kubernetes
/
apiserver
mirror of https://github.com/kubernetes/apiserver.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

move insecure options to kubeapiserver 

Kubernetes-commit: c2f8ef1b1a4e0e60379b7b7447d59a87b0b0ccf9
This commit is contained in:
deads2k 2017-03-09 13:51:59 -05:00 committed by Kubernetes Publisher
parent b3af46c0dc
commit c2afcd59a6
3 changed files with 33 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
pkg/server/options/server_run_options.go
View File

@ -71,30 +71,20 @@ func (s *ServerRunOptions) ApplyTo(c *server.Config) error {
return nil return nil
} }
// DefaultAdvertiseAddress sets the field AdvertiseAddress if // DefaultAdvertiseAddress sets the field AdvertiseAddress if unset. The field will be set based on the SecureServingOptions.
// unset. The field will be set based on the SecureServingOptions. If func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions) error {
// the SecureServingOptions is not present, DefaultExternalAddress if secure == nil {
// will fall back to the insecure ServingOptions. return nil
func (s *ServerRunOptions) DefaultAdvertiseAddress(secure *SecureServingOptions, insecure *ServingOptions) error {
if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
switch {
case secure != nil:
hostIP, err := secure.ServingOptions.DefaultExternalAddress()
if err != nil {
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
} }
s.AdvertiseAddress = hostIP
case insecure != nil: if s.AdvertiseAddress == nil || s.AdvertiseAddress.IsUnspecified() {
hostIP, err := insecure.DefaultExternalAddress() hostIP, err := secure.DefaultExternalAddress()
if err != nil { if err != nil {
return fmt.Errorf("Unable to find suitable network address.error='%v'. "+ return fmt.Errorf("Unable to find suitable network address.error='%v'. "+
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err) "Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this.", err)
} }
s.AdvertiseAddress = hostIP s.AdvertiseAddress = hostIP
} }
}
return nil return nil
} }

98
pkg/server/options/serving.go
View File

@ -35,13 +35,9 @@ import (
certutil "k8s.io/client-go/util/cert" certutil "k8s.io/client-go/util/cert"
) )
type ServingOptions struct { type SecureServingOptions struct {
BindAddress net.IP BindAddress net.IP
BindPort int BindPort int
}
type SecureServingOptions struct {
ServingOptions ServingOptions
// ServerCert is the TLS cert info for serving secure traffic // ServerCert is the TLS cert info for serving secure traffic
ServerCert GeneratableKeyCert ServerCert GeneratableKeyCert
@ -71,10 +67,8 @@ type GeneratableKeyCert struct {
func NewSecureServingOptions() *SecureServingOptions { func NewSecureServingOptions() *SecureServingOptions {
return &SecureServingOptions{ return &SecureServingOptions{
ServingOptions: ServingOptions{
BindAddress: net.ParseIP("0.0.0.0"), BindAddress: net.ParseIP("0.0.0.0"),
BindPort: 443, BindPort: 443,
},
ServerCert: GeneratableKeyCert{ ServerCert: GeneratableKeyCert{
PairName: "apiserver", PairName: "apiserver",
CertDirectory: "apiserver.local.config/certificates", CertDirectory: "apiserver.local.config/certificates",
@ -82,23 +76,27 @@ func NewSecureServingOptions() *SecureServingOptions {
} }
} }
func (s *SecureServingOptions) DefaultExternalAddress() (net.IP, error) {
return utilnet.ChooseBindAddress(s.BindAddress)
}
func (s *SecureServingOptions) Validate() []error { func (s *SecureServingOptions) Validate() []error {
errors := []error{} errors := []error{}
if s == nil {
return errors if s.BindPort < 0 || s.BindPort > 65535 {
errors = append(errors, fmt.Errorf("--secure-port %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", s.BindPort))
} }
errors = append(errors, s.ServingOptions.Validate("secure-port")...)
return errors return errors
} }
func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) { func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
fs.IPVar(&s.ServingOptions.BindAddress, "bind-address", s.ServingOptions.BindAddress, ""+ fs.IPVar(&s.BindAddress, "bind-address", s.BindAddress, ""+
"The IP address on which to listen for the --secure-port port. The "+ "The IP address on which to listen for the --secure-port port. The "+
"associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+ "associated interface(s) must be reachable by the rest of the cluster, and by CLI/web "+
"clients. If blank, all interfaces will be used (0.0.0.0).") "clients. If blank, all interfaces will be used (0.0.0.0).")
fs.IntVar(&s.ServingOptions.BindPort, "secure-port", s.ServingOptions.BindPort, ""+ fs.IntVar(&s.BindPort, "secure-port", s.BindPort, ""+
"The port on which to serve HTTPS with authentication and authorization. If 0, "+ "The port on which to serve HTTPS with authentication and authorization. If 0, "+
"don't serve HTTPS at all.") "don't serve HTTPS at all.")
@ -131,13 +129,13 @@ func (s *SecureServingOptions) AddFlags(fs *pflag.FlagSet) {
} }
func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) { func (s *SecureServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
fs.IPVar(&s.ServingOptions.BindAddress, "public-address-override", s.ServingOptions.BindAddress, fs.IPVar(&s.BindAddress, "public-address-override", s.BindAddress,
"DEPRECATED: see --bind-address instead.") "DEPRECATED: see --bind-address instead.")
fs.MarkDeprecated("public-address-override", "see --bind-address instead.") fs.MarkDeprecated("public-address-override", "see --bind-address instead.")
} }
func (s *SecureServingOptions) ApplyTo(c *server.Config) error { func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
if s.ServingOptions.BindPort <= 0 { if s.BindPort <= 0 {
return nil return nil
} }
if err := s.applyServingInfoTo(c); err != nil { if err := s.applyServingInfoTo(c); err != nil {
@ -173,13 +171,13 @@ func (s *SecureServingOptions) ApplyTo(c *server.Config) error {
} }
func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error { func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
if s.ServingOptions.BindPort <= 0 { if s.BindPort <= 0 {
return nil return nil
} }
secureServingInfo := &server.SecureServingInfo{ secureServingInfo := &server.SecureServingInfo{
ServingInfo: server.ServingInfo{ ServingInfo: server.ServingInfo{
BindAddress: net.JoinHostPort(s.ServingOptions.BindAddress.String(), strconv.Itoa(s.ServingOptions.BindPort)), BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
}, },
} }
@ -231,67 +229,7 @@ func (s *SecureServingOptions) applyServingInfoTo(c *server.Config) error {
} }
c.SecureServingInfo = secureServingInfo c.SecureServingInfo = secureServingInfo
c.ReadWritePort = s.ServingOptions.BindPort c.ReadWritePort = s.BindPort
return nil
}
func NewInsecureServingOptions() *ServingOptions {
return &ServingOptions{
BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 8080,
}
}
func (s ServingOptions) Validate(portArg string) []error {
errors := []error{}
if s.BindPort < 0 || s.BindPort > 65535 {
errors = append(errors, fmt.Errorf("--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port.", portArg, s.BindPort))
}
return errors
}
func (s *ServingOptions) DefaultExternalAddress() (net.IP, error) {
return utilnet.ChooseBindAddress(s.BindAddress)
}
func (s *ServingOptions) AddFlags(fs *pflag.FlagSet) {
fs.IPVar(&s.BindAddress, "insecure-bind-address", s.BindAddress, ""+
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "+
"Defaults to localhost.")
fs.IntVar(&s.BindPort, "insecure-port", s.BindPort, ""+
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "+
"that firewall rules are set up such that this port is not reachable from outside of "+
"the cluster and that port 443 on the cluster's public address is proxied to this "+
"port. This is performed by nginx in the default setup.")
}
func (s *ServingOptions) AddDeprecatedFlags(fs *pflag.FlagSet) {
fs.IPVar(&s.BindAddress, "address", s.BindAddress,
"DEPRECATED: see --insecure-bind-address instead.")
fs.MarkDeprecated("address", "see --insecure-bind-address instead.")
fs.IntVar(&s.BindPort, "port", s.BindPort, "DEPRECATED: see --insecure-port instead.")
fs.MarkDeprecated("port", "see --insecure-port instead.")
}
func (s *ServingOptions) ApplyTo(c *server.Config) error {
if s.BindPort <= 0 {
return nil
}
c.InsecureServingInfo = &server.ServingInfo{
BindAddress: net.JoinHostPort(s.BindAddress.String(), strconv.Itoa(s.BindPort)),
}
var err error
privilegedLoopbackToken := uuid.NewRandom().String()
if c.LoopbackClientConfig, err = c.InsecureServingInfo.NewLoopbackClientConfig(privilegedLoopbackToken); err != nil {
return err
}
return nil return nil
} }
@ -301,7 +239,7 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
return nil return nil
} }
keyCert := &s.ServerCert.CertKey keyCert := &s.ServerCert.CertKey
if s.ServingOptions.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 { if s.BindPort == 0 || len(keyCert.CertFile) != 0 || len(keyCert.KeyFile) != 0 {
return nil return nil
} }
@ -314,11 +252,11 @@ func (s *SecureServingOptions) MaybeDefaultWithSelfSignedCerts(publicAddress str
} }
if !canReadCertAndKey { if !canReadCertAndKey {
// add either the bind address or localhost to the valid alternates // add either the bind address or localhost to the valid alternates
bindIP := s.ServingOptions.BindAddress.String() bindIP := s.BindAddress.String()
if bindIP == "0.0.0.0" { if bindIP == "0.0.0.0" {
alternateDNS = append(alternateDNS, "localhost") alternateDNS = append(alternateDNS, "localhost")
} else { } else {
alternateIPs = append(alternateIPs, s.ServingOptions.BindAddress) alternateIPs = append(alternateIPs, s.BindAddress)
} }
if cert, key, err := certutil.GenerateSelfSignedCertKey(publicAddress, alternateIPs, alternateDNS); err != nil { if cert, key, err := certutil.GenerateSelfSignedCertKey(publicAddress, alternateIPs, alternateDNS); err != nil {

2
pkg/server/options/serving_test.go
View File

@ -459,10 +459,8 @@ NextTest:
config.EnableIndex = true config.EnableIndex = true
secureOptions := &SecureServingOptions{ secureOptions := &SecureServingOptions{
ServingOptions: ServingOptions{
BindAddress: net.ParseIP("127.0.0.1"), BindAddress: net.ParseIP("127.0.0.1"),
BindPort: 6443, BindPort: 6443,
},
ServerCert: GeneratableKeyCert{ ServerCert: GeneratableKeyCert{
CertKey: CertKey{ CertKey: CertKey{
CertFile: serverCertBundleFile, CertFile: serverCertBundleFile,