From 886b4c97cb84f47a6e5f5294039a833874533d45 Mon Sep 17 00:00:00 2001
From: Ole Markus With
Date: Wed, 9 Sep 2020 11:29:52 +0200
Subject: [PATCH] Don't explicitly set insecure-bind-address on newer k8s
---
 nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml | 1 -
 .../pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml | 1 -
 .../tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml | 1 -
 .../tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml | 1 -
 pkg/model/components/apiserver.go | 3 ++-
 .../privatecalico/cloudformation.json.extracted.yaml | 1 -
 ...ster-us-test-1a.masters.privatecalico.example.com_user_data | 1 -
 7 files changed, 2 insertions(+), 7 deletions(-)
diff --git a/nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml b/nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
index de5fd2d371..57402ad299 100644
--- a/nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
+++ b/nodeup/pkg/model/tests/golden/awsiam/tasks-kube-apiserver.yaml
@@ -49,7 +49,6 @@ contents: |
 - --etcd-keyfile=/etc/kubernetes/pki/kube-apiserver/etcd-client.key
 - --etcd-servers-overrides=/events#https://127.0.0.1:4002
 - --etcd-servers=https://127.0.0.1:4001
- - --insecure-bind-address=127.0.0.1
 - --insecure-port=0
 - --kubelet-client-certificate=/srv/kubernetes/kubelet-api.crt
 - --kubelet-client-key=/srv/kubernetes/kubelet-api.key
diff --git a/nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml b/nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml
index 908b1009e0..0e951b6043 100644
--- a/nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml
+++ b/nodeup/pkg/model/tests/golden/minimal/tasks-kube-apiserver.yaml
@@ -27,7 +27,6 @@ contents: |
 - --etcd-keyfile=/etc/kubernetes/pki/kube-apiserver/etcd-client.key
 - --etcd-servers-overrides=/events#https://127.0.0.1:4002
 - --etcd-servers=https://127.0.0.1:4001
- - --insecure-bind-address=127.0.0.1
 - --insecure-port=0
 - --kubelet-client-certificate=/srv/kubernetes/kubelet-api.crt
 - --kubelet-client-key=/srv/kubernetes/kubelet-api.key
diff --git a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml
index 9d0f610914..0c5d2f9f44 100644
--- a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml
+++ b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-amd64.yaml
@@ -27,7 +27,6 @@ contents: |
 - --etcd-keyfile=/etc/kubernetes/pki/kube-apiserver/etcd-client.key
 - --etcd-servers-overrides=/events#https://127.0.0.1:4002
 - --etcd-servers=https://127.0.0.1:4001
- - --insecure-bind-address=127.0.0.1
 - --insecure-port=0
 - --kubelet-client-certificate=/srv/kubernetes/kubelet-api.crt
 - --kubelet-client-key=/srv/kubernetes/kubelet-api.key
diff --git a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml
index a4801a02a0..17595a0995 100644
--- a/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml
+++ b/nodeup/pkg/model/tests/golden/side-loading/tasks-kube-apiserver-arm64.yaml
@@ -27,7 +27,6 @@ contents: |
 - --etcd-keyfile=/etc/kubernetes/pki/kube-apiserver/etcd-client.key
 - --etcd-servers-overrides=/events#https://127.0.0.1:4002
 - --etcd-servers=https://127.0.0.1:4001
- - --insecure-bind-address=127.0.0.1
 - --insecure-port=0
 - --kubelet-client-certificate=/srv/kubernetes/kubelet-api.crt
 - --kubelet-client-key=/srv/kubernetes/kubelet-api.key
diff --git a/pkg/model/components/apiserver.go b/pkg/model/components/apiserver.go
index 281d07bc23..b2e4b79ae0 100644
--- a/pkg/model/components/apiserver.go
+++ b/pkg/model/components/apiserver.go
@@ -162,7 +162,6 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 c.SecurePort = 443
 c.BindAddress = "0.0.0.0"
- c.InsecureBindAddress = "127.0.0.1"
 c.AllowPrivileged = fi.Bool(true)
 c.ServiceClusterIPRange = clusterSpec.ServiceClusterIPRange
@@ -217,9 +216,11 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 if b.IsKubernetesGTE("1.17") {
 // We query via the kube-apiserver-healthcheck proxy, which listens on port 3990
+ c.InsecureBindAddress = ""
 c.InsecurePort = 0
 } else {
 // Older versions of kubernetes continue to rely on the insecure port: kubernetes issue #43784
+ c.InsecureBindAddress = "127.0.0.1"
 c.InsecurePort = 8080
 }
diff --git a/tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml b/tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml
index ac4aad4fd1..d6a74b5d25 100644
--- a/tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml
+++ b/tests/integration/update_cluster/privatecalico/cloudformation.json.extracted.yaml
@@ -195,7 +195,6 @@ Resources.AWSEC2LaunchTemplatemasterustest1amastersprivatecalicoexamplecom.Prope
 etcdServersOverrides:
 - /events#http://127.0.0.1:4002
 image: k8s.gcr.io/kube-apiserver:v1.18.0
- insecureBindAddress: 127.0.0.1
 kubeletPreferredAddressTypes:
 - InternalIP
 - Hostname
diff --git a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data
index 3329d2dd69..d308644a77 100644
--- a/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data
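Review bot: In the second hunk of apiserver.go the `else` branch is now the only place that keeps the insecure listener on loopback, and neither added line says why. The insecure port serves requests without authentication or authorization, so the bind address is the only thing restricting it; I would add `// The insecure port is unauthenticated: keep it bound to loopback only.` above `c.InsecureBindAddress = "127.0.0.1"` and `// Insecure port is disabled, so the bind-address flag is left unset.` above `c.InsecureBindAddress = ""`. The fixtures updated in this patch all show the newer-version output (`--insecure-port=0`), so as far as the visible hunks go nothing pins the pre-1.17 branch; a golden case for an older version that still expects `--insecure-bind-address=127.0.0.1` would catch a regression there. BuildOptions starts and ends outside both hunks.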
+++ b/tests/integration/update_cluster/privatecalico/data/aws_launch_template_master-us-test-1a.masters.privatecalico.example.com_user_data
@@ -193,7 +193,6 @@ kubeAPIServer:
 etcdServersOverrides:
 - /events#http://127.0.0.1:4002
 image: k8s.gcr.io/kube-apiserver:v1.18.0
- insecureBindAddress: 127.0.0.1
 kubeletPreferredAddressTypes:
 - InternalIP
 - Hostname