From 4f712bf3be997393ad266ed3402be78cad98f306 Mon Sep 17 00:00:00 2001
From: Dan Lorenc
Date: Wed, 4 May 2016 22:15:59 -0700
Subject: [PATCH] Make localkube serve securely.
---
 pkg/localkube/apiserver.go | 17 ++++++++++++++---
 pkg/localkube/controller-manager.go | 2 ++
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/pkg/localkube/apiserver.go b/pkg/localkube/apiserver.go
index 9447ee1562..364e0e9d5e 100644
--- a/pkg/localkube/apiserver.go
+++ b/pkg/localkube/apiserver.go
@@ -20,6 +20,7 @@ import (
 "fmt"
 "net"
 "os"
+ "path/filepath"
 "strings"
 "time"
@@ -29,9 +30,12 @@ import (
 )
 const (
- APIServerName = "apiserver"
- APIServerHost = "0.0.0.0"
- APIServerPort = 8080
+ APIServerName = "apiserver"
+ APIServerHost = "127.0.0.1"
+ APIServerPort = 8080
+ APIServerSecureHost = "0.0.0.0"
+ APIServerSecurePort = 443
+ certPath = "/srv/kubernetes/certs/"
 )
 var (
@@ -62,9 +66,16 @@ func StartAPIServer() {
 config := options.NewAPIServer()
 // use host/port from vars
+ config.BindAddress = net.ParseIP(APIServerSecureHost)
+ config.SecurePort = APIServerSecurePort
 config.InsecureBindAddress = net.ParseIP(APIServerHost)
 config.InsecurePort = APIServerPort
+ config.ClientCAFile = filepath.Join(certPath, "ca.crt")
+ config.TLSCertFile = filepath.Join(certPath, "kubernetes-master.crt")
+ config.TLSPrivateKeyFile = filepath.Join(certPath, "kubernetes-master.key")
+ config.AdmissionControl = "NamespaceLifecycle,LimitRanger,SecurityContextDeny,ServiceAccount,ResourceQuota"
+
 // use localkube etcd
 config.EtcdConfig = etcdstorage.EtcdConfig{
 ServerList: KubeEtcdClientURLs,
diff --git a/pkg/localkube/controller-manager.go b/pkg/localkube/controller-manager.go
index d85512d613..32d12c489d 100644
--- a/pkg/localkube/controller-manager.go
+++ b/pkg/localkube/controller-manager.go
@@ -18,6 +18,7 @@ package localkube
 import (
 "os"
+ "path/filepath"
 "time"
 controllerManager "k8s.io/kubernetes/cmd/kube-controller-manager/app"
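Review bot: The new exported constants APIServerSecureHost and APIServerSecurePort in the const hunk have no doc comment, and certPath is a fixed absolute location that controller-manager.go also depends on, which a reader of this file cannot tell. Suggest `// APIServerSecureHost and APIServerSecurePort are the TLS listener address; the unauthenticated listener stays on APIServerHost (loopback).` above the pair, and on certPath `// certPath must hold ca.crt and the kubernetes-master cert/key pair before the servers start; controller-manager.go reads the key from here too`. The trailing slash in `"/srv/kubernetes/certs/"` is redundant once every use goes through filepath.Join, so `certPath = "/srv/kubernetes/certs"` reads cleaner.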
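Review bot: In the StartAPIServer hunk nothing checks that the three files under certPath exist and are readable before the server is configured, so a missing ca.crt or kubernetes-master cert/key only fails later inside the apiserver, where the cause is harder to trace back to provisioning; an up-front `os.Stat` of each of config.ClientCAFile, config.TLSCertFile and config.TLSPrivateKeyFile (os is already imported) with a message naming the path would surface that immediately. The unauthenticated, plaintext insecure listener remains enabled, now bound to 127.0.0.1:8080 — presumably for the in-process controller manager and scheduler — and that intent deserves a comment on the InsecureBindAddress line, e.g. `// insecure (no auth, no TLS) port stays on loopback only; local components use it`. StartAPIServer's body continues outside the hunk.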
@@ -50,6 +51,7 @@ func StartControllerManagerServer() {
 config.DeletingPodsQps = 0.1
 config.DeletingPodsBurst = 10
 config.EnableProfiling = true
+ config.ServiceAccountKeyFile = filepath.Join(certPath, "kubernetes-master.key")
 fn := func() error {
 return controllerManager.Run(config)
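Review bot: ServiceAccountKeyFile reuses the apiserver's TLS private key (kubernetes-master.key) as the service-account token signing key, so the serving key and the token-signing key are one secret and cannot be rotated independently; a dedicated signing key under certPath would keep the two roles separable. If this relies on the apiserver verifying tokens with its own TLSPrivateKeyFile when no separate key is configured, that coupling should be stated, e.g. `// must be the same key the apiserver uses to verify service-account tokens (its TLSPrivateKeyFile)`. StartControllerManagerServer starts and ends outside the hunk.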