From 24c8ba832a88ac865d06bfe384c88cba58e529ed Mon Sep 17 00:00:00 2001
From: Calin Cristian Andrei <cristian.calin@outlook.com>
Date: Tue, 14 Jun 2022 12:57:54 +0300
Subject: [PATCH] [kubernetes] drop support for configuring insecure apiserver

---
 docs/ha-mode.md                                       | 11 -----------
 .../sample/group_vars/k8s_cluster/k8s-cluster.yml     |  3 ---
 roles/kubernetes/control-plane/defaults/main/main.yml |  3 ---
 .../templates/kubeadm-config.v1beta3.yaml.j2          |  6 ------
 roles/kubernetes/node/defaults/main.yml               |  3 ---
 .../preinstall/tasks/0020-verify-settings.yml         |  7 -------
 roles/kubespray-defaults/defaults/main.yaml           |  5 -----
 7 files changed, 38 deletions(-)

diff --git a/docs/ha-mode.md b/docs/ha-mode.md
index ca924db7d..de80199de 100644
--- a/docs/ha-mode.md
+++ b/docs/ha-mode.md
@@ -36,12 +36,6 @@ The following diagram shows how traffic to the apiserver is directed.
 
 ![Image](figures/loadbalancer_localhost.png?raw=true)
 
-  Note: Kubernetes master nodes still use insecure localhost access because
-  there are bugs in Kubernetes <1.5.0 in using TLS auth on master role
-  services. This makes backends receiving unencrypted traffic and may be a
-  security issue when interconnecting different nodes, or maybe not, if those
-  belong to the isolated management network without external access.
-
 A user may opt to use an external loadbalancer (LB) instead. An external LB
 provides access for external clients, while the internal LB accepts client
 connections only to the localhost.
@@ -129,11 +123,6 @@ Kubespray has nothing to do with it, this is informational only.
 As you can see, the masters' internal API endpoints are always
 contacted via the local bind IP, which is `https://bip:sp`.
 
-**Note** that for some cases, like healthchecks of applications deployed by
-Kubespray, the masters' APIs are accessed via the insecure endpoint, which
-consists of the local `kube_apiserver_insecure_bind_address` and
-`kube_apiserver_insecure_port`.
-
 ## Optional configurations
 
 ### ETCD with a LB
diff --git a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
index 91674de2d..d31139479 100644
--- a/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
+++ b/inventory/sample/group_vars/k8s_cluster/k8s-cluster.yml
@@ -116,9 +116,6 @@ kube_network_node_prefix_ipv6: 120
 # The port the API Server will be listening on.
 kube_apiserver_ip: "{{ kube_service_addresses|ipaddr('net')|ipaddr(1)|ipaddr('address') }}"
 kube_apiserver_port: 6443  # (https)
-# kube_apiserver_insecure_port: 8080  # (http)
-# Set to 0 to disable insecure port - Requires RBAC in authorization_modes and kube_api_anonymous_auth: true
-kube_apiserver_insecure_port: 0  # (disabled)
 
 # Kube-proxy proxyMode configuration.
 # Can be ipvs, iptables
diff --git a/roles/kubernetes/control-plane/defaults/main/main.yml b/roles/kubernetes/control-plane/defaults/main/main.yml
index 42f9c7654..7205e9b38 100644
--- a/roles/kubernetes/control-plane/defaults/main/main.yml
+++ b/roles/kubernetes/control-plane/defaults/main/main.yml
@@ -2,9 +2,6 @@
 # disable upgrade cluster
 upgrade_cluster_setup: false
 
-# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
-kube_apiserver_insecure_bind_address: 127.0.0.1
-
 # By default the external API listens on all interfaces, this can be changed to
 # listen on a specific address/interface.
 # NOTE: If you specific address/interface and use loadbalancer_apiserver_localhost
diff --git a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2 b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
index 9415593d0..363395e05 100644
--- a/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
+++ b/roles/kubernetes/control-plane/templates/kubeadm-config.v1beta3.yaml.j2
@@ -121,12 +121,6 @@ apiServer:
 {% endif %}
     authorization-mode: {{ authorization_modes | join(',') }}
     bind-address: {{ kube_apiserver_bind_address }}
-{% if kube_apiserver_insecure_port|string != "0" %}
-    insecure-bind-address: {{ kube_apiserver_insecure_bind_address }}
-{% endif %}
-{% if kube_version is version('v1.24.0','<') %}
-    insecure-port: "{{ kube_apiserver_insecure_port }}"
-{% endif %}
 {% if kube_apiserver_enable_admission_plugins|length > 0 %}
     enable-admission-plugins: {{ kube_apiserver_enable_admission_plugins | join(',') }}
 {% endif %}
diff --git a/roles/kubernetes/node/defaults/main.yml b/roles/kubernetes/node/defaults/main.yml
index e73e0b411..73e0898f5 100644
--- a/roles/kubernetes/node/defaults/main.yml
+++ b/roles/kubernetes/node/defaults/main.yml
@@ -1,7 +1,4 @@
 ---
-# change to 0.0.0.0 to enable insecure access from anywhere (not recommended)
-kube_apiserver_insecure_bind_address: 127.0.0.1
-
 # advertised host IP for kubelet. This affects network plugin config. Take caution
 kubelet_address: "{{ ip | default(fallback_ips[inventory_hostname]) }}{{ (',' + ip6) if enable_dual_stack_networks and ip6 is defined else '' }}"
 
diff --git a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
index 29e6b1b4a..ada80220e 100644
--- a/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
+++ b/roles/kubernetes/preinstall/tasks/0020-verify-settings.yml
@@ -121,13 +121,6 @@
     - cloud_provider is defined and cloud_provider == "oci"
     - not ignore_assert_errors
 
-- name: Stop if RBAC and anonymous-auth are not enabled when insecure port is disabled
-  assert:
-    that: rbac_enabled and kube_api_anonymous_auth
-  when:
-    - kube_apiserver_insecure_port == 0 and inventory_hostname in groups['kube_control_plane']
-    - not ignore_assert_errors
-
 - name: Stop if kernel version is too low
   assert:
     that: ansible_kernel.split('-')[0] is version('4.9.17', '>=')
diff --git a/roles/kubespray-defaults/defaults/main.yaml b/roles/kubespray-defaults/defaults/main.yaml
index d2b6ad239..e0d948d74 100644
--- a/roles/kubespray-defaults/defaults/main.yaml
+++ b/roles/kubespray-defaults/defaults/main.yaml
@@ -233,9 +233,6 @@ kube_apiserver_bind_address: 0.0.0.0
 
 # https
 kube_apiserver_port: 6443
-# http
-kube_apiserver_insecure_bind_address: 127.0.0.1
-kube_apiserver_insecure_port: 0
 
 # If non-empty, will use this string as identification instead of the actual hostname
 kube_override_hostname: >-
@@ -555,8 +552,6 @@ kube_apiserver_endpoint: |-
   {%- else -%}
       https://{{ first_kube_control_plane_address }}:{{ kube_apiserver_port }}
   {%- endif %}
-kube_apiserver_insecure_endpoint: >-
-  http://{{ kube_apiserver_insecure_bind_address | regex_replace('0\.0\.0\.0','127.0.0.1') }}:{{ kube_apiserver_insecure_port }}
 kube_apiserver_client_cert: "{{ kube_cert_dir }}/ca.crt"
 kube_apiserver_client_key: "{{ kube_cert_dir }}/ca.key"
 
-- 
GitLab