Do not set insecure port on k8s 1.20+

nodeup/pkg/model/kube_apiserver.go

@@ -585,10 +585,12 @@ func (b *KubeAPIServerBuilder) buildPod(kubeAPIServer *kops.KubeAPIServerConfig)
 		Path: "/healthz",
 		Port: intstr.FromInt(wellknownports.KubeAPIServerHealthCheck),
 	}
+
+	insecurePort := fi.Int32Value(kubeAPIServer.InsecurePort)
 	if useHealthcheckProxy {
 		// kube-apiserver-healthcheck sidecar container runs on port 3990
-	} else if kubeAPIServer.InsecurePort != 0 {
-		probeAction.Port = intstr.FromInt(int(kubeAPIServer.InsecurePort))
+	} else if insecurePort != 0 {
+		probeAction.Port = intstr.FromInt(int(insecurePort))
 	} else if kubeAPIServer.SecurePort != 0 {
 		probeAction.Port = intstr.FromInt(int(kubeAPIServer.SecurePort))
 		probeAction.Scheme = v1.URISchemeHTTPS
@@ -644,11 +646,11 @@ func (b *KubeAPIServerBuilder) buildPod(kubeAPIServer *kops.KubeAPIServerConfig)
 		},
 	}
 
-	if kubeAPIServer.InsecurePort != 0 {
+	if insecurePort != 0 {
 		container.Ports = append(container.Ports, v1.ContainerPort{
 			Name:          "local",
-			ContainerPort: kubeAPIServer.InsecurePort,
-			HostPort:      kubeAPIServer.InsecurePort,
+			ContainerPort: insecurePort,
+			HostPort:      insecurePort,
 		})
 	}
 

nodeup/pkg/model/kube_apiserver_test.go

@@ -32,109 +32,100 @@ func Test_KubeAPIServer_BuildFlags(t *testing.T) {
 	}{
 		{
 			kops.KubeAPIServerConfig{},
-			"--insecure-port=0 --secure-port=0",
+			"--secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				SecurePort: 443,
 			},
-			"--insecure-port=0 --secure-port=443",
+			"--secure-port=443",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				MaxRequestsInflight: 1000,
 			},
-			"--insecure-port=0 --max-requests-inflight=1000 --secure-port=0",
+			"--max-requests-inflight=1000 --secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				MaxMutatingRequestsInflight: 900,
 			},
-			"--insecure-port=0 --max-mutating-requests-inflight=900 --secure-port=0",
+			"--max-mutating-requests-inflight=900 --secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
-				InsecurePort: 8080,
-				SecurePort:   443,
+				SecurePort: 443,
 			},
-			"--insecure-port=8080 --secure-port=443",
+			"--secure-port=443",
 		},
 		{
 			kops.KubeAPIServerConfig{
-				InsecurePort:        8080,
 				SecurePort:          443,
 				MaxRequestsInflight: 1000,
 			},
-			"--insecure-port=8080 --max-requests-inflight=1000 --secure-port=443",
+			"--max-requests-inflight=1000 --secure-port=443",
 		},
 		{
 			kops.KubeAPIServerConfig{
-				InsecurePort:                8080,
 				SecurePort:                  443,
 				MaxMutatingRequestsInflight: 900,
 			},
-			"--insecure-port=8080 --max-mutating-requests-inflight=900 --secure-port=443",
-		},
-		{
-			kops.KubeAPIServerConfig{
-				InsecurePort: 8080,
-			},
-			"--insecure-port=8080 --secure-port=0",
+			"--max-mutating-requests-inflight=900 --secure-port=443",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				ServiceNodePortRange: "30000-33000",
 			},
-			"--insecure-port=0 --secure-port=0 --service-node-port-range=30000-33000",
+			"--secure-port=0 --service-node-port-range=30000-33000",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				ExperimentalEncryptionProviderConfig: fi.String("/srv/kubernetes/encryptionconfig.yaml"),
 			},
-			"--experimental-encryption-provider-config=/srv/kubernetes/encryptionconfig.yaml --insecure-port=0 --secure-port=0",
+			"--experimental-encryption-provider-config=/srv/kubernetes/encryptionconfig.yaml --secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				EncryptionProviderConfig: fi.String("/srv/kubernetes/encryptionconfig.yaml"),
 			},
-			"--encryption-provider-config=/srv/kubernetes/encryptionconfig.yaml --insecure-port=0 --secure-port=0",
+			"--encryption-provider-config=/srv/kubernetes/encryptionconfig.yaml --secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				TargetRamMB: 320,
 			},
-			"--insecure-port=0 --secure-port=0 --target-ram-mb=320",
+			"--secure-port=0 --target-ram-mb=320",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				AuditDynamicConfiguration: &[]bool{true}[0],
 				ServiceAccountKeyFile:     []string{"/srv/kubernetes/server.key", "/srv/kubernetes/service-account.key"},
 			},
-			"--audit-dynamic-configuration=true --insecure-port=0 --secure-port=0 --service-account-key-file=/srv/kubernetes/server.key --service-account-key-file=/srv/kubernetes/service-account.key",
+			"--audit-dynamic-configuration=true --secure-port=0 --service-account-key-file=/srv/kubernetes/server.key --service-account-key-file=/srv/kubernetes/service-account.key",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				AuditDynamicConfiguration: &[]bool{false}[0],
 			},
-			"--audit-dynamic-configuration=false --insecure-port=0 --secure-port=0",
+			"--audit-dynamic-configuration=false --secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				AuditDynamicConfiguration: &[]bool{true}[0],
 			},
-			"--audit-dynamic-configuration=true --insecure-port=0 --secure-port=0",
+			"--audit-dynamic-configuration=true --secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				EnableProfiling: &[]bool{false}[0],
 			},
-			"--insecure-port=0 --profiling=false --secure-port=0",
+			"--profiling=false --secure-port=0",
 		},
 		{
 			kops.KubeAPIServerConfig{
 				ClientCAFile: "client-ca.crt",
 			},
-			"--client-ca-file=client-ca.crt --insecure-port=0 --secure-port=0",
+			"--client-ca-file=client-ca.crt --secure-port=0",
 		},
 	}
 

nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml

@@ -31,7 +31,6 @@ contents: |
       - --etcd-keyfile=/srv/kubernetes/kube-apiserver/etcd-client.key
       - --etcd-servers-overrides=/events#https://127.0.0.1:4002
       - --etcd-servers=https://127.0.0.1:4001
-      - --insecure-port=0
       - --kubelet-client-certificate=/srv/kubernetes/kube-apiserver/kubelet-api.crt
       - --kubelet-client-key=/srv/kubernetes/kube-apiserver/kubelet-api.key
       - --kubelet-preferred-address-types=InternalIP,Hostname,ExternalIP

pkg/apis/kops/componentconfig.go

@@ -287,7 +287,7 @@ type KubeAPIServerConfig struct {
 	// SecurePort is the port the kube runs on
 	SecurePort int32 `json:"securePort,omitempty" flag:"secure-port"`
 	// InsecurePort is the port the insecure api runs
-	InsecurePort int32 `json:"insecurePort,omitempty" flag:"insecure-port"`
+	InsecurePort *int32 `json:"insecurePort,omitempty" flag:"insecure-port"`
 	// Address is the binding address for the kube api: Deprecated - use insecure-bind-address and bind-address
 	Address string `json:"address,omitempty" flag:"address"`
 	// BindAddress is the binding address for the secure kubernetes API

pkg/apis/kops/v1alpha2/componentconfig.go

@@ -287,7 +287,7 @@ type KubeAPIServerConfig struct {
 	// SecurePort is the port the kube runs on
 	SecurePort int32 `json:"securePort,omitempty" flag:"secure-port"`
 	// InsecurePort is the port the insecure api runs
-	InsecurePort int32 `json:"insecurePort,omitempty" flag:"insecure-port"`
+	InsecurePort *int32 `json:"insecurePort,omitempty" flag:"insecure-port"`
 	// Address is the binding address for the kube api: Deprecated - use insecure-bind-address and bind-address
 	Address string `json:"address,omitempty" flag:"address"`
 	// BindAddress is the binding address for the secure kubernetes API

pkg/apis/kops/v1alpha2/zz_generated.deepcopy.go

@@ -2643,6 +2643,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.InsecurePort != nil {
+		in, out := &in.InsecurePort, &out.InsecurePort
+		*out = new(int32)
+		**out = **in
+	}
 	if in.EnableBootstrapAuthToken != nil {
 		in, out := &in.EnableBootstrapAuthToken, &out.EnableBootstrapAuthToken
 		*out = new(bool)

pkg/apis/kops/v1alpha3/componentconfig.go

@@ -285,7 +285,7 @@ type KubeAPIServerConfig struct {
 	// SecurePort is the port the kube runs on
 	SecurePort int32 `json:"securePort,omitempty" flag:"secure-port"`
 	// InsecurePort is the port the insecure api runs
-	InsecurePort int32 `json:"insecurePort,omitempty" flag:"insecure-port"`
+	InsecurePort *int32 `json:"insecurePort,omitempty" flag:"insecure-port"`
 	// Address is the binding address for the kube api: Deprecated - use insecure-bind-address and bind-address
 	Address string `json:"address,omitempty" flag:"address"`
 	// BindAddress is the binding address for the secure kubernetes API

pkg/apis/kops/v1alpha3/zz_generated.deepcopy.go

@@ -2549,6 +2549,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.InsecurePort != nil {
+		in, out := &in.InsecurePort, &out.InsecurePort
+		*out = new(int32)
+		**out = **in
+	}
 	if in.EnableBootstrapAuthToken != nil {
 		in, out := &in.EnableBootstrapAuthToken, &out.EnableBootstrapAuthToken
 		*out = new(bool)

pkg/apis/kops/zz_generated.deepcopy.go

@@ -2723,6 +2723,11 @@ func (in *KubeAPIServerConfig) DeepCopyInto(out *KubeAPIServerConfig) {
 		*out = new(bool)
 		**out = **in
 	}
+	if in.InsecurePort != nil {
+		in, out := &in.InsecurePort, &out.InsecurePort
+		*out = new(int32)
+		**out = **in
+	}
 	if in.EnableBootstrapAuthToken != nil {
 		in, out := &in.EnableBootstrapAuthToken, &out.EnableBootstrapAuthToken
 		*out = new(bool)

pkg/flagbuilder/buildflags_test.go

@@ -22,6 +22,7 @@ import (
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi"
 )
@@ -170,61 +171,61 @@ func TestBuildAPIServerFlags(t *testing.T) {
 	}{
 		{
 			Config:   &kops.KubeAPIServerConfig{},
-			Expected: "--insecure-port=0 --secure-port=0",
+			Expected: "--secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuditWebhookBatchThrottleQps: resourceValue("3.14"),
 			},
-			Expected: "--audit-webhook-batch-throttle-qps=3.14 --insecure-port=0 --secure-port=0",
+			Expected: "--audit-webhook-batch-throttle-qps=3.14 --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuditWebhookBatchThrottleEnable: fi.Bool(true),
 			},
-			Expected: "--audit-webhook-batch-throttle-enable=true --insecure-port=0 --secure-port=0",
+			Expected: "--audit-webhook-batch-throttle-enable=true --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuditWebhookBatchThrottleEnable: fi.Bool(false),
 			},
-			Expected: "--audit-webhook-batch-throttle-enable=false --insecure-port=0 --secure-port=0",
+			Expected: "--audit-webhook-batch-throttle-enable=false --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuditWebhookInitialBackoff: &metav1.Duration{Duration: 120 * time.Second},
 			},
-			Expected: "--audit-webhook-initial-backoff=2m0s --insecure-port=0 --secure-port=0",
+			Expected: "--audit-webhook-initial-backoff=2m0s --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuditWebhookBatchMaxSize: fi.Int32(1000),
 			},
-			Expected: "--audit-webhook-batch-max-size=1000 --insecure-port=0 --secure-port=0",
+			Expected: "--audit-webhook-batch-max-size=1000 --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuthorizationWebhookConfigFile: fi.String("/authorization.yaml"),
 			},
-			Expected: "--authorization-webhook-config-file=/authorization.yaml --insecure-port=0 --secure-port=0",
+			Expected: "--authorization-webhook-config-file=/authorization.yaml --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuthorizationWebhookCacheAuthorizedTTL: &metav1.Duration{Duration: 100 * time.Second},
 			},
-			Expected: "--authorization-webhook-cache-authorized-ttl=1m40s --insecure-port=0 --secure-port=0",
+			Expected: "--authorization-webhook-cache-authorized-ttl=1m40s --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				AuthorizationWebhookCacheUnauthorizedTTL: &metav1.Duration{Duration: 10 * time.Second},
 			},
-			Expected: "--authorization-webhook-cache-unauthorized-ttl=10s --insecure-port=0 --secure-port=0",
+			Expected: "--authorization-webhook-cache-unauthorized-ttl=10s --secure-port=0",
 		},
 		{
 			Config: &kops.KubeAPIServerConfig{
 				EventTTL: &metav1.Duration{Duration: 3 * time.Hour},
 			},
-			Expected: "--event-ttl=3h0m0s --insecure-port=0 --secure-port=0",
+			Expected: "--event-ttl=3h0m0s --secure-port=0",
 		},
 	}
 

pkg/model/components/apiserver.go

@@ -21,6 +21,7 @@ import (
 	"strings"
 
 	v1 "k8s.io/api/core/v1"
+
 	"k8s.io/kops/pkg/apis/kops"
 	"k8s.io/kops/upup/pkg/fi"
 	"k8s.io/kops/upup/pkg/fi/loader"
@@ -173,7 +174,11 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 
 	// We query via the kube-apiserver-healthcheck proxy, which listens on port 3990
 	c.InsecureBindAddress = ""
-	c.InsecurePort = 0
+	if b.IsKubernetesGTE("1.20") {
+		c.InsecurePort = nil
+	} else {
+		c.InsecurePort = fi.Int32(0)
+	}
 
 	return nil
 }

tests/integration/update_cluster/privatecilium2/cloudformation.json.extracted.yaml

@@ -172,6 +172,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom.Prope
     etcdServersOverrides:
     - /events#https://127.0.0.1:4002
     image: k8s.gcr.io/kube-apiserver:v1.19.0
+    insecurePort: 0
     kubeletPreferredAddressTypes:
     - InternalIP
     - Hostname
@@ -247,7 +248,7 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivateciliumexamplecom.Prope
   ConfigBase: memfs://clusters.example.com/privatecilium.example.com
   InstanceGroupName: master-us-test-1a
   InstanceGroupRole: Master
-  NodeupConfigHash: QPowcTb0hx70EXW2JRFnx/GxS21gMl3ieV5HVprH+dw=
+  NodeupConfigHash: aDr+qFdNzpb6s4sB9AX086uhZx03QpucbLBJjuR2Wys=
 
   __EOF_KUBE_ENV
 

tests/integration/update_cluster/privatecilium2/data/aws_launch_template_master-us-test-1a.masters.privatecilium.example.com_user_data

@@ -170,6 +170,7 @@ kubeAPIServer:
   etcdServersOverrides:
   - /events#https://127.0.0.1:4002
   image: k8s.gcr.io/kube-apiserver:v1.19.0
+  insecurePort: 0
   kubeletPreferredAddressTypes:
   - InternalIP
   - Hostname
@@ -245,7 +246,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/privatecilium.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: QPowcTb0hx70EXW2JRFnx/GxS21gMl3ieV5HVprH+dw=
+NodeupConfigHash: aDr+qFdNzpb6s4sB9AX086uhZx03QpucbLBJjuR2Wys=
 
 __EOF_KUBE_ENV
 

tests/integration/update_cluster/privatecilium2/data/aws_s3_bucket_object_cluster-completed.spec_content

@@ -77,6 +77,7 @@ spec:
     etcdServersOverrides:
     - /events#https://127.0.0.1:4002
     image: k8s.gcr.io/kube-apiserver:v1.19.0
+    insecurePort: 0
     kubeletPreferredAddressTypes:
     - InternalIP
     - Hostname

tests/integration/update_cluster/privatecilium2/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content

@@ -21,6 +21,7 @@ APIServerConfig:
     etcdServersOverrides:
     - /events#https://127.0.0.1:4002
     image: k8s.gcr.io/kube-apiserver:v1.19.0
+    insecurePort: 0
     kubeletPreferredAddressTypes:
     - InternalIP
     - Hostname

tests/integration/update_cluster/public-jwks-apiserver/data/aws_launch_template_master-us-test-1a.masters.minimal.example.com_user_data

@@ -174,6 +174,7 @@ kubeAPIServer:
   featureGates:
     ServiceAccountIssuerDiscovery: "true"
   image: k8s.gcr.io/kube-apiserver:v1.19.0
+  insecurePort: 0
   kubeletPreferredAddressTypes:
   - InternalIP
   - Hostname
@@ -251,7 +252,7 @@ CloudProvider: aws
 ConfigBase: memfs://clusters.example.com/minimal.example.com
 InstanceGroupName: master-us-test-1a
 InstanceGroupRole: Master
-NodeupConfigHash: Y9j2tHVSobSpxpBbuJbn/MDN0AOcD9fPwPtIDPseeuI=
+NodeupConfigHash: ZaA+/PQSP2WHDGrclU+MT3MLpsflSIFvp6wnRSJAQas=
 
 __EOF_KUBE_ENV
 

tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_bucket_object_cluster-completed.spec_content

@@ -80,6 +80,7 @@ spec:
     featureGates:
       ServiceAccountIssuerDiscovery: "true"
     image: k8s.gcr.io/kube-apiserver:v1.19.0
+    insecurePort: 0
     kubeletPreferredAddressTypes:
     - InternalIP
     - Hostname

tests/integration/update_cluster/public-jwks-apiserver/data/aws_s3_bucket_object_nodeupconfig-master-us-test-1a_content

@@ -25,6 +25,7 @@ APIServerConfig:
     featureGates:
       ServiceAccountIssuerDiscovery: "true"
     image: k8s.gcr.io/kube-apiserver:v1.19.0
+    insecurePort: 0
     kubeletPreferredAddressTypes:
     - InternalIP
     - Hostname