Make localkube serve securely.

4f712bf3 · Dan Lorenc · d59e054f · 4f712bf3 · 4f712bf3
隐藏空白更改
内联并排

Showing with 16 addition and 3 deletion

pkg/localkube/apiserver.go pkg/localkube/apiserver.go +14 -3

pkg/localkube/controller-manager.go pkg/localkube/controller-manager.go +2 -0

未找到文件。
--- a/pkg/localkube/apiserver.go
+++ b/pkg/localkube/apiserver.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"path/filepath"
 	"strings"
 	"time"

@@ -29,9 +30,12 @@ import (
 )

 const (
-	APIServerName = "apiserver"
-	APIServerHost = "0.0.0.0"
-	APIServerPort = 8080
+	APIServerName       = "apiserver"
+	APIServerHost       = "127.0.0.1"
+	APIServerPort       = 8080
+	APIServerSecureHost = "0.0.0.0"
+	APIServerSecurePort = 443
+	certPath            = "/srv/kubernetes/certs/"
 )

 var (
@@ -62,9 +66,16 @@ func StartAPIServer() {
 	config := options.NewAPIServer()

 	// use host/port from vars
+	config.BindAddress = net.ParseIP(APIServerSecureHost)
+	config.SecurePort = APIServerSecurePort
 	config.InsecureBindAddress = net.ParseIP(APIServerHost)
 	config.InsecurePort = APIServerPort

+	config.ClientCAFile = filepath.Join(certPath, "ca.crt")
+	config.TLSCertFile = filepath.Join(certPath, "kubernetes-master.crt")
+	config.TLSPrivateKeyFile = filepath.Join(certPath, "kubernetes-master.key")
+	config.AdmissionControl = "NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
+
 	// use localkube etcd
 	config.EtcdConfig = etcdstorage.EtcdConfig{
 		ServerList: KubeEtcdClientURLs,

--- a/pkg/localkube/controller-manager.go
+++ b/pkg/localkube/controller-manager.go
@@ -18,6 +18,7 @@ package localkube

 import (
 	"os"
+	"path/filepath"
 	"time"

 	controllerManager "k8s.io/kubernetes/cmd/kube-controller-manager/app"
@@ -50,6 +51,7 @@ func StartControllerManagerServer() {
 	config.DeletingPodsQps = 0.1
 	config.DeletingPodsBurst = 10
 	config.EnableProfiling = true
+	config.ServiceAccountKeyFile = filepath.Join(certPath, "kubernetes-master.key")

 	fn := func() error {
 		return controllerManager.Run(config)