diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go
index 8f9e3a92174..4e0ca207b1c 100644
--- a/cmd/kube-apiserver/app/options/options_test.go
+++ b/cmd/kube-apiserver/app/options/options_test.go
@@ -166,6 +166,7 @@ func TestAddFlags(t *testing.T) {
 PairName: "apiserver",
 },
 HTTP2MaxStreamsPerConnection: 42,
+ Required: true,
 }),
 InsecureServing: &kubeoptions.InsecureServingOptions{
 BindAddress: net.ParseIP("127.0.0.1"),
diff --git a/pkg/kubeapiserver/options/serving.go b/pkg/kubeapiserver/options/serving.go
index 85b102c9751..c2bad3e892d 100644
--- a/pkg/kubeapiserver/options/serving.go
+++ b/pkg/kubeapiserver/options/serving.go
@@ -36,6 +36,7 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
 return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
 BindAddress: net.ParseIP("0.0.0.0"),
 BindPort: 6443,
+ Required: true,
 ServerCert: genericoptions.GeneratableKeyCert{
 PairName: "apiserver",
 CertDirectory: "/var/run/kubernetes",
diff --git a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
index ee9cebacd04..7a2f570fc7c 100644
--- a/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
+++ b/staging/src/k8s.io/apiserver/pkg/server/options/serving.go
@@ -40,6 +40,8 @@ type SecureServingOptions struct {
 // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
 // "tcp4", and "tcp6".
 BindNetwork string
+ // Required set to true means that BindPort cannot be zero.
+ Required bool
 // Listener is the secure server network listener.
 // either Listener or BindAddress/BindPort/BindNetwork is set,
@@ -102,7 +104,9 @@ func (s *SecureServingOptions) Validate() []error {
 errors := []error{}
- if s.BindPort < 0 || s.BindPort > 65535 {
+ if s.Required && s.BindPort < 1 || s.BindPort > 65535 {
+ errors = append(errors, fmt.Errorf("--secure-port %v must be between 1 and 65535, inclusive. It cannot turned off with 0", s.BindPort))
+ } else if s.BindPort < 0 || s.BindPort > 65535 {
 errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port", s.BindPort))
 }
@@ -118,9 +122,14 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
 "The IP address on which to listen for the --secure-port port. The "+
 "associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
 "clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
- fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
- "The port on which to serve HTTPS with authentication and authorization. If 0, "+
- "don't serve HTTPS at all.")
+
+ desc := "The port on which to serve HTTPS with authentication and authorization."
+ if s.Required {
+ desc += "It cannot switched off with 0."
+ } else {
+ desc += "If 0, don't serve HTTPS at all."
+ }
+ fs.IntVar(&s.BindPort, "secure-port", s.BindPort, desc)
 fs.StringVar(&s.ServerCert.CertDirectory, "cert-dir", s.ServerCert.CertDirectory, ""+
 "The directory where the TLS certs are located. "+
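Review bot: The first condition in the Validate hunk, `s.Required && s.BindPort < 1 || s.BindPort > 65535`, parses as `(s.Required && s.BindPort < 1) || s.BindPort > 65535` because `&&` binds tighter than `||`, so a port above 65535 on a server that does not set Required is rejected with the message claiming 0 is not allowed. Parenthesising the range test, `if s.Required && (s.BindPort < 1 || s.BindPort > 65535) {`, leaves the `else if` branch to report the 0–65535 message for the non-required case. The new error text reads "It cannot turned off with 0"; `It cannot be turned off with 0` is presumably what was meant. The AddFlags hunk that follows has the same wording slip and appends its sentence straight after `authorization.` with no separating space, so the help text runs together; `desc += " It cannot be switched off with 0."` (and a leading space on the else string) fixes that. Validate's body starts and ends outside the hunk.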