kubeadm: Turn off insecure apiserver access on localhost:8080

cmd/kubeadm/app/master/manifests.go

@@ -74,7 +74,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 			Image:         images.GetCoreImage(images.KubeAPIServerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 			Command:       getAPIServerCommand(cfg, false),
 			VolumeMounts:  volumeMounts,
-			LivenessProbe: componentProbe(8080, "/healthz"),
+			LivenessProbe: componentProbe(6443, "/healthz", api.URISchemeHTTPS),
 			Resources:     componentResources("250m"),
 			Env:           getProxyEnvVars(),
 		}, volumes...),
@@ -83,7 +83,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 			Image:         images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 			Command:       getControllerManagerCommand(cfg, false),
 			VolumeMounts:  volumeMounts,
-			LivenessProbe: componentProbe(10252, "/healthz"),
+			LivenessProbe: componentProbe(10252, "/healthz", api.URISchemeHTTP),
 			Resources:     componentResources("200m"),
 			Env:           getProxyEnvVars(),
 		}, volumes...),
@@ -92,7 +92,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 			Image:         images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 			Command:       getSchedulerCommand(cfg, false),
 			VolumeMounts:  []api.VolumeMount{k8sVolumeMount()},
-			LivenessProbe: componentProbe(10251, "/healthz"),
+			LivenessProbe: componentProbe(10251, "/healthz", api.URISchemeHTTP),
 			Resources:     componentResources("100m"),
 			Env:           getProxyEnvVars(),
 		}, k8sVolume(cfg)),
@@ -110,7 +110,7 @@ func WriteStaticPodManifests(cfg *kubeadmapi.MasterConfiguration) error {
 			},
 			VolumeMounts:  []api.VolumeMount{certsVolumeMount(), etcdVolumeMount(), k8sVolumeMount()},
 			Image:         images.GetCoreImage(images.KubeEtcdImage, cfg, kubeadmapi.GlobalEnvParams.EtcdImage),
-			LivenessProbe: componentProbe(2379, "/health"),
+			LivenessProbe: componentProbe(2379, "/health", api.URISchemeHTTP),
 		}, certsVolume(cfg), etcdVolume(cfg), k8sVolume(cfg))
 
 		etcdPod.Spec.SecurityContext = &api.PodSecurityContext{
@@ -249,13 +249,14 @@ func componentResources(cpu string) api.ResourceRequirements {
 	}
 }
 
-func componentProbe(port int, path string) *api.Probe {
+func componentProbe(port int, path string, scheme api.URIScheme) *api.Probe {
 	return &api.Probe{
 		Handler: api.Handler{
 			HTTPGet: &api.HTTPGetAction{
 				Host:   "127.0.0.1",
 				Path:   path,
 				Port:   intstr.FromInt(port),
+				Scheme: scheme,
 			},
 		},
 		InitialDelaySeconds: 15,
@@ -304,7 +305,7 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 	}
 
 	defaultArguments := map[string]string{
-		"insecure-bind-address":           "127.0.0.1",
+		"insecure-port":                   "0",
 		"admission-control":               kubeadmconstants.DefaultAdmissionControl,
 		"service-cluster-ip-range":        cfg.Networking.ServiceSubnet,
 		"service-account-key-file":        getCertFilePath(kubeadmconstants.ServiceAccountPublicKeyName),
@@ -318,7 +319,6 @@ func getAPIServerCommand(cfg *kubeadmapi.MasterConfiguration, selfHosted bool) [
 		"allow-privileged":                "true",
 		"storage-backend":                 "etcd3",
 		"kubelet-preferred-address-types": "InternalIP,ExternalIP,Hostname",
-
 		// add options to configure the front proxy.  Without the generated client cert, this will never be useable
 		// so add it unconditionally with recommended values
 		"requestheader-username-headers":     "X-Remote-User",

cmd/kubeadm/app/master/manifests_test.go

@@ -282,14 +282,21 @@ func TestComponentProbe(t *testing.T) {
 	var tests = []struct {
 		port   int
 		path   string
+		scheme api.URIScheme
 	}{
 		{
 			port:   1,
 			path:   "foo",
+			scheme: api.URISchemeHTTP,
+		},
+		{
+			port:   2,
+			path:   "bar",
+			scheme: api.URISchemeHTTPS,
 		},
 	}
 	for _, rt := range tests {
-		actual := componentProbe(rt.port, rt.path)
+		actual := componentProbe(rt.port, rt.path, rt.scheme)
 		if actual.Handler.HTTPGet.Port != intstr.FromInt(rt.port) {
 			t.Errorf(
 				"failed componentProbe:\n\texpected: %v\n\t  actual: %v",
@@ -304,6 +311,13 @@ func TestComponentProbe(t *testing.T) {
 				actual.Handler.HTTPGet.Path,
 			)
 		}
+		if actual.Handler.HTTPGet.Scheme != rt.scheme {
+			t.Errorf(
+				"failed componentProbe:\n\texpected: %v\n\t  actual: %v",
+				rt.scheme,
+				actual.Handler.HTTPGet.Scheme,
+			)
+		}
 	}
 }
 
@@ -371,7 +385,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 			},
 			expected: []string{
 				"kube-apiserver",
-				"--insecure-bind-address=127.0.0.1",
+				"--insecure-port=0",
 				"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 				"--service-cluster-ip-range=bar",
 				"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@@ -401,7 +415,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 			},
 			expected: []string{
 				"kube-apiserver",
-				"--insecure-bind-address=127.0.0.1",
+				"--insecure-port=0",
 				"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 				"--service-cluster-ip-range=bar",
 				"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",
@@ -433,7 +447,7 @@ func TestGetAPIServerCommand(t *testing.T) {
 			},
 			expected: []string{
 				"kube-apiserver",
-				"--insecure-bind-address=127.0.0.1",
+				"--insecure-port=0",
 				"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds",
 				"--service-cluster-ip-range=bar",
 				"--service-account-key-file=" + kubeadmapi.GlobalEnvParams.HostPKIPath + "/sa.pub",

cmd/kubeadm/app/master/selfhosted.go

@@ -214,7 +214,7 @@ func getAPIServerDS(cfg *kubeadmapi.MasterConfiguration, volumes []v1.Volume, vo
 							Command:       getAPIServerCommand(cfg, true),
 							Env:           getSelfHostedAPIServerEnv(),
 							VolumeMounts:  volumeMounts,
-							LivenessProbe: componentProbe(8080, "/healthz"),
+							LivenessProbe: componentProbe(6443, "/healthz", v1.URISchemeHTTPS),
 							Resources:     componentResources("250m"),
 						},
 					},
@@ -264,7 +264,7 @@ func getControllerManagerDeployment(cfg *kubeadmapi.MasterConfiguration, volumes
 							Image:         images.GetCoreImage(images.KubeControllerManagerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 							Command:       getControllerManagerCommand(cfg, true),
 							VolumeMounts:  volumeMounts,
-							LivenessProbe: componentProbe(10252, "/healthz"),
+							LivenessProbe: componentProbe(10252, "/healthz", v1.URISchemeHTTP),
 							Resources:     componentResources("200m"),
 							Env:           getProxyEnvVars(),
 						},
@@ -314,7 +314,7 @@ func getSchedulerDeployment(cfg *kubeadmapi.MasterConfiguration) ext.Deployment
 							Name:          "self-hosted-" + kubeScheduler,
 							Image:         images.GetCoreImage(images.KubeSchedulerImage, cfg, kubeadmapi.GlobalEnvParams.HyperkubeImage),
 							Command:       getSchedulerCommand(cfg, true),
-							LivenessProbe: componentProbe(10251, "/healthz"),
+							LivenessProbe: componentProbe(10251, "/healthz", v1.URISchemeHTTP),
 							Resources:     componentResources("100m"),
 							Env:           getProxyEnvVars(),
 						},

cmd/kubeadm/app/preflight/checks.go

@@ -488,7 +488,6 @@ func RunInitMasterChecks(cfg *kubeadmapi.MasterConfiguration) error {
 		ServiceCheck{Service: "docker", CheckIfActive: true},
 		FirewalldCheck{ports: []int{int(cfg.API.Port), 10250}},
 		PortOpenCheck{port: int(cfg.API.Port)},
-		PortOpenCheck{port: 8080},
 		PortOpenCheck{port: 10250},
 		PortOpenCheck{port: 10251},
 		PortOpenCheck{port: 10252},