/*
Copyright 2017 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package server

import (
	"net"
	"net/http"
	"time"

	"k8s.io/klog/v2"

	"k8s.io/apiserver/pkg/authentication/authenticator"
	"k8s.io/apiserver/pkg/authentication/user"
	"k8s.io/client-go/rest"
)

// DeprecatedInsecureServingInfo is the main context object for the insecure http server.
// HTTP does NOT include authentication or authorization.
// You shouldn't be using this. It makes sig-auth sad.
type DeprecatedInsecureServingInfo struct {
	// Listener is the network listener the insecure (plain HTTP) server accepts
	// connections on. Serve takes the http.Server address and the log message
	// address from its Addr(); NewLoopbackClientConfig derives the loopback
	// host:port from the same Addr().
	Listener net.Listener
	// Name is an optional server name used only in log messages.
	Name string
}

// Serve starts an insecure http server with the given handler. It fails only if
// the initial listen call fails. It does not block.
// The stopped channels RunServer returns are discarded, so the caller cannot wait
// for the server to finish draining after stopCh is closed.
func (s *DeprecatedInsecureServingInfo) Serve(handler http.Handler, shutdownTimeout time.Duration, stopCh <-chan struct{}) error {
	addr := s.Listener.Addr()

	srv := &http.Server{
		Addr:           addr.String(),
		Handler:        handler,
		MaxHeaderBytes: 1 << 20,

		// Matches http.DefaultTransport's keep-alive timeout.
		IdleTimeout: 90 * time.Second,
		// Just shy of requestTimeoutUpperBound.
		ReadHeaderTimeout: 32 * time.Second,
	}

	if s.Name == "" {
		klog.Infof("Serving insecurely on %s", addr)
	} else {
		klog.Infof("Serving %s insecurely on %s", s.Name, addr)
	}

	// Only the immediate error is surfaced. The stoppedCh/listenerStoppedCh pair
	// that RunServer returns for graceful termination is deliberately not handled here.
	_, _, err := RunServer(srv, s.Listener, shutdownTimeout, stopCh)
	return err
}

// NewLoopbackClientConfig returns a rest.Config that reaches this insecure server over
// plain HTTP on its loopback host:port. The config carries no credentials, which is
// consistent with the server performing no authentication. It returns (nil, nil) on a
// nil receiver and propagates any error from LoopbackHostPort.
func (s *DeprecatedInsecureServingInfo) NewLoopbackClientConfig() (*rest.Config, error) {
	if s == nil {
		return nil, nil
	}

	host, port, err := LoopbackHostPort(s.Listener.Addr().String())
	if err != nil {
		return nil, err
	}

	cfg := &rest.Config{
		Host: "http://" + net.JoinHostPort(host, port),
		// Increase QPS limits. The client is currently passed to all admission plugins,
		// and those can be throttled in case of higher load on apiserver - see #22340 and #22422
		// for more details. Once #22422 is fixed, we may want to remove it.
		QPS:   50,
		Burst: 100,
	}
	return cfg, nil
}

// InsecureSuperuser implements authenticator.Request to always return a superuser.
// This is functionally equivalent to skipping authentication and authorization,
// but allows apiserver code to stop special-casing a nil user to skip authorization checks.
// Every request is attributed to the fixed user "system:unsecured" in
// user.SystemPrivilegedGroup and user.AllAuthenticated without any credential being inspected.
type InsecureSuperuser struct{}

// AuthenticateRequest satisfies authenticator.Request. It never fails and never
// inspects credentials: the returned Response names the fixed user "system:unsecured"
// in user.SystemPrivilegedGroup and user.AllAuthenticated, and passes through whatever
// audiences AudiencesFrom finds on the request context.
func (InsecureSuperuser) AuthenticateRequest(req *http.Request) (*authenticator.Response, bool, error) {
	// The ok flag is not needed: whatever AudiencesFrom returns is forwarded unchanged.
	audiences, _ := authenticator.AudiencesFrom(req.Context())

	info := &user.DefaultInfo{
		Name:   "system:unsecured",
		Groups: []string{user.SystemPrivilegedGroup, user.AllAuthenticated},
	}
	resp := &authenticator.Response{
		User:      info,
		Audiences: audiences,
	}
	return resp, true, nil
}