Merge pull request #123972 from deads2k/remove-insecure-serving

Remove k8s.io/apiserver ability to bind insecure ports
2025-08-17 15:50:10 +00:00 · 2024-04-18 02:10:35 -07:00 · 2024-04-18 02:10:35 -07:00 · daa3356e72
commit daa3356e72
parent 7f67cb5960 de302c73e9
3 changed files with 4 additions and 136 deletions
--- a/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go
@ -1,126 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
-    http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package options
-
-import (
-	"fmt"
-	"net"
-
-	"github.com/spf13/pflag"
-
-	"k8s.io/apiserver/pkg/server"
-)
-
-// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-// DEPRECATED: all insecure serving options are removed in a future version
-type DeprecatedInsecureServingOptions struct {
-	BindAddress net.IP
-	BindPort    int
-	// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
-	// "tcp4", and "tcp6".
-	BindNetwork string
-
-	// Listener is the secure server network listener.
-	// either Listener or BindAddress/BindPort/BindNetwork is set,
-	// if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
-	Listener net.Listener
-
-	// ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
-	// It defaults to options.CreateListener.
-	ListenFunc func(network, addr string, config net.ListenConfig) (net.Listener, int, error)
-}
-
-// Validate ensures that the insecure port values within the range of the port.
-func (s *DeprecatedInsecureServingOptions) Validate() []error {
-	if s == nil {
-		return nil
-	}
-
-	errors := []error{}
-
-	if s.BindPort < 0 || s.BindPort > 65535 {
-		errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
-	}
-
-	return errors
-}
-
-// AddFlags adds flags related to insecure serving to the specified FlagSet.
-func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
-	if s == nil {
-		return
-	}
-
-	fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
-		"The IP address on which to serve the --insecure-port (set to 0.0.0.0 or :: for listening on all interfaces and IP address families).")
-	// Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
-	fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-bind-address").Hidden = false
-
-	fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
-		"The port on which to serve unsecured, unauthenticated access.")
-	// Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
-	fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
-	fs.Lookup("insecure-port").Hidden = false
-}
-
-// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
-func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
-	if s == nil {
-		return
-	}
-
-	fs.IPVar(&s.BindAddress, "address", s.BindAddress,
-		"The IP address on which to serve the insecure --port (set to '0.0.0.0' or '::' for listening on all interfaces and IP address families).")
-	fs.MarkDeprecated("address", "see --bind-address instead.")
-	fs.Lookup("address").Hidden = false
-
-	fs.IntVar(&s.BindPort, "port", s.BindPort, "The port on which to serve unsecured, unauthenticated access. Set to 0 to disable.")
-	fs.MarkDeprecated("port", "see --secure-port instead.")
-	fs.Lookup("port").Hidden = false
-}
-
-// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo and kube-controller manager configuration.
-// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
-func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
-	if s == nil {
-		return nil
-	}
-	if s.BindPort <= 0 {
-		return nil
-	}
-
-	if s.Listener == nil {
-		var err error
-		listen := CreateListener
-		if s.ListenFunc != nil {
-			listen = s.ListenFunc
-		}
-		addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
-		s.Listener, s.BindPort, err = listen(s.BindNetwork, addr, net.ListenConfig{})
-		if err != nil {
-			return fmt.Errorf("failed to create listener: %v", err)
-		}
-	}
-
-	*c = &server.DeprecatedInsecureServingInfo{
-		Listener: s.Listener,
-	}
-
-	return nil
-}
--- a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/options/options.go
+++ b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/options/options.go
@ -40,21 +40,18 @@ type Options struct {
 	ClientQPSLimit float32
 	ClientQPSBurst int

-	SecureServing   apiserveroptions.SecureServingOptions
-	InsecureServing apiserveroptions.DeprecatedInsecureServingOptions
+	SecureServing apiserveroptions.SecureServingOptions
 }

 func NewOptions() *Options {
 	secureServing := apiserveroptions.NewSecureServingOptions()
 	secureServing.ServerCert.PairName = "webhook"
 	o := &Options{
-		SecureServing:   *secureServing,
-		InsecureServing: apiserveroptions.DeprecatedInsecureServingOptions{},
-		ClientQPSLimit:  DefaultClientQPSLimit,
-		ClientQPSBurst:  DefaultClientQPSBurst,
+		SecureServing:  *secureServing,
+		ClientQPSLimit: DefaultClientQPSLimit,
+		ClientQPSBurst: DefaultClientQPSBurst,
 	}
 	o.SecureServing.BindPort = DefaultPort
-	o.InsecureServing.BindPort = DefaultInsecurePort
 	return o
 }

@ -65,7 +62,6 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.IntVar(&o.ClientQPSBurst, "client-qps-burst", o.ClientQPSBurst, "Client QPS burst limit for throttling requests to the API server.")

 	o.SecureServing.AddFlags(fs)
-	o.InsecureServing.AddFlags(fs)
 }

 // Validate validates all the required options.
@ -73,7 +69,6 @@ func (o *Options) Validate() []error {
 	var errs []error

 	errs = append(errs, o.SecureServing.Validate()...)
-	errs = append(errs, o.InsecureServing.Validate()...)

 	return errs
 }
--- a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go
+++ b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go
@ -243,7 +243,6 @@ func LoadConfig(opts *options.Options) (*Config, error) {

 	var c Config
 	opts.SecureServing.ApplyTo(&c.SecureServing)
-	opts.InsecureServing.ApplyTo(&c.InsecureServing)

 	// Load Kube Client
 	kubeConfig, err := clientcmd.BuildConfigFromFlags("", opts.Kubeconfig)