Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
K
k3s
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Jacklull
k3s
Commits
18074d76
Commit
18074d76
authored
Nov 09, 2016
by
deads2k
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
split insecure serving options
parent
a08f3ba5
Hide whitespace changes
Inline
Side-by-side
Showing
11 changed files
with
142 additions
and
99 deletions
+142
-99
BUILD
cmd/kube-apiserver/app/BUILD
+2
-0
server.go
cmd/kube-apiserver/app/server.go
+6
-5
apiserver.go
examples/apiserver/apiserver.go
+2
-2
BUILD
federation/cmd/federation-apiserver/app/BUILD
+1
-0
server.go
federation/cmd/federation-apiserver/app/server.go
+3
-2
config.go
pkg/genericapiserver/config.go
+14
-15
BUILD
pkg/genericapiserver/options/BUILD
+1
-0
server_run_options.go
pkg/genericapiserver/options/server_run_options.go
+11
-56
serving_options.go
pkg/genericapiserver/options/serving_options.go
+94
-10
universal_validation.go
pkg/genericapiserver/validation/universal_validation.go
+6
-7
apiserver_test.go
test/integration/examples/apiserver_test.go
+2
-2
No files found.
cmd/kube-apiserver/app/BUILD
View file @
18074d76
...
@@ -36,10 +36,12 @@ go_library(
...
@@ -36,10 +36,12 @@ go_library(
"//pkg/generated/openapi:go_default_library",
"//pkg/generated/openapi:go_default_library",
"//pkg/genericapiserver:go_default_library",
"//pkg/genericapiserver:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/genericapiserver/options:go_default_library",
"//pkg/master:go_default_library",
"//pkg/master:go_default_library",
"//pkg/registry/cachesize:go_default_library",
"//pkg/registry/cachesize:go_default_library",
"//pkg/runtime/schema:go_default_library",
"//pkg/runtime/schema:go_default_library",
"//pkg/serviceaccount:go_default_library",
"//pkg/serviceaccount:go_default_library",
"//pkg/util/errors:go_default_library",
"//pkg/util/net:go_default_library",
"//pkg/util/net:go_default_library",
"//pkg/util/wait:go_default_library",
"//pkg/util/wait:go_default_library",
"//pkg/version:go_default_library",
"//pkg/version:go_default_library",
...
...
cmd/kube-apiserver/app/server.go
View file @
18074d76
...
@@ -50,6 +50,7 @@ import (
...
@@ -50,6 +50,7 @@ import (
generatedopenapi
"k8s.io/kubernetes/pkg/generated/openapi"
generatedopenapi
"k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions
"k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/pkg/master"
"k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/runtime/schema"
...
@@ -202,9 +203,9 @@ func Run(s *options.ServerRunOptions) error {
...
@@ -202,9 +203,9 @@ func Run(s *options.ServerRunOptions) error {
}
}
// Default to the private server key for service account token signing
// Default to the private server key for service account token signing
if
len
(
s
.
ServiceAccountKeyFiles
)
==
0
&&
s
.
GenericServerRunOptions
.
SecureServing
Options
.
ServerCert
.
CertKey
.
KeyFile
!=
""
{
if
len
(
s
.
ServiceAccountKeyFiles
)
==
0
&&
s
.
GenericServerRunOptions
.
SecureServing
.
ServerCert
.
CertKey
.
KeyFile
!=
""
{
if
authenticator
.
IsValidServiceAccountKeyFile
(
s
.
GenericServerRunOptions
.
SecureServing
Options
.
ServerCert
.
CertKey
.
KeyFile
)
{
if
authenticator
.
IsValidServiceAccountKeyFile
(
s
.
GenericServerRunOptions
.
SecureServing
.
ServerCert
.
CertKey
.
KeyFile
)
{
s
.
ServiceAccountKeyFiles
=
[]
string
{
s
.
GenericServerRunOptions
.
SecureServing
Options
.
ServerCert
.
CertKey
.
KeyFile
}
s
.
ServiceAccountKeyFiles
=
[]
string
{
s
.
GenericServerRunOptions
.
SecureServing
.
ServerCert
.
CertKey
.
KeyFile
}
}
else
{
}
else
{
glog
.
Warning
(
"No TLS key provided, service account token authentication disabled"
)
glog
.
Warning
(
"No TLS key provided, service account token authentication disabled"
)
}
}
...
@@ -225,7 +226,7 @@ func Run(s *options.ServerRunOptions) error {
...
@@ -225,7 +226,7 @@ func Run(s *options.ServerRunOptions) error {
Anonymous
:
s
.
GenericServerRunOptions
.
AnonymousAuth
,
Anonymous
:
s
.
GenericServerRunOptions
.
AnonymousAuth
,
AnyToken
:
s
.
GenericServerRunOptions
.
EnableAnyToken
,
AnyToken
:
s
.
GenericServerRunOptions
.
EnableAnyToken
,
BasicAuthFile
:
s
.
GenericServerRunOptions
.
BasicAuthFile
,
BasicAuthFile
:
s
.
GenericServerRunOptions
.
BasicAuthFile
,
ClientCAFile
:
s
.
GenericServerRunOptions
.
SecureServing
Options
.
ClientCA
,
ClientCAFile
:
s
.
GenericServerRunOptions
.
SecureServing
.
ClientCA
,
TokenAuthFile
:
s
.
GenericServerRunOptions
.
TokenAuthFile
,
TokenAuthFile
:
s
.
GenericServerRunOptions
.
TokenAuthFile
,
OIDCIssuerURL
:
s
.
GenericServerRunOptions
.
OIDCIssuerURL
,
OIDCIssuerURL
:
s
.
GenericServerRunOptions
.
OIDCIssuerURL
,
OIDCClientID
:
s
.
GenericServerRunOptions
.
OIDCClientID
,
OIDCClientID
:
s
.
GenericServerRunOptions
.
OIDCClientID
,
...
@@ -247,7 +248,7 @@ func Run(s *options.ServerRunOptions) error {
...
@@ -247,7 +248,7 @@ func Run(s *options.ServerRunOptions) error {
}
}
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
selfClientConfig
,
err
:=
s
.
GenericServerRunOptions
.
NewSelfClientConfig
(
privilegedLoopbackToken
)
selfClientConfig
,
err
:=
genericoptions
.
NewSelfClientConfig
(
s
.
GenericServerRunOptions
.
SecureServing
,
s
.
GenericServerRunOptions
.
InsecureServing
,
privilegedLoopbackToken
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
}
}
...
...
examples/apiserver/apiserver.go
View file @
18074d76
...
@@ -56,8 +56,8 @@ func newStorageFactory() genericapiserver.StorageFactory {
...
@@ -56,8 +56,8 @@ func newStorageFactory() genericapiserver.StorageFactory {
}
}
func
NewServerRunOptions
()
*
genericoptions
.
ServerRunOptions
{
func
NewServerRunOptions
()
*
genericoptions
.
ServerRunOptions
{
serverOptions
:=
genericoptions
.
NewServerRunOptions
()
.
WithEtcdOptions
()
.
WithSecureServingOptions
()
serverOptions
:=
genericoptions
.
NewServerRunOptions
()
.
WithEtcdOptions
()
.
WithSecureServingOptions
()
.
WithInsecureServingOptions
()
serverOptions
.
InsecurePort
=
InsecurePort
serverOptions
.
Insecure
Serving
.
Bind
Port
=
InsecurePort
return
serverOptions
return
serverOptions
}
}
...
...
federation/cmd/federation-apiserver/app/BUILD
View file @
18074d76
...
@@ -43,6 +43,7 @@ go_library(
...
@@ -43,6 +43,7 @@ go_library(
"//pkg/generated/openapi:go_default_library",
"//pkg/generated/openapi:go_default_library",
"//pkg/genericapiserver:go_default_library",
"//pkg/genericapiserver:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/genericapiserver/authorizer:go_default_library",
"//pkg/genericapiserver/options:go_default_library",
"//pkg/registry/cachesize:go_default_library",
"//pkg/registry/cachesize:go_default_library",
"//pkg/registry/core/configmap/etcd:go_default_library",
"//pkg/registry/core/configmap/etcd:go_default_library",
"//pkg/registry/core/event/etcd:go_default_library",
"//pkg/registry/core/event/etcd:go_default_library",
...
...
federation/cmd/federation-apiserver/app/server.go
View file @
18074d76
...
@@ -38,6 +38,7 @@ import (
...
@@ -38,6 +38,7 @@ import (
"k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/generated/openapi"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
"k8s.io/kubernetes/pkg/genericapiserver/authorizer"
genericoptions
"k8s.io/kubernetes/pkg/genericapiserver/options"
"k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/cachesize"
"k8s.io/kubernetes/pkg/registry/generic"
"k8s.io/kubernetes/pkg/registry/generic"
"k8s.io/kubernetes/pkg/registry/generic/registry"
"k8s.io/kubernetes/pkg/registry/generic/registry"
...
@@ -121,7 +122,7 @@ func Run(s *options.ServerRunOptions) error {
...
@@ -121,7 +122,7 @@ func Run(s *options.ServerRunOptions) error {
Anonymous
:
s
.
GenericServerRunOptions
.
AnonymousAuth
,
Anonymous
:
s
.
GenericServerRunOptions
.
AnonymousAuth
,
AnyToken
:
s
.
GenericServerRunOptions
.
EnableAnyToken
,
AnyToken
:
s
.
GenericServerRunOptions
.
EnableAnyToken
,
BasicAuthFile
:
s
.
GenericServerRunOptions
.
BasicAuthFile
,
BasicAuthFile
:
s
.
GenericServerRunOptions
.
BasicAuthFile
,
ClientCAFile
:
s
.
GenericServerRunOptions
.
SecureServing
Options
.
ClientCA
,
ClientCAFile
:
s
.
GenericServerRunOptions
.
SecureServing
.
ClientCA
,
TokenAuthFile
:
s
.
GenericServerRunOptions
.
TokenAuthFile
,
TokenAuthFile
:
s
.
GenericServerRunOptions
.
TokenAuthFile
,
OIDCIssuerURL
:
s
.
GenericServerRunOptions
.
OIDCIssuerURL
,
OIDCIssuerURL
:
s
.
GenericServerRunOptions
.
OIDCIssuerURL
,
OIDCClientID
:
s
.
GenericServerRunOptions
.
OIDCClientID
,
OIDCClientID
:
s
.
GenericServerRunOptions
.
OIDCClientID
,
...
@@ -136,7 +137,7 @@ func Run(s *options.ServerRunOptions) error {
...
@@ -136,7 +137,7 @@ func Run(s *options.ServerRunOptions) error {
}
}
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
privilegedLoopbackToken
:=
uuid
.
NewRandom
()
.
String
()
selfClientConfig
,
err
:=
s
.
GenericServerRunOptions
.
NewSelfClientConfig
(
privilegedLoopbackToken
)
selfClientConfig
,
err
:=
genericoptions
.
NewSelfClientConfig
(
s
.
GenericServerRunOptions
.
SecureServing
,
s
.
GenericServerRunOptions
.
InsecureServing
,
privilegedLoopbackToken
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
glog
.
Fatalf
(
"Failed to create clientset: %v"
,
err
)
}
}
...
...
pkg/genericapiserver/config.go
View file @
18074d76
...
@@ -226,7 +226,6 @@ func NewConfig() *Config {
...
@@ -226,7 +226,6 @@ func NewConfig() *Config {
defaultOptions
:=
options
.
NewServerRunOptions
()
defaultOptions
:=
options
.
NewServerRunOptions
()
// unset fields that can be overridden to avoid setting values so that we won't end up with lingering values.
// unset fields that can be overridden to avoid setting values so that we won't end up with lingering values.
// TODO we probably want to run the defaults the other way. A default here drives it in the CLI flags
// TODO we probably want to run the defaults the other way. A default here drives it in the CLI flags
defaultOptions
.
InsecurePort
=
0
defaultOptions
.
AuditLogPath
=
""
defaultOptions
.
AuditLogPath
=
""
return
config
.
ApplyOptions
(
defaultOptions
)
return
config
.
ApplyOptions
(
defaultOptions
)
}
}
...
@@ -242,28 +241,28 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
...
@@ -242,28 +241,28 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
}
}
}
}
if
options
.
SecureServing
Options
!=
nil
&&
options
.
SecureServingOptions
.
ServingOptions
.
BindPort
>
0
{
if
options
.
SecureServing
!=
nil
&&
options
.
SecureServing
.
ServingOptions
.
BindPort
>
0
{
secureServingInfo
:=
&
SecureServingInfo
{
secureServingInfo
:=
&
SecureServingInfo
{
ServingInfo
:
ServingInfo
{
ServingInfo
:
ServingInfo
{
BindAddress
:
net
.
JoinHostPort
(
options
.
SecureServing
Options
.
ServingOptions
.
BindAddress
.
String
(),
strconv
.
Itoa
(
options
.
SecureServingOptions
.
ServingOptions
.
BindPort
)),
BindAddress
:
net
.
JoinHostPort
(
options
.
SecureServing
.
ServingOptions
.
BindAddress
.
String
(),
strconv
.
Itoa
(
options
.
SecureServing
.
ServingOptions
.
BindPort
)),
},
},
ServerCert
:
GeneratableKeyCert
{
ServerCert
:
GeneratableKeyCert
{
CertKey
:
CertKey
{
CertKey
:
CertKey
{
CertFile
:
options
.
SecureServing
Options
.
ServerCert
.
CertKey
.
CertFile
,
CertFile
:
options
.
SecureServing
.
ServerCert
.
CertKey
.
CertFile
,
KeyFile
:
options
.
SecureServing
Options
.
ServerCert
.
CertKey
.
KeyFile
,
KeyFile
:
options
.
SecureServing
.
ServerCert
.
CertKey
.
KeyFile
,
},
},
},
},
SNICerts
:
[]
NamedCertKey
{},
SNICerts
:
[]
NamedCertKey
{},
ClientCA
:
options
.
SecureServing
Options
.
ClientCA
,
ClientCA
:
options
.
SecureServing
.
ClientCA
,
}
}
if
options
.
SecureServing
Options
.
ServerCert
.
CertKey
.
CertFile
==
""
&&
options
.
SecureServingOptions
.
ServerCert
.
CertKey
.
KeyFile
==
""
{
if
options
.
SecureServing
.
ServerCert
.
CertKey
.
CertFile
==
""
&&
options
.
SecureServing
.
ServerCert
.
CertKey
.
KeyFile
==
""
{
secureServingInfo
.
ServerCert
.
Generate
=
true
secureServingInfo
.
ServerCert
.
Generate
=
true
secureServingInfo
.
ServerCert
.
CertFile
=
path
.
Join
(
options
.
SecureServing
Options
.
ServerCert
.
CertDirectory
,
options
.
SecureServingOptions
.
ServerCert
.
PairName
+
".crt"
)
secureServingInfo
.
ServerCert
.
CertFile
=
path
.
Join
(
options
.
SecureServing
.
ServerCert
.
CertDirectory
,
options
.
SecureServing
.
ServerCert
.
PairName
+
".crt"
)
secureServingInfo
.
ServerCert
.
KeyFile
=
path
.
Join
(
options
.
SecureServing
Options
.
ServerCert
.
CertDirectory
,
options
.
SecureServingOptions
.
ServerCert
.
PairName
+
".key"
)
secureServingInfo
.
ServerCert
.
KeyFile
=
path
.
Join
(
options
.
SecureServing
.
ServerCert
.
CertDirectory
,
options
.
SecureServing
.
ServerCert
.
PairName
+
".key"
)
}
}
secureServingInfo
.
SNICerts
=
nil
secureServingInfo
.
SNICerts
=
nil
for
_
,
nkc
:=
range
options
.
SecureServing
Options
.
SNICertKeys
{
for
_
,
nkc
:=
range
options
.
SecureServing
.
SNICertKeys
{
secureServingInfo
.
SNICerts
=
append
(
secureServingInfo
.
SNICerts
,
NamedCertKey
{
secureServingInfo
.
SNICerts
=
append
(
secureServingInfo
.
SNICerts
,
NamedCertKey
{
CertKey
:
CertKey
{
CertKey
:
CertKey
{
KeyFile
:
nkc
.
KeyFile
,
KeyFile
:
nkc
.
KeyFile
,
...
@@ -274,12 +273,12 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
...
@@ -274,12 +273,12 @@ func (c *Config) ApplyOptions(options *options.ServerRunOptions) *Config {
}
}
c
.
SecureServingInfo
=
secureServingInfo
c
.
SecureServingInfo
=
secureServingInfo
c
.
ReadWritePort
=
options
.
SecureServing
Options
.
ServingOptions
.
BindPort
c
.
ReadWritePort
=
options
.
SecureServing
.
ServingOptions
.
BindPort
}
}
if
options
.
InsecurePort
>
0
{
if
options
.
Insecure
Serving
!=
nil
&&
options
.
InsecureServing
.
Bind
Port
>
0
{
insecureServingInfo
:=
&
ServingInfo
{
insecureServingInfo
:=
&
ServingInfo
{
BindAddress
:
net
.
JoinHostPort
(
options
.
Insecure
BindAddress
.
String
(),
strconv
.
Itoa
(
options
.
Insecure
Port
)),
BindAddress
:
net
.
JoinHostPort
(
options
.
Insecure
Serving
.
BindAddress
.
String
(),
strconv
.
Itoa
(
options
.
InsecureServing
.
Bind
Port
)),
}
}
c
.
InsecureServingInfo
=
insecureServingInfo
c
.
InsecureServingInfo
=
insecureServingInfo
}
}
...
@@ -487,8 +486,8 @@ func DefaultAndValidateRunOptions(options *options.ServerRunOptions) {
...
@@ -487,8 +486,8 @@ func DefaultAndValidateRunOptions(options *options.ServerRunOptions) {
// If advertise-address is not specified, use bind-address. If bind-address
// If advertise-address is not specified, use bind-address. If bind-address
// is not usable (unset, 0.0.0.0, or loopback), we will use the host's default
// is not usable (unset, 0.0.0.0, or loopback), we will use the host's default
// interface as valid public addr for master (see: util/net#ValidPublicAddrForMaster)
// interface as valid public addr for master (see: util/net#ValidPublicAddrForMaster)
if
options
.
SecureServing
Options
!=
nil
&&
(
options
.
AdvertiseAddress
==
nil
||
options
.
AdvertiseAddress
.
IsUnspecified
())
{
if
options
.
SecureServing
!=
nil
&&
(
options
.
AdvertiseAddress
==
nil
||
options
.
AdvertiseAddress
.
IsUnspecified
())
{
hostIP
,
err
:=
utilnet
.
ChooseBindAddress
(
options
.
SecureServing
Options
.
ServingOptions
.
BindAddress
)
hostIP
,
err
:=
utilnet
.
ChooseBindAddress
(
options
.
SecureServing
.
ServingOptions
.
BindAddress
)
if
err
!=
nil
{
if
err
!=
nil
{
glog
.
Fatalf
(
"Unable to find suitable network address.error='%v' . "
+
glog
.
Fatalf
(
"Unable to find suitable network address.error='%v' . "
+
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this."
,
err
)
"Try to set the AdvertiseAddress directly or provide a valid BindAddress to fix this."
,
err
)
...
...
pkg/genericapiserver/options/BUILD
View file @
18074d76
...
@@ -17,6 +17,7 @@ go_library(
...
@@ -17,6 +17,7 @@ go_library(
"doc.go",
"doc.go",
"etcd_options.go",
"etcd_options.go",
"server_run_options.go",
"server_run_options.go",
"serving_options.go",
],
],
tags = ["automanaged"],
tags = ["automanaged"],
deps = [
deps = [
...
...
pkg/genericapiserver/options/server_run_options.go
View file @
18074d76
...
@@ -17,9 +17,7 @@ limitations under the License.
...
@@ -17,9 +17,7 @@ limitations under the License.
package
options
package
options
import
(
import
(
"errors"
"net"
"net"
"strconv"
"strings"
"strings"
"time"
"time"
...
@@ -27,7 +25,6 @@ import (
...
@@ -27,7 +25,6 @@ import (
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/api"
"k8s.io/kubernetes/pkg/apimachinery/registered"
"k8s.io/kubernetes/pkg/apimachinery/registered"
clientset
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
clientset
"k8s.io/kubernetes/pkg/client/clientset_generated/internalclientset"
"k8s.io/kubernetes/pkg/client/restclient"
"k8s.io/kubernetes/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/runtime/schema"
"k8s.io/kubernetes/pkg/util/config"
"k8s.io/kubernetes/pkg/util/config"
utilnet
"k8s.io/kubernetes/pkg/util/net"
utilnet
"k8s.io/kubernetes/pkg/util/net"
...
@@ -54,8 +51,9 @@ var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABA
...
@@ -54,8 +51,9 @@ var AuthorizationModeChoices = []string{ModeAlwaysAllow, ModeAlwaysDeny, ModeABA
// ServerRunOptions contains the options while running a generic api server.
// ServerRunOptions contains the options while running a generic api server.
type
ServerRunOptions
struct
{
type
ServerRunOptions
struct
{
Etcd
*
EtcdOptions
Etcd
*
EtcdOptions
SecureServingOptions
*
SecureServingOptions
SecureServing
*
SecureServingOptions
InsecureServing
*
ServingOptions
AdmissionControl
string
AdmissionControl
string
AdmissionControlConfigFile
string
AdmissionControlConfigFile
string
...
@@ -86,8 +84,6 @@ type ServerRunOptions struct {
...
@@ -86,8 +84,6 @@ type ServerRunOptions struct {
EnableSwaggerUI
bool
EnableSwaggerUI
bool
EnableWatchCache
bool
EnableWatchCache
bool
ExternalHost
string
ExternalHost
string
InsecureBindAddress
net
.
IP
InsecurePort
int
KeystoneURL
string
KeystoneURL
string
KeystoneCAFile
string
KeystoneCAFile
string
KubernetesServiceNodePort
int
KubernetesServiceNodePort
int
...
@@ -133,8 +129,6 @@ func NewServerRunOptions() *ServerRunOptions {
...
@@ -133,8 +129,6 @@ func NewServerRunOptions() *ServerRunOptions {
EnableProfiling
:
true
,
EnableProfiling
:
true
,
EnableContentionProfiling
:
false
,
EnableContentionProfiling
:
false
,
EnableWatchCache
:
true
,
EnableWatchCache
:
true
,
InsecureBindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
InsecurePort
:
8080
,
LongRunningRequestRE
:
DefaultLongRunningRequestRE
,
LongRunningRequestRE
:
DefaultLongRunningRequestRE
,
MasterCount
:
1
,
MasterCount
:
1
,
MasterServiceNamespace
:
api
.
NamespaceDefault
,
MasterServiceNamespace
:
api
.
NamespaceDefault
,
...
@@ -150,8 +144,14 @@ func (o *ServerRunOptions) WithEtcdOptions() *ServerRunOptions {
...
@@ -150,8 +144,14 @@ func (o *ServerRunOptions) WithEtcdOptions() *ServerRunOptions {
o
.
Etcd
=
NewDefaultEtcdOptions
()
o
.
Etcd
=
NewDefaultEtcdOptions
()
return
o
return
o
}
}
func
(
o
*
ServerRunOptions
)
WithSecureServingOptions
()
*
ServerRunOptions
{
func
(
o
*
ServerRunOptions
)
WithSecureServingOptions
()
*
ServerRunOptions
{
o
.
SecureServingOptions
=
NewDefaultSecureServingOptions
()
o
.
SecureServing
=
NewDefaultSecureServingOptions
()
return
o
}
func
(
o
*
ServerRunOptions
)
WithInsecureServingOptions
()
*
ServerRunOptions
{
o
.
InsecureServing
=
NewDefaultInsecureServingOptions
()
return
o
return
o
}
}
...
@@ -203,42 +203,13 @@ func mergeGroupVersionIntoMap(gvList string, dest map[string]schema.GroupVersion
...
@@ -203,42 +203,13 @@ func mergeGroupVersionIntoMap(gvList string, dest map[string]schema.GroupVersion
// Returns a clientset which can be used to talk to this apiserver.
// Returns a clientset which can be used to talk to this apiserver.
func
(
s
*
ServerRunOptions
)
NewSelfClient
(
token
string
)
(
clientset
.
Interface
,
error
)
{
func
(
s
*
ServerRunOptions
)
NewSelfClient
(
token
string
)
(
clientset
.
Interface
,
error
)
{
clientConfig
,
err
:=
s
.
NewSelfClientConfig
(
token
)
clientConfig
,
err
:=
NewSelfClientConfig
(
s
.
SecureServing
,
s
.
InsecureServing
,
token
)
if
err
!=
nil
{
if
err
!=
nil
{
return
nil
,
err
return
nil
,
err
}
}
return
clientset
.
NewForConfig
(
clientConfig
)
return
clientset
.
NewForConfig
(
clientConfig
)
}
}
// Returns a clientconfig which can be used to talk to this apiserver.
func
(
s
*
ServerRunOptions
)
NewSelfClientConfig
(
token
string
)
(
*
restclient
.
Config
,
error
)
{
clientConfig
:=
&
restclient
.
Config
{
// Increase QPS limits. The client is currently passed to all admission plugins,
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
// for more details. Once #22422 is fixed, we may want to remove it.
QPS
:
50
,
Burst
:
100
,
}
// Use secure port if the ServerCA is specified
if
s
.
SecureServingOptions
!=
nil
&&
s
.
SecureServingOptions
.
ServingOptions
.
BindPort
>
0
&&
len
(
s
.
SecureServingOptions
.
ServerCA
)
>
0
{
host
:=
s
.
SecureServingOptions
.
ServingOptions
.
BindAddress
.
String
()
if
host
==
"0.0.0.0"
{
host
=
"localhost"
}
clientConfig
.
Host
=
"https://"
+
net
.
JoinHostPort
(
host
,
strconv
.
Itoa
(
s
.
SecureServingOptions
.
ServingOptions
.
BindPort
))
clientConfig
.
CAFile
=
s
.
SecureServingOptions
.
ServerCA
clientConfig
.
BearerToken
=
token
}
else
if
s
.
InsecurePort
>
0
{
clientConfig
.
Host
=
net
.
JoinHostPort
(
s
.
InsecureBindAddress
.
String
(),
strconv
.
Itoa
(
s
.
InsecurePort
))
}
else
{
return
nil
,
errors
.
New
(
"Unable to set url for apiserver local client"
)
}
return
clientConfig
,
nil
}
// AddFlags adds flags for a specific APIServer to the specified FlagSet
// AddFlags adds flags for a specific APIServer to the specified FlagSet
func
(
s
*
ServerRunOptions
)
AddUniversalFlags
(
fs
*
pflag
.
FlagSet
)
{
func
(
s
*
ServerRunOptions
)
AddUniversalFlags
(
fs
*
pflag
.
FlagSet
)
{
// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
// Note: the weird ""+ in below lines seems to be the only way to get gofmt to
...
@@ -337,22 +308,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
...
@@ -337,22 +308,6 @@ func (s *ServerRunOptions) AddUniversalFlags(fs *pflag.FlagSet) {
fs
.
StringVar
(
&
s
.
ExternalHost
,
"external-hostname"
,
s
.
ExternalHost
,
fs
.
StringVar
(
&
s
.
ExternalHost
,
"external-hostname"
,
s
.
ExternalHost
,
"The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs)."
)
"The hostname to use when generating externalized URLs for this master (e.g. Swagger API Docs)."
)
fs
.
IPVar
(
&
s
.
InsecureBindAddress
,
"insecure-bind-address"
,
s
.
InsecureBindAddress
,
""
+
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "
+
"Defaults to localhost."
)
fs
.
IPVar
(
&
s
.
InsecureBindAddress
,
"address"
,
s
.
InsecureBindAddress
,
"DEPRECATED: see --insecure-bind-address instead."
)
fs
.
MarkDeprecated
(
"address"
,
"see --insecure-bind-address instead."
)
fs
.
IntVar
(
&
s
.
InsecurePort
,
"insecure-port"
,
s
.
InsecurePort
,
""
+
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "
+
"that firewall rules are set up such that this port is not reachable from outside of "
+
"the cluster and that port 443 on the cluster's public address is proxied to this "
+
"port. This is performed by nginx in the default setup."
)
fs
.
IntVar
(
&
s
.
InsecurePort
,
"port"
,
s
.
InsecurePort
,
"DEPRECATED: see --insecure-port instead."
)
fs
.
MarkDeprecated
(
"port"
,
"see --insecure-port instead."
)
fs
.
StringVar
(
&
s
.
KeystoneURL
,
"experimental-keystone-url"
,
s
.
KeystoneURL
,
fs
.
StringVar
(
&
s
.
KeystoneURL
,
"experimental-keystone-url"
,
s
.
KeystoneURL
,
"If passed, activates the keystone authentication plugin."
)
"If passed, activates the keystone authentication plugin."
)
...
...
pkg/genericapiserver/options/serving_options.go
View file @
18074d76
...
@@ -17,11 +17,14 @@ limitations under the License.
...
@@ -17,11 +17,14 @@ limitations under the License.
package
options
package
options
import
(
import
(
"errors"
"fmt"
"fmt"
"net"
"net"
"strconv"
"github.com/spf13/pflag"
"github.com/spf13/pflag"
"k8s.io/kubernetes/pkg/client/restclient"
"k8s.io/kubernetes/pkg/util/config"
"k8s.io/kubernetes/pkg/util/config"
)
)
...
@@ -76,23 +79,37 @@ func NewDefaultSecureServingOptions() *SecureServingOptions {
...
@@ -76,23 +79,37 @@ func NewDefaultSecureServingOptions() *SecureServingOptions {
}
}
}
}
func
(
s
*
SecureServingOptions
)
Validate
()
[]
error
{
func
(
s
*
SecureServingOptions
)
NewSelfClientConfig
(
token
string
)
*
restclient
.
Config
{
errors
:=
[]
error
{}
if
s
==
nil
||
s
.
ServingOptions
.
BindPort
<=
0
&&
len
(
s
.
ServerCA
)
==
0
{
if
s
==
nil
{
return
nil
return
errors
}
clientConfig
:=
&
restclient
.
Config
{
// Increase QPS limits. The client is currently passed to all admission plugins,
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
// for more details. Once #22422 is fixed, we may want to remove it.
QPS
:
50
,
Burst
:
100
,
}
}
errors
=
append
(
errors
,
s
.
ServingOptions
.
Validate
(
"secure-port"
)
...
)
// Use secure port if the ServerCA is specified
return
errors
host
:=
s
.
ServingOptions
.
BindAddress
.
String
()
if
host
==
"0.0.0.0"
{
host
=
"localhost"
}
clientConfig
.
Host
=
"https://"
+
net
.
JoinHostPort
(
host
,
strconv
.
Itoa
(
s
.
ServingOptions
.
BindPort
))
clientConfig
.
CAFile
=
s
.
ServerCA
clientConfig
.
BearerToken
=
token
return
clientConfig
}
}
func
(
s
ServingOptions
)
Validate
(
portArg
string
)
[]
error
{
func
(
s
*
SecureServingOptions
)
Validate
(
)
[]
error
{
errors
:=
[]
error
{}
errors
:=
[]
error
{}
if
s
==
nil
{
if
s
.
BindPort
<
0
||
s
.
BindPort
>
65535
{
return
errors
errors
=
append
(
errors
,
fmt
.
Errorf
(
"--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port."
,
portArg
,
s
.
BindPort
))
}
}
errors
=
append
(
errors
,
s
.
ServingOptions
.
Validate
(
"secure-port"
)
...
)
return
errors
return
errors
}
}
...
@@ -145,3 +162,70 @@ func (s *SecureServingOptions) AddDeprecatedSecureServingFlags(fs *pflag.FlagSet
...
@@ -145,3 +162,70 @@ func (s *SecureServingOptions) AddDeprecatedSecureServingFlags(fs *pflag.FlagSet
fs
.
MarkDeprecated
(
"public-address-override"
,
"see --bind-address instead."
)
fs
.
MarkDeprecated
(
"public-address-override"
,
"see --bind-address instead."
)
}
}
func
NewDefaultInsecureServingOptions
()
*
ServingOptions
{
return
&
ServingOptions
{
BindAddress
:
net
.
ParseIP
(
"127.0.0.1"
),
BindPort
:
8080
,
}
}
func
(
s
ServingOptions
)
Validate
(
portArg
string
)
[]
error
{
errors
:=
[]
error
{}
if
s
.
BindPort
<
0
||
s
.
BindPort
>
65535
{
errors
=
append
(
errors
,
fmt
.
Errorf
(
"--%v %v must be between 0 and 65535, inclusive. 0 for turning off secure port."
,
portArg
,
s
.
BindPort
))
}
return
errors
}
func
(
s
*
ServingOptions
)
NewSelfClientConfig
(
token
string
)
*
restclient
.
Config
{
if
s
==
nil
||
s
.
BindPort
<=
0
{
return
nil
}
clientConfig
:=
&
restclient
.
Config
{
// Increase QPS limits. The client is currently passed to all admission plugins,
// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
// for more details. Once #22422 is fixed, we may want to remove it.
QPS
:
50
,
Burst
:
100
,
}
clientConfig
.
Host
=
net
.
JoinHostPort
(
s
.
BindAddress
.
String
(),
strconv
.
Itoa
(
s
.
BindPort
))
return
clientConfig
}
func
(
s
*
ServingOptions
)
AddInsecureServingFlags
(
fs
*
pflag
.
FlagSet
)
{
fs
.
IPVar
(
&
s
.
BindAddress
,
"insecure-bind-address"
,
s
.
BindAddress
,
""
+
"The IP address on which to serve the --insecure-port (set to 0.0.0.0 for all interfaces). "
+
"Defaults to localhost."
)
fs
.
IntVar
(
&
s
.
BindPort
,
"insecure-port"
,
s
.
BindPort
,
""
+
"The port on which to serve unsecured, unauthenticated access. Default 8080. It is assumed "
+
"that firewall rules are set up such that this port is not reachable from outside of "
+
"the cluster and that port 443 on the cluster's public address is proxied to this "
+
"port. This is performed by nginx in the default setup."
)
}
func
(
s
*
ServingOptions
)
AddDeprecatedInsecureServingFlags
(
fs
*
pflag
.
FlagSet
)
{
fs
.
IPVar
(
&
s
.
BindAddress
,
"address"
,
s
.
BindAddress
,
"DEPRECATED: see --insecure-bind-address instead."
)
fs
.
MarkDeprecated
(
"address"
,
"see --insecure-bind-address instead."
)
fs
.
IntVar
(
&
s
.
BindPort
,
"port"
,
s
.
BindPort
,
"DEPRECATED: see --insecure-port instead."
)
fs
.
MarkDeprecated
(
"port"
,
"see --insecure-port instead."
)
}
// Returns a clientconfig which can be used to talk to this apiserver.
func
NewSelfClientConfig
(
secureServingOptions
*
SecureServingOptions
,
insecureServingOptions
*
ServingOptions
,
token
string
)
(
*
restclient
.
Config
,
error
)
{
if
cfg
:=
secureServingOptions
.
NewSelfClientConfig
(
token
);
cfg
!=
nil
{
return
cfg
,
nil
}
if
cfg
:=
insecureServingOptions
.
NewSelfClientConfig
(
token
);
cfg
!=
nil
{
return
cfg
,
nil
}
return
nil
,
errors
.
New
(
"Unable to set url for apiserver local client"
)
}
pkg/genericapiserver/validation/universal_validation.go
View file @
18074d76
...
@@ -51,17 +51,16 @@ func verifyServiceNodePort(options *options.ServerRunOptions) []error {
...
@@ -51,17 +51,16 @@ func verifyServiceNodePort(options *options.ServerRunOptions) []error {
func
verifySecureAndInsecurePort
(
options
*
options
.
ServerRunOptions
)
[]
error
{
func
verifySecureAndInsecurePort
(
options
*
options
.
ServerRunOptions
)
[]
error
{
errors
:=
[]
error
{}
errors
:=
[]
error
{}
errors
=
append
(
errors
,
options
.
SecureServingOptions
.
Validate
()
...
)
errors
=
append
(
errors
,
options
.
SecureServing
.
Validate
()
...
)
errors
=
append
(
errors
,
options
.
InsecureServing
.
Validate
(
"insecure-port"
)
...
)
if
options
.
InsecurePort
<
0
||
options
.
InsecurePort
>
65535
{
if
(
options
.
SecureServing
==
nil
||
options
.
SecureServing
.
ServingOptions
.
BindPort
==
0
)
&&
errors
=
append
(
errors
,
fmt
.
Errorf
(
"--insecure-port %v must be between 0 and 65535, inclusive. 0 for turning off insecure port."
,
options
.
InsecurePort
))
(
options
.
InsecureServing
==
nil
||
options
.
InsecureServing
.
BindPort
==
0
)
{
}
if
(
options
.
SecureServingOptions
==
nil
||
options
.
SecureServingOptions
.
ServingOptions
.
BindPort
==
0
)
&&
options
.
InsecurePort
==
0
{
glog
.
Fatalf
(
"--secure-port and --insecure-port cannot be turned off at the same time."
)
glog
.
Fatalf
(
"--secure-port and --insecure-port cannot be turned off at the same time."
)
}
}
if
options
.
SecureServingOptions
!=
nil
&&
options
.
SecureServingOptions
.
ServingOptions
.
BindPort
==
options
.
InsecurePort
{
if
options
.
SecureServing
!=
nil
&&
options
.
InsecureServing
!=
nil
&&
options
.
SecureServing
.
ServingOptions
.
BindPort
==
options
.
InsecureServing
.
BindPort
{
errors
=
append
(
errors
,
fmt
.
Errorf
(
"--secure-port and --insecure-port cannot use the same port."
))
errors
=
append
(
errors
,
fmt
.
Errorf
(
"--secure-port and --insecure-port cannot use the same port."
))
}
}
return
errors
return
errors
...
...
test/integration/examples/apiserver_test.go
View file @
18074d76
...
@@ -63,8 +63,8 @@ func TestRunSecureServer(t *testing.T) {
...
@@ -63,8 +63,8 @@ func TestRunSecureServer(t *testing.T) {
stopCh
:=
make
(
chan
struct
{})
stopCh
:=
make
(
chan
struct
{})
go
func
()
{
go
func
()
{
options
:=
apiserver
.
NewServerRunOptions
()
options
:=
apiserver
.
NewServerRunOptions
()
options
.
InsecurePort
=
0
options
.
Insecure
Serving
.
Bind
Port
=
0
options
.
SecureServing
Options
.
ServingOptions
.
BindPort
=
apiserver
.
SecurePort
options
.
SecureServing
.
ServingOptions
.
BindPort
=
apiserver
.
SecurePort
if
err
:=
apiserver
.
Run
(
options
,
stopCh
);
err
!=
nil
{
if
err
:=
apiserver
.
Run
(
options
,
stopCh
);
err
!=
nil
{
t
.
Fatalf
(
"Error in bringing up the server: %v"
,
err
)
t
.
Fatalf
(
"Error in bringing up the server: %v"
,
err
)
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment