Merge pull request #1937 from chadswen/disable-api-insecure-port

Support for disabling apiserver insecure port
2026-02-01 01:28:11 -03:30 · 2017-11-08 18:13:49 -05:00
parent a3a7c2d24e 0c7e1889e4
commit f25e4dc3ed
6 changed files with 31 additions and 6 deletions
--- a/roles/kubernetes-apps/ansible/tasks/main.yml
+++ b/roles/kubernetes-apps/ansible/tasks/main.yml
@@ -1,7 +1,10 @@
 ---
 - name: Kubernetes Apps | Wait for kube-apiserver
  uri:
-    url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+    url: "{{ kube_apiserver_endpoint }}/healthz"
+    validate_certs: no
+    client_cert: "{{ kube_cert_dir }}/apiserver.pem"
+    client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
  register: result
  until: result.status == 200
  retries: 10
--- a/roles/kubernetes-apps/cluster_roles/tasks/main.yml
+++ b/roles/kubernetes-apps/cluster_roles/tasks/main.yml
@@ -1,7 +1,10 @@
 ---
 - name: Kubernetes Apps | Wait for kube-apiserver
  uri:
-    url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+    url: "{{ kube_apiserver_endpoint }}/healthz"
+    validate_certs: no
+    client_cert: "{{ kube_cert_dir }}/apiserver.pem"
+    client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
  register: result
  until: result.status == 200
  retries: 10
--- a/roles/kubernetes/master/handlers/main.yml
+++ b/roles/kubernetes/master/handlers/main.yml
@@ -39,7 +39,10 @@

 - name: Master | wait for the apiserver to be running
  uri:
-    url: "{{ kube_apiserver_insecure_endpoint }}/healthz"
+    url: "{{ kube_apiserver_endpoint }}/healthz"
+    validate_certs: no
+    client_cert: "{{ kube_cert_dir }}/apiserver.pem"
+    client_key: "{{ kube_cert_dir }}/apiserver-key.pem"
  register: result
  until: result.status == 200
  retries: 20
--- a/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
+++ b/roles/kubernetes/master/templates/manifests/kube-apiserver.manifest.j2
@@ -110,9 +110,17 @@ spec:
      httpGet:
        host: 127.0.0.1
        path: /healthz
+{% if kube_apiserver_insecure_port == 0 %}
+        port: {{ kube_apiserver_port }}
+        scheme: HTTPS
+{% else %}
        port: {{ kube_apiserver_insecure_port }}
-      initialDelaySeconds: 30
-      timeoutSeconds: 10
+{% endif %}
+      failureThreshold: 8
+      initialDelaySeconds: 15
+      periodSeconds: 10
+      successThreshold: 1
+      timeoutSeconds: 15
    volumeMounts:
    - mountPath: {{ kube_config_dir }}
      name: kubernetes-config
--- a/roles/kubernetes/preinstall/tasks/verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/verify-settings.yml
@@ -78,3 +78,9 @@
    that: ansible_swaptotal_mb == 0
  when: kubelet_fail_swap_on|default(true)
  ignore_errors: "{{ ignore_assert_errors }}"
+
+- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
+  assert:
+    that: rbac_enabled and kube_api_anonymous_auth
+  when: kube_apiserver_insecure_port == 0
+  ignore_errors: "{{ ignore_assert_errors }}"