kube-apiserver: switch apiserver's DeprecatedInsecureServingOptions

2025-07-24 20:24:09 +00:00 · 2018-08-06 16:31:23 +02:00 · 2018-08-06 16:31:23 +02:00 · d787213d1b
commit d787213d1b
parent 1d9a896066
6 changed files with 29 additions and 172 deletions
--- a/cmd/kube-apiserver/app/options/options.go
+++ b/cmd/kube-apiserver/app/options/options.go
@ -41,7 +41,7 @@ type ServerRunOptions struct {
 	GenericServerRunOptions *genericoptions.ServerRunOptions
 	Etcd                    *genericoptions.EtcdOptions
 	SecureServing           *genericoptions.SecureServingOptionsWithLoopback
-	InsecureServing         *kubeoptions.InsecureServingOptions
+	InsecureServing         *genericoptions.DeprecatedInsecureServingOptionsWithLoopback
 	Audit                   *genericoptions.AuditOptions
 	Features                *genericoptions.FeatureOptions
 	Admission               *kubeoptions.AdmissionOptions
@ -128,7 +128,7 @@ func (s *ServerRunOptions) Flags() (fss apiserverflag.NamedFlagSets) {
 	s.Etcd.AddFlags(fss.FlagSet("etcd"))
 	s.SecureServing.AddFlags(fss.FlagSet("secure serving"))
 	s.InsecureServing.AddFlags(fss.FlagSet("insecure serving"))
-	s.InsecureServing.AddDeprecatedFlags(fss.FlagSet("insecure serving"))
+	s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address`
 	s.Audit.AddFlags(fss.FlagSet("auditing"))
 	s.Features.AddFlags(fss.FlagSet("features"))
 	s.Authentication.AddFlags(fss.FlagSet("authentication"))
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@ -159,7 +159,7 @@ func TestAddFlags(t *testing.T) {
 			EnableWatchCache:        true,
 			DefaultWatchCacheSize:   100,
 		},
-		SecureServing: apiserveroptions.SecureServingOptions{
+		SecureServing: (&apiserveroptions.SecureServingOptions{
 			BindAddress: net.ParseIP("192.168.10.20"),
 			BindPort:    6443,
 			ServerCert: apiserveroptions.GeneratableKeyCert{
@ -168,11 +168,11 @@ func TestAddFlags(t *testing.T) {
 			},
 			HTTP2MaxStreamsPerConnection: 42,
 			Required:                     true,
-		}.WithLoopback(),
+		}).WithLoopback(),
-		InsecureServing: &kubeoptions.InsecureServingOptions{
+		InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{
 			BindAddress: net.ParseIP("127.0.0.1"),
 			BindPort:    8080,
-		},
+		}).WithLoopback(),
 		EventTTL: 1 * time.Hour,
 		KubeletConfig: kubeletclient.KubeletClientConfig{
 			Port:         10250,
--- a/cmd/kube-apiserver/app/server.go
+++ b/cmd/kube-apiserver/app/server.go
@ -166,7 +166,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 		return nil, err
 	}
-	kubeAPIServerConfig, insecureServingOptions, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
+	kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, admissionPostStartHook, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport)
 	if err != nil {
 		return nil, err
 	}
@ -204,9 +204,9 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan
 		return nil, err
 	}
-	if insecureServingOptions != nil {
+	if insecureServingInfo != nil {
 		insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig)
-		if err := kubeserver.NonBlockingRun(insecureServingOptions, insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
+		if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil {
 			return nil, err
 		}
 	}
@ -278,7 +278,7 @@ func CreateKubeAPIServerConfig(
 	proxyTransport *http.Transport,
 ) (
 	config *master.Config,
-	insecureServingInfo *kubeserver.InsecureServingInfo,
+	insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
 	serviceResolver aggregatorapiserver.ServiceResolver,
 	pluginInitializers []admission.PluginInitializer,
 	admissionPostStartHook genericapiserver.PostStartHookFunc,
@ -421,7 +421,7 @@ func buildGenericConfig(
 	genericConfig *genericapiserver.Config,
 	sharedInformers informers.SharedInformerFactory,
 	versionedInformers clientgoinformers.SharedInformerFactory,
-	insecureServingInfo *kubeserver.InsecureServingInfo,
+	insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo,
 	serviceResolver aggregatorapiserver.ServiceResolver,
 	pluginInitializers []admission.PluginInitializer,
 	admissionPostStartHook genericapiserver.PostStartHookFunc,
@ -435,7 +435,7 @@ func buildGenericConfig(
 		return
 	}
-	if insecureServingInfo, lastErr = s.InsecureServing.ApplyTo(genericConfig); lastErr != nil {
+	if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil {
 		return
 	}
 	if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil {
@ -652,7 +652,7 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) {
 	if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil {
 		return options, err
 	}
-	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing); err != nil {
+	if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil {
 		return options, err
 	}
 	serviceIPRange, apiServerServiceIP, err := master.DefaultServiceIPRange(s.ServiceClusterIPRange)
--- a/pkg/kubeapiserver/options/serving.go
+++ b/pkg/kubeapiserver/options/serving.go
@ -20,14 +20,9 @@ package options
 import (
 	"fmt"
 	"net"
 	"strconv"
 	"github.com/spf13/pflag"
 	utilnet "k8s.io/apimachinery/pkg/util/net"
 	"k8s.io/apiserver/pkg/server"
 	genericoptions "k8s.io/apiserver/pkg/server/options"
 	kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server"
 )
 // NewSecureServingOptions gives default values for the kube-apiserver which are not the options wanted by
@ -45,17 +40,27 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
 	return o.WithLoopback()
 }
 // NewInsecureServingOptions gives default values for the kube-apiserver.
 // TODO: switch insecure serving off by default
 func NewInsecureServingOptions() *genericoptions.DeprecatedInsecureServingOptionsWithLoopback {
 	o := genericoptions.DeprecatedInsecureServingOptions{
 		BindAddress: net.ParseIP("127.0.0.1"),
 		BindPort:    8080,
 	}
 	return o.WithLoopback()
 }
 // DefaultAdvertiseAddress sets the field AdvertiseAddress if
 // unset. The field will be set based on the SecureServingOptions. If
 // the SecureServingOptions is not present, DefaultExternalAddress
 // will fall back to the insecure ServingOptions.
-func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *InsecureServingOptions) error {
+func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *genericoptions.DeprecatedInsecureServingOptions) error {
 	if insecure == nil {
 		return nil
 	}
 	if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
-		hostIP, err := insecure.DefaultExternalAddress()
+		hostIP, err := utilnet.ChooseBindAddress(insecure.BindAddress)
 		if err != nil {
 			return fmt.Errorf("unable to find suitable network address.error='%v'. "+
 				"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this", err)
@ -65,75 +70,3 @@ func DefaultAdvertiseAddress(s *genericoptions.ServerRunOptions, insecure *Insec
 	return nil
 }
 // InsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
 // No one should be using these anymore.
 type InsecureServingOptions struct {
 	BindAddress net.IP
 	BindPort    int
 }
 // NewInsecureServingOptions is for creating an unauthenticated, unauthorized, insecure port.
 // No one should be using these anymore.
 func NewInsecureServingOptions() *InsecureServingOptions {
 	return &InsecureServingOptions{
 		BindAddress: net.ParseIP("127.0.0.1"),
 		BindPort:    8080,
 	}
 }
 func (s InsecureServingOptions) Validate() []error {
 	errors := []error{}
 	if s.BindPort < 0 || s.BindPort > 65535 {
 		errors = append(errors, fmt.Errorf("--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
 	}
 	return errors
 }
 func (s *InsecureServingOptions) DefaultExternalAddress() (net.IP, error) {
 	return utilnet.ChooseBindAddress(s.BindAddress)
 }
 func (s *InsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
 		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
 	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
 	fs.Lookup("insecure-bind-address").Hidden = false
 	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
 		"The port on which to serve unsecured, unauthenticated access. It is assumed "+
 		"that firewall rules are set up such that this port is not reachable from outside of "+
 		"the cluster and that port 443 on the cluster's public address is proxied to this "+
 		"port. This is performed by nginx in the default setup. Set to zero to disable.")
 	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
 	fs.Lookup("insecure-port").Hidden = false
 }
 // TODO: remove it until kops stop using `--address`
 func (s *InsecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
 	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
 		"DEPRECATED: see --insecure-bind-address instead.")
 	fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
 	fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
 	fs.MarkDeprecated("port", "see --insecure-port instead.")
 }
 func (s *InsecureServingOptions) ApplyTo(c *server.Config) (*kubeserver.InsecureServingInfo, error) {
 	if s.BindPort <= 0 {
 		return nil, nil
 	}
 	ret := &kubeserver.InsecureServingInfo{
 		BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
 	}
 	var err error
 	if c.LoopbackClientConfig, err = ret.NewLoopbackClientConfig(); err != nil {
 		return nil, err
 	}
 	return ret, nil
 }
--- a/pkg/kubeapiserver/server/insecure_handler.go
+++ b/pkg/kubeapiserver/server/insecure_handler.go
@ -17,25 +17,19 @@ limitations under the License.
 package server
 import (
 	"net"
 	"net/http"
 	"time"
 	"github.com/golang/glog"
 	"k8s.io/apiserver/pkg/authentication/user"
 	genericapifilters "k8s.io/apiserver/pkg/endpoints/filters"
 	"k8s.io/apiserver/pkg/features"
 	"k8s.io/apiserver/pkg/server"
 	genericfilters "k8s.io/apiserver/pkg/server/filters"
 	"k8s.io/apiserver/pkg/server/options"
 	utilfeature "k8s.io/apiserver/pkg/util/feature"
 	"k8s.io/client-go/rest"
 )
-// InsecureServingInfo is required to serve http.  HTTP does NOT include authentication or authorization.
+// DeprecatedInsecureServingInfo is required to serve http.  HTTP does NOT include authentication or authorization.
 // You shouldn't be using this.  It makes sig-auth sad.
-// InsecureServingInfo *ServingInfo
+// DeprecatedInsecureServingInfo *ServingInfo
 func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.Handler {
 	handler := apiHandler
@ -55,76 +49,6 @@ func BuildInsecureHandlerChain(apiHandler http.Handler, c *server.Config) http.H
 	return handler
 }
 type InsecureServingInfo struct {
 	// BindAddress is the ip:port to serve on
 	BindAddress string
 	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
 	// "tcp4", and "tcp6".
 	BindNetwork string
 }
 func (s *InsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
 	if s == nil {
 		return nil, nil
 	}
 	host, port, err := server.LoopbackHostPort(s.BindAddress)
 	if err != nil {
 		return nil, err
 	}
 	return &rest.Config{
 		Host: "http://" + net.JoinHostPort(host, port),
 		// Increase QPS limits. The client is currently passed to all admission plugins,
 		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
 		// for more details. Once #22422 is fixed, we may want to remove it.
 		QPS:   50,
 		Burst: 100,
 	}, nil
 }
 // NonBlockingRun spawns the insecure http server. An error is
 // returned if the ports cannot be listened on.
 func NonBlockingRun(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
 	// Use an internal stop channel to allow cleanup of the listeners on error.
 	internalStopCh := make(chan struct{})
 	if insecureServingInfo != nil && insecureHandler != nil {
 		if err := serveInsecurely(insecureServingInfo, insecureHandler, shutDownTimeout, internalStopCh); err != nil {
 			close(internalStopCh)
 			return err
 		}
 	}
 	// Now that the listener has bound successfully, it is the
 	// responsibility of the caller to close the provided channel to
 	// ensure cleanup.
 	go func() {
 		<-stopCh
 		close(internalStopCh)
 	}()
 	return nil
 }
 // serveInsecurely run the insecure http server. It fails only if the initial listen
 // call fails. The actual server loop (stoppable by closing stopCh) runs in a go
 // routine, i.e. serveInsecurely does not block.
 func serveInsecurely(insecureServingInfo *InsecureServingInfo, insecureHandler http.Handler, shutDownTimeout time.Duration, stopCh <-chan struct{}) error {
 	insecureServer := &http.Server{
 		Addr:           insecureServingInfo.BindAddress,
 		Handler:        insecureHandler,
 		MaxHeaderBytes: 1 << 20,
 	}
 	glog.Infof("Serving insecurely on %s", insecureServingInfo.BindAddress)
 	ln, _, err := options.CreateListener(insecureServingInfo.BindNetwork, insecureServingInfo.BindAddress)
 	if err != nil {
 		return err
 	}
 	err = server.RunServer(insecureServer, ln, shutDownTimeout, stopCh)
 	return err
 }
 // insecureSuperuser implements authenticator.Request to always return a superuser.
 // This is functionally equivalent to skipping authentication and authorization,
 // but allows apiserver code to stop special-casing a nil user to skip authorization checks.
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving_test.go
@ -464,7 +464,7 @@ func TestServerRunWithSNI(t *testing.T) {
 			config.Version = &v
 			config.EnableIndex = true
-			secureOptions := SecureServingOptions{
+			secureOptions := (&SecureServingOptions{
 				BindAddress: net.ParseIP("127.0.0.1"),
 				BindPort:    6443,
 				ServerCert: GeneratableKeyCert{
@ -474,7 +474,7 @@ func TestServerRunWithSNI(t *testing.T) {
 					},
 				},
 				SNICertKeys: namedCertKeys,
-			}.WithLoopback()
+			}).WithLoopback()
 			// use a random free port
 			ln, err := net.Listen("tcp", "127.0.0.1:0")
 			if err != nil {