From 767ebf8b9e850075fc6e715413432c31a5a3412e Mon Sep 17 00:00:00 2001
From: Maru Newby
Date: Tue, 18 Apr 2017 15:37:19 -0700
Subject: [PATCH] kubefed: Set apiserver pod to bind securely to 8443 instead of 443

On platforms like OpenShift that don't run containers as root by default, binding to ports < 1000 is not permitted. Having the apiserver bind to a high port means it can run with reduced privileges. The service will still expose the apiserver on 443, so this change shouldn't impact clients of the federation api.
---
 federation/pkg/kubefed/init/BUILD | 2 ++
 federation/pkg/kubefed/init/init.go | 20 ++++++++++++++------
 federation/pkg/kubefed/init/init_test.go | 14 ++++++++------
 3 files changed, 24 insertions(+), 12 deletions(-)

diff --git a/federation/pkg/kubefed/init/BUILD b/federation/pkg/kubefed/init/BUILD
index 74568a96a01e..3080c0e09a1b 100644
--- a/federation/pkg/kubefed/init/BUILD
+++ b/federation/pkg/kubefed/init/BUILD
@@ -28,6 +28,7 @@ go_library(
         "//vendor/github.com/spf13/pflag:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/uuid:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/wait:go_default_library",
         "//vendor/k8s.io/client-go/tools/clientcmd:go_default_library",
@@ -60,6 +61,7 @@ go_test(
         "//vendor/k8s.io/apimachinery/pkg/api/resource:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/diff:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//vendor/k8s.io/client-go/dynamic:go_default_library",
         "//vendor/k8s.io/client-go/rest/fake:go_default_library",
diff --git a/federation/pkg/kubefed/init/init.go b/federation/pkg/kubefed/init/init.go
index 80216f98081f..e08c9c14ef4a 100644
--- a/federation/pkg/kubefed/init/init.go
+++ b/federation/pkg/kubefed/init/init.go
@@ -33,6 +33,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/uuid"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/clientcmd"
@@ -83,6 +84,12 @@ const (
 	apiserverAdvertiseAddressFlag = "api-server-advertise-address"
 	dnsProviderSecretName         = "federation-dns-provider.conf"
+
+	apiServerSecurePortName = "https"
+	// Set the secure port to 8443 to avoid requiring root privileges
+	// to bind to port < 1000. The apiserver's service will still
+	// expose on port 443.
+	apiServerSecurePort = 8443
 )
 
 var (
@@ -429,9 +436,10 @@ func createService(clientset client.Interface, namespace, svcName, federationNam
 			Selector: apiserverSvcSelector,
 			Ports: []api.ServicePort{
 				{
-					Name:     "https",
-					Protocol: "TCP",
-					Port:     443,
+					Name:       "https",
+					Protocol:   "TCP",
+					Port:       443,
+					TargetPort: intstr.FromString(apiServerSecurePortName),
 				},
 			},
 		},
@@ -651,7 +659,7 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
 	argsMap := map[string]string{
 		"--bind-address": "0.0.0.0",
 		"--etcd-servers": "http://localhost:2379",
-		"--secure-port": "443",
+		"--secure-port": fmt.Sprintf("%d", apiServerSecurePort),
 		"--client-ca-file": "/etc/federation/apiserver/ca.crt",
 		"--tls-cert-file": "/etc/federation/apiserver/server.crt",
 		"--tls-private-key-file": "/etc/federation/apiserver/server.key",
@@ -694,8 +702,8 @@ func createAPIServer(clientset client.Interface, namespace, name, federationName
 			Command: command,
 			Ports: []api.ContainerPort{
 				{
-					Name:          "https",
-					ContainerPort: 443,
+					Name:          apiServerSecurePortName,
+					ContainerPort: apiServerSecurePort,
 				},
 				{
 					Name: "local",
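Review bot: The new comment on `apiServerSecurePort` gives the privileged-port boundary as `< 1000`, but the Linux restriction it is working around (root or CAP_NET_BIND_SERVICE required) applies to ports below 1024, so the rationale reads better as `// Set the secure port to 8443 so the apiserver container does not need root (or CAP_NET_BIND_SERVICE) to bind a port below 1024. The Service still exposes 443 and resolves its targetPort by this port's name.` The comment should also record that `apiServerSecurePortName` is the name the Service's `TargetPort` in createService resolves against, so the two constants cannot be renamed independently. Anything else in the pod spec that addressed the container on 443 directly, such as a probe, would also have to move to this constant; none is visible in this diff, so this is only something to confirm.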
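Review bot: `fmt.Sprintf("%d", apiServerSecurePort)` in the argsMap is a plain integer-to-string conversion, which Go idiom writes as `strconv.Itoa(apiServerSecurePort)` — no format string to parse and no boxing of the argument into `any`. The same applies to the test's `fmt.Sprintf("--secure-port=%d", apiServerSecurePort)` in init_test.go, which would read `"--secure-port=" + strconv.Itoa(apiServerSecurePort)`. Whether `strconv` is already imported in init.go is not visible from the import hunk shown, so if it is not, the `fmt` form is acceptable as written. createAPIServer's body starts and continues outside this hunk.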
diff --git a/federation/pkg/kubefed/init/init_test.go b/federation/pkg/kubefed/init/init_test.go
index 64894360d7b1..d92055012f91 100644
--- a/federation/pkg/kubefed/init/init_test.go
+++ b/federation/pkg/kubefed/init/init_test.go
@@ -38,6 +38,7 @@ import (
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/diff"
+	"k8s.io/apimachinery/pkg/util/intstr"
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/dynamic"
 	"k8s.io/client-go/rest/fake"
@@ -645,9 +646,10 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 			Selector: apiserverSvcSelector,
 			Ports: []v1.ServicePort{
 				{
-					Name:     "https",
-					Protocol: "TCP",
-					Port:     443,
+					Name:       "https",
+					Protocol:   "TCP",
+					Port:       443,
+					TargetPort: intstr.FromString(apiServerSecurePortName),
 				},
 			},
 		},
@@ -836,7 +838,7 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 	apiserverArgs := []string{
 		"--bind-address=0.0.0.0",
 		"--etcd-servers=http://localhost:2379",
-		"--secure-port=443",
+		fmt.Sprintf("--secure-port=%d", apiServerSecurePort),
 		"--tls-cert-file=/etc/federation/apiserver/server.crt",
 		"--tls-private-key-file=/etc/federation/apiserver/server.key",
 		"--admission-control=NamespaceLifecycle",
@@ -887,8 +889,8 @@ func fakeInitHostFactory(apiserverServiceType v1.ServiceType, federationName, na
 			Command: apiserverCommand,
 			Ports: []v1.ContainerPort{
 				{
-					Name:          "https",
-					ContainerPort: 443,
+					Name:          apiServerSecurePortName,
+					ContainerPort: apiServerSecurePort,
 				},
 				{
 					Name: "local",