
Commit 0befec7

authored
Merge pull request kubernetes#77447 from dekkagaijin/mip
disable the apiserver's insecure port by default
2 parents 7673b2d + e4d521e commit 0befec7

1 file changed

+16
-2
lines changed


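--- a/cluster/gce/gci/configure-helper.sh
+++ b/cluster/gce/gci/configure-helper.sh
@@ -604,6 +604,9 @@ function create-master-auth {
 if [[ -n "${KUBE_BEARER_TOKEN:-}" ]]; then
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BEARER_TOKEN}," "admin,admin,system:masters"
 fi
+if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then
+append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_BOOTSTRAP_TOKEN}," "system:cluster-bootstrap,uid:system:cluster-bootstrap,system:masters"
+fi
 if [[ -n "${KUBE_CONTROLLER_MANAGER_TOKEN:-}" ]]; then
 append_or_replace_prefixed_line "${known_tokens_csv}" "${KUBE_CONTROLLER_MANAGER_TOKEN}," "system:kube-controller-manager,uid:system:kube-controller-manager"
 fi
@@ -1562,7 +1565,7 @@ function start-kube-apiserver {
 params+=" --etcd-keyfile=${ETCD_APISERVER_CLIENT_KEY_PATH}"
 fi
 params+=" --secure-port=443"
-if [[ "${ENABLE_APISERVER_INSECURE_PORT:-true}" != "true" ]]; then
+if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
 # Default is :8080
 params+=" --insecure-port=0"
 fi
@@ -2866,6 +2869,14 @@ function wait-till-apiserver-ready() {
 done
 }
 
+function ensure-bootstrap-kubectl-auth {
+# Creating an authenticated kubeconfig is only necessary if the insecure port is disabled.
+if [[ -n "${KUBE_BOOTSTRAP_TOKEN}" ]]; then
+create-kubeconfig "cluster-bootstrap" ${KUBE_BOOTSTRAP_TOKEN}
+export KUBECONFIG=/etc/srv/kubernetes/cluster-bootstrap/kubeconfig
+fi
+}
+
 ########### Main Function ###########
 function main() {
 echo "Start to configure instance for kubernetes"
@@ -2913,10 +2924,12 @@ function main() {
 fi
 fi
 
-# generate the controller manager, scheduler and cluster autoscaler tokens here since they are only used on the master.
 KUBE_CONTROLLER_MANAGER_TOKEN="$(secure_random 32)"
 KUBE_SCHEDULER_TOKEN="$(secure_random 32)"
 KUBE_CLUSTER_AUTOSCALER_TOKEN="$(secure_random 32)"
+if [[ "${ENABLE_APISERVER_INSECURE_PORT:-false}" != "true" ]]; then
+KUBE_BOOTSTRAP_TOKEN="$(secure_random 32)"
+fi
 if [[ "${ENABLE_L7_LOADBALANCING:-}" == "glbc" ]]; then
 GCE_GLBC_TOKEN="$(secure_random 32)"
 fi
@@ -2933,6 +2946,7 @@ function main() {
 create-node-pki
 create-master-pki
 create-master-auth
+ensure-bootstrap-kubectl-auth
 create-master-kubelet-auth
 create-master-etcd-auth
 create-master-etcd-apiserver-auth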
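Review bot: `ensure-bootstrap-kubectl-auth` tests `"${KUBE_BOOTSTRAP_TOKEN}"` with no default, but main assigns that variable only when `ENABLE_APISERVER_INSECURE_PORT` is not "true", so on the opposite path it is unbound and, if this script runs with `set -u` as I believe it does (the `set` line is outside these hunks), the call from main aborts instead of skipping. The sibling checks in create-master-auth use the `${VAR:-}` form; change the test to `if [[ -n "${KUBE_BOOTSTRAP_TOKEN:-}" ]]; then` and quote the argument for consistency with the other expansions, `create-kubeconfig "cluster-bootstrap" "${KUBE_BOOTSTRAP_TOKEN}"`. Since the new known_tokens entry binds this token to `system:masters`, it is worth confirming that create-kubeconfig (not in the hunk) writes /etc/srv/kubernetes/cluster-bootstrap/kubeconfig with owner-only permissions, because that file is now a cluster-admin credential at rest on the master. The enclosing main continues outside the hunk.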
