From bc5aa94d8d18b13946b2b5181beff74387133a7b Mon Sep 17 00:00:00 2001
From: Patrick Ohly <patrick.ohly@intel.com>
Date: Tue, 1 Jul 2025 15:54:44 +0200
Subject: [PATCH] local-up-cluster.sh: allow configuring all ports

Some ports (apiserver, one kubelet port) were already configurable.
Several others were not.

Primarily this is done to document the ports which are in used by the different
components.
---
 hack/local-up-cluster.sh | 51 ++++++++++++++++++++++++++++------------
 1 file changed, 36 insertions(+), 15 deletions(-)

diff --git a/hack/local-up-cluster.sh b/hack/local-up-cluster.sh
index 62ec947fe97..c14888b5b88 100755
--- a/hack/local-up-cluster.sh
+++ b/hack/local-up-cluster.sh
@@ -244,24 +244,32 @@ if (( KUBE_VERBOSE >= 2 )); then
   set -x
 fi
 
+# Ports opened by the different components.
+# They must be available on the API_BIND_ADDR (same for all components for the sake of simplicity).
+# Sorted by default port number!
 API_PORT=${API_PORT:-0}
 API_SECURE_PORT=${API_SECURE_PORT:-6443}
-
-# WARNING: For DNS to work on most setups you should export API_HOST as the docker0 ip address,
-API_HOST=${API_HOST:-localhost}
-API_HOST_IP=${API_HOST_IP:-"127.0.0.1"}
-ADVERTISE_ADDRESS=${ADVERTISE_ADDRESS:-""}
-NODE_PORT_RANGE=${NODE_PORT_RANGE:-""}
-API_BIND_ADDR=${API_BIND_ADDR:-"0.0.0.0"}
-EXTERNAL_HOSTNAME=${EXTERNAL_HOSTNAME:-localhost}
-
-KUBELET_HOST=${KUBELET_HOST:-"127.0.0.1"}
-KUBELET_RESOLV_CONF=${KUBELET_RESOLV_CONF:-"/etc/resolv.conf"}
-# By default only allow CORS for requests on localhost
-API_CORS_ALLOWED_ORIGINS=${API_CORS_ALLOWED_ORIGINS:-//127.0.0.1(:[0-9]+)?$,//localhost(:[0-9]+)?$}
+KUBELET_HEALTHZ_PORT=${KUBELET_HEALTHZ_PORT:-10248}
+PROXY_METRICS_PORT=${PROXY_METRICS_PORT:-10249}
 KUBELET_PORT=${KUBELET_PORT:-10250}
 # By default we use 0(close it) for it's insecure
 KUBELET_READ_ONLY_PORT=${KUBELET_READ_ONLY_PORT:-0}
+PROXY_HEALTHZ_PORT=${PROXY_HEALTHZ_PORT:-10256}
+KCM_SECURE_PORT=${KCM_SECURE_PORT:-10257}
+SCHEDULER_SECURE_PORT=${SCHEDULER_SECURE_PORT:-10259}
+
+# WARNING: For DNS to work on most setups you should export API_HOST as the docker0 ip address,
+API_HOST=${API_HOST:-localhost}
+API_HOST_IP=${API_HOST_IP:-"127.0.0.1"} # Used for all components, except kubelet.
+KUBELET_HOST=${KUBELET_HOST:-"127.0.0.1"} # Also the bind address.
+ADVERTISE_ADDRESS=${ADVERTISE_ADDRESS:-""}
+NODE_PORT_RANGE=${NODE_PORT_RANGE:-""}
+API_BIND_ADDR=${API_BIND_ADDR:-"0.0.0.0"} # Used for all components, except kubelet.
+EXTERNAL_HOSTNAME=${EXTERNAL_HOSTNAME:-localhost}
+
+KUBELET_RESOLV_CONF=${KUBELET_RESOLV_CONF:-"/etc/resolv.conf"}
+# By default only allow CORS for requests on localhost
+API_CORS_ALLOWED_ORIGINS=${API_CORS_ALLOWED_ORIGINS:-//127.0.0.1(:[0-9]+)?$,//localhost(:[0-9]+)?$}
 LOG_LEVEL=${LOG_LEVEL:-3}
 # Use to increase verbosity on particular files, e.g. LOG_SPEC=token_controller*=5,other_controller*=4
 LOG_SPEC=${LOG_SPEC:-""}
@@ -632,6 +640,8 @@ EOF
       --client-ca-file="${CERT_DIR}/client-ca.crt" \
       --kubelet-client-certificate="${CERT_DIR}/client-kube-apiserver.crt" \
       --kubelet-client-key="${CERT_DIR}/client-kube-apiserver.key" \
+      --kubelet-port="${KUBELET_PORT}" \
+      --kubelet-read-only-port="${KUBELET_READ_ONLY_PORT}" \
       --service-account-key-file="${SERVICE_ACCOUNT_KEY}" \
       --service-account-lookup="${SERVICE_ACCOUNT_LOOKUP}" \
       --service-account-issuer="https://kubernetes.default.svc" \
@@ -719,7 +729,9 @@ function start_controller_manager {
       --controllers="${KUBE_CONTROLLERS}" \
       --leader-elect="${LEADER_ELECT}" \
       --cert-dir="${CERT_DIR}" \
-      --master="https://${API_HOST}:${API_SECURE_PORT}" >"${CTLRMGR_LOG}" 2>&1 &
+      --secure-port="${KCM_SECURE_PORT}" \
+      --bind-address="${API_BIND_ADDR}" \
+      --master="https://${API_HOST}:${API_SECURE_PORT}" &
     CTLRMGR_PID=$!
 }
 
@@ -891,6 +903,8 @@ evictionPressureTransitionPeriod: "${EVICTION_PRESSURE_TRANSITION_PERIOD}"
 failSwapOn: ${FAIL_SWAP_ON}
 port: ${KUBELET_PORT}
 readOnlyPort: ${KUBELET_READ_ONLY_PORT}
+healthzPort: ${KUBELET_HEALTHZ_PORT}
+healthzBindAddress: ${KUBELET_HOST}
 rotateCertificates: true
 runtimeRequestTimeout: "${RUNTIME_REQUEST_TIMEOUT}"
 staticPodPath: "${POD_MANIFEST_PATH}"
@@ -1031,11 +1045,18 @@ EOF
         generate_kubeproxy_certs
     fi
 
+    # Including the port in the bind addresses mirrors the defaults.
+    # Probably not necessary...
+    #
     # shellcheck disable=SC2024
     sudo "${GO_OUT}/kube-proxy" \
       --v="${LOG_LEVEL}" \
       --config="${TMP_DIR}"/kube-proxy.yaml \
-      --master="https://${API_HOST}:${API_SECURE_PORT}" >"${PROXY_LOG}" 2>&1 &
+      --healthz-port="${PROXY_HEALTHZ_PORT}" \
+      --healthz-bind-address="${API_BIND_ADDR}:${PROXY_HEALTHZ_PORT}" \
+      --metrics-port="${PROXY_METRICS_PORT}" \
+      --metrics-bind-address="${API_BIND_ADDR}:${PROXY_METRICS_PORT}" \
+      --master="https://${API_HOST}:${API_SECURE_PORT}" &
     PROXY_PID=$!
 }