Set BindAddress appropriately when in IPv6-only mode

kubernetes · Jun 11, 2021 · b0068b4 · b0068b4
1 parent 84cecd5
commit b0068b4
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 2 deletions.
diff --git a/pkg/apis/kops/cluster.go b/pkg/apis/kops/cluster.go
@@ -18,6 +18,7 @@ package kops
 
 import (
 	"fmt"
+	"net"
 
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -793,6 +794,11 @@ func (c *Cluster) IsSharedAzureRouteTable() bool {
 	return c.Spec.CloudConfig.Azure.RouteTableName != ""
 }
 
+func (c *ClusterSpec) IsIPv6Only() bool {
+	cidr, _, _ := net.ParseCIDR(c.NonMasqueradeCIDR)
+	return cidr != nil && cidr.To4() == nil
+}
+
 // EnvVar represents an environment variable present in a Container.
 type EnvVar struct {
 	// Name of the environment variable. Must be a C_IDENTIFIER.

diff --git a/pkg/model/components/apiserver.go b/pkg/model/components/apiserver.go
@@ -129,7 +129,11 @@ func (b *KubeAPIServerOptionsBuilder) BuildOptions(o interface{}) error {
 	c.LogLevel = 2
 	c.SecurePort = 443
 
-	c.BindAddress = "0.0.0.0"
+	if clusterSpec.IsIPv6Only() {
+		c.BindAddress = "::"
+	} else {
+		c.BindAddress = "0.0.0.0"
+	}
 
 	c.AllowPrivileged = fi.Bool(true)
 	c.ServiceClusterIPRange = clusterSpec.ServiceClusterIPRange

diff --git a/pkg/model/iam/subject.go b/pkg/model/iam/subject.go
@@ -148,7 +148,7 @@ func supportsPublicJWKS(clusterSpec *kops.ClusterSpec) bool {
 		return false
 	}
 	for _, cidr := range clusterSpec.KubernetesAPIAccess {
-		if cidr == "0.0.0.0/0" {
+		if cidr == "0.0.0.0/0" || cidr == "::/0" {
 			return true
 		}
 	}