Automatic merge from submit-queue
Verify if Secure and InsecurePort are equal for apiserver
If we specify the kube-apiserver flags `--secure-port` and `--insecure-port` with the same port, the server will print the below error info repeatedly. In fact, it's meaningless to do this. It should verify if the two flags are equal. If so, the server should give error info and exit directly.
```
root@vm:~# [restful] 2016/08/01 13:11:52 log.go:30: [restful/swagger] listing is available at https://172.16.1.11:8888/swaggerapi/
[restful] 2016/08/01 13:11:52 log.go:30: [restful/swagger] https://172.16.1.11:8888/swaggerui/ is mapped to folder /swagger-ui/
E0801 13:11:53.102232 2481 genericapiserver.go:733] Unable to listen for secure (listen tcp 0.0.0.0:8888: bind: address already in use); will try again.
E0801 13:12:08.116463 2481 genericapiserver.go:733] Unable to listen for secure (listen tcp 0.0.0.0:8888: bind: address already in use); will try again.
```
After fixing, the print is like this:
```
root@vm:~# F0801 11:51:44.308180 1921 genericapiserver.go:599] --secure-port and --insecure-port cannot use the same port.
goroutine 1 [running]:
k8s.io/kubernetes/vendor/github.com/golang/glog.stacks(0x4871d00, 0x0, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:766 +0xb8
k8s.io/kubernetes/vendor/github.com/golang/glog.(*loggingT).output(0x48517c0, 0xc800000003, 0xc820368000, 0x470aeab, 0x13, 0x257, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:717 +0x259
k8s.io/kubernetes/vendor/github.com/golang/glog.(*loggingT).printf(0x48517c0, 0xc800000003, 0x3518280, 0x3b, 0x0, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:655 +0x1d4
k8s.io/kubernetes/vendor/github.com/golang/glog.Fatalf(0x3518280, 0x3b, 0x0, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/vendor/github.com/golang/glog/glog.go:1145 +0x5d
k8s.io/kubernetes/pkg/genericapiserver.verifySecureAndInsecurePort(0xc820132800)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:599 +0xad
k8s.io/kubernetes/pkg/genericapiserver.ValidateRunOptions(0xc820132800)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:607 +0x4b
k8s.io/kubernetes/pkg/genericapiserver.DefaultAndValidateRunOptions(0xc820132800)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/pkg/genericapiserver/genericapiserver.go:611 +0x4e
k8s.io/kubernetes/cmd/kube-apiserver/app.Run(0xc8202c9560, 0x0, 0x0)
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/cmd/kube-apiserver/app/server.go:84 +0x8e
main.main()
/home/paas/zxp/code/k8s/fork/kubernetes/_output/local/go/src/k8s.io/kubernetes/cmd/kube-apiserver/apiserver.go:48 +0x111
[2]+ Exit 255
```
This will fix the same issue of federation-apiserver.
cc @lavalamp @quinton-hoole
Automatic merge from submit-queue
add DefaultServiceNodePortRange const
The PR add DefaultServiceNodePortRange const in server_run_options.go, and use it in genericapiserver.go and server_run_options.go.
Automatic merge from submit-queue
Refactoring runner resource container linedelimiter to it's own pkg
Continuing my work ref #15634
Anyone is ok to review this fix.
Automatic merge from submit-queue
Modify wrong description about "InsecurePort" in genericapiserver.go
Modify wrong description about "InsecurePort" in genericapiserver.go, avoid misleading.
Automatic merge from submit-queue
Improve fatal error description for init in genericapiserver.go
When api.NewRequestContextFilter return error in the "init" function of genericapiserver.go, there are no handler info, add more information to indicate s.Handler or s.InsecureHandler, I suggest.
Automatic merge from submit-queue
Setting TLS1.2 minimum because TLS1.0 and TLS1.1 are vulnerable
TLS1.0 is known as vulnerable since it can be downgraded to SSL
https://blog.varonis.com/ssl-and-tls-1-0-no-longer-acceptable-for-pci-compliance/
TLS1.1 can be vulnerable if cipher RC4-SHA is used, and in Kubernetes it is, you can check it with
`
openssl s_client -cipher RC4-SHA -connect apiserver.k8s.example.com:443
`
https://www.globalsign.com/en/blog/poodle-vulnerability-expands-beyond-sslv3-to-tls/
Test suites like Qualys are reporting this Kubernetes issue as a level 3 vulnerability, they recommend to upgrade to TLS1.2 that is not affected, quoting Qualys:
`
RC4 should not be used where possible. One reason that RC4 was still being used was BEAST and Lucky13 attacks against CBC mode ciphers in
SSL and
TLS. However, TLSv 1.2 or later address these issues.
`
A few months ago we refactored options to keep it independent of the
implementations, so that it could be used in CLI tools to validate
config or to generate config, without pulling in the full dependency
tree of the master. This change restores that by separating
server_run_options.go back to its own package.
Also, options structs should never contain non-serializable types, which
storagebackend.Config was doing with runtime.Codec. Split the codec out.
Fix a typo on the name of the etcd2.go storage backend.
Finally, move DefaultStorageMediaType to server_run_options.
Automatic merge from submit-queue
enable resource name and service account cases for impersonation
Adds the resource name check since that attribute was added for authorization. Also adds a check against a separate resource for service accounts. Allowing impersonation of service accounts to use a different resource check places control of impersonation with the same users to have the power to get the SA tokens directly.
@kubernetes/kube-iam
@sgallagher FYI
Add tests to watch behavior in both protocols (http and websocket)
against all 3 media types. Adopt the
`application/vnd.kubernetes.protobuf;stream=watch` media type for the
content that comes back from a watch call so that it can be
distinguished from a Status result.
Automatic merge from submit-queue
Make etcd cache size configurable
Instead of the prior 50K limit, allow users to specify a more sensible size for their cluster.
I'm not sure what a sensible default is here. I'm still experimenting on my own clusters. 50 gives me a 270MB max footprint. 50K caused my apiserver to run out of memory as it exceeded >2GB. I believe that number is far too large for most people's use cases.
There are some other fundamental issues that I'm not addressing here:
- Old etcd items are cached and potentially never removed (it stores using modifiedIndex, and doesn't remove the old object when it gets updated)
- Cache isn't LRU, so there's no guarantee the cache remains hot. This makes its performance difficult to predict. More of an issue with a smaller cache size.
- 1.2 etcd entries seem to have a larger memory footprint (I never had an issue in 1.1, even though this cache existed there). I suspect that's due to image lists on the node status.
This is provided as a fix for #23323
Automatic merge from submit-queue
genericapiserver: Moving InstallSwaggerAPI to Run
Ref https://github.com/kubernetes/kubernetes/pull/21190#discussion_r57494673
Moving InstallSwaggerAPI() from InstallAPIGroups() to Run(). This allows the use of InstallAPIGroups() multiple times or using InstallAPIGroup() directly.
cc @jianhuiz @kubernetes/sig-api-machinery
This allows subresources which belong to different API groups than
their parents to be registered in the APIInstaller and REST handlers
installed for them. The specific changes that makes this possible
are:
1. Allow subresource overrides to be specified while registering an
API group.
2. Use those overrides in the APIInstaller while validating the
resource/subresource group version to allow subresources which
belong to a different group to be registered if they have an
override specified.
3. Use the RESTMapper supplied in the override to map the REST paths
to the correct subresource storage object, i.e. correct group
version kinds.
Pass down into the server initialization the necessary interface for
handling client/server content type negotiation. Add integration tests
for the negotiation.
A NegotiatedSerializer is passed into the API installer (and
ParameterCodec, which abstracts conversion of query params) that can be
used to negotiate client/server request/response serialization. All
error paths are now negotiation aware, and are at least minimally
version aware.
Watch is specially coded to only allow application/json - a follow up
change will convert it to use negotiation.
Ensure the swagger scheme will include supported serializations - this
now includes application/yaml as a negotiated option.
