diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go
deleted file mode 100644
index dd05bfecdb5..00000000000
--- a/staging/src/k8s.io/apiserver/pkg/server/options/deprecated_insecure_serving.go
+++ /dev/null
@@ -1,126 +0,0 @@
-/*
-Copyright 2017 The Kubernetes Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package options
-
-import (
- "fmt"
- "net"
-
- "github.com/spf13/pflag"
-
- "k8s.io/apiserver/pkg/server"
-)
-
-// DeprecatedInsecureServingOptions are for creating an unauthenticated, unauthorized, insecure port.
-// No one should be using these anymore.
-// DEPRECATED: all insecure serving options are removed in a future version
-type DeprecatedInsecureServingOptions struct {
- BindAddress net.IP
- BindPort int
- // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
- // "tcp4", and "tcp6".
- BindNetwork string
-
- // Listener is the secure server network listener.
- // either Listener or BindAddress/BindPort/BindNetwork is set,
- // if Listener is set, use it and omit BindAddress/BindPort/BindNetwork.
- Listener net.Listener
-
- // ListenFunc can be overridden to create a custom listener, e.g. for mocking in tests.
- // It defaults to options.CreateListener.
- ListenFunc func(network, addr string, config net.ListenConfig) (net.Listener, int, error)
-}
-
-// Validate ensures that the insecure port values within the range of the port.
-func (s *DeprecatedInsecureServingOptions) Validate() []error {
- if s == nil {
- return nil
- }
-
- errors := []error{}
-
- if s.BindPort < 0 || s.BindPort > 65535 {
- errors = append(errors, fmt.Errorf("insecure port %v must be between 0 and 65535, inclusive. 0 for turning off insecure (HTTP) port", s.BindPort))
- }
-
- return errors
-}
-
-// AddFlags adds flags related to insecure serving to the specified FlagSet.
-func (s *DeprecatedInsecureServingOptions) AddFlags(fs *pflag.FlagSet) {
- if s == nil {
- return
- }
-
- fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
- "The IP address on which to serve the --insecure-port (set to 0.0.0.0 or :: for listening on all interfaces and IP address families).")
- // Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
- fs.MarkDeprecated("insecure-bind-address", "This flag will be removed in a future version.")
- fs.Lookup("insecure-bind-address").Hidden = false
-
- fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
- "The port on which to serve unsecured, unauthenticated access.")
- // Though this flag is deprecated, we discovered security concerns over how to do health checks without it e.g. #43784
- fs.MarkDeprecated("insecure-port", "This flag will be removed in a future version.")
- fs.Lookup("insecure-port").Hidden = false
-}
-
-// AddUnqualifiedFlags adds flags related to insecure serving without the --insecure prefix to the specified FlagSet.
-func (s *DeprecatedInsecureServingOptions) AddUnqualifiedFlags(fs *pflag.FlagSet) {
- if s == nil {
- return
- }
-
- fs.IPVar(&s.BindAddress, "address", s.BindAddress,
- "The IP address on which to serve the insecure --port (set to '0.0.0.0' or '::' for listening on all interfaces and IP address families).")
- fs.MarkDeprecated("address", "see --bind-address instead.")
- fs.Lookup("address").Hidden = false
-
- fs.IntVar(&s.BindPort, "port", s.BindPort, "The port on which to serve unsecured, unauthenticated access. Set to 0 to disable.")
- fs.MarkDeprecated("port", "see --secure-port instead.")
- fs.Lookup("port").Hidden = false
-}
-
-// ApplyTo adds DeprecatedInsecureServingOptions to the insecureserverinfo and kube-controller manager configuration.
-// Note: the double pointer allows to set the *DeprecatedInsecureServingInfo to nil without referencing the struct hosting this pointer.
-func (s *DeprecatedInsecureServingOptions) ApplyTo(c **server.DeprecatedInsecureServingInfo) error {
- if s == nil {
- return nil
- }
- if s.BindPort <= 0 {
- return nil
- }
-
- if s.Listener == nil {
- var err error
- listen := CreateListener
- if s.ListenFunc != nil {
- listen = s.ListenFunc
- }
- addr := net.JoinHostPort(s.BindAddress.String(), fmt.Sprintf("%d", s.BindPort))
- s.Listener, s.BindPort, err = listen(s.BindNetwork, addr, net.ListenConfig{})
- if err != nil {
- return fmt.Errorf("failed to create listener: %v", err)
- }
- }
-
- *c = &server.DeprecatedInsecureServingInfo{
- Listener: s.Listener,
- }
-
- return nil
-}
diff --git a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/options/options.go b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/options/options.go
index 6db53363fba..28b13df8acf 100644
--- a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/options/options.go
+++ b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/options/options.go
@@ -40,21 +40,18 @@ type Options struct { ClientQPSLimit float32 ClientQPSBurst int - SecureServing apiserveroptions.SecureServingOptions - InsecureServing apiserveroptions.DeprecatedInsecureServingOptions + SecureServing apiserveroptions.SecureServingOptions } func NewOptions() *Options { secureServing := apiserveroptions.NewSecureServingOptions() secureServing.ServerCert.PairName = "webhook" o := &Options{ - SecureServing: *secureServing, - InsecureServing: apiserveroptions.DeprecatedInsecureServingOptions{}, - ClientQPSLimit: DefaultClientQPSLimit, - ClientQPSBurst: DefaultClientQPSBurst, + SecureServing: *secureServing, + ClientQPSLimit: DefaultClientQPSLimit, + ClientQPSBurst: DefaultClientQPSBurst, } o.SecureServing.BindPort = DefaultPort - o.InsecureServing.BindPort = DefaultInsecurePort return o } @@ -65,7 +62,6 @@ func (o *Options) AddFlags(fs *pflag.FlagSet) { fs.IntVar(&o.ClientQPSBurst, "client-qps-burst", o.ClientQPSBurst, "Client QPS burst limit for throttling requests to the API server.") o.SecureServing.AddFlags(fs) - o.InsecureServing.AddFlags(fs) } // Validate validates all the required options. @@ -73,7 +69,6 @@ func (o *Options) Validate() []error { var errs []error errs = append(errs, o.SecureServing.Validate()...) - errs = append(errs, o.InsecureServing.Validate()...) return errs } diff --git a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go index 524602fb281..c357ab231a7 100644 --- a/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go +++ b/staging/src/k8s.io/pod-security-admission/cmd/webhook/server/server.go @@ -243,7 +243,6 @@ func LoadConfig(opts *options.Options) (*Config, error) { var c Config opts.SecureServing.ApplyTo(&c.SecureServing) - opts.InsecureServing.ApplyTo(&c.InsecureServing) // Load Kube Client kubeConfig, err := clientcmd.BuildConfigFromFlags("", opts.Kubeconfig)
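Review bot: Dropping the `InsecureServing` field in the first options.go hunk, together with the `o.InsecureServing.AddFlags(fs)` call removed in the AddFlags hunk, unregisters `--insecure-port` and `--insecure-bind-address`, so a webhook manifest that still passes `--insecure-port=0` to keep the plaintext listener off will probably be rejected as an unknown flag at startup instead of being ignored (how the FlagSet is parsed is not visible here). For an admission webhook that turns an existing hardening setting into a startup failure on upgrade, so I would call the removal out in the release notes, or keep a no-op flag for one release with `fs.Int("insecure-port", 0, "Deprecated: insecure serving has been removed; this flag has no effect.")` followed by `fs.MarkDeprecated("insecure-port", "insecure serving has been removed")`. NewOptions also no longer reads `DefaultInsecurePort`, and no visible hunk deletes that constant; if it is still declared in this package it is now dead and should go in the same change. The Options struct starts above the hunk.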