Stop using insecure serving.

Author: dlorenc

deploy/addons/addon-manager.yaml

@@ -26,6 +26,9 @@ spec:
   containers:
   - name: kube-addon-manager
     image: gcr.io/google-containers/kube-addon-manager:v6.4-beta.2
+    env:
+    - name: KUBECONFIG
+      value: /var/lib/localkube/kubeconfig
     imagePullPolicy: IfNotPresent
     resources:
       requests:
@@ -35,7 +38,13 @@ spec:
     - mountPath: /etc/kubernetes/
       name: addons
       readOnly: true
+    - mountPath: /var/lib/localkube
+      name: kubeconfig
+      readOnly: true
   volumes:
   - hostPath:
       path: /etc/kubernetes/
     name: addons
+  - hostPath:
+      path: /var/lib/localkube
+    name: kubeconfig

hack/jenkins/linux_integration_tests_none.sh

@@ -30,7 +30,8 @@ OS_ARCH="linux-amd64"
 VM_DRIVER="none"
 JOB_NAME="Linux-None"
 EXTRA_BUILD_ARGS="$EXTRA_BUILD_ARGS --use-vendored-driver"
-SUDO_PREFIX="sudo "
+SUDO_PREFIX="sudo -E "
+export KUBECONFIG="/root/.kube/config"
 
 # Download files and set permissions
 source common.sh

pkg/localkube/apiserver.go

@@ -39,8 +39,8 @@ func StartAPIServer(lk LocalkubeServer) func() error {
 	config.SecureServing.BindAddress = lk.APIServerAddress
 	config.SecureServing.BindPort = lk.APIServerPort
 
-	config.InsecureServing.BindAddress = lk.APIServerInsecureAddress
-	config.InsecureServing.BindPort = lk.APIServerInsecurePort
+	// 0 turns off insecure serving.
+	config.InsecureServing.BindPort = 0
 
 	config.Authentication.ClientCert.ClientCA = lk.GetCAPublicKeyCertPath()
 
@@ -84,7 +84,7 @@ func StartAPIServer(lk LocalkubeServer) func() error {
 }
 
 func readyFunc(lk LocalkubeServer) HealthCheck {
-	hostport := net.JoinHostPort(lk.APIServerInsecureAddress.String(), strconv.Itoa(lk.APIServerInsecurePort))
-	addr := "http://" + path.Join(hostport, "healthz")
-	return healthCheck(addr)
+	hostport := net.JoinHostPort("localhost", strconv.Itoa(lk.APIServerPort))
+	addr := "https://" + path.Join(hostport, "healthz")
+	return healthCheck(addr, lk)
 }

pkg/localkube/controller-manager.go

@@ -19,6 +19,7 @@ package localkube
 import (
 	controllerManager "k8s.io/kubernetes/cmd/kube-controller-manager/app"
 	"k8s.io/kubernetes/cmd/kube-controller-manager/app/options"
+	"k8s.io/minikube/pkg/util"
 )
 
 func (lk LocalkubeServer) NewControllerManagerServer() Server {
@@ -28,7 +29,7 @@ func (lk LocalkubeServer) NewControllerManagerServer() Server {
 func StartControllerManagerServer(lk LocalkubeServer) func() error {
 	config := options.NewCMServer()
 
-	config.Master = lk.GetAPIServerInsecureURL()
+	config.Kubeconfig = util.DefaultKubeConfigPath
 
 	// defaults from command
 	config.DeletingPodsQps = 0.1

pkg/localkube/kubelet.go

@@ -17,8 +17,10 @@ limitations under the License.
 package localkube
 
 import (
+	"k8s.io/apiserver/pkg/util/flag"
 	kubelet "k8s.io/kubernetes/cmd/kubelet/app"
 	"k8s.io/kubernetes/cmd/kubelet/app/options"
+	"k8s.io/minikube/pkg/util"
 )
 
 func (lk LocalkubeServer) NewKubeletServer() Server {
@@ -29,7 +31,8 @@ func StartKubeletServer(lk LocalkubeServer) func() error {
 	config := options.NewKubeletServer()
 
 	// Master details
-	config.APIServerList = []string{lk.GetAPIServerInsecureURL()}
+	config.KubeConfig = flag.NewStringFlag(util.DefaultKubeConfigPath)
+	config.RequireKubeConfig = true
 
 	// Set containerized based on the flag
 	config.Containerized = lk.Containerized

pkg/localkube/proxy.go

@@ -18,6 +18,7 @@ package localkube
 
 import (
 	kubeproxy "k8s.io/kubernetes/cmd/kube-proxy/app"
+	"k8s.io/minikube/pkg/util"
 
 	"time"
 
@@ -40,16 +41,17 @@ func StartProxyServer(lk LocalkubeServer) func() error {
 	config := &componentconfig.KubeProxyConfiguration{
 		OOMScoreAdj: &OOMScoreAdj,
 		ClientConnection: componentconfig.ClientConnectionConfiguration{
-			Burst: 10,
-			QPS:   5,
+			Burst:          10,
+			QPS:            5,
+			KubeConfigFile: util.DefaultKubeConfigPath,
 		},
 		ConfigSyncPeriod: v1.Duration{Duration: 15 * time.Minute},
 		IPTables: componentconfig.KubeProxyIPTablesConfiguration{
 			MasqueradeBit: &MasqueradeBit,
 			SyncPeriod:    v1.Duration{Duration: 30 * time.Second},
 			MinSyncPeriod: v1.Duration{Duration: 5 * time.Second},
 		},
-		BindAddress:  lk.APIServerInsecureAddress.String(),
+		BindAddress:  lk.APIServerAddress.String(),
 		Mode:         componentconfig.ProxyModeIPTables,
 		FeatureGates: lk.FeatureGates,
 		// Disable the healthz check
@@ -60,7 +62,7 @@ func StartProxyServer(lk LocalkubeServer) func() error {
 
 	return func() error {
 		// Creating this config requires the API Server to be up, so do it in the start function itself.
-		server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), lk.GetAPIServerInsecureURL())
+		server, err := kubeproxy.NewProxyServer(config, false, runtime.NewScheme(), "")
 		if err != nil {
 			panic(err)
 		}

pkg/localkube/ready.go

@@ -17,6 +17,8 @@ limitations under the License.
 package localkube
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"io/ioutil"
 	"net/http"
 
@@ -25,10 +27,33 @@ import (
 
 type HealthCheck func() bool
 
-func healthCheck(addr string) HealthCheck {
+func healthCheck(addr string, lk LocalkubeServer) HealthCheck {
 	return func() bool {
 		glog.Infof("Performing healthcheck on %s\n", addr)
-		resp, err := http.Get(addr)
+
+		cert, err := tls.LoadX509KeyPair(lk.GetPublicKeyCertPath(), lk.GetPrivateKeyCertPath())
+		if err != nil {
+			glog.Error(err)
+			return false
+		}
+
+		// Load CA cert
+		caCert, err := ioutil.ReadFile(lk.GetCAPublicKeyCertPath())
+		if err != nil {
+			glog.Warning(err)
+			return false
+		}
+		caCertPool := x509.NewCertPool()
+		caCertPool.AppendCertsFromPEM(caCert)
+		tlsConfig := &tls.Config{
+			Certificates: []tls.Certificate{cert},
+			RootCAs:      caCertPool,
+		}
+		tlsConfig.BuildNameToCertificate()
+		transport := &http.Transport{TLSClientConfig: tlsConfig}
+		client := &http.Client{Transport: transport}
+
+		resp, err := client.Get(addr)
 		if err != nil {
 			glog.Errorf("Error performing healthcheck: %s", err)
 			return false

pkg/localkube/scheduler.go

@@ -19,6 +19,7 @@ package localkube
 import (
 	scheduler "k8s.io/kubernetes/plugin/cmd/kube-scheduler/app"
 	"k8s.io/kubernetes/plugin/cmd/kube-scheduler/app/options"
+	"k8s.io/minikube/pkg/util"
 )
 
 func (lk LocalkubeServer) NewSchedulerServer() Server {
@@ -29,7 +30,7 @@ func StartSchedulerServer(lk LocalkubeServer) func() error {
 	config := options.NewSchedulerServer()
 
 	// master details
-	config.Master = lk.GetAPIServerInsecureURL()
+	config.Kubeconfig = util.DefaultKubeConfigPath
 
 	// defaults from command
 	config.EnableProfiling = true

pkg/localkube/storage_provisioner.go

@@ -32,7 +32,8 @@ import (
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/kubernetes"
 	"k8s.io/client-go/pkg/api/v1"
-	"k8s.io/client-go/rest"
+	"k8s.io/client-go/tools/clientcmd"
+	"k8s.io/minikube/pkg/util"
 )
 
 const (
@@ -121,12 +122,12 @@ func (lk LocalkubeServer) NewStorageProvisionerServer() Server {
 
 func StartStorageProvisioner(lk LocalkubeServer) func() error {
 
-	// Create an InClusterConfig and use it to create a client for the controller
-	// to use to communicate with Kubernetes
-	config := rest.Config{Host: "http://localhost:8080"}
 	return func() error {
-
-		clientset, err := kubernetes.NewForConfig(&config)
+		config, err := clientcmd.BuildConfigFromFlags("", util.DefaultKubeConfigPath)
+		if err != nil {
+			return err
+		}
+		clientset, err := kubernetes.NewForConfig(config)
 		if err != nil {
 			glog.Fatalf("Failed to create client: %v", err)
 		}

pkg/minikube/assets/addons.go

@@ -28,12 +28,12 @@ import (
 )
 
 type Addon struct {
-	Assets    []*MemoryAsset
+	Assets    []*BinDataAsset
 	enabled   bool
 	addonName string
 }
 
-func NewAddon(assets []*MemoryAsset, enabled bool, addonName string) *Addon {
+func NewAddon(assets []*BinDataAsset, enabled bool, addonName string) *Addon {
 	a := &Addon{
 		Assets:    assets,
 		enabled:   enabled,
@@ -55,107 +55,107 @@ func (a *Addon) IsEnabled() (bool, error) {
 }
 
 var Addons = map[string]*Addon{
-	"addon-manager": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"addon-manager": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/addon-manager.yaml",
 			"/etc/kubernetes/manifests/",
 			"addon-manager.yaml",
 			"0640"),
 	}, true, "addon-manager"),
-	"dashboard": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"dashboard": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/dashboard/dashboard-rc.yaml",
 			constants.AddonsPath,
 			"dashboard-rc.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/dashboard/dashboard-svc.yaml",
 			constants.AddonsPath,
 			"dashboard-svc.yaml",
 			"0640"),
 	}, true, "dashboard"),
-	"default-storageclass": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"default-storageclass": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/storageclass/storageclass.yaml",
 			constants.AddonsPath,
 			"storageclass.yaml",
 			"0640"),
 	}, true, "default-storageclass"),
-	"kube-dns": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"kube-dns": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/kube-dns/kube-dns-controller.yaml",
 			constants.AddonsPath,
 			"kube-dns-controller.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/kube-dns/kube-dns-cm.yaml",
 			constants.AddonsPath,
 			"kube-dns-cm.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/kube-dns/kube-dns-svc.yaml",
 			constants.AddonsPath,
 			"kube-dns-svc.yaml",
 			"0640"),
 	}, true, "kube-dns"),
-	"heapster": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"heapster": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/heapster/influxGrafana-rc.yaml",
 			constants.AddonsPath,
 			"influxGrafana-rc.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/heapster/grafana-svc.yaml",
 			constants.AddonsPath,
 			"grafana-svc.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/heapster/influxdb-svc.yaml",
 			constants.AddonsPath,
 			"influxdb-svc.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/heapster/heapster-rc.yaml",
 			constants.AddonsPath,
 			"heapster-rc.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/heapster/heapster-svc.yaml",
 			constants.AddonsPath,
 			"heapster-svc.yaml",
 			"0640"),
 	}, false, "heapster"),
-	"ingress": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"ingress": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/ingress/ingress-configmap.yaml",
 			constants.AddonsPath,
 			"ingress-configmap.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/ingress/ingress-rc.yaml",
 			constants.AddonsPath,
 			"ingress-rc.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/ingress/ingress-svc.yaml",
 			constants.AddonsPath,
 			"ingress-svc.yaml",
 			"0640"),
 	}, false, "ingress"),
-	"registry": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"registry": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/registry/registry-rc.yaml",
 			constants.AddonsPath,
 			"registry-rc.yaml",
 			"0640"),
-		NewMemoryAsset(
+		NewBinDataAsset(
 			"deploy/addons/registry/registry-svc.yaml",
 			constants.AddonsPath,
 			"registry-svc.yaml",
 			"0640"),
 	}, false, "registry"),
-	"registry-creds": NewAddon([]*MemoryAsset{
-		NewMemoryAsset(
+	"registry-creds": NewAddon([]*BinDataAsset{
+		NewBinDataAsset(
 			"deploy/addons/registry-creds/registry-creds-rc.yaml",
 			constants.AddonsPath,
 			"registry-creds-rc.yaml",