diff --git a/pkg/server/config.go b/pkg/server/config.go
index e9e2a0786..130b6fd78 100644
--- a/pkg/server/config.go
+++ b/pkg/server/config.go
@@ -371,6 +371,9 @@ func (c completedConfig) New() (*GenericAPIServer, error) {
 if c.Serializer == nil {
 return nil, fmt.Errorf("Genericapiserver.New() called with config.Serializer == nil")
 }
+ if c.LoopbackClientConfig == nil {
+ return nil, fmt.Errorf("Genericapiserver.New() called with config.LoopbackClientConfig == nil")
+ }
 s := &GenericAPIServer{
 discoveryAddresses: c.DiscoveryAddresses,
diff --git a/pkg/server/config_selfclient.go b/pkg/server/config_selfclient.go
index f916dd534..e96d5d04b 100644
--- a/pkg/server/config_selfclient.go
+++ b/pkg/server/config_selfclient.go
@@ -20,36 +20,12 @@ import (
 "bytes"
 "crypto/x509"
 "encoding/pem"
- "errors"
 "fmt"
 "net"
 restclient "k8s.io/client-go/rest"
-
- "github.com/golang/glog"
 )
-// NewSelfClientConfig returns a clientconfig which can be used to talk to this apiserver.
-func NewSelfClientConfig(secureServingInfo *SecureServingInfo, insecureServingInfo *ServingInfo, token string) (*restclient.Config, error) {
- cfg, err := secureServingInfo.NewSelfClientConfig(token)
- if cfg != nil && err == nil {
- return cfg, nil
- }
- if err != nil {
- if insecureServingInfo == nil {
- // be fatal if insecure port is not available
- return nil, err
- }
-
- glog.Warningf("Failed to create secure local client, falling back to insecure local connection: %v", err)
- }
- if cfg, err := insecureServingInfo.NewSelfClientConfig(token); err != nil || cfg != nil {
- return cfg, err
- }
-
- return nil, errors.New("Unable to set url for apiserver local client")
-}
-
 func (s *SecureServingInfo) NewSelfClientConfig(token string) (*restclient.Config, error) {
 if s == nil || (s.Cert == nil && len(s.SNICerts) == 0) {
 return nil, nil
diff --git a/pkg/server/genericapiserver_test.go b/pkg/server/genericapiserver_test.go
index 44fdede40..7bba047f4 100644
--- a/pkg/server/genericapiserver_test.go
+++ b/pkg/server/genericapiserver_test.go
@@ -46,10 +46,11 @@ import (
 "k8s.io/apiserver/pkg/authentication/user"
 "k8s.io/apiserver/pkg/authorization/authorizer"
 genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
+ "k8s.io/apiserver/pkg/registry/rest"
 etcdtesting "k8s.io/apiserver/pkg/storage/etcd/testing"
 "k8s.io/client-go/pkg/api"
+ restclient "k8s.io/client-go/rest"
 openapigen "k8s.io/kubernetes/pkg/generated/openapi"
- "k8s.io/apiserver/pkg/registry/rest"
 )
 const (
@@ -85,6 +86,7 @@ func setUp(t *testing.T) (*etcdtesting.EtcdTestServer, Config, *assert.Assertion
 config.PublicAddress = net.ParseIP("192.168.10.4")
 config.RequestContextMapper = genericapirequest.NewRequestContextMapper()
 config.LegacyAPIGroupPrefixes = sets.NewString("/api")
+ config.LoopbackClientConfig = &restclient.Config{}
 config.OpenAPIConfig = DefaultOpenAPIConfig(openapigen.GetOpenAPIDefinitions, api.Scheme)
 config.OpenAPIConfig.Info = &spec.Info{
diff --git a/pkg/server/options/serving.go b/pkg/server/options/serving.go
index 6f08e46b5..fcceb1af5 100644
--- a/pkg/server/options/serving.go
+++ b/pkg/server/options/serving.go
@@ -26,6 +26,7 @@ import (
 "strconv"
 "github.com/golang/glog"
+ "github.com/pborman/uuid"
 "github.com/spf13/pflag"
 utilnet "k8s.io/apimachinery/pkg/util/net"
@@ -139,6 +140,30 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
 if s.ServingOptions.BindPort <= 0 {
 return nil
 }
+ if err := s.applyServingInfoTo(c); err != nil {
+ return err
+ }
+
+ loopbackClientConfig, err := c.SecureServingInfo.NewSelfClientConfig(uuid.NewRandom().String())
+ switch {
+ // if we failed and there's no fallback loopback client config, we need to fail
+ case err != nil && c.LoopbackClientConfig == nil:
+ return err
+
+ // if we failed, but we already have a fallback loopback client config (usually insecure), allow it
+ case err != nil && c.LoopbackClientConfig != nil:
+
+ default:
+ c.LoopbackClientConfig = loopbackClientConfig
+ }
+
+ return nil
+}
+
+func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
+ if s.ServingOptions.BindPort <= 0 {
+ return nil
+ }
 secureServingInfo := &server.SecureServingInfo{
 ServingInfo: server.ServingInfo{
@@ -250,6 +275,12 @@ func (s *ServingOptions) ApplyTo(c *server.Config) error {
 BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
 }
+ var err error
+ privilegedLoopbackToken := uuid.NewRandom().String()
+ if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken); err != nil {
+ return err
+ }
+
 return nil
 }
diff --git a/pkg/server/options/serving_test.go b/pkg/server/options/serving_test.go
index 5dde07ead..269c0272c 100644
--- a/pkg/server/options/serving_test.go
+++ b/pkg/server/options/serving_test.go
@@ -36,6 +36,7 @@ import (
 genericapirequest "k8s.io/apiserver/pkg/endpoints/request"
 . "k8s.io/apiserver/pkg/server"
 utilflag "k8s.io/apiserver/pkg/util/flag"
+ restclient "k8s.io/client-go/rest"
 utilcert "k8s.io/client-go/util/cert"
 "k8s.io/kubernetes/pkg/client/clientset_generated/clientset"
 )
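Review bot: The `default:` branch of the new switch assigns `loopbackClientConfig` without checking it for nil, and `SecureServingInfo.NewSelfClientConfig` visibly returns `(nil, nil)` when the receiver is nil or carries no certificate (see the config_selfclient.go hunk), so a secure listener that ends up without certs would replace a fallback already stored in `c.LoopbackClientConfig` with nil and later trip the new nil check in `completedConfig.New()`. Whether `applyServingInfoTo` always installs a certificate is decided outside this hunk, so I would guard the assignment regardless: `case loopbackClientConfig != nil:` followed by `c.LoopbackClientConfig = loopbackClientConfig`. The empty `case err != nil && c.LoopbackClientConfig != nil:` also drops the warning that the deleted package-level `NewSelfClientConfig` emitted on exactly this fallback; since this config carries the privileged loopback token, an operator should be able to see that it silently ended up on the non-TLS path, e.g. `glog.Warningf("Failed to create secure loopback client config, using the existing loopback client config instead: %v", err)` (glog is already imported in this file). `applyServingInfoTo` continues past the end of the hunk.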
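Review bot: The new assignment in `ServingOptions.ApplyTo` writes straight into `c.LoopbackClientConfig` from the `if` initializer, which is what forces the predeclared `var err error` and also stores whatever the call returns on the error path; the plainer shape is `cfg, err := c.InsecureServingInfo.NewSelfClientConfig(privilegedLoopbackToken)`, `if err != nil { return err }`, `c.LoopbackClientConfig = cfg`. It also overwrites any loopback config already present; the comment in `SecureServingOptions.ApplyTo` calls the fallback "usually insecure", which suggests this method is expected to run first, but nothing in the hunk enforces that order, so a one-line comment stating that the secure options overwrite this value when they apply would help the next reader. A separate `uuid.NewRandom()` token is minted here and in the secure path, so the two loopback configs never share a token; if only one of them is registered with the authenticator (outside this diff), the other client would not authenticate, which is worth either a comment or a single shared token variable.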
@@ -493,6 +494,7 @@ NextTest:
 },
 SNICertKeys: namedCertKeys,
 }
+ config.LoopbackClientConfig = &restclient.Config{}
 if err := secureOptions.ApplyTo(&config); err != nil {
 t.Errorf("%q - failed applying the SecureServingOptions: %v", title, err)
 continue NextTest
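Review bot: Pre-seeding `config.LoopbackClientConfig = &restclient.Config{}` before `secureOptions.ApplyTo(&config)` means the new `err != nil && c.LoopbackClientConfig == nil` failure branch in `SecureServingOptions.ApplyTo` is never reached from this table, and nothing after the call checks that the placeholder was actually replaced by a config pointing at the secure listener. A case that leaves the field nil, plus an assertion such as `if config.LoopbackClientConfig == nil || config.LoopbackClientConfig.Host == "" { t.Errorf("%q - loopback client config not set", title) }` after a successful apply, would cover both paths. The table loop continues outside the hunk.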