Merge pull request #11737 from johngmyers/ipv6-bindaddr

Set BindAddress appropriately when in IPv6-only mode
2021-06-13 12:23:02 -07:00 · 2021-06-13 12:23:02 -07:00 · 78d0089242
parent 64ab7a5262 fc9ec13bb7
commit 78d0089242
3 changed files with 11 additions and 2 deletions
--- a/pkg/apis/kops/cluster.go
+++ b/pkg/apis/kops/cluster.go
@ -23,6 +23,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/kops/pkg/apis/kops/util"
+	"k8s.io/kops/upup/pkg/fi/utils"
 )

 // +genclient
@ -793,6 +794,10 @@ func (c *Cluster) IsSharedAzureRouteTable() bool {
 	return c.Spec.CloudConfig.Azure.RouteTableName != ""
 }

+func (c *ClusterSpec) IsIPv6Only() bool {
+	return utils.IsIPv6CIDR(c.NonMasqueradeCIDR)
+}
+
 // EnvVar represents an environment variable present in a Container.
 type EnvVar struct {
 	// Name of the environment variable. Must be a C_IDENTIFIER.
--- a/pkg/model/components/apiserver.go
+++ b/pkg/model/components/apiserver.go
@ -129,7 +129,11 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 	c.LogLevel = 2
 	c.SecurePort = 443

-	c.BindAddress = "0.0.0.0"
+	if clusterSpec.IsIPv6Only() {
+		c.BindAddress = "::"
+	} else {
+		c.BindAddress = "0.0.0.0"
+	}

 	c.AllowPrivileged = fi.Bool(true)
 	c.ServiceClusterIPRange = clusterSpec.ServiceClusterIPRange
--- a/pkg/model/iam/subject.go
+++ b/pkg/model/iam/subject.go
@ -148,7 +148,7 @@ func supportsPublicJWKS(clusterSpec *kops.ClusterSpec) bool {
 		return false
 	}
 	for _, cidr := range clusterSpec.KubernetesAPIAccess {
-		if cidr == "0.0.0.0/0" {
+		if cidr == "0.0.0.0/0" || cidr == "::/0" {
 			return true
 		}
 	}