github/kubernetes
1
0
Fork 0
mirror of https://github.com/k3s-io/kubernetes.git synced 2025-08-07 11:13:48 +00:00
Code Issues Projects Releases Wiki Activity

Remove the limitation on exposing port 10250 externally

Browse Source
This commit is contained in:
Aohan Yang 2024-12-12 19:02:26 +08:00
parent 1e55df4985
commit e8087b3f6a
2 changed files with 3 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
pkg/apis/core/validation/validation.go
View File

@ -58,7 +58,6 @@ import (
podshelper "k8s.io/kubernetes/pkg/apis/core/pods" podshelper "k8s.io/kubernetes/pkg/apis/core/pods"
corev1 "k8s.io/kubernetes/pkg/apis/core/v1" corev1 "k8s.io/kubernetes/pkg/apis/core/v1"
"k8s.io/kubernetes/pkg/capabilities" "k8s.io/kubernetes/pkg/capabilities"
"k8s.io/kubernetes/pkg/cluster/ports"
"k8s.io/kubernetes/pkg/features" "k8s.io/kubernetes/pkg/features"
"k8s.io/kubernetes/pkg/fieldpath" "k8s.io/kubernetes/pkg/fieldpath"
) )
@ -5762,16 +5761,6 @@ func ValidateService(service *core.Service) field.ErrorList {
} }
switch service.Spec.Type { switch service.Spec.Type {
case core.ServiceTypeLoadBalancer: case core.ServiceTypeLoadBalancer:
for ix := range service.Spec.Ports {
port := &service.Spec.Ports[ix]
// This is a workaround for broken cloud environments that
// over-open firewalls. Hopefully it can go away when more clouds
// understand containers better.
if port.Port == ports.KubeletPort {
portPath := specPath.Child("ports").Index(ix)
allErrs = append(allErrs, field.Invalid(portPath, port.Port, fmt.Sprintf("may not expose port %v externally since it is used by kubelet", ports.KubeletPort)))
}
}
if isHeadlessService(service) { if isHeadlessService(service) {
allErrs = append(allErrs, field.Invalid(specPath.Child("clusterIPs").Index(0), service.Spec.ClusterIPs[0], "may not be set to 'None' for LoadBalancer services")) allErrs = append(allErrs, field.Invalid(specPath.Child("clusterIPs").Index(0), service.Spec.ClusterIPs[0], "may not be set to 'None' for LoadBalancer services"))
} }

7
pkg/apis/core/validation/validation_test.go
View File

@ -15385,16 +15385,15 @@ func TestValidateServiceCreate(t *testing.T) {
}, },
numErrs: 0, numErrs: 0,
}, { }, {
// For now we open firewalls, and its insecure if we open 10250, remove this // Remove the limitation on exposing port 10250 externally
// when we have better protections in place. name: "valid port type=LoadBalancer",
name: "invalid port type=LoadBalancer",
tweakSvc: func(s *core.Service) { tweakSvc: func(s *core.Service) {
s.Spec.Type = core.ServiceTypeLoadBalancer s.Spec.Type = core.ServiceTypeLoadBalancer
s.Spec.ExternalTrafficPolicy = core.ServiceExternalTrafficPolicyCluster s.Spec.ExternalTrafficPolicy = core.ServiceExternalTrafficPolicyCluster
s.Spec.AllocateLoadBalancerNodePorts = utilpointer.Bool(true) s.Spec.AllocateLoadBalancerNodePorts = utilpointer.Bool(true)
s.Spec.Ports = append(s.Spec.Ports, core.ServicePort{Name: "kubelet", Port: 10250, Protocol: "TCP", TargetPort: intstr.FromInt32(12345)}) s.Spec.Ports = append(s.Spec.Ports, core.ServicePort{Name: "kubelet", Port: 10250, Protocol: "TCP", TargetPort: intstr.FromInt32(12345)})
}, },
numErrs: 1, numErrs: 0,
}, { }, {
name: "valid LoadBalancer source range annotation", name: "valid LoadBalancer source range annotation",
tweakSvc: func(s *core.Service) { tweakSvc: func(s *core.Service) {