diff --git a/cmd/kube-apiserver/app/BUILD b/cmd/kube-apiserver/app/BUILD index 1cfb7c20a76dc..bf45bdb09a3fe 100644 --- a/cmd/kube-apiserver/app/BUILD +++ b/cmd/kube-apiserver/app/BUILD @@ -23,8 +23,6 @@ go_library( "//pkg/kubeapiserver/admission:go_default_library", "//pkg/kubeapiserver/authenticator:go_default_library", "//pkg/kubeapiserver/authorizer/modes:go_default_library", - "//pkg/kubeapiserver/options:go_default_library", - "//pkg/kubeapiserver/server:go_default_library", "//pkg/registry/rbac/rest:go_default_library", "//pkg/serviceaccount:go_default_library", "//staging/src/k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1:go_default_library", @@ -74,6 +72,7 @@ go_library( "//staging/src/k8s.io/kube-aggregator/pkg/client/informers/externalversions/apiregistration/v1:go_default_library", "//staging/src/k8s.io/kube-aggregator/pkg/controllers/autoregister:go_default_library", "//vendor/github.com/spf13/cobra:go_default_library", + "//vendor/github.com/spf13/pflag:go_default_library", "//vendor/k8s.io/klog/v2:go_default_library", ], ) diff --git a/cmd/kube-apiserver/app/options/options.go b/cmd/kube-apiserver/app/options/options.go index c7b8bb54958aa..595c929307c63 100644 --- a/cmd/kube-apiserver/app/options/options.go +++ b/cmd/kube-apiserver/app/options/options.go @@ -22,12 +22,14 @@ import ( "strings" "time" + "github.com/spf13/pflag" utilnet "k8s.io/apimachinery/pkg/util/net" genericoptions "k8s.io/apiserver/pkg/server/options" "k8s.io/apiserver/pkg/storage/storagebackend" cliflag "k8s.io/component-base/cli/flag" "k8s.io/component-base/logs" "k8s.io/component-base/metrics" + api "k8s.io/kubernetes/pkg/apis/core" "k8s.io/kubernetes/pkg/cluster/ports" "k8s.io/kubernetes/pkg/controlplane/reconcilers" @@ -37,12 +39,15 @@ import ( "k8s.io/kubernetes/pkg/serviceaccount" ) +// InsecurePortFlags are dummy flags, they are kept only for compatibility and will be removed in v1.24. +// TODO: remove these flags in v1.24. +var InsecurePortFlags = []string{"insecure-port", "port"} + // ServerRunOptions runs a kubernetes api server. type ServerRunOptions struct { GenericServerRunOptions *genericoptions.ServerRunOptions Etcd *genericoptions.EtcdOptions SecureServing *genericoptions.SecureServingOptionsWithLoopback - InsecureServing *genericoptions.DeprecatedInsecureServingOptionsWithLoopback Audit *genericoptions.AuditOptions Features *genericoptions.FeatureOptions Admission *kubeoptions.AdmissionOptions @@ -62,7 +67,7 @@ type ServerRunOptions struct { MaxConnectionBytesPerSec int64 // ServiceClusterIPRange is mapped to input provided by user ServiceClusterIPRanges string - //PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results + // PrimaryServiceClusterIPRange and SecondaryServiceClusterIPRange are the results // of parsing ServiceClusterIPRange into actual values PrimaryServiceClusterIPRange net.IPNet SecondaryServiceClusterIPRange net.IPNet @@ -92,7 +97,6 @@ func NewServerRunOptions() *ServerRunOptions { GenericServerRunOptions: genericoptions.NewServerRunOptions(), Etcd: genericoptions.NewEtcdOptions(storagebackend.NewDefaultConfig(kubeoptions.DefaultEtcdPathPrefix, nil)), SecureServing: kubeoptions.NewSecureServingOptions(), - InsecureServing: kubeoptions.NewInsecureServingOptions(), Audit: genericoptions.NewAuditOptions(), Features: genericoptions.NewFeatureOptions(), Admission: kubeoptions.NewAdmissionOptions(), @@ -134,14 +138,33 @@ func NewServerRunOptions() *ServerRunOptions { return &s } +// TODO: remove these insecure flags in v1.24 +func addDummyInsecureFlags(fs *pflag.FlagSet) { + var ( + bindAddr = net.IPv4(127, 0, 0, 1) + bindPort int + ) + + for _, name := range []string{"insecure-bind-address", "address"} { + fs.IPVar(&bindAddr, name, bindAddr, ""+ + "The IP address on which to serve the insecure port (set to 0.0.0.0 for all IPv4 interfaces and :: for all IPv6 interfaces).") + fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.") + } + + for _, name := range InsecurePortFlags { + fs.IntVar(&bindPort, name, bindPort, ""+ + "The port on which to serve unsecured, unauthenticated access.") + fs.MarkDeprecated(name, "This flag has no effect now and will be removed in v1.24.") + } +} + // Flags returns flags for a specific APIServer by section name func (s *ServerRunOptions) Flags() (fss cliflag.NamedFlagSets) { // Add the generic flags. s.GenericServerRunOptions.AddUniversalFlags(fss.FlagSet("generic")) s.Etcd.AddFlags(fss.FlagSet("etcd")) s.SecureServing.AddFlags(fss.FlagSet("secure serving")) - s.InsecureServing.AddFlags(fss.FlagSet("insecure serving")) - s.InsecureServing.AddUnqualifiedFlags(fss.FlagSet("insecure serving")) // TODO: remove it until kops stops using `--address` + addDummyInsecureFlags(fss.FlagSet("insecure serving")) s.Audit.AddFlags(fss.FlagSet("auditing")) s.Features.AddFlags(fss.FlagSet("features")) s.Authentication.AddFlags(fss.FlagSet("authentication")) diff --git a/cmd/kube-apiserver/app/options/options_test.go b/cmd/kube-apiserver/app/options/options_test.go index 29e40727a4dd8..984b6680590c8 100644 --- a/cmd/kube-apiserver/app/options/options_test.go +++ b/cmd/kube-apiserver/app/options/options_test.go @@ -177,10 +177,6 @@ func TestAddFlags(t *testing.T) { HTTP2MaxStreamsPerConnection: 42, Required: true, }).WithLoopback(), - InsecureServing: (&apiserveroptions.DeprecatedInsecureServingOptions{ - BindAddress: net.ParseIP("127.0.0.1"), - BindPort: 8080, - }).WithLoopback(), EventTTL: 1 * time.Hour, KubeletConfig: kubeletclient.KubeletClientConfig{ Port: 10250, diff --git a/cmd/kube-apiserver/app/options/validation.go b/cmd/kube-apiserver/app/options/validation.go index 25519a6783253..8104bf1c63467 100644 --- a/cmd/kube-apiserver/app/options/validation.go +++ b/cmd/kube-apiserver/app/options/validation.go @@ -170,7 +170,6 @@ func (s *ServerRunOptions) Validate() []error { errs = append(errs, s.Authorization.Validate()...) errs = append(errs, s.Audit.Validate()...) errs = append(errs, s.Admission.Validate()...) - errs = append(errs, s.InsecureServing.Validate()...) errs = append(errs, s.APIEnablement.Validate(legacyscheme.Scheme, apiextensionsapiserver.Scheme, aggregatorscheme.Scheme)...) errs = append(errs, validateTokenRequest(s)...) errs = append(errs, s.Metrics.Validate()...) diff --git a/cmd/kube-apiserver/app/server.go b/cmd/kube-apiserver/app/server.go index eccf058b917bc..863e2423a0c02 100644 --- a/cmd/kube-apiserver/app/server.go +++ b/cmd/kube-apiserver/app/server.go @@ -31,6 +31,7 @@ import ( "time" "github.com/spf13/cobra" + "github.com/spf13/pflag" extensionsapiserver "k8s.io/apiextensions-apiserver/pkg/apiserver" utilerrors "k8s.io/apimachinery/pkg/util/errors" @@ -65,6 +66,7 @@ import ( "k8s.io/klog/v2" aggregatorapiserver "k8s.io/kube-aggregator/pkg/apiserver" aggregatorscheme "k8s.io/kube-aggregator/pkg/apiserver/scheme" + "k8s.io/kubernetes/cmd/kube-apiserver/app/options" "k8s.io/kubernetes/pkg/api/legacyscheme" "k8s.io/kubernetes/pkg/capabilities" @@ -77,8 +79,6 @@ import ( kubeapiserveradmission "k8s.io/kubernetes/pkg/kubeapiserver/admission" kubeauthenticator "k8s.io/kubernetes/pkg/kubeapiserver/authenticator" "k8s.io/kubernetes/pkg/kubeapiserver/authorizer/modes" - kubeoptions "k8s.io/kubernetes/pkg/kubeapiserver/options" - kubeserver "k8s.io/kubernetes/pkg/kubeapiserver/server" rbacrest "k8s.io/kubernetes/pkg/registry/rbac/rest" "k8s.io/kubernetes/pkg/serviceaccount" ) @@ -88,6 +88,20 @@ const ( etcdRetryInterval = 1 * time.Second ) +// TODO: delete this check after insecure flags removed in v1.24 +func checkNonZeroInsecurePort(fs *pflag.FlagSet) error { + for _, name := range options.InsecurePortFlags { + val, err := fs.GetInt(name) + if err != nil { + return err + } + if val != 0 { + return fmt.Errorf("invalid port value %d: only zero is allowed", val) + } + } + return nil +} + // NewAPIServerCommand creates a *cobra.Command object with default parameters func NewAPIServerCommand() *cobra.Command { s := options.NewServerRunOptions() @@ -108,8 +122,13 @@ cluster's shared state through which all other components interact.`, }, RunE: func(cmd *cobra.Command, args []string) error { verflag.PrintAndExitIfRequested() - cliflag.PrintFlags(cmd.Flags()) + fs := cmd.Flags() + cliflag.PrintFlags(fs) + err := checkNonZeroInsecurePort(fs) + if err != nil { + return err + } // set default options completedOptions, err := Complete(s) if err != nil { @@ -182,7 +201,7 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan return nil, err } - kubeAPIServerConfig, insecureServingInfo, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport) + kubeAPIServerConfig, serviceResolver, pluginInitializer, err := CreateKubeAPIServerConfig(completedOptions, nodeTunneler, proxyTransport) if err != nil { return nil, err } @@ -214,13 +233,6 @@ func CreateServerChain(completedOptions completedServerRunOptions, stopCh <-chan return nil, err } - if insecureServingInfo != nil { - insecureHandlerChain := kubeserver.BuildInsecureHandlerChain(aggregatorServer.GenericAPIServer.UnprotectedHandler(), kubeAPIServerConfig.GenericConfig) - if err := insecureServingInfo.Serve(insecureHandlerChain, kubeAPIServerConfig.GenericConfig.RequestTimeout, stopCh); err != nil { - return nil, err - } - } - return aggregatorServer, nil } @@ -288,19 +300,18 @@ func CreateKubeAPIServerConfig( proxyTransport *http.Transport, ) ( *controlplane.Config, - *genericapiserver.DeprecatedInsecureServingInfo, aggregatorapiserver.ServiceResolver, []admission.PluginInitializer, error, ) { - genericConfig, versionedInformers, insecureServingInfo, serviceResolver, pluginInitializers, admissionPostStartHook, storageFactory, err := buildGenericConfig(s.ServerRunOptions, proxyTransport) + genericConfig, versionedInformers, serviceResolver, pluginInitializers, admissionPostStartHook, storageFactory, err := buildGenericConfig(s.ServerRunOptions, proxyTransport) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, err } if _, port, err := net.SplitHostPort(s.Etcd.StorageConfig.Transport.ServerList[0]); err == nil && port != "0" && len(port) != 0 { if err := utilwait.PollImmediate(etcdRetryInterval, etcdRetryLimit*etcdRetryInterval, preflight.EtcdConnection{ServerList: s.Etcd.StorageConfig.Transport.ServerList}.CheckEtcdServers); err != nil { - return nil, nil, nil, nil, fmt.Errorf("error waiting for etcd connection: %v", err) + return nil, nil, nil, fmt.Errorf("error waiting for etcd connection: %v", err) } } @@ -322,7 +333,7 @@ func CreateKubeAPIServerConfig( serviceIPRange, apiServerServiceIP, err := controlplane.ServiceIPRange(s.PrimaryServiceClusterIPRange) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, err } // defaults to empty range and ip @@ -331,7 +342,7 @@ func CreateKubeAPIServerConfig( if s.SecondaryServiceClusterIPRange.IP != nil { secondaryServiceIPRange, _, err = controlplane.ServiceIPRange(s.SecondaryServiceClusterIPRange) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, err } } @@ -369,13 +380,13 @@ func CreateKubeAPIServerConfig( clientCAProvider, err := s.Authentication.ClientCert.GetClientCAContentProvider() if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, err } config.ExtraConfig.ClusterAuthenticationInfo.ClientCA = clientCAProvider requestHeaderConfig, err := s.Authentication.RequestHeader.ToAuthenticationRequestHeaderConfig() if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, err } if requestHeaderConfig != nil { config.ExtraConfig.ClusterAuthenticationInfo.RequestHeaderCA = requestHeaderConfig.CAContentProvider @@ -386,7 +397,7 @@ func CreateKubeAPIServerConfig( } if err := config.GenericConfig.AddPostStartHook("start-kube-apiserver-admission-initializer", admissionPostStartHook); err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, err } if nodeTunneler != nil { @@ -401,7 +412,7 @@ func CreateKubeAPIServerConfig( networkContext := egressselector.Cluster.AsNetworkContext() dialer, err := config.GenericConfig.EgressSelector.Lookup(networkContext) if err != nil { - return nil, nil, nil, nil, err + return nil, nil, nil, err } c := proxyTransport.Clone() c.DialContext = dialer @@ -414,7 +425,7 @@ func CreateKubeAPIServerConfig( for _, f := range s.Authentication.ServiceAccounts.KeyFiles { keys, err := keyutil.PublicKeysFromFile(f) if err != nil { - return nil, nil, nil, nil, fmt.Errorf("failed to parse key file %q: %v", f, err) + return nil, nil, nil, fmt.Errorf("failed to parse key file %q: %v", f, err) } pubKeys = append(pubKeys, keys...) } @@ -424,7 +435,7 @@ func CreateKubeAPIServerConfig( config.ExtraConfig.ServiceAccountPublicKeys = pubKeys } - return config, insecureServingInfo, serviceResolver, pluginInitializers, nil + return config, serviceResolver, pluginInitializers, nil } // BuildGenericConfig takes the master server options and produces the genericapiserver.Config associated with it @@ -434,7 +445,6 @@ func buildGenericConfig( ) ( genericConfig *genericapiserver.Config, versionedInformers clientgoinformers.SharedInformerFactory, - insecureServingInfo *genericapiserver.DeprecatedInsecureServingInfo, serviceResolver aggregatorapiserver.ServiceResolver, pluginInitializers []admission.PluginInitializer, admissionPostStartHook genericapiserver.PostStartHookFunc, @@ -448,9 +458,6 @@ func buildGenericConfig( return } - if lastErr = s.InsecureServing.ApplyTo(&insecureServingInfo, &genericConfig.LoopbackClientConfig); lastErr != nil { - return - } if lastErr = s.SecureServing.ApplyTo(&genericConfig.SecureServing, &genericConfig.LoopbackClientConfig); lastErr != nil { return } @@ -595,9 +602,6 @@ func Complete(s *options.ServerRunOptions) (completedServerRunOptions, error) { if err := s.GenericServerRunOptions.DefaultAdvertiseAddress(s.SecureServing.SecureServingOptions); err != nil { return options, err } - if err := kubeoptions.DefaultAdvertiseAddress(s.GenericServerRunOptions, s.InsecureServing.DeprecatedInsecureServingOptions); err != nil { - return options, err - } // process s.ServiceClusterIPRange from list to Primary and Secondary // we process secondary only if provided by user diff --git a/cmd/kube-apiserver/app/testing/testserver.go b/cmd/kube-apiserver/app/testing/testserver.go index 8a4684cc5839c..5258d2a41f8de 100644 --- a/cmd/kube-apiserver/app/testing/testserver.go +++ b/cmd/kube-apiserver/app/testing/testserver.go @@ -122,7 +122,6 @@ func StartTestServer(t Logger, instanceOptions *TestServerInstanceOptions, custo for _, f := range s.Flags().FlagSets { fs.AddFlagSet(f) } - s.InsecureServing.BindPort = 0 s.SecureServing.Listener, s.SecureServing.BindPort, err = createLocalhostListenerOnFreePort() if err != nil { diff --git a/hack/lib/util.sh b/hack/lib/util.sh index ff699da004f3d..2881dbc9bc5d7 100755 --- a/hack/lib/util.sh +++ b/hack/lib/util.sh @@ -45,6 +45,7 @@ kube::util::wait_for_url() { local wait=${3:-1} local times=${4:-30} local maxtime=${5:-1} + local extra_args=${6:-} command -v curl >/dev/null || { kube::log::usage "curl must be installed" @@ -54,7 +55,9 @@ kube::util::wait_for_url() { local i for i in $(seq 1 "${times}"); do local out - if out=$(curl --max-time "${maxtime}" -gkfs "${url}" 2>/dev/null); then + # shellcheck disable=SC2086 + # Disabling because "${extra_args}" needs to allow for expansion here + if out=$(curl --max-time "${maxtime}" -gkfs $extra_args "${url}" 2>/dev/null); then kube::log::status "On try ${i}, ${prefix}: ${out}" return 0 fi @@ -64,6 +67,17 @@ kube::util::wait_for_url() { return 1 } +kube::util::wait_for_url_with_bearer_token() { + local url=$1 + local token=$2 + local prefix=${3:-} + local wait=${4:-1} + local times=${5:-30} + local maxtime=${6:-1} + + kube::util::wait_for_url "${url}" "${prefix}" "${wait}" "${times}" "${maxtime}" "--oauth2-bearer ${token}" +} + # Example: kube::util::wait_for_success 120 5 "kubectl get nodes|grep localhost" # arguments: wait time, sleep time, shell command # returns 0 if the shell command get output, 1 otherwise. diff --git a/hack/make-rules/test-cmd.sh b/hack/make-rules/test-cmd.sh index b48d21782f60d..3a9e09b764a8a 100755 --- a/hack/make-rules/test-cmd.sh +++ b/hack/make-rules/test-cmd.sh @@ -56,9 +56,7 @@ function run_kube_apiserver() { ENABLE_FEATURE_GATES="ServerSideApply=true" "${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \ - --insecure-bind-address="127.0.0.1" \ --bind-address="127.0.0.1" \ - --insecure-port="${API_PORT}" \ --authorization-mode="${AUTHORIZATION_MODE}" \ --secure-port="${SECURE_API_PORT}" \ --feature-gates="${ENABLE_FEATURE_GATES}" \ @@ -73,7 +71,7 @@ function run_kube_apiserver() { --token-auth-file=hack/testdata/auth-tokens.csv 1>&2 & export APISERVER_PID=$! - kube::util::wait_for_url "http://127.0.0.1:${API_PORT}/healthz" "apiserver" + kube::util::wait_for_url_with_bearer_token "https://127.0.0.1:${SECURE_API_PORT}/healthz" "admin-token" "apiserver" } # Runs run_kube_controller_manager @@ -85,11 +83,33 @@ function run_kube_controller_manager() { make -C "${KUBE_ROOT}" WHAT="cmd/kube-controller-manager" # Start controller manager + kube::log::status 'Generate kubeconfig for controller-manager' + local config + config="$(mktemp controller-manager.kubeconfig.XXXXX)" + cat < "$config" +kind: Config +users: +- name: controller-manager + user: + token: admin-token +clusters: +- cluster: + server: https://127.0.0.1:${SECURE_API_PORT} + insecure-skip-tls-verify: true + name: local +contexts: +- context: + cluster: local + user: controller-manager + name: local-context +current-context: local-context +EOF + kube::log::status "Starting controller-manager" "${KUBE_OUTPUT_HOSTBIN}/kube-controller-manager" \ --port="${CTLRMGR_PORT}" \ --kube-api-content-type="${KUBE_TEST_API_TYPE-}" \ - --master="127.0.0.1:${API_PORT}" 1>&2 & + --kubeconfig="${config}" 1>&2 & export CTLRMGR_PID=$! kube::util::wait_for_url "http://127.0.0.1:${CTLRMGR_PORT}/healthz" "controller-manager" @@ -101,7 +121,7 @@ function run_kube_controller_manager() { # Exports: # SUPPORTED_RESOURCES(Array of all resources supported by the apiserver). function create_node() { - kubectl create -f - -s "http://127.0.0.1:${API_PORT}" << __EOF__ + kubectl create -f - << __EOF__ { "kind": "Node", "apiVersion": "v1", diff --git a/hack/update-openapi-spec.sh b/hack/update-openapi-spec.sh index bf632005fe4fb..379878ed98e68 100755 --- a/hack/update-openapi-spec.sh +++ b/hack/update-openapi-spec.sh @@ -61,22 +61,22 @@ echo "dummy_token,admin,admin" > "${TMP_DIR}/tokenauth.csv" # Start kube-apiserver kube::log::status "Starting kube-apiserver" "${KUBE_OUTPUT_HOSTBIN}/kube-apiserver" \ - --insecure-bind-address="${API_HOST}" \ --bind-address="${API_HOST}" \ - --insecure-port="${API_PORT}" \ + --secure-port="${API_PORT}" \ --etcd-servers="http://${ETCD_HOST}:${ETCD_PORT}" \ --advertise-address="10.10.10.10" \ --cert-dir="${TMP_DIR}/certs" \ --runtime-config="api/all=true" \ --token-auth-file="${TMP_DIR}/tokenauth.csv" \ - --service-account-issuer="https://kubernetes.devault.svc/" \ + --authorization-mode=RBAC \ + --service-account-issuer="https://kubernetes.default.svc/" \ --service-account-signing-key-file="${KUBE_ROOT}/staging/src/k8s.io/client-go/util/cert/testdata/dontUseThisKey.pem" \ --logtostderr \ --v=2 \ --service-cluster-ip-range="10.0.0.0/24" >"${API_LOGFILE}" 2>&1 & APISERVER_PID=$! -if ! kube::util::wait_for_url "${API_HOST}:${API_PORT}/healthz" "apiserver: "; then +if ! kube::util::wait_for_url "https://${API_HOST}:${API_PORT}/healthz" "apiserver: "; then kube::log::error "Here are the last 10 lines from kube-apiserver (${API_LOGFILE})" kube::log::error "=== BEGIN OF LOG ===" tail -10 "${API_LOGFILE}" >&2 || : @@ -86,7 +86,7 @@ fi kube::log::status "Updating " "${OPENAPI_ROOT_DIR}" -curl -w "\n" -fs "${API_HOST}:${API_PORT}/openapi/v2" | jq -S '.info.version="unversioned"' > "${OPENAPI_ROOT_DIR}/swagger.json" +curl -w "\n" -kfs --oauth2-bearer dummy_token "https://${API_HOST}:${API_PORT}/openapi/v2" | jq -S '.info.version="unversioned"' > "${OPENAPI_ROOT_DIR}/swagger.json" kube::log::status "SUCCESS" diff --git a/test/cmd/authorization.sh b/test/cmd/authorization.sh index 1167b9016791a..bd75ea9504086 100755 --- a/test/cmd/authorization.sh +++ b/test/cmd/authorization.sh @@ -30,7 +30,7 @@ run_authorization_tests() { kubectl create -f test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json --validate=false SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json" - curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1beta1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}" + curl -kfsS -H "Content-Type:" --oauth2-bearer admin-token "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1beta1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1beta1.json > "${SAR_RESULT_FILE}" if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")" else @@ -40,7 +40,7 @@ run_authorization_tests() { rm "${SAR_RESULT_FILE}" SAR_RESULT_FILE="${KUBE_TEMP}/sar-result.json" - curl -k -H "Content-Type:" http://localhost:8080/apis/authorization.k8s.io/v1/subjectaccessreviews -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}" + curl -kfsS -H "Content-Type:" --oauth2-bearer admin-token "https://localhost:${SECURE_API_PORT}/apis/authorization.k8s.io/v1/subjectaccessreviews" -XPOST -d @test/fixtures/pkg/kubectl/cmd/create/sar-v1.json > "${SAR_RESULT_FILE}" if grep -q '"allowed": true' "${SAR_RESULT_FILE}"; then kube::log::status "\"authorization.k8s.io/subjectaccessreviews\" returns as expected: $(cat "${SAR_RESULT_FILE}")" else diff --git a/test/cmd/discovery.sh b/test/cmd/discovery.sh index 3e909f2b9e30e..014bb6a9908ca 100755 --- a/test/cmd/discovery.sh +++ b/test/cmd/discovery.sh @@ -120,7 +120,7 @@ run_swagger_tests() { # Verify schema file="${KUBE_TEMP}/schema.json" - curl -s "http://127.0.0.1:${API_PORT}/openapi/v2" > "${file}" + curl -kfs --oauth2-bearer admin-token "https://127.0.0.1:${SECURE_API_PORT}/openapi/v2" > "${file}" grep -q "list of returned" "${file}" grep -q "List of services" "${file}" grep -q "Watch for changes to the described resources" "${file}" diff --git a/test/cmd/legacy-script.sh b/test/cmd/legacy-script.sh index 1a692f56b0f95..9a63be7a51119 100755 --- a/test/cmd/legacy-script.sh +++ b/test/cmd/legacy-script.sh @@ -59,7 +59,6 @@ source "${KUBE_ROOT}/test/cmd/wait.sh" ETCD_HOST=${ETCD_HOST:-127.0.0.1} ETCD_PORT=${ETCD_PORT:-2379} -API_PORT=${API_PORT:-8080} SECURE_API_PORT=${SECURE_API_PORT:-6443} API_HOST=${API_HOST:-127.0.0.1} KUBELET_HEALTHZ_PORT=${KUBELET_HEALTHZ_PORT:-10248} @@ -307,10 +306,12 @@ setup() { # TODO: we need to note down the current default namespace and set back to this # namespace after the tests are done. - kubectl config view CONTEXT="test" - kubectl config set-context "${CONTEXT}" + kubectl config set-credentials test-admin --token admin-token + kubectl config set-cluster local --insecure-skip-tls-verify --server "https://127.0.0.1:${SECURE_API_PORT}" + kubectl config set-context "${CONTEXT}" --user test-admin --cluster local kubectl config use-context "${CONTEXT}" + kubectl config view kube::log::status "Setup complete" } @@ -339,13 +340,9 @@ runTests() { kubectl config set-context "${CONTEXT}" --namespace="${ns_name}" } - kube_flags=( - '-s' "http://127.0.0.1:${API_PORT}" - ) + kube_flags=( '-s' "https://127.0.0.1:${SECURE_API_PORT}" '--insecure-skip-tls-verify' ) - kube_flags_without_token=( - '-s' "https://127.0.0.1:${SECURE_API_PORT}" '--insecure-skip-tls-verify=true' - ) + kube_flags_without_token=( "${kube_flags[@]}" ) # token defined in hack/testdata/auth-tokens.csv kube_flags_with_token=( "${kube_flags_without_token[@]}" '--token=admin-token' ) diff --git a/test/e2e_node/services/apiserver.go b/test/e2e_node/services/apiserver.go index 906f0aa19f53e..1887943786910 100644 --- a/test/e2e_node/services/apiserver.go +++ b/test/e2e_node/services/apiserver.go @@ -55,8 +55,6 @@ func (a *APIServer) Start() error { return err } o.SecureServing.BindAddress = net.ParseIP("127.0.0.1") - // Disable insecure serving - o.InsecureServing.BindPort = 0 o.ServiceClusterIPRanges = ipnet.String() o.AllowPrivileged = true if err := generateTokenFile(tokenFilePath); err != nil { diff --git a/test/integration/etcd/server.go b/test/integration/etcd/server.go index 783a33c50bcb2..9d4fd38d634f2 100644 --- a/test/integration/etcd/server.go +++ b/test/integration/etcd/server.go @@ -71,7 +71,6 @@ func StartRealMasterOrDie(t *testing.T, configFuncs ...func(*options.ServerRunOp } kubeAPIServerOptions := options.NewServerRunOptions() - kubeAPIServerOptions.InsecureServing.BindPort = 0 kubeAPIServerOptions.SecureServing.Listener = listener kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir kubeAPIServerOptions.Etcd.StorageConfig.Transport.ServerList = []string{framework.GetEtcdURL()} diff --git a/test/integration/framework/test_server.go b/test/integration/framework/test_server.go index 6e97561073862..42d75a18e10d0 100644 --- a/test/integration/framework/test_server.go +++ b/test/integration/framework/test_server.go @@ -90,7 +90,6 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup kubeAPIServerOptions.SecureServing.Listener = listener kubeAPIServerOptions.SecureServing.BindAddress = net.ParseIP("127.0.0.1") kubeAPIServerOptions.SecureServing.ServerCert.CertDirectory = certDir - kubeAPIServerOptions.InsecureServing.BindPort = 0 kubeAPIServerOptions.Etcd.StorageConfig.Prefix = path.Join("/", uuid.New().String(), "registry") kubeAPIServerOptions.Etcd.StorageConfig.Transport.ServerList = []string{GetEtcdURL()} kubeAPIServerOptions.ServiceClusterIPRanges = defaultServiceClusterIPRange.String() @@ -114,7 +113,7 @@ func StartTestServer(t *testing.T, stopCh <-chan struct{}, setup TestServerSetup if err != nil { t.Fatal(err) } - kubeAPIServerConfig, _, _, _, err := app.CreateKubeAPIServerConfig(completedOptions, tunneler, proxyTransport) + kubeAPIServerConfig, _, _, err := app.CreateKubeAPIServerConfig(completedOptions, tunneler, proxyTransport) if err != nil { t.Fatal(err) }