remove insecure listen address

Signed-off-by: Krzysztof Ostrowski <kostrows@redhat.com>
brancz · Aug 4, 2022 · 825ea12 · 825ea12
1 parent f66fcd9
commit 825ea12
Show file tree

Hide file tree

Showing 2 changed files with 0 additions and 26 deletions.
diff --git a/README.md b/README.md
@@ -39,7 +39,6 @@ Usage of _output/kube-rbac-proxy:
       --client-ca-file string                       If set, any request presenting a client certificate signed by one of the authorities in the client-ca-file is authenticated with an identity corresponding to the CommonName of the client certificate.
       --config-file string                          Configuration file to configure kube-rbac-proxy.
       --ignore-paths strings                        Comma-separated list of paths against which kube-rbac-proxy pattern-matches the incoming request. If the requst matches, it will proxy the request without performing an authentication or authorization check. Cannot be used with --allow-paths.
-      --insecure-listen-address string              The address the kube-rbac-proxy HTTP server should listen on.
       --kubeconfig string                           Path to a kubeconfig file, specifying how to connect to the API server. If unset, in-cluster configuration will be used
       --log_backtrace_at traceLocation              when logging hits line file:N, emit a stack trace (default :0)
       --log_dir string                              If non-empty, write log files in this directory (no effect when -logtostderr=true)

diff --git a/main.go b/main.go
@@ -36,7 +36,6 @@ import (
 	"github.com/oklog/run"
 	"github.com/spf13/pflag"
 	"golang.org/x/net/http2"
-	"golang.org/x/net/http2/h2c"
 	"k8s.io/apiserver/pkg/authentication/authenticator"
 	"k8s.io/apiserver/pkg/authorization/union"
 	"k8s.io/client-go/kubernetes"
@@ -53,7 +52,6 @@ import (
 )
 
 type config struct {
-	insecureListenAddress string
 	secureListenAddress   string
 	upstream              string
 	upstreamForceH2C      bool
@@ -99,7 +97,6 @@ func main() {
 	flagset.AddGoFlagSet(klogFlags)
 
 	// kube-rbac-proxy flags
-	flagset.StringVar(&cfg.insecureListenAddress, "insecure-listen-address", "", "The address the kube-rbac-proxy HTTP server should listen on.")
 	flagset.StringVar(&cfg.secureListenAddress, "secure-listen-address", "", "The address the kube-rbac-proxy HTTPs server should listen on.")
 	flagset.StringVar(&cfg.upstream, "upstream", "", "The upstream URL to proxy to once requests have successfully been authenticated and authorized.")
 	flagset.BoolVar(&cfg.upstreamForceH2C, "upstream-force-h2c", false, "Force h2c to communiate with the upstream. This is required when the upstream speaks h2c(http/2 cleartext - insecure variant of http/2) only. For example, go-grpc server in the insecure mode, such as helm's tiller w/o TLS, speaks h2c only")
@@ -383,28 +380,6 @@ func main() {
 			})
 		}
 	}
-	{
-		if cfg.insecureListenAddress != "" {
-			srv := &http.Server{Handler: h2c.NewHandler(mux, &http2.Server{})}
-
-			l, err := net.Listen("tcp", cfg.insecureListenAddress)
-			if err != nil {
-				klog.Fatalf("Failed to listen on insecure address: %v", err)
-			}
-
-			gr.Add(func() error {
-				klog.Infof("Listening insecurely on %v", cfg.insecureListenAddress)
-				return srv.Serve(l)
-			}, func(err error) {
-				if err := srv.Shutdown(context.Background()); err != nil {
-					klog.Errorf("failed to gracefully shutdown server: %v", err)
-				}
-				if err := l.Close(); err != nil {
-					klog.Errorf("failed to gracefully close listener: %v", err)
-				}
-			})
-		}
-	}
 	{
 		sig := make(chan os.Signal, 1)
 		gr.Add(func() error {