host header is not being sent with probes after upgrading to 1.18.1 #46087
Comments
cc @jaellio |
I feel confident at this point that the issue is specific to the Host header. I was able to find some inconsistent config in our app related to the other custom headers that was throwing me off between a couple different deployments I was comparing... The tcpdump in this issue proves that the Host header itself is being sent incorrectly as part of the probe and that's the focus of this issue. |
I'll take a look at this! Thanks for creating the issue! |
Awesome, thank you @jaellio! Let me know if there's some more info I can try to provide. I had to redact things a little bit and not show the full pod because it's on our internal staging deployments, but if you gave me a less sensitive deployment/pod you wanted me to try to run I could probably do that as well. I have identical deployments atm in both 1.16.1 and 1.18.1 to compare. |
I am not sure how you take |
Apologies I'm not clear what point you're making here. The tl;dr of the issue is that istio injection is rewriting the main container such that probes go to istio-proxy over port 15020. The proxy is then re-sending its own probe query to the main container over the loopback interface. The request to the main container from the istio-proxy (over the loopback interface) is showing the wrong Host header in the tcpdump. |
I was poking at this a bit and I feel like it's worth pointing out that if I set the I also tried things like |
Kubernetes itself also does some similar/weird/broken casing things as well
that were recently fixed. Will try to find a link
…On Fri, Jul 21, 2023, 3:33 PM Michael Merickel ***@***.***> wrote:
I was poking at this a bit and I feel like it's worth pointing out that if
I set the httpHeaders value to host or HOST, etc I do not get the
liveness probe sent to my app at all (nothing shows in tcpdump). It seems
to only work if I set the name: Host specifically. This surprises me a
lot and figure something weird is going on. The casing is reflected in the
ISTIO_KUBE_APP_PROBERS.
I also tried things like x-request-id and that did work and got
translated to X-Request-Id in the main container - it feels like some
header normalization is going on somewhere? I wish I had a way to debug
istio but I have no clue how to setup a harness for that, just to see the
values in this code path
https://github.com/istio/istio/blob/1.18.1/pilot/cmd/pilot-agent/status/server.go#L689-L722.
|
Quick update, I reverted to 1.18.0 and things are working as expected there. So something changed between 1.18.0 and 1.18.1 that is causing this behavior. I also tried 1.17.4 and it is working fine as well. Also wrt the x-request-id casing, on 1.17.4 if I use the lowercase version then the runtime sends the app header twice (both keys normalized to X-Request-Id) but as John said it may not be istio doing that and it's not a problem if I specify the case correctly in the Deployment. On 1.18.0 I do not observe the header being sent twice. Same version of kubernetes (1.26 on EKS). |
Without istio enabled, if you set HTTP Header Host: example.com, the readiness/liveness Probe will fail too. Please take a look at the kubelet probe code kubernetes/pkg/kubelet/prober/prober.go |
This issue is about setting a |
Setting host header will override HttpGet.Host |
PTAL https://github.com/kubernetes/kubernetes/blob/master/pkg/kubelet/prober/prober.go#L143-L156, and track down the |
I know what happened here. |
What part of this issue are you referring to? I’ve tested my claims about the header vs HttpGet.Host as well as being super confident our config has been working for the last couple years through many versions of istio and k8s using the example posted above. I have repro’d the literal |
All recent testing has been on k8s 1.26 but we’ve been using the same config since at least 1.19. |
In golang the |
Will file a fix |
can be closed |
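One Go behaviour that produces the symptom reported in this issue, shown as an added example (not Istio's code and not the fix mentioned above): the `net/http` client ignores a `Host` entry in `Request.Header` and sends `Request.Host` or the URL host instead, and `Header.Set` canonicalizes names such as `x-request-id`. The names `probeHeader`, `applyHeaders` and `observe`, the `/healthz` path and the header values are assumptions made for the example.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// probeHeader (hypothetical) mirrors one httpGet.httpHeaders entry.
type probeHeader struct{ Name, Value string }

// applyHeaders copies probe headers onto req. Naive mode only fills req.Header,
// where the client ignores "Host"; hostAware mode routes any casing to req.Host.
func applyHeaders(req *http.Request, hdrs []probeHeader, hostAware bool) {
	for _, h := range hdrs {
		if hostAware && strings.EqualFold(h.Name, "Host") {
			req.Host = h.Value
			continue
		}
		req.Header.Set(h.Name, h.Value) // Set canonicalizes x-request-id to X-Request-Id
	}
}

// observe probes a local test server; returns the Host the app saw and the host dialed.
func observe(hdrs []probeHeader, hostAware bool) (seen, dialed string, err error) {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		io.WriteString(w, r.Host)
	}))
	defer srv.Close()
	req, err := http.NewRequest(http.MethodGet, srv.URL+"/healthz", nil)
	if err != nil {
		return "", "", err
	}
	applyHeaders(req, hdrs, hostAware)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return "", "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), req.URL.Host, err
}

func main() {
	hdrs := []probeHeader{{"Host", "example.com"}, {"x-request-id", "readiness-probe"}} // constructed
	fmt.Println(observe(hdrs, false)) // naive: app sees the dialed host:port
	fmt.Println(observe(hdrs, true))  // host-aware: app sees example.com
}
```

In naive mode the app receives the dialed `ip:port` as its Host, which is the same shape as the `10.34.54.17:5000` value in the captured tcpdump.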
Is this the right place to submit this?
Bug Description
After upgrading from istio 1.16.1 to 1.18.1 my pods are no longer receiving the correct Host header on their startup/readiness/liveness probes. I have inconsistent results with other custom headers. I have a few pods that are receiving custom headers, but most of them are not receiving those as well. All with the same pod spec.
This configuration worked with istio 1.16.1. I have not tested intermediate versions.
I modified the app to ignore the host header to debug this and can confirm that the probe is hitting the correct endpoint on our app. However, we expect the host header to be sent in the request.
Readiness probe in Deployment
Readiness probe in auto-injected Pod
ISTIO_KUBE_APP_PROBERS
Captured tcpdump
Host header being sent is 10.34.54.17:5000.
X-Request-Id is the expected readiness-probe value.
Version
Additional Information
Probably related: #45632 and #45482
I should probably emphasize again that I have only 1 pod where the x-request-id custom headers are working out of 4 running examples (across 2 separate kubernetes clusters). And every pod has a broken host header.
Affected product area