeys, - }.WithLoopback() + }).WithLoopback() // use a random free port ln, err := net.Listen("tcp", "127.0.0.1:0") if err != nil {