github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-07-25 20:53:33 +00:00
Code Issues Projects Releases Wiki Activity

kube-apiserver: disallow --secure-port 0

Browse Source
This commit is contained in:
Dr. Stefan Schimanski 2018-07-06 12:58:59 +02:00
parent e32f380fa5
commit e15ac9eb72
3 changed files with 15 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
cmd/kube-apiserver/app/options/options_test.go
View File

@ -166,6 +166,7 @@ func TestAddFlags(t *testing.T) {
PairName: "apiserver", PairName: "apiserver",
}, },
HTTP2MaxStreamsPerConnection: 42, HTTP2MaxStreamsPerConnection: 42,
Required: true,
}), }),
InsecureServing: &kubeoptions.InsecureServingOptions{ InsecureServing: &kubeoptions.InsecureServingOptions{
BindAddress: net.ParseIP("127.0.0.1"), BindAddress: net.ParseIP("127.0.0.1"),

1
pkg/kubeapiserver/options/serving.go
View File

@ -36,6 +36,7 @@ func NewSecureServingOptions() *genericoptions.SecureServingOptionsWithLoopback
return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{ return genericoptions.WithLoopback(&genericoptions.SecureServingOptions{
BindAddress: net.ParseIP("0.0.0.0"), BindAddress: net.ParseIP("0.0.0.0"),
BindPort: 6443, BindPort: 6443,
Required: true,
ServerCert: genericoptions.GeneratableKeyCert{ ServerCert: genericoptions.GeneratableKeyCert{
PairName: "apiserver", PairName: "apiserver",
CertDirectory: "/var/run/kubernetes", CertDirectory: "/var/run/kubernetes",

17
staging/src/k8s.io/apiserver/pkg/server/options/serving.go
View File

@ -40,6 +40,8 @@ type SecureServingOptions struct {
// BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp", // BindNetwork is the type of network to bind to - defaults to "tcp", accepts "tcp",
// "tcp4", and "tcp6". // "tcp4", and "tcp6".
BindNetwork string BindNetwork string
// Required set to true means that BindPort cannot be zero.
Required bool
// Listener is the secure server network listener. // Listener is the secure server network listener.
// either Listener or BindAddress/BindPort/BindNetwork is set, // either Listener or BindAddress/BindPort/BindNetwork is set,
@ -102,7 +104,9 @@ func (s *SecureServingOptions) Validate() []error {
errors := []error{} errors := []error{}
if s.BindPort < 0 || s.BindPort > 65535 { if s.Required && s.BindPort < 1 || s.BindPort > 65535 {
errors = append(errors, fmt.Errorf("--secure-port %v must be between 1 and 65535, inclusive. It cannot turned off with 0", s.BindPort))
} else if s.BindPort < 0 || s.BindPort > 65535 {
errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port", s.BindPort)) errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port", s.BindPort))
} }
@ -118,9 +122,14 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
"The IP address on which to listen for the --secure-port port. The "+ "The IP address on which to listen for the --secure-port port. The "+
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+ "associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
"clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).") "clients. If blank, all interfaces will be used (0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).")
fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
"The port on which to serve HTTPS with authentication and authorization. If 0, "+ desc := "The port on which to serve HTTPS with authentication and authorization."
"don't serve HTTPS at all.") if s.Required {
desc += "It cannot switched off with 0."
} else {
desc += "If 0, don't serve HTTPS at all."
}
fs.IntVar(&s.BindPort, "secure-port", s.BindPort, desc)
fs.StringVar(&s.ServerCert.CertDirectory, "cert-dir", s.ServerCert.CertDirectory, ""+ fs.StringVar(&s.ServerCert.CertDirectory, "cert-dir", s.ServerCert.CertDirectory, ""+
"The directory where the TLS certs are located. "+ "The directory where the TLS certs are located. "+