External-Mirrors/kubespray
2
0
Fork 0
mirror of https://github.com/kubernetes-sigs/kubespray.git synced 2026-02-26 07:26:09 -03:30
Code Issues Packages Projects Releases Wiki Activity

[kubernetes] drop support for configuring insecure apiserver

Browse Source
This commit is contained in:
Calin Cristian Andrei
2022-06-14 12:57:54 +03:00
committed by Kubernetes Prow Robot
parent c2700266b0
commit 24c8ba832a
7 changed files with 0 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
roles/kubernetes/control-plane/defaults/main/main.yml
View File

@@ -2,9 +2,6 @@
# disable upgrade cluster
upgrade_cluster_setup: false
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
kube_apiserver_insecure_bind_address: 127.0.0.1
# By default the external API listens on all interfaces, this can be changed to
# listen on a specific address/interface.
# NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost

6
roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
View File

@@ -121,12 +121,6 @@ apiServer:
{% endif %}
authorization-mode: {{ authorization_modes | join(',') }}
bind-address: {{ kube_apiserver_bind_address }}
{% if kube_apiserver_insecure_port|string != "0" %}
insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
{% endif %}
{% if kube_version is version('v1.24.0','<') %}
insecure-port: "{{ kube_apiserver_insecure_port }}"
{% endif %}
{% if kube_apiserver_enable_admission_plugins|length > 0 %}
enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
{% endif %}

3
roles/kubernetes/node/defaults/main.yml
View File

@@ -1,7 +1,4 @@
---
# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
kube_apiserver_insecure_bind_address: 127.0.0.1
# advertised host IP for kubelet. This affects network plugin config. Take caution
kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}"

7
roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
View File

@@ -121,13 +121,6 @@
- cloud_provider is defined and cloud_provider == "oci"
- not ignore_assert_errors
- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
assert:
that: rbac_enabled and kube_api_anonymous_auth
when:
- kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube_control_plane']
- not ignore_assert_errors
- name: Stop if kernel version is too low
assert:
that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')

5
roles/kubespray-defaults/defaults/main.yaml
View File

@@ -233,9 +233,6 @@ kube_apiserver_bind_address: 0.0.0.0
# https
kube_apiserver_port: 6443
# http
kube_apiserver_insecure_bind_address: 127.0.0.1
kube_apiserver_insecure_port: 0
# If non-empty, will use this string as identification instead of the actual hostname
kube_override_hostname: >-
@@ -555,8 +552,6 @@ kube_apiserver_endpoint: |-
{%- else -%}
https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
{%- endif %}
kube_apiserver_insecure_endpoint: >-
http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }}
kube_apiserver_client_cert: "{{ kube_cert_dir }}/ca.crt"
kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key"