diff --git a/docs/ha-mode.md b/docs/ha-mode.md index ca924db7d..de80199de 100644 --- a/docs/ha-mode.md +++ b/docs/ha-mode.md @@ -36,12 +36,6 @@ The following diagram shows how traffic to the apiserver is directed. ![Image](figures/loadbalancer_localhost.png?raw=true) - Note: Kubernetes master nodes still use insecure localhost access because - there are bugs in Kubernetes <1.5.0 in using TLS auth on master role - services. This makes backends receiving unencrypted traffic and may be a - security issue when interconnecting different nodes, or maybe not, if those - belong to the isolated management network without external access. - A user may opt to use an external loadbalancer (LB) instead. An external LB provides access for external clients, while the internal LB accepts client connections only to the localhost. @@ -129,11 +123,6 @@ Kubespray has nothing to do with it, this is informational only. As you can see, the masters' internal API endpoints are always contacted via the local bind IP, which is `https://bip:sp`. -**Note** that for some cases, like healthchecks of applications deployed by -Kubespray, the masters' APIs are accessed via the insecure endpoint, which -consists of the local `kube_apiserver_insecure_bind_address` and -`kube_apiserver_insecure_port`. - ## Optional configurations ### ETCD with a LB diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml index 91674de2d..d31139479 100644 --- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml +++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml @@ -116,9 +116,6 @@ kube_network_node_prefix_ipv6: 120 # The port the API Server will be listening on. kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}" kube_apiserver_port: 6443 # (https) -# kube_apiserver_insecure_port: 8080 # (http) -# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true -kube_apiserver_insecure_port: 0 # (disabled) # Kube-proxy proxyMode configuration. # Can be ipvs, iptables diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml index 42f9c7654..7205e9b38 100644 --- a/roles/kubernetes/control-plane/defaults/main/main.yml +++ b/roles/kubernetes/control-plane/defaults/main/main.yml @@ -2,9 +2,6 @@ # disable upgrade cluster upgrade_cluster_setup: false -# change to 0.0.0.0 to enable insecure access from anywhere (not recommended) -kube_apiserver_insecure_bind_address: 127.0.0.1 - # By default the external API listens on all interfaces, this can be changed to # listen on a specific address/interface. # NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 index 9415593d0..363395e05 100644 --- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 +++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 @@ -121,12 +121,6 @@ apiServer: {% endif %} authorization-mode: {{ authorization_modes | join(',') }} bind-address: {{ kube_apiserver_bind_address }} -{% if kube_apiserver_insecure_port|string != "0" %} - insecure-bind-address: {{ kube_apiserver_insecure_bind_address }} -{% endif %} -{% if kube_version is version('v1.24.0','<') %} - insecure-port: "{{ kube_apiserver_insecure_port }}" -{% endif %} {% if kube_apiserver_enable_admission_plugins|length > 0 %} enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }} {% endif %} diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml index e73e0b411..73e0898f5 100644 --- a/roles/kubernetes/node/defaults/main.yml +++ b/roles/kubernetes/node/defaults/main.yml @@ -1,7 +1,4 @@ --- -# change to 0.0.0.0 to enable insecure access from anywhere (not recommended) -kube_apiserver_insecure_bind_address: 127.0.0.1 - # advertised host IP for kubelet. This affects network plugin config. Take caution kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}" diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml index 29e6b1b4a..ada80220e 100644 --- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml +++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml @@ -121,13 +121,6 @@ - cloud_provider is defined and cloud_provider == "oci" - not ignore_assert_errors -- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled - assert: - that: rbac_enabled and kube_api_anonymous_auth - when: - - kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube_control_plane'] - - not ignore_assert_errors - - name: Stop if kernel version is too low assert: that: ansible_kernel.split('-')[0] is version('4.9.17', '>=') diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml index d2b6ad239..e0d948d74 100644 --- a/roles/kubespray-defaults/defaults/main.yaml +++ b/roles/kubespray-defaults/defaults/main.yaml @@ -233,9 +233,6 @@ kube_apiserver_bind_address: 0.0.0.0 # https kube_apiserver_port: 6443 -# http -kube_apiserver_insecure_bind_address: 127.0.0.1 -kube_apiserver_insecure_port: 0 # If non-empty, will use this string as identification instead of the actual hostname kube_override_hostname: >- @@ -555,8 +552,6 @@ kube_apiserver_endpoint: |- {%- else -%} https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }} {%- endif %} -kube_apiserver_insecure_endpoint: >- - http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }} kube_apiserver_client_cert: "{{ kube_cert_dir }}/ca.crt" kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key"