Skip to content

Commit

Permalink
kubeadm: Turn off insecure apiserver access on localhost:8080
Browse files Browse the repository at this point in the history
  • Loading branch information
luxas committed Feb 28, 2017
1 parent 49d1814 commit 3f59284
Show file tree
Hide file tree
Showing 4 changed files with 35 additions and 22 deletions.
20 changes: 10 additions & 10 deletions cmd/kubeadm/app/master/manifests.go
Original file line number Diff line number Diff line change
Expand Up @@ -74,7 +74,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeAPIServerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getAPIServerCommand(cfg, false),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(8080, "/healthz"),
LivenessProbe: componentProbe(6443, "/healthz", api.URISchemeHTTPS),
Resources: componentResources("250m"),
Env: getProxyEnvVars(),
}, volumes...),
Expand All @@ -83,7 +83,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getControllerManagerCommand(cfg, false),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(10252, "/healthz"),
LivenessProbe: componentProbe(10252, "/healthz", api.URISchemeHTTP),
Resources: componentResources("200m"),
Env: getProxyEnvVars(),
}, volumes...),
Expand All @@ -92,7 +92,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getSchedulerCommand(cfg, false),
VolumeMounts: []api.VolumeMount{k8sVolumeMount()},
LivenessProbe: componentProbe(10251, "/healthz"),
LivenessProbe: componentProbe(10251, "/healthz", api.URISchemeHTTP),
Resources: componentResources("100m"),
Env: getProxyEnvVars(),
}, k8sVolume(cfg)),
Expand All @@ -110,7 +110,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
},
VolumeMounts: []api.VolumeMount{certsVolumeMount(), etcdVolumeMount(), k8sVolumeMount()},
Image: images.GetCoreImage(images.KubeEtcdImage, cfg, kubeadmapi.GlobalEnvParams.EtcdImage),
LivenessProbe: componentProbe(2379, "/health"),
LivenessProbe: componentProbe(2379, "/health", api.URISchemeHTTP),
}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))

etcdPod.Spec.SecurityContext = &api.PodSecurityContext{
Expand Down Expand Up @@ -249,13 +249,14 @@ func componentResources(cpu string) api.ResourceRequirements {
}
}

func componentProbe(port int, path string) *api.Probe {
func componentProbe(port int, path string, scheme api.URIScheme) *api.Probe {
return &api.Probe{
Handler: api.Handler{
HTTPGet: &api.HTTPGetAction{
Host: "127.0.0.1",
Path: path,
Port: intstr.FromInt(port),
Host: "127.0.0.1",
Path: path,
Port: intstr.FromInt(port),
Scheme: scheme,
},
},
InitialDelaySeconds: 15,
Expand Down Expand Up @@ -304,7 +305,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
}

defaultArguments := map[string]string{
"insecure-bind-address": "127.0.0.1",
"insecure-port": "0",
"admission-control": kubeadmconstants.DefaultAdmissionControl,
"service-cluster-ip-range": cfg.Networking.ServiceSubnet,
"service-account-key-file": getCertFilePath(kubeadmconstants.ServiceAccountPublicKeyName),
Expand All @@ -318,7 +319,6 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
"allow-privileged": "true",
"storage-backend": "etcd3",
"kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",

// add options to configure the front proxy. Without the generated client cert, this will never be useable
// so add it unconditionally with recommended values
"requestheader-username-headers": "X-Remote-User",
Expand Down
30 changes: 22 additions & 8 deletions cmd/kubeadm/app/master/manifests_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -280,16 +280,23 @@ func TestComponentResources(t *testing.T) {

func TestComponentProbe(t *testing.T) {
var tests = []struct {
port int
path string
port int
path string
scheme api.URIScheme
}{
{
port: 1,
path: "foo",
port: 1,
path: "foo",
scheme: api.URISchemeHTTP,
},
{
port: 2,
path: "bar",
scheme: api.URISchemeHTTPS,
},
}
for _, rt := range tests {
actual := componentProbe(rt.port, rt.path)
actual := componentProbe(rt.port, rt.path, rt.scheme)
if actual.Handler.HTTPGet.Port != intstr.FromInt(rt.port) {
t.Errorf(
"failed componentProbe:\n\texpected: %v\n\t actual: %v",
Expand All @@ -304,6 +311,13 @@ func TestComponentProbe(t *testing.T) {
actual.Handler.HTTPGet.Path,
)
}
if actual.Handler.HTTPGet.Scheme != rt.scheme {
t.Errorf(
"failed componentProbe:\n\texpected: %v\n\t actual: %v",
rt.scheme,
actual.Handler.HTTPGet.Scheme,
)
}
}
}

Expand Down Expand Up @@ -371,7 +385,7 @@ func TestGetAPIServerCommand(t *testing.T) {
},
expected: []string{
"kube-apiserver",
"--insecure-bind-address=127.0.0.1",
"--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
Expand Down Expand Up @@ -401,7 +415,7 @@ func TestGetAPIServerCommand(t *testing.T) {
},
expected: []string{
"kube-apiserver",
"--insecure-bind-address=127.0.0.1",
"--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
Expand Down Expand Up @@ -433,7 +447,7 @@ func TestGetAPIServerCommand(t *testing.T) {
},
expected: []string{
"kube-apiserver",
"--insecure-bind-address=127.0.0.1",
"--insecure-port=0",
"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
"--service-cluster-ip-range=bar",
"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
Expand Down
6 changes: 3 additions & 3 deletions cmd/kubeadm/app/master/selfhosted.go
Original file line number Diff line number Diff line change
Expand Up @@ -214,7 +214,7 @@ func getAPIServerDS(cfg *kubeadmapi.MasterConfiguration, volumes []v1.Volume, vo
Command: getAPIServerCommand(cfg, true),
Env: getSelfHostedAPIServerEnv(),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(8080, "/healthz"),
LivenessProbe: componentProbe(6443, "/healthz", v1.URISchemeHTTPS),
Resources: componentResources("250m"),
},
},
Expand Down Expand Up @@ -264,7 +264,7 @@ func getControllerManagerDeployment(cfg *kubeadmapi.MasterConfiguration, volumes
Image: images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getControllerManagerCommand(cfg, true),
VolumeMounts: volumeMounts,
LivenessProbe: componentProbe(10252, "/healthz"),
LivenessProbe: componentProbe(10252, "/healthz", v1.URISchemeHTTP),
Resources: componentResources("200m"),
Env: getProxyEnvVars(),
},
Expand Down Expand Up @@ -314,7 +314,7 @@ func getSchedulerDeployment(cfg *kubeadmapi.MasterConfiguration) ext.Deployment
Name: "self-hosted-" + kubeScheduler,
Image: images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
Command: getSchedulerCommand(cfg, true),
LivenessProbe: componentProbe(10251, "/healthz"),
LivenessProbe: componentProbe(10251, "/healthz", v1.URISchemeHTTP),
Resources: componentResources("100m"),
Env: getProxyEnvVars(),
},
Expand Down
1 change: 0 additions & 1 deletion cmd/kubeadm/app/preflight/checks.go
Original file line number Diff line number Diff line change
Expand Up @@ -488,7 +488,6 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
ServiceCheck{Service: "docker", CheckIfActive: true},
FirewalldCheck{ports: []int{int(cfg.API.Port), 10250}},
PortOpenCheck{port: int(cfg.API.Port)},
PortOpenCheck{port: 8080},
PortOpenCheck{port: 10250},
PortOpenCheck{port: 10251},
PortOpenCheck{port: 10252},
Expand Down

0 comments on commit 3f59284

Please sign in to comment.